From hardjono@mit.edu Thu Dec 1 10:08:03 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE02E11E82A8 for ; Thu, 1 Dec 2011 10:08:03 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.599 X-Spam-Level: X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z7vyhg6LssIZ for ; Thu, 1 Dec 2011 10:08:03 -0800 (PST) Received: from dmz-mailsec-scanner-6.mit.edu (DMZ-MAILSEC-SCANNER-6.MIT.EDU [18.7.68.35]) by ietfa.amsl.com (Postfix) with ESMTP id 2F6A011E8115 for ; Thu, 1 Dec 2011 10:08:00 -0800 (PST) X-AuditID: 12074423-b7f266d0000008b8-02-4ed7c27fc8a9 Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id B0.12.02232.F72C7DE4; Thu, 1 Dec 2011 13:07:59 -0500 (EST) Received: from outgoing-exchange-1.mit.edu (OUTGOING-EXCHANGE-1.MIT.EDU [18.9.28.15]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id pB1I7x3l012231 for ; Thu, 1 Dec 2011 13:07:59 -0500 Received: from W92EXEDGE6.EXCHANGE.MIT.EDU (W92EXEDGE6.EXCHANGE.MIT.EDU [18.7.73.28]) by outgoing-exchange-1.mit.edu (8.13.8/8.12.4) with ESMTP id pB1I7voU017728 for ; Thu, 1 Dec 2011 13:07:59 -0500 Received: from OC11EXHUB8.exchange.mit.edu (18.9.3.20) by W92EXEDGE6.EXCHANGE.MIT.EDU (18.7.73.28) with Microsoft SMTP Server (TLS) id 14.1.289.1; Thu, 1 Dec 2011 10:07:39 -0800 Received: from OC11EXPO24.exchange.mit.edu ([169.254.1.210]) by OC11EXHUB8.exchange.mit.edu ([18.9.3.20]) with mapi id 14.01.0289.001; Thu, 1 Dec 2011 13:07:57 -0500 From: Thomas Hardjono To: "oauth (oauth@ietf.org)" Thread-Topic: Webinar on UMA / OAUTH (December 14th at 10AM-PST) Thread-Index: AcywVCVxvzD08ITQR3m9IGzNsPoleg== Date: Thu, 1 Dec 2011 18:07:57 +0000 Message-ID: <5E393DF26B791A428E5F003BB6C5342A03846A@OC11EXPO24.exchange.mit.edu> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [18.111.102.143] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrBKsWRmVeSWpSXmKPExsUixCmqrFt/6LqfwYqTShYn375ic2D0WLLk J1MAYxSXTUpqTmZZapG+XQJXxqW+bywF21grfp1cwNzAeICli5GTQ0LAROLZkgZ2CFtM4sK9 9WxdjFwcQgL7GCX6p2xmgXCuMEr8PXaUFaRKSOAWo8TXE6IQia2MEr+OL2GGcFYySpx69ZkJ pIpNQEPi3O+9YHNFBHQlVn/qBbOFBWwlJl7oYIWIO0l0/GplgrD1JFo6NzCC2CwCKhLvX11k BrF5BQIkGluXgcUZge77fmoNWD2zgLjErSfzmSDuFpRYNHsPM8wP/3Y9ZIOwlSTO//jDAlGv I7Fg9yc2CFtbYtnC11DzBSVOznzCMoFRbBaSsbOQtMxC0jILScsCRpZVjLIpuVW6uYmZOcWp ybrFyYl5ealFumZ6uZkleqkppZsYQRHE7qK8g/HPQaVDjAIcjEo8vJIZ1/yEWBPLiitzDzFK cjApifLy7bvuJ8SXlJ9SmZFYnBFfVJqTWnyIUYKDWUmEd/1UoBxvSmJlVWpRPkxKmoNFSZxX ZqeDn5BAemJJanZqakFqEUxWhoNDSYL3/EGgRsGi1PTUirTMnBKENBMHJ8hwHqDh50BqeIsL EnOLM9Mh8qcYFaXEeW+DJARAEhmleXC9sAT3ilEc6BVh3gsgVTzA5AjX/QpoMBPQ4PbJV0AG lyQipKQaGIt5d1gYtQa+emhVPbNr3tsjx+u64o2ep5zZ5u0bYPLtlJX6by7lnDXsTUvXBNhO /mm5mZGFvbVwz/RDy2zXM54+ti8xNf5e4//dnpICkdwmUwO38uZYHmLa+WCbPFN2F8OZReoL ypquT6jnfGe1kCf8fazNn8cTNlc94DedeS5tkk707YdyvkosxRmJhlrMRcWJAE+8VE9LAwAA Subject: [OAUTH-WG] Webinar on UMA / OAUTH (December 14th at 10AM-PST) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Dec 2011 18:08:04 -0000 Folks, FYI there will be a free UMA webinar on December 14 (Wed) at 10AM-Pacific. = It will include some info/demo by implementers. The registration link is at the following site: http://kantarainitiative.org/confluence/display/uma/Home -------------------------------------- UMA Webinar on Wednesday, December 14 Don't miss the public webinar to be held on Wednesday, December 14 at 10am = PT! Register ahead of time here. Spaces are limited, so don't delay! (The w= ebinar will also be recorded for later viewing.) See the [UMA calendar] for= timezone translation help. -------------------------------------- /thomas/ __________________________________________ From rrichards@cdatazone.org Thu Dec 1 12:09:53 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B26AC21F902C for ; Thu, 1 Dec 2011 12:09:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oS6fhIWa+Q6r for ; Thu, 1 Dec 2011 12:09:51 -0800 (PST) Received: from smtp2go.com (smtp2go.com [207.58.142.213]) by ietfa.amsl.com (Postfix) with ESMTP id 97B5621F902D for ; Thu, 1 Dec 2011 12:09:50 -0800 (PST) Message-ID: <4ED7DF0C.4000701@cdatazone.org> Date: Thu, 01 Dec 2011 15:09:48 -0500 From: Rob Richards User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Barry Leiba References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: oauth WG Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Dec 2011 20:09:53 -0000 On 11/28/11 10:39 PM, Barry Leiba wrote: >> The OAuth base doc refers in two places to TLS versions (with the same >> text in both places: >> >> OLD >> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD >> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY >> support additional transport-layer mechanisms meeting its security >> requirements. >> >> In both the shepherd review and the AD review, this was called into question: >> 1. MUST for an old version and SHOULD for the current version seems wrong. >> 2. Having specific versions required locks us into those versions (for >> example, all implementations will have to support TLS 1.0, even long >> after it becomes obsolete, unless we rev the spec. > The comments I've gotten on this show a clear consensus against the > change I suggest, and against any attempt to require a version of TLS > other than 1.0. I still, though, am concerned that locking this spec > into TLS 1.0 is limiting. So let me propose an alternative wording, > which again tries to make the version(s) non-normative, while making > it clear which version(s) need to be implemented to get > interoperability: > > NEW > -------------------------------------------- > The authorization server MUST implement TLS. Which version(s) > ought to be implemented will vary over time, and depend on > the widespread deployment and known security vulnerabilities at > the time of implementation. At the time of this writing, TLS version > 1.2 [RFC5246] is the most recent version, but has very limited > actual deployment, and might not be readily available in > implementation toolkits. TLS version 1.0 [RFC2246] is the > most widely deployed version, and will give the broadest > interoperability. > > Servers MAY also implement additional transport-layer > mechanisms that meet their security requirements. > -------------------------------------------- > > Comments on this version? > > Barry > Text is neutral enough for me as it's not mandating anything that isn't readily available. Only comment is whether or not there is a need to even talk about the specific versions or if just the following is enough: The authorization server MUST implement TLS. Which version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation. Servers MAY also implement additional transport-layer mechanisms that meet their security requirements. Rob From stpeter@stpeter.im Thu Dec 1 12:10:49 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DFAD21F90AE for ; Thu, 1 Dec 2011 12:10:49 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ftbHqqDsrVhs for ; Thu, 1 Dec 2011 12:10:48 -0800 (PST) Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id D26E711E8095 for ; Thu, 1 Dec 2011 12:10:47 -0800 (PST) Received: from normz.cisco.com (unknown [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 43C074214C; Thu, 1 Dec 2011 13:17:37 -0700 (MST) Message-ID: <4ED7DF3B.5010107@stpeter.im> Date: Thu, 01 Dec 2011 13:10:35 -0700 From: Peter Saint-Andre User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Rob Richards References: <4ED7DF0C.4000701@cdatazone.org> In-Reply-To: <4ED7DF0C.4000701@cdatazone.org> X-Enigmail-Version: 1.3.3 OpenPGP: url=https://stpeter.im/stpeter.asc Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Dec 2011 20:10:49 -0000 On 12/1/11 1:09 PM, Rob Richards wrote: > On 11/28/11 10:39 PM, Barry Leiba wrote: >>> The OAuth base doc refers in two places to TLS versions (with the same >>> text in both places: >>> >>> OLD >>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD >>> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY >>> support additional transport-layer mechanisms meeting its security >>> requirements. >>> >>> In both the shepherd review and the AD review, this was called into >>> question: >>> 1. MUST for an old version and SHOULD for the current version seems >>> wrong. >>> 2. Having specific versions required locks us into those versions (for >>> example, all implementations will have to support TLS 1.0, even long >>> after it becomes obsolete, unless we rev the spec. >> The comments I've gotten on this show a clear consensus against the >> change I suggest, and against any attempt to require a version of TLS >> other than 1.0. I still, though, am concerned that locking this spec >> into TLS 1.0 is limiting. So let me propose an alternative wording, >> which again tries to make the version(s) non-normative, while making >> it clear which version(s) need to be implemented to get >> interoperability: >> >> NEW >> -------------------------------------------- >> The authorization server MUST implement TLS. Which version(s) >> ought to be implemented will vary over time, and depend on >> the widespread deployment and known security vulnerabilities at >> the time of implementation. At the time of this writing, TLS version >> 1.2 [RFC5246] is the most recent version, but has very limited >> actual deployment, and might not be readily available in >> implementation toolkits. TLS version 1.0 [RFC2246] is the >> most widely deployed version, and will give the broadest >> interoperability. >> >> Servers MAY also implement additional transport-layer >> mechanisms that meet their security requirements. >> -------------------------------------------- >> >> Comments on this version? >> >> Barry >> > > Text is neutral enough for me as it's not mandating anything that isn't > readily available. Only comment is whether or not there is a need to > even talk about the specific versions or if just the following is enough: > > The authorization server MUST implement TLS. Which version(s) ought to > be implemented will vary over time, and depend on the widespread > deployment and known security vulnerabilities at the time of > implementation. > > Servers MAY also implement additional transport-layer mechanisms that > meet their security requirements. That seems fine to me. Peter -- Peter Saint-Andre https://stpeter.im/ From stephen.farrell@cs.tcd.ie Thu Dec 1 12:57:05 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C1B221F9473 for ; Thu, 1 Dec 2011 12:57:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r5M4RfO4u2IK for ; Thu, 1 Dec 2011 12:57:03 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 96D2021F9472 for ; Thu, 1 Dec 2011 12:57:03 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 5E4741541AF; Thu, 1 Dec 2011 20:57:02 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1322773022; bh=r0NKHjyWwbq2iO hxwXb6LBjj47+N90GA+PYWd1x+1/U=; b=e3j5WU9COxYMUGr6UBaibFXzAJv3b+ IOmLOhJ21FDVn3gcZ5Opxgjspi4GB4kws+ALZg7pjx1vgUGPHUfLRqnxqVtQ3ZOe P4IOBXoI+/+QD8sJ70M2vhwDfa/bOLkUNwKsXoFdoNXGS2cDBQS3wL0XRbtRTO+u MrAFxYYDDocrQarbIDnJG4B+HCImQHt5eFnYluXz1f3c9yiiCptRTurduBMHlZAO NmI3K5d7McalnRAmEzFF0t1B6h001vOlaltzIfBWYw7yjTQo8F8KrO1FInckcHzU 7gQVBQ6jDkEnUoomQiFY7Fr868WU7mZR/34gEXsky5ipeS2E75656yzQ== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id 9Z57Bc151wmm; Thu, 1 Dec 2011 20:57:02 +0000 (GMT) Received: from [10.87.48.9] (unknown [86.41.14.223]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 11A2E153C7E; Thu, 1 Dec 2011 20:57:00 +0000 (GMT) Message-ID: <4ED7EA1C.1040208@cs.tcd.ie> Date: Thu, 01 Dec 2011 20:57:00 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Peter Saint-Andre References: <4ED7DF0C.4000701@cdatazone.org> <4ED7DF3B.5010107@stpeter.im> In-Reply-To: <4ED7DF3B.5010107@stpeter.im> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Dec 2011 20:57:05 -0000 On 12/01/2011 08:10 PM, Peter Saint-Andre wrote: > On 12/1/11 1:09 PM, Rob Richards wrote: >> On 11/28/11 10:39 PM, Barry Leiba wrote: >>>> The OAuth base doc refers in two places to TLS versions (with the same >>>> text in both places: >>>> >>>> OLD >>>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD >>>> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY >>>> support additional transport-layer mechanisms meeting its security >>>> requirements. >>>> >>>> In both the shepherd review and the AD review, this was called into >>>> question: >>>> 1. MUST for an old version and SHOULD for the current version seems >>>> wrong. >>>> 2. Having specific versions required locks us into those versions (for >>>> example, all implementations will have to support TLS 1.0, even long >>>> after it becomes obsolete, unless we rev the spec. >>> The comments I've gotten on this show a clear consensus against the >>> change I suggest, and against any attempt to require a version of TLS >>> other than 1.0. I still, though, am concerned that locking this spec >>> into TLS 1.0 is limiting. So let me propose an alternative wording, >>> which again tries to make the version(s) non-normative, while making >>> it clear which version(s) need to be implemented to get >>> interoperability: >>> >>> NEW >>> -------------------------------------------- >>> The authorization server MUST implement TLS. Which version(s) >>> ought to be implemented will vary over time, and depend on >>> the widespread deployment and known security vulnerabilities at >>> the time of implementation. At the time of this writing, TLS version >>> 1.2 [RFC5246] is the most recent version, but has very limited >>> actual deployment, and might not be readily available in >>> implementation toolkits. TLS version 1.0 [RFC2246] is the >>> most widely deployed version, and will give the broadest >>> interoperability. >>> >>> Servers MAY also implement additional transport-layer >>> mechanisms that meet their security requirements. >>> -------------------------------------------- >>> >>> Comments on this version? >>> >>> Barry >>> >> >> Text is neutral enough for me as it's not mandating anything that isn't >> readily available. Only comment is whether or not there is a need to >> even talk about the specific versions or if just the following is enough: >> >> The authorization server MUST implement TLS. Which version(s) ought to >> be implemented will vary over time, and depend on the widespread >> deployment and known security vulnerabilities at the time of >> implementation. >> >> Servers MAY also implement additional transport-layer mechanisms that >> meet their security requirements. > > That seems fine to me. FWIW, I think I'd prefer Barry's as Rob's would be more likely to generate discusses and we do know that there are some security advantages to TLS 1.2 vs. 1.0. (BTW, has anyone considered how or if the BEAST attack might affect oauth? Be good to know if someone's done that analysis.) However, as AD, I could live with either, since lots of other specs just say TLS. (But you need to point to the latest RFC as normative or that will I bet generate discusses.) Cheers, S. > Peter > From stpeter@stpeter.im Thu Dec 1 12:59:19 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24AAE11E818E for ; Thu, 1 Dec 2011 12:59:19 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qKMlyJFqgbfc for ; Thu, 1 Dec 2011 12:59:18 -0800 (PST) Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 3B12011E818C for ; Thu, 1 Dec 2011 12:59:18 -0800 (PST) Received: from normz.cisco.com (unknown [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id AC71B4214C; Thu, 1 Dec 2011 14:06:17 -0700 (MST) Message-ID: <4ED7EAA2.40402@stpeter.im> Date: Thu, 01 Dec 2011 13:59:14 -0700 From: Peter Saint-Andre User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Stephen Farrell References: <4ED7DF0C.4000701@cdatazone.org> <4ED7DF3B.5010107@stpeter.im> <4ED7EA1C.1040208@cs.tcd.ie> In-Reply-To: <4ED7EA1C.1040208@cs.tcd.ie> X-Enigmail-Version: 1.3.3 OpenPGP: url=https://stpeter.im/stpeter.asc Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Dec 2011 20:59:19 -0000 On 12/1/11 1:57 PM, Stephen Farrell wrote: > > > On 12/01/2011 08:10 PM, Peter Saint-Andre wrote: >> On 12/1/11 1:09 PM, Rob Richards wrote: >>> On 11/28/11 10:39 PM, Barry Leiba wrote: >>>>> The OAuth base doc refers in two places to TLS versions (with the same >>>>> text in both places: >>>>> >>>>> OLD >>>>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD >>>>> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY >>>>> support additional transport-layer mechanisms meeting its security >>>>> requirements. >>>>> >>>>> In both the shepherd review and the AD review, this was called into >>>>> question: >>>>> 1. MUST for an old version and SHOULD for the current version seems >>>>> wrong. >>>>> 2. Having specific versions required locks us into those versions (for >>>>> example, all implementations will have to support TLS 1.0, even long >>>>> after it becomes obsolete, unless we rev the spec. >>>> The comments I've gotten on this show a clear consensus against the >>>> change I suggest, and against any attempt to require a version of TLS >>>> other than 1.0. I still, though, am concerned that locking this spec >>>> into TLS 1.0 is limiting. So let me propose an alternative wording, >>>> which again tries to make the version(s) non-normative, while making >>>> it clear which version(s) need to be implemented to get >>>> interoperability: >>>> >>>> NEW >>>> -------------------------------------------- >>>> The authorization server MUST implement TLS. Which version(s) >>>> ought to be implemented will vary over time, and depend on >>>> the widespread deployment and known security vulnerabilities at >>>> the time of implementation. At the time of this writing, TLS version >>>> 1.2 [RFC5246] is the most recent version, but has very limited >>>> actual deployment, and might not be readily available in >>>> implementation toolkits. TLS version 1.0 [RFC2246] is the >>>> most widely deployed version, and will give the broadest >>>> interoperability. >>>> >>>> Servers MAY also implement additional transport-layer >>>> mechanisms that meet their security requirements. >>>> -------------------------------------------- >>>> >>>> Comments on this version? >>>> >>>> Barry >>>> >>> >>> Text is neutral enough for me as it's not mandating anything that isn't >>> readily available. Only comment is whether or not there is a need to >>> even talk about the specific versions or if just the following is >>> enough: >>> >>> The authorization server MUST implement TLS. Which version(s) ought to >>> be implemented will vary over time, and depend on the widespread >>> deployment and known security vulnerabilities at the time of >>> implementation. >>> >>> Servers MAY also implement additional transport-layer mechanisms that >>> meet their security requirements. >> >> That seems fine to me. > > FWIW, I think I'd prefer Barry's as Rob's would be more likely > to generate discusses and we do know that there are some security > advantages to TLS 1.2 vs. 1.0. (BTW, has anyone considered how > or if the BEAST attack might affect oauth? Be good to know if > someone's done that analysis.) > > However, as AD, I could live with either, since lots of other > specs just say TLS. (But you need to point to the latest RFC as > normative or that will I bet generate discusses.) Agreed. Peter -- Peter Saint-Andre https://stpeter.im/ From stephen.farrell@cs.tcd.ie Thu Dec 1 13:25:46 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA4F61F0C91 for ; Thu, 1 Dec 2011 13:25:46 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qN3BivCTYiq2 for ; Thu, 1 Dec 2011 13:25:46 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id EAAA81F0C89 for ; Thu, 1 Dec 2011 13:25:45 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 592361541AF; Thu, 1 Dec 2011 21:25:45 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1322774744; bh=PaEFVCpVz9tgvo V6vBZY9S8QCPaSjIaudMV0Vft+xPs=; b=E//G6WrJ9uWuypmdbpYxpxjnJlOj/G 5d3pzA+LCG3tlyqJd8hXru0gl5AJsk6+zaInRBxMdA/uT3BgKEoSh19dbJRCVs2o fK35L+nQW/yrUJnfh7rOEzAUhBaTMn1Wfqw/ZpEYK+ToSO8UCkVXoEa2YnqcoXyJ PgP/9TQvGadOtbLI05zB9r8F/Pfybx/VWN+2hW0pZ3x5w4xXg2Lpy1gZcTiZcgvm uXhKRyL9f7rK7AAapc8g2AD86c0+O/tRBZk2+PPU3r2RLxolRNYbNQtdL46AIKy/ MTbnxRfTsvj8YmIsMpq01rRjK45nePDuOWm7IKwydiFEDND3IzAP6bBg== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id mnUZkONZ6cCE; Thu, 1 Dec 2011 21:25:44 +0000 (GMT) Received: from [10.87.48.9] (unknown [86.41.14.223]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id BB2BA153C7E; Thu, 1 Dec 2011 21:25:44 +0000 (GMT) Message-ID: <4ED7F0D8.6010703@cs.tcd.ie> Date: Thu, 01 Dec 2011 21:25:44 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Barry Leiba References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Dec 2011 21:25:47 -0000 Barry, all, First, apologies for being so slow responding, various travels got in the way. I hope we can quickly resolve this now. Bit of process first: at the meeting we discussed this and at the end of that discussion, there were quite a few more folks for the "pick one" position. People who favour that outcome and really care about that need to speak up on the list, since the list consensus trumps the sense of the room in the chairs' evaluation of the WG consensus. Second, at the meeting I said that I'd like to see either MAC or bearer picked as MTI, and if not, that I want the draft to say why its ok to have no MTI token type. So the WG either need to pick one, or else explicitly and convincingly justify not picking one. That's the "firm" AD position to which Barry referred. (I didn't properly call out the "if not" part of that in my AD review, sorry.) My own argument for picking one is simple: if every relevant piece of code has to know how to handle one then it becomes easier to get interop. If everyone decides for themselves then interop is less likely since there are currently two choices and may be more in future. I do realise that the background here and current practice is that code tends to be written that is specific to a resource server (or however that's best phrased) but that's maybe where the IETF differs from the community that produced OAuth - here we want two independent implementers who've never talked to produce code that interops even so. I also realise that that's not the full story for getting interop with OAuth and that more is needed. However, this aspect is otherwise fully specified and so I don't buy the argument that this isn't worth doing just because we don't have the full registration story etc. figured out. If we don't sort this out now, then later specs will have to update this one in this respect. possibly making existing code "non-compliant" in some sense, so just going ahead and doing it right now is better. So, pick one (my strong personal preference) or establish and document why you're not picking one seem to me to be the choices available. Regards, Stephen. On 11/17/2011 08:28 AM, Barry Leiba wrote: > Stephen, as AD, brought up the question of mandatory-to-implement > token types, in the IETF 82 meeting. There was some extended > discussion on the point: > > - Stephen is firm in his belief that it's necessary for > interoperability. He notes that mandatory to *implement* is not the > same as mandatory to *use*. > - Several participants believe that without a mechanism for requesting > or negotiating a token type, there is no value in having any type be > mandatory to implement. > > Stephen is happy to continue the discussion on the list, and make his > point clear. In any case, there was clear consensus in the room that > we *should* specify a mandatory-to-implement type, and that that type > be bearer tokens. This would be specified in the base document, and > would make a normative reference from the base doc to the bearer token > doc. > > We need to confirm that consensus on the mailing list, so this starts > the discussion. Let's work on resolving this over the next week or > so, and moving forward: > > 1. Should we specify some token type as mandatory to implement? Why > or why not (*briefly*)? > > 2. If we do specify one, which token type should it be? > > Barry, as chair > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > From jricher@mitre.org Thu Dec 1 14:52:38 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EDF21F0CC7 for ; Thu, 1 Dec 2011 14:52:38 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.598 X-Spam-Level: X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iC74+ugXtEq8 for ; Thu, 1 Dec 2011 14:52:37 -0800 (PST) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id AE1DC1F0CC6 for ; Thu, 1 Dec 2011 14:52:37 -0800 (PST) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id E5AAF21B0CCE for ; Thu, 1 Dec 2011 17:52:36 -0500 (EST) Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtpksrv1.mitre.org (Postfix) with ESMTP id D3FB221B06F6 for ; Thu, 1 Dec 2011 17:52:36 -0500 (EST) Received: from [129.83.50.8] (129.83.50.8) by imchub1.MITRE.ORG (129.83.29.73) with Microsoft SMTP Server (TLS) id 8.3.192.1; Thu, 1 Dec 2011 17:52:37 -0500 Message-ID: <4ED80528.3070103@mitre.org> Date: Thu, 1 Dec 2011 17:52:24 -0500 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0 MIME-Version: 1.0 To: References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF0@P3PW5EX1MB01.EX1.SECURESERVER.NET> In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF0@P3PW5EX1MB01.EX1.SECURESERVER.NET> Content-Type: multipart/alternative; boundary="------------080209060400010801010405" Subject: Re: [OAUTH-WG] MAC Cookies X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Dec 2011 22:52:38 -0000 --------------080209060400010801010405 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit +1 to dropping cookies. On 11/19/2011 10:33 AM, Eran Hammer-Lahav wrote: > > I would like to drop the cookies support defined in the MAC document > due to lack of interest from the browser vendors. At this point it is > most likely going to be an unimplemented proposal. If there is > interest in the future, it can be proposed in a separate document. > This will allow us to bring this work to a quick conclusion. > > Any objections? > > EHL > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------080209060400010801010405 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit +1 to dropping cookies.

On 11/19/2011 10:33 AM, Eran Hammer-Lahav wrote:

I would like to drop the cookies support defined in the MAC document due to lack of interest from the browser vendors. At this point it is most likely going to be an unimplemented proposal. If there is interest in the future, it can be proposed in a separate document. This will allow us to bring this work to a quick conclusion.

 

Any objections?

 

EHL



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------080209060400010801010405-- From wmills@yahoo-inc.com Thu Dec 1 15:37:10 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9332A11E80CC for ; Thu, 1 Dec 2011 15:37:10 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -17.357 X-Spam-Level: X-Spam-Status: No, score=-17.357 tagged_above=-999 required=5 tests=[AWL=0.241, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5eL7vqaFr1BY for ; Thu, 1 Dec 2011 15:37:09 -0800 (PST) Received: from nm13-vm2.bullet.mail.ne1.yahoo.com (nm13-vm2.bullet.mail.ne1.yahoo.com [98.138.91.89]) by ietfa.amsl.com (Postfix) with SMTP id 8297211E80B6 for ; Thu, 1 Dec 2011 15:37:09 -0800 (PST) Received: from [98.138.90.56] by nm13.bullet.mail.ne1.yahoo.com with NNFMP; 01 Dec 2011 23:37:04 -0000 Received: from [98.138.89.234] by tm9.bullet.mail.ne1.yahoo.com with NNFMP; 01 Dec 2011 23:37:04 -0000 Received: from [127.0.0.1] by omp1049.mail.ne1.yahoo.com with NNFMP; 01 Dec 2011 23:37:04 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 723212.6993.bm@omp1049.mail.ne1.yahoo.com Received: (qmail 25779 invoked by uid 60001); 1 Dec 2011 23:37:04 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1322782624; bh=2SacPa8HtiriRqf+aw0iuwZOh3TaDdxcyNpDDAeDgyg=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=KoTwX2I80rykurRTym1AUu17Yb3O2ZDUlISLc5MPjFKYCvacK3DkDjK+GT7hoYuQhZVE/VhUln4FMyGbHvs16uNleZ8e6FNqSgQP+6QK7iXCBm0Wlv2TL/P5c9+bjMYek/xUCQ+X5z7mRIS5Zd6+d7ulCliyltu9eOL0Emspg8g= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=VjOUjjZFjqS2NbDy56BUfOzLSUggI8L1gH7zvlqTz+c+NVqZFF8a+R2DYikoYbO8Nop7VT2XpY092GSkrul9Uc3DISCkVzMMpjsaNlcXXvM+hwpY8udVg422Eh6vqeYaxzAgme0HhmBxFuuibwFKd6a47Fy2xxyUA+zTWy0drjk=; X-YMail-OSG: TnCrXaYVM1kDSK.u1Wh8Pj0s99rJa4.vbLyXb_o3JKTaVn5 dL7fU20A5jHndsSbJKxDQljT_dhhU5Sxu.SDxkyqZYtivvAS04k3azIGcvVx iBUM9.xGUaei11x9sWYTZ6g8tv5SQsdzQLtzgVWT8XtVbnVfwEkc8XaRxiRR o1Z5FKKCBp5y5VHMSchGxkPIAEc6lkhQHM6NyZ6JpkKD1H1.t_DA99IpyoIz hWWUnMIWwugOfX3oIXuEm2es7Tm3SS.pq2y5S.pyyH3PIMrN91PReoIbI01T tLriuB9339xfADWCG3Mtb_UtTPANTa4CyIGU0FOsTTjTM2KyJSTtChXALsCN MwEXnPtvhAw9cipdV0HXjZsqRjt9wTIIqicw_SDmy_J2GtdGHlK3yX_wAUsf Tw6QNbAnOV.zM5_E59ivz55kI2joiBuJnPDgnvp7UtQ-- Received: from [209.131.62.113] by web31813.mail.mud.yahoo.com via HTTP; Thu, 01 Dec 2011 15:37:04 PST X-RocketYMMF: william_john_mills X-Mailer: YahooMailWebService/0.8.116.331537 References: <4ED7F0D8.6010703@cs.tcd.ie> Message-ID: <1322782624.25300.YahooMailNeo@web31813.mail.mud.yahoo.com> Date: Thu, 1 Dec 2011 15:37:04 -0800 (PST) From: William Mills To: Stephen Farrell , Barry Leiba In-Reply-To: <4ED7F0D8.6010703@cs.tcd.ie> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="767760015-2036876281-1322782624=:25300" Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: William Mills List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Dec 2011 23:37:10 -0000 --767760015-2036876281-1322782624=:25300 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Re: "So, pick one (my strong personal preference) or establish and=0Adocume= nt why you're not picking one seem to me to be the choices=0Aavailable."=0A= =0AWe don't have discovery done (enough) yet to lean on it in the core spec= , but if we did I'd be in favor of something that says that you must implem= ent either an MTI token OR a discovery mechanism that advertises at least o= ne token.=A0 Would that be workable?=A0 =0A=0A=0AWe could bang on the disco= very stuff in pretty short order I think if we needed to.=0A=0A-bill=0A=0A= =0A=0A________________________________=0A From: Stephen Farrell =0ATo: Barry Leiba =0ACc: oauth W= G =0ASent: Thursday, December 1, 2011 1:25 PM=0ASubject: R= e: [OAUTH-WG] Mandatory-to-implement token type=0A =0A=0ABarry, all,=0A=0AF= irst, apologies for being so slow responding, various=0Atravels got in the = way. I hope we can quickly resolve this now.=0A=0ABit of process first: at = the meeting we discussed this and at the=0Aend of that discussion, there we= re quite a few more folks for the=0A"pick one" position. People who favour = that outcome and really=0Acare about that need to speak up on the list, sin= ce the list=0Aconsensus trumps the sense of the room in the chairs' evaluat= ion=0Aof the WG consensus.=0A=0ASecond, at the meeting I said that I'd like= to see either MAC or=0Abearer picked as MTI, and if not, that I want the d= raft to say=0Awhy its ok to have no MTI token type. So the WG either need t= o=0Apick one, or else explicitly and convincingly justify not=0Apicking one= . That's the "firm" AD position to which Barry=0Areferred. (I didn't proper= ly call out the "if not" part of=0Athat in my AD review, sorry.)=0A=0AMy ow= n argument for picking one is simple: if every relevant=0Apiece of code has= to know how to handle one then it becomes=0Aeasier to get interop. If ever= yone decides for themselves=0Athen interop is less likely since there are c= urrently two=0Achoices and may be more in future.=0A=0AI do realise that th= e background here and current practice=0Ais that code tends to be written t= hat is specific to a=0Aresource server (or however that's best phrased) but= that's=0Amaybe where the IETF differs from the community that produced=0AO= Auth - here we want two independent implementers who've=0Anever talked to p= roduce code that interops even so.=0A=0AI also realise that that's not the = full story for getting=0Ainterop with OAuth and that more is needed. Howeve= r, this=0Aaspect is otherwise fully specified and so I don't buy the=0Aargu= ment that this isn't worth doing just because we don't=0Ahave the full regi= stration story etc. figured out. If we don't=0Asort this out now, then late= r specs will have to update=0Athis one in this respect. possibly making exi= sting code=0A"non-compliant" in some sense, so just going ahead and doing= =0Ait right now is better.=0A=0ASo, pick one (my strong personal preference= ) or establish and=0Adocument why you're not picking one seem to me to be t= he choices=0Aavailable.=0A=0ARegards,=0AStephen.=0A=0A=0AOn 11/17/2011 08:2= 8 AM, Barry Leiba wrote:=0A> Stephen, as AD, brought up the question of man= datory-to-implement=0A> token types, in the IETF 82 meeting.=A0 There was s= ome extended=0A> discussion on the point:=0A>=0A> - Stephen is firm in his = belief that it's necessary for=0A> interoperability.=A0 He notes that manda= tory to *implement* is not the=0A> same as mandatory to *use*.=0A> - Severa= l participants believe that without a mechanism for requesting=0A> or negot= iating a token type, there is no value in having any type be=0A> mandatory = to implement.=0A>=0A> Stephen is happy to continue the discussion on the li= st, and make his=0A> point clear.=A0 In any case, there was clear consensus= in the room that=0A> we *should* specify a mandatory-to-implement type, an= d that that type=0A> be bearer tokens.=A0 This would be specified in the ba= se document, and=0A> would make a normative reference from the base doc to = the bearer token=0A> doc.=0A>=0A> We need to confirm that consensus on the = mailing list, so this starts=0A> the discussion.=A0 Let's work on resolving= this over the next week or=0A> so, and moving forward:=0A>=0A> 1. Should w= e specify some token type as mandatory to implement?=A0 Why=0A> or why not = (*briefly*)?=0A>=0A> 2. If we do specify one, which token type should it be= ?=0A>=0A> Barry, as chair=0A> _____________________________________________= __=0A> OAuth mailing list=0A> OAuth@ietf.org=0A> https://www.ietf.org/mailm= an/listinfo/oauth=0A>=0A_______________________________________________=0AO= Auth mailing list=0AOAuth@ietf.org=0Ahttps://www.ietf.org/mailman/listinfo/= oauth --767760015-2036876281-1322782624=:25300 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
Re: "So, pick one (my strong personal preference) or establish and=
document why you're not picking one seem to me to be the choices
ava= ilable."

We don't have discovery done (enough) yet= to lean on it in the core spec, but if we did I'd be in favor of something= that says that you must implement either an MTI token OR a discovery mecha= nism that advertises at least one token.  Would that be workable? = ;

We could bang on the discovery stuff in pre= tty short order I think if we needed to.

-bill
=

From: Stephen Farrell <stephen.farrell@cs.tcd.ie> To: Barry Leiba <bar= ryleiba@computer.org>
Cc: oauth WG <oauth@ietf.org>
Sent: Thursday, December 1, 2011 1:25 PM
Subject: Re: [OAUTH-WG] Mandatory-to-i= mplement token type
=0A
Barry, all,

First, apolog= ies for being so slow responding, various
travels got in the way. I hope= we can quickly resolve this now.

Bit of process first: at the meeti= ng we discussed this and at the
end of that discussion, there were quite= a few more folks for the
"pick one" position. People who favour that ou= tcome and really
care about that need to speak up on the list, since the= list
consensus trumps the sense of the room in the chairs' evaluationof the WG consensus.

Second, at the meeting I said that I'd like t= o see either MAC or
bearer picked as MTI, and if not, that I want the dr= aft to say
why its ok to have no MTI token type. So the WG either need t= o
pick one, or else explicitly and convincingly justify not
picking o= ne. That's the "firm" AD position to which Barry
referred. (I didn't pro= perly call out the "if not" part of
that in my AD review, sorry.)
My own argument for picking one is simple: if every relevant
piece of code has to know how to handle on= e then it becomes
easier to get interop. If everyone decides for themsel= ves
then interop is less likely since there are currently two
choices= and may be more in future.

I do realise that the background here an= d current practice
is that code tends to be written that is specific to = a
resource server (or however that's best phrased) but that's
maybe w= here the IETF differs from the community that produced
OAuth - here we w= ant two independent implementers who've
never talked to produce code tha= t interops even so.

I also realise that that's not the full story fo= r getting
interop with OAuth and that more is needed. However, this
a= spect is otherwise fully specified and so I don't buy the
argument that = this isn't worth doing just because we don't
have the full registration = story etc. figured out. If we don't
sort this out now, then later specs will have to update
this one in this respect. possibly making exi= sting code
"non-compliant" in some sense, so just going ahead and doing<= br>it right now is better.

So, pick one (my strong personal preferen= ce) or establish and
document why you're not picking one seem to me to b= e the choices
available.

Regards,
Stephen.


On 11/17= /2011 08:28 AM, Barry Leiba wrote:
> Stephen, as AD, brought up the q= uestion of mandatory-to-implement
> token types, in the IETF 82 meeti= ng.  There was some extended
> discussion on the point:
><= br>> - Stephen is firm in his belief that it's necessary for
> int= eroperability.  He notes that mandatory to *implement* is not the
&= gt; same as mandatory to *use*.
> - Several participants believe that= without a mechanism for requesting
> or negotiating a token type, th= ere is no value in having any type be
> mandatory to implement.
>
> Stephen is happy to continue the discussion on = the list, and make his
> point clear.  In any case, there was cl= ear consensus in the room that
> we *should* specify a mandatory-to-i= mplement type, and that that type
> be bearer tokens.  This woul= d be specified in the base document, and
> would make a normative ref= erence from the base doc to the bearer token
> doc.
>
> W= e need to confirm that consensus on the mailing list, so this starts
>= ; the discussion.  Let's work on resolving this over the next week or<= br>> so, and moving forward:
>
> 1. Should we specify some t= oken type as mandatory to implement?  Why
> or why not (*briefly= *)?
>
> 2. If we do specify one, which token type should it be?=
>
> Barry, as chair
> __________________________________= _____________
> OAuth mailing list
> OAuth@iet= f.org
> https://www.ietf.org/mailman/listinfo/oauth
>_______________________________________________
OAuth mailing list
<= a ymailto=3D"mailto:OAuth@ietf.org" href=3D"mailto:OAuth@ietf.org">OAuth@ie= tf.org
https://www.ietf.org/mailman/listinfo/oauth


--767760015-2036876281-1322782624=:25300-- From phil.hunt@oracle.com Thu Dec 1 16:23:57 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DA0D21F959F for ; Thu, 1 Dec 2011 16:23:56 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eT-mLr9n2aHb for ; Thu, 1 Dec 2011 16:23:55 -0800 (PST) Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id 2554F21F959E for ; Thu, 1 Dec 2011 16:23:52 -0800 (PST) Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pB20Nkb2026445 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 2 Dec 2011 00:23:47 GMT Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id pB20Njpt010537 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 2 Dec 2011 00:23:46 GMT Received: from abhmt104.oracle.com (abhmt104.oracle.com [141.146.116.56]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id pB20NejW016781; Thu, 1 Dec 2011 18:23:40 -0600 Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 01 Dec 2011 16:23:38 -0800 Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=us-ascii From: Phil Hunt In-Reply-To: <4ED7F0D8.6010703@cs.tcd.ie> Date: Thu, 1 Dec 2011 16:23:38 -0800 Content-Transfer-Encoding: quoted-printable Message-Id: <17870960-E739-40BC-B2C1-EB93507F34EA@oracle.com> References: <4ED7F0D8.6010703@cs.tcd.ie> To: Stephen Farrell X-Mailer: Apple Mail (2.1251.1) X-Source-IP: ucsinet21.oracle.com [156.151.31.93] X-CT-RefId: str=0001.0A090203.4ED81A94.000A,ss=1,re=0.000,fgs=0 Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 00:23:57 -0000 Because different token types have distinct advantages in different = scenarios, choosing a single MTI would be difficult. E.g. MAC tokens = work well for non-TLS protected resources. Bearer tokens in contrast = are easier to use, but require TLS protected service to avoid = theft-of-credential. Even at this level, site security policies will = simply override whatever is stated in the specification and choose one = type only.=20 Having multiple MTIs, suggests choice and that causes other problems. = What happens when a client wants to use a bearer token over an = unprotected connection? How does the client discover what can be used = and when? The approach we have now where the Token specification defines interop = requirements and a profile for use with OAuth2 seems to be a good way to = go. Phil @independentid www.independentid.com phil.hunt@oracle.com On 2011-12-01, at 1:25 PM, Stephen Farrell wrote: >=20 > Barry, all, >=20 > First, apologies for being so slow responding, various > travels got in the way. I hope we can quickly resolve this now. >=20 > Bit of process first: at the meeting we discussed this and at the > end of that discussion, there were quite a few more folks for the > "pick one" position. People who favour that outcome and really > care about that need to speak up on the list, since the list > consensus trumps the sense of the room in the chairs' evaluation > of the WG consensus. >=20 > Second, at the meeting I said that I'd like to see either MAC or > bearer picked as MTI, and if not, that I want the draft to say > why its ok to have no MTI token type. So the WG either need to > pick one, or else explicitly and convincingly justify not > picking one. That's the "firm" AD position to which Barry > referred. (I didn't properly call out the "if not" part of > that in my AD review, sorry.) >=20 > My own argument for picking one is simple: if every relevant > piece of code has to know how to handle one then it becomes > easier to get interop. If everyone decides for themselves > then interop is less likely since there are currently two > choices and may be more in future. >=20 > I do realise that the background here and current practice > is that code tends to be written that is specific to a > resource server (or however that's best phrased) but that's > maybe where the IETF differs from the community that produced > OAuth - here we want two independent implementers who've > never talked to produce code that interops even so. >=20 > I also realise that that's not the full story for getting > interop with OAuth and that more is needed. However, this > aspect is otherwise fully specified and so I don't buy the > argument that this isn't worth doing just because we don't > have the full registration story etc. figured out. If we don't > sort this out now, then later specs will have to update > this one in this respect. possibly making existing code > "non-compliant" in some sense, so just going ahead and doing > it right now is better. >=20 > So, pick one (my strong personal preference) or establish and > document why you're not picking one seem to me to be the choices > available. >=20 > Regards, > Stephen. >=20 >=20 > On 11/17/2011 08:28 AM, Barry Leiba wrote: >> Stephen, as AD, brought up the question of mandatory-to-implement >> token types, in the IETF 82 meeting. There was some extended >> discussion on the point: >>=20 >> - Stephen is firm in his belief that it's necessary for >> interoperability. He notes that mandatory to *implement* is not the >> same as mandatory to *use*. >> - Several participants believe that without a mechanism for = requesting >> or negotiating a token type, there is no value in having any type be >> mandatory to implement. >>=20 >> Stephen is happy to continue the discussion on the list, and make his >> point clear. In any case, there was clear consensus in the room that >> we *should* specify a mandatory-to-implement type, and that that type >> be bearer tokens. This would be specified in the base document, and >> would make a normative reference from the base doc to the bearer = token >> doc. >>=20 >> We need to confirm that consensus on the mailing list, so this starts >> the discussion. Let's work on resolving this over the next week or >> so, and moving forward: >>=20 >> 1. Should we specify some token type as mandatory to implement? Why >> or why not (*briefly*)? >>=20 >> 2. If we do specify one, which token type should it be? >>=20 >> Barry, as chair >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >>=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From stephen.farrell@cs.tcd.ie Thu Dec 1 17:19:38 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6601B11E807F for ; Thu, 1 Dec 2011 17:19:38 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.587 X-Spam-Level: X-Spam-Status: No, score=-102.587 tagged_above=-999 required=5 tests=[AWL=0.012, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CjcDqO6ZCnyN for ; Thu, 1 Dec 2011 17:19:37 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 1CE5F11E80A2 for ; Thu, 1 Dec 2011 17:19:36 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 7F9121541AF; Fri, 2 Dec 2011 01:19:35 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1322788774; bh=QC/PLK4DMlPxPa wG4BqIe7gqOnB4WW9IgCVLSCmDew4=; b=hke0Au4BSy7DmVFMkKdjts0VPCEKXq fMLcJ6zqFLRlIVdhYsh6pjLuPUHQrVgW7+5E7RN//Pv0PXH8CDlW7/ULdGt1mDCq mIxgyVnRbHgrQXgARnI5pyxH8b6NivrFxz4iB8kqlqABhKUvDiCgkIE0uvaKKcYU b0UCRoayB//Wt/1vxG+JRjUYrxqSsGty+hk3awvXTeyAziqAziTtwxio73bYtNfK tVYGwOkhD3+XdUL/OHY3WUxp9itFd+HPts3iPiUNOedaZ78tK+NDuDvkU7jSK3zb upc6eo0ariXVI+w5a20oxmRP/pIkDpBMLMzPkm9JwiQLtrGdo4u67KGA== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id NHGzYU-Mt5cK; Fri, 2 Dec 2011 01:19:34 +0000 (GMT) Received: from [10.87.48.9] (unknown [86.41.14.223]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 410D9153C7E; Fri, 2 Dec 2011 01:19:33 +0000 (GMT) Message-ID: <4ED827A4.7070802@cs.tcd.ie> Date: Fri, 02 Dec 2011 01:19:32 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: William Mills References: <4ED7F0D8.6010703@cs.tcd.ie> <1322782624.25300.YahooMailNeo@web31813.mail.mud.yahoo.com> In-Reply-To: <1322782624.25300.YahooMailNeo@web31813.mail.mud.yahoo.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 01:19:38 -0000 On 12/01/2011 11:37 PM, William Mills wrote: > Re: "So, pick one (my strong personal preference) or establish and > document why you're not picking one seem to me to be the choices > available." > > We don't have discovery done (enough) yet to lean on it in the core spec, but if we did I'd be in favor of something that says that you must implement either an MTI token OR a discovery mechanism that advertises at least one token. Would that be workable? Might be, but I think the "if we did" says timing is against that argument. > We could bang on the discovery stuff in pretty short order I think if we needed to. Really? Doesn't the WG first need to recharter? We're talking about how to get the base spec to be an RFC right now, which is a shorter term thing IMO. S. > > -bill > > > > ________________________________ > From: Stephen Farrell > To: Barry Leiba > Cc: oauth WG > Sent: Thursday, December 1, 2011 1:25 PM > Subject: Re: [OAUTH-WG] Mandatory-to-implement token type > > > Barry, all, > > First, apologies for being so slow responding, various > travels got in the way. I hope we can quickly resolve this now. > > Bit of process first: at the meeting we discussed this and at the > end of that discussion, there were quite a few more folks for the > "pick one" position. People who favour that outcome and really > care about that need to speak up on the list, since the list > consensus trumps the sense of the room in the chairs' evaluation > of the WG consensus. > > Second, at the meeting I said that I'd like to see either MAC or > bearer picked as MTI, and if not, that I want the draft to say > why its ok to have no MTI token type. So the WG either need to > pick one, or else explicitly and convincingly justify not > picking one. That's the "firm" AD position to which Barry > referred. (I didn't properly call out the "if not" part of > that in my AD review, sorry.) > > My own argument for picking one is simple: if every relevant > piece of code has to know how to handle one then it becomes > easier to get interop. If everyone decides for themselves > then interop is less likely since there are currently two > choices and may be more in future. > > I do realise that the background here and current practice > is that code tends to be written that is specific to a > resource server (or however that's best phrased) but that's > maybe where the IETF differs from the community that produced > OAuth - here we want two independent implementers who've > never talked to produce code that interops even so. > > I also realise that that's not the full story for getting > interop with OAuth and that more is needed. However, this > aspect is otherwise fully specified and so I don't buy the > argument that this isn't worth doing just because we don't > have the full registration story etc. figured out. If we don't > sort this out now, then later specs will have to update > this one in this respect. possibly making existing code > "non-compliant" in some sense, so just going ahead and doing > it right now is better. > > So, pick one (my strong personal preference) or establish and > document why you're not picking one seem to me to be the choices > available. > > Regards, > Stephen. > > > On 11/17/2011 08:28 AM, Barry Leiba wrote: >> Stephen, as AD, brought up the question of mandatory-to-implement >> token types, in the IETF 82 meeting. There was some extended >> discussion on the point: >> >> - Stephen is firm in his belief that it's necessary for >> interoperability. He notes that mandatory to *implement* is not the >> same as mandatory to *use*. >> - Several participants believe that without a mechanism for requesting >> or negotiating a token type, there is no value in having any type be >> mandatory to implement. >> >> Stephen is happy to continue the discussion on the list, and make his >> point clear. In any case, there was clear consensus in the room that >> we *should* specify a mandatory-to-implement type, and that that type >> be bearer tokens. This would be specified in the base document, and >> would make a normative reference from the base doc to the bearer token >> doc. >> >> We need to confirm that consensus on the mailing list, so this starts >> the discussion. Let's work on resolving this over the next week or >> so, and moving forward: >> >> 1. Should we specify some token type as mandatory to implement? Why >> or why not (*briefly*)? >> >> 2. If we do specify one, which token type should it be? >> >> Barry, as chair >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From stephen.farrell@cs.tcd.ie Thu Dec 1 17:23:33 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 271E911E80BA for ; Thu, 1 Dec 2011 17:23:33 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.588 X-Spam-Level: X-Spam-Status: No, score=-102.588 tagged_above=-999 required=5 tests=[AWL=0.011, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iW6YVkG2LDIm for ; Thu, 1 Dec 2011 17:23:32 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id E173611E807F for ; Thu, 1 Dec 2011 17:23:31 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 2128F1541AF; Fri, 2 Dec 2011 01:23:31 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1322789010; bh=78vrhZRYRKvwJO CXn0fvqzgHLpVkgas3twpiFiPYySE=; b=f8+gGdZqOtEq9i31yZvGQixSYiY0T1 cJSYxqtUgGy1k7nbCuePQfGctEvc2t1YTgjl6mO3wSNH3lG/lCGI3pw6zgpOh3qv O48Snk3GBOFqkVj2OLmE+FhsgFsjbmzTH6gwWcAiM/WzHYMBBpvC2ugwFgEPnaHw Ht1ZukMo4JdjXDMIZ5dWf/AsJWLHiYQXnC2o8jhqEW8+qvRI5aRBvf/CflV/ee4A yjztmW1A9tQg/oBk5Ai8vbmb866RY+JCaUEUYVLqA5tqsLPq9jI9twde9kbc1lzB EGqDkqMNtTRbhboaxObtb/n4iYoeMv+L3zYf3eQBC4MTkBpwWEEIjbug== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id yyAsKneyHjEt; Fri, 2 Dec 2011 01:23:30 +0000 (GMT) Received: from [10.87.48.9] (unknown [86.41.14.223]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 03F57153C7E; Fri, 2 Dec 2011 01:23:26 +0000 (GMT) Message-ID: <4ED8288E.90101@cs.tcd.ie> Date: Fri, 02 Dec 2011 01:23:26 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Phil Hunt References: <4ED7F0D8.6010703@cs.tcd.ie> <17870960-E739-40BC-B2C1-EB93507F34EA@oracle.com> In-Reply-To: <17870960-E739-40BC-B2C1-EB93507F34EA@oracle.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 01:23:33 -0000 On 12/02/2011 12:23 AM, Phil Hunt wrote: > Because different token types have distinct advantages in different scenarios, choosing a single MTI would be difficult. I just don't get that. Why is it somehow difficult to pick one but at the same time easy to implement any? > E.g. MAC tokens work well for non-TLS protected resources. Bearer tokens in contrast are easier to use, but require TLS protected service to avoid theft-of-credential. So picking is a nuisance sure. But it helps interop. > Even at this level, site security policies will simply override whatever is stated in the specification and choose one type only. Yes, but those policies will be affected by what's available in the running code. I'd like if what's available was known when the coder says "we implement RFC " > Having multiple MTIs, suggests choice and that causes other problems. What happens when a client wants to use a bearer token over an unprotected connection? How does the client discover what can be used and when? Having no MTI causes identical problems. > The approach we have now where the Token specification defines interop requirements and a profile for use with OAuth2 seems to be a good way to go. We disagree about that I guess. To me it seems a peculiar way to go unless one assumes that coders write code that's specific to a specific service provider. S. > Phil > > @independentid > www.independentid.com > phil.hunt@oracle.com > > > > > > On 2011-12-01, at 1:25 PM, Stephen Farrell wrote: > >> >> Barry, all, >> >> First, apologies for being so slow responding, various >> travels got in the way. I hope we can quickly resolve this now. >> >> Bit of process first: at the meeting we discussed this and at the >> end of that discussion, there were quite a few more folks for the >> "pick one" position. People who favour that outcome and really >> care about that need to speak up on the list, since the list >> consensus trumps the sense of the room in the chairs' evaluation >> of the WG consensus. >> >> Second, at the meeting I said that I'd like to see either MAC or >> bearer picked as MTI, and if not, that I want the draft to say >> why its ok to have no MTI token type. So the WG either need to >> pick one, or else explicitly and convincingly justify not >> picking one. That's the "firm" AD position to which Barry >> referred. (I didn't properly call out the "if not" part of >> that in my AD review, sorry.) >> >> My own argument for picking one is simple: if every relevant >> piece of code has to know how to handle one then it becomes >> easier to get interop. If everyone decides for themselves >> then interop is less likely since there are currently two >> choices and may be more in future. >> >> I do realise that the background here and current practice >> is that code tends to be written that is specific to a >> resource server (or however that's best phrased) but that's >> maybe where the IETF differs from the community that produced >> OAuth - here we want two independent implementers who've >> never talked to produce code that interops even so. >> >> I also realise that that's not the full story for getting >> interop with OAuth and that more is needed. However, this >> aspect is otherwise fully specified and so I don't buy the >> argument that this isn't worth doing just because we don't >> have the full registration story etc. figured out. If we don't >> sort this out now, then later specs will have to update >> this one in this respect. possibly making existing code >> "non-compliant" in some sense, so just going ahead and doing >> it right now is better. >> >> So, pick one (my strong personal preference) or establish and >> document why you're not picking one seem to me to be the choices >> available. >> >> Regards, >> Stephen. >> >> >> On 11/17/2011 08:28 AM, Barry Leiba wrote: >>> Stephen, as AD, brought up the question of mandatory-to-implement >>> token types, in the IETF 82 meeting. There was some extended >>> discussion on the point: >>> >>> - Stephen is firm in his belief that it's necessary for >>> interoperability. He notes that mandatory to *implement* is not the >>> same as mandatory to *use*. >>> - Several participants believe that without a mechanism for requesting >>> or negotiating a token type, there is no value in having any type be >>> mandatory to implement. >>> >>> Stephen is happy to continue the discussion on the list, and make his >>> point clear. In any case, there was clear consensus in the room that >>> we *should* specify a mandatory-to-implement type, and that that type >>> be bearer tokens. This would be specified in the base document, and >>> would make a normative reference from the base doc to the bearer token >>> doc. >>> >>> We need to confirm that consensus on the mailing list, so this starts >>> the discussion. Let's work on resolving this over the next week or >>> so, and moving forward: >>> >>> 1. Should we specify some token type as mandatory to implement? Why >>> or why not (*briefly*)? >>> >>> 2. If we do specify one, which token type should it be? >>> >>> Barry, as chair >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > From mike@mtcc.com Thu Dec 1 17:35:45 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8332811E808A for ; Thu, 1 Dec 2011 17:35:45 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R15qDpI8UV2V for ; Thu, 1 Dec 2011 17:35:44 -0800 (PST) Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id A736F11E8081 for ; Thu, 1 Dec 2011 17:35:44 -0800 (PST) Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pB21ZdIw001248 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 1 Dec 2011 17:35:39 -0800 Message-ID: <4ED82B6B.6050301@mtcc.com> Date: Thu, 01 Dec 2011 17:35:39 -0800 From: Michael Thomas User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0 MIME-Version: 1.0 To: Stephen Farrell References: <4ED7F0D8.6010703@cs.tcd.ie> <17870960-E739-40BC-B2C1-EB93507F34EA@oracle.com> <4ED8288E.90101@cs.tcd.ie> In-Reply-To: <4ED8288E.90101@cs.tcd.ie> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1096; t=1322789740; x=1323653740; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20 |Subject:=20Re=3A=20[OAUTH-WG]=20Mandatory-to-implement=20t oken=20type |Sender:=20 |To:=20Stephen=20Farrell=20 |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=qDLJPH6Sf6S8AZmrwIhhLFqHxuwgA31LYQDjWyNG+3o=; b=uVGzfI6UaX/hZFDgnM06QlI3cY8prSzZPt6UdHHOhh1nz9w6Jovu2ZM2dW B9qmqzYfCZDej13yg2MyzKO868Kys2yXJLbO6JlBo/Uz1UGvyXE1IFqV4ccO TH3dgYwWAvtJY8+omJPr9ikAF95Ko3hqHtbsINoi1mn9mFY6k6JdA=; Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 01:35:45 -0000 On 12/01/2011 05:23 PM, Stephen Farrell wrote: >> E.g. MAC tokens work well for non-TLS protected resources. Bearer tokens in contrast are easier to use, but require TLS protected service to avoid theft-of-credential. > > So picking is a nuisance sure. But it helps interop. This smacks of truth by blatant assertion. If something is required to be implemented but is unused -- which will happen if the profile chosen by the SDK doesn't need the required one -- you're not going to get better interoperability, you're just going to get untested code. I don't see what the big deal is about saying that discovery, etc, is for a -bis release of this PS. That would take care of your problem of reaching back into this PS to change just this part. And what are the chances of not having a recycle anyway with any well-deployed PS? Zero? |We disagree about that I guess. To me it seems a peculiar way to go |unless one assumes that coders write code that's specific to a specific |service provider. But that is exactly what's happening in the field. Mike Mike From michael.d.adams@gmail.com Thu Dec 1 17:39:09 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81E4C11E80E1 for ; Thu, 1 Dec 2011 17:39:09 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.977 X-Spam-Level: X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ouw5Y5ejF3vP for ; Thu, 1 Dec 2011 17:39:09 -0800 (PST) Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id E7C9011E80D0 for ; Thu, 1 Dec 2011 17:39:08 -0800 (PST) Received: by ywm13 with SMTP id 13so2944333ywm.31 for ; Thu, 01 Dec 2011 17:39:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=U6ThrA46vSEH8GKABvQNlKEUtiW+FFQPIlaa1FUt46U=; b=F/U4AuHHEKPinEAuJoshTxGEEbdyCaIDCoZPA9aC4hy5KsARKC1fo7qOLv4nEu0hMM TR0HrMP7cNfcM5BM3LbXtF964+DfEtkJKziLHAEQT7CGOk3pNB7WSZ1f+GYFQ6wMaaW6 P5Hors5+zAjvwSGW8QJVMktDXCYHQEtVH+ePE= Received: by 10.236.77.163 with SMTP id d23mr15740448yhe.34.1322789948216; Thu, 01 Dec 2011 17:39:08 -0800 (PST) MIME-Version: 1.0 Sender: michael.d.adams@gmail.com Received: by 10.101.116.15 with HTTP; Thu, 1 Dec 2011 17:38:46 -0800 (PST) In-Reply-To: References: From: Michael D Adams Date: Thu, 1 Dec 2011 17:38:46 -0800 X-Google-Sender-Auth: Zr9iURONISG1E47CG87fm_MKOm4 Message-ID: To: Barry Leiba Content-Type: text/plain; charset=ISO-8859-1 Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 01:39:09 -0000 I echo Justin Richer's comments. On Thu, Nov 17, 2011 at 12:28 AM, Barry Leiba wrote: > 1. Should we specify some token type as mandatory to implement? Why > or why not (*briefly*)? No. There's no mechanism in the spec for clients to request a particular token type, so there's no opportunity for the authorization server to decide what token type to send. The only thing the authorization server can do is pick its own preference. If there's an MTI token type, and with the absence of a client preference, the authorization server will have to pick the MTI token type. So an MTI token type + no client preference is equivalent to there only existing one token type. Mike PS: I sent this 2011/11/17 but apparently hit reply instead of reply all. From stephen.farrell@cs.tcd.ie Thu Dec 1 17:44:05 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B86211E8107 for ; Thu, 1 Dec 2011 17:44:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.589 X-Spam-Level: X-Spam-Status: No, score=-102.589 tagged_above=-999 required=5 tests=[AWL=0.010, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNtSewbRQMKB for ; Thu, 1 Dec 2011 17:44:04 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 81DF511E8081 for ; Thu, 1 Dec 2011 17:44:04 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id DCB381541B0; Fri, 2 Dec 2011 01:44:03 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1322790243; bh=8hra5KpKTbYZGd nxccFkNmg39bfi26tQz+7pWCxafbU=; b=UOCVCgUD16gPZxigBRR7hsFf8loev2 tJCcFHrhyyK4JRFaawT1tRgODoIAJQYJQeqrkdUUHWukRXJicQ92xi/lcRqONkgy JdUIzMKXLY/nBdmgnAqOB8DQ4+cSa2FHKik4jJh6nvfSN+RjjdDsNWNCW26suHMN NrwjDUdXM4iyRsZar4O9jVo4fhJ3CfaRaLTO0lffVszHzffKQn3RbIlf9b+t5/8q dE0j1nz2kvXo66MCrr30nSjmZBLtvzYp1ApRzzVtrzhPE/uOr56rvKXMkFebsM25 qkae1D2P6iR8GEhH5nQQOJ/TTk+SuFuCSUUDpFKPC+Q070fj2V977dtw== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id q-V7LQlaAV31; Fri, 2 Dec 2011 01:44:03 +0000 (GMT) Received: from [10.87.48.9] (unknown [86.41.14.223]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 7071F1541AF; Fri, 2 Dec 2011 01:44:03 +0000 (GMT) Message-ID: <4ED82D62.3070800@cs.tcd.ie> Date: Fri, 02 Dec 2011 01:44:02 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Michael D Adams References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 01:44:05 -0000 Hiya, On 12/02/2011 01:38 AM, Michael D Adams wrote: > I echo Justin Richer's comments. > > On Thu, Nov 17, 2011 at 12:28 AM, Barry Leiba wrote: >> 1. Should we specify some token type as mandatory to implement? Why >> or why not (*briefly*)? > > No. There's no mechanism in the spec for clients to request a > particular token type, so there's no opportunity for the authorization > server to decide what token type to send. The only thing the > authorization server can do is pick its own preference. > > If there's an MTI token type, and with the absence of a client > preference, the authorization server will have to pick the MTI token > type. > > So an MTI token type + no client preference is equivalent to there > only existing one token type. Maybe. However, no MTI token type + no client preference = no interop. So I don't get your argument. (When thinking of interop.) S. > > Mike > > PS: I sent this 2011/11/17 but apparently hit reply instead of reply all. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > From wmills@yahoo-inc.com Thu Dec 1 17:51:11 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BDF921F955A for ; Thu, 1 Dec 2011 17:51:11 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -17.397 X-Spam-Level: X-Spam-Status: No, score=-17.397 tagged_above=-999 required=5 tests=[AWL=0.201, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d2zFS344tive for ; Thu, 1 Dec 2011 17:51:09 -0800 (PST) Received: from nm20.bullet.mail.sp2.yahoo.com (nm20.bullet.mail.sp2.yahoo.com [98.139.91.90]) by ietfa.amsl.com (Postfix) with SMTP id 634651F0C87 for ; Thu, 1 Dec 2011 17:50:34 -0800 (PST) Received: from [98.139.91.62] by nm20.bullet.mail.sp2.yahoo.com with NNFMP; 02 Dec 2011 01:50:34 -0000 Received: from [98.139.91.35] by tm2.bullet.mail.sp2.yahoo.com with NNFMP; 02 Dec 2011 01:50:34 -0000 Received: from [127.0.0.1] by omp1035.mail.sp2.yahoo.com with NNFMP; 02 Dec 2011 01:50:34 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 293519.52110.bm@omp1035.mail.sp2.yahoo.com Received: (qmail 23332 invoked by uid 60001); 2 Dec 2011 01:50:33 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1322790633; bh=DlJlTKnKtOvn6WlrleckW1lclHUCzp5Gped7qXwiAyI=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=S/j4w+Th3B9ZLKp3F4YHIyKquihMenEdKjnb8B1F95Nh3TM5kvq8VYFi5w8MVRYOvM3h4rJ6rl/2PaPmxF6s4n3Xn3IQd9lvGcaYjbVtPSfCbbRALZZpGCcMTwu2lNUX6R2nGKKX2kVBwwBNPduh0W3OH+6QUtycA9KgGQ4SrOY= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=V6iaV8zSLwYGrqpy/yqWMZTYbFjssWYJuDrVA1p0cAfwXhKbCBckmzCMSYOkG7k2IYs6fp2p/p7oxmXwY8NIMzNut23TrbpkHIW9TzO48i55lgXnzpE2ooL5ApKbxLlquaAKc0pc6d1WSz+xyUtw+f89kt1ePRjnxMrCPiL0mPQ=; X-YMail-OSG: JVEVmOMVM1nuoz8M7Yl3Dwowoyifr.0AeKliLB6LFkZK9f1 zBuj6ZXs.2GVTGtn3.0yRnSukd1r21V3quhrOuw7MgW5DzujUf0ho_rM8KAo 30IoCNrWG8rrhwbMYRk0i95QR1Bnbj4DLyCCAf7cM9o8g4f45b_gP7AuoWne FreRMjRLQr6GDtfNSJJpuzbTroe0NkV6eRb4gIKTwWuvC8z3nYozfxnmBSb4 wCy3aLv3io6Enl0mhqVc3eHYLb3kjEieZ4NdIli8XuZUswfmA4NNn58kR3ft gPxRtuMFKbMvpx6_7zPuKmuMDl5hdsARd1kkjKb0OxRpwvTSPlAmgybP4CBj GGTI4F6dOgihyVhniOtx897t8H0bJhYSCzaPrCziQGBCO1l4Px_Ap_biFJmn d1Gd6.tITFgJF.WzNuWcRsvRqSNz06KMKoPoGXdiz8TLv3K7f835AsoELcD5 AGf0PdhDDZtxGAa8ex9ZGZ_ckG61Zem92KhoVX0dD65tVKLJuAw1SCHGxoA- - Received: from [209.131.62.113] by web31816.mail.mud.yahoo.com via HTTP; Thu, 01 Dec 2011 17:50:33 PST X-RocketYMMF: william_john_mills X-Mailer: YahooMailWebService/0.8.116.331537 References: <4ED7F0D8.6010703@cs.tcd.ie> <17870960-E739-40BC-B2C1-EB93507F34EA@oracle.com> <4ED8288E.90101@cs.tcd.ie> Message-ID: <1322790633.20785.YahooMailNeo@web31816.mail.mud.yahoo.com> Date: Thu, 1 Dec 2011 17:50:33 -0800 (PST) From: William Mills To: Stephen Farrell , Phil Hunt In-Reply-To: <4ED8288E.90101@cs.tcd.ie> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="-1238014912-1269876988-1322790633=:20785" Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: William Mills List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 01:51:11 -0000 ---1238014912-1269876988-1322790633=:20785 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable If we MTI a "weaker" token type (arguably Bearer falls here) that means =0A= the spec will be inappropriate in higher security requirement situations, t= hose folks walk away.=0A=0A=0AIf we MTI something like SAML it makes the fo= lks that want a light weight Bearer token solution walk away.=0A=0A=0A_____= ___________________________=0A From: Stephen Farrell =0ATo: Phil Hunt =0ACc: Barry Leiba ; oauth WG =0ASent: Thursday, December 1, 20= 11 5:23 PM=0ASubject: Re: [OAUTH-WG] Mandatory-to-implement token type=0A = =0A=0AOn 12/02/2011 12:23 AM, Phil Hunt wrote:=0A> Because different token = types have distinct advantages in different scenarios, choosing a single MT= I would be difficult.=0A=0AI just don't get that. Why is it somehow difficu= lt to pick one=0Abut at the same time easy to implement any?=0A=0A=0ATo: Phil Hunt =0ACc: Barry Lei= ba ; oauth WG =0ASent: Thursday, = December 1, 2011 5:23 PM=0ASubject: Re: [OAUTH-WG] Mandatory-to-implement t= oken type=0A =0A=0A=0AOn 12/02/2011 12:23 AM, Phil Hunt wrote:=0A> Because = different token types have distinct advantages in different scenarios, choo= sing a single MTI would be difficult.=0A=0AI just don't get that. Why is it= somehow difficult to pick one=0Abut at the same time easy to implement any= ?=0A=0A> E.g. MAC tokens work well for non-TLS protected resources.=A0 Bear= er tokens in contrast are easier to use, but require TLS protected service = to avoid theft-of-credential.=0A=0ASo picking is a nuisance sure. But it he= lps interop.=0A=0A> Even at this level, site security policies will simply = override =0Awhatever is stated in the specification and choose one type onl= y.=0A=0AYes, but those policies will be affected by what's available in=0At= he running code. I'd like if what's available was known when=0Athe coder sa= ys "we implement RFC "=0A=0A> Having multiple MTIs, suggests choice an= d that causes other problems. What happens when a client wants to use a bea= rer token over an unprotected connection? How does the client discover what= can be used and when?=0A=0AHaving no MTI causes identical problems.=0A=0A>= The approach we have now where the Token specification defines interop req= uirements and a profile for use with OAuth2 seems to be a good way to go.= =0A=0AWe disagree about that I guess. To me it seems a peculiar way to go= =0Aunless one assumes that coders write code that's specific to a specific= =0Aservice provider.=0A=0AS.=0A=0A> Phil=0A>=0A> @independentid=0A> www.ind= ependentid.com=0A> phil.hunt@oracle.com=0A>=0A>=0A>=0A>=0A>=0A> On 2011-12-= 01, at 1:25 PM, Stephen Farrell wrote:=0A>=0A>>=0A>> Barry, all,=0A>>=0A>> = First, apologies for being so slow responding, various=0A>> travels got in = the way. I hope we can quickly resolve this now.=0A>>=0A>> Bit of process f= irst: at the meeting we discussed this and at the=0A>> end of that discussi= on, there were quite a few more folks for the=0A>> "pick one" position. Peo= ple who favour that outcome and really=0A>> care about that need to speak u= p on the list, since the list=0A>> consensus trumps the sense of the room i= n the chairs' evaluation=0A>> of the WG consensus.=0A>>=0A>> Second, at the= meeting I said that I'd like to see either MAC or=0A>> bearer picked as MT= I, and if not, that I want the draft to say=0A>> why its ok to have no MTI = token type. So the WG either need to=0A>> pick one, or else explicitly and = convincingly justify not=0A>> picking one. That's the "firm" AD position to= which Barry=0A>> referred. (I didn't properly call out the "if not" part o= f=0A>> that in my AD review, sorry.)=0A>>=0A>> My own argument for picking = one is simple: if every relevant=0A>> piece of code has to know how to hand= le one then it becomes=0A>> easier to get interop. If everyone decides for = themselves=0A>> then interop is less likely since there are currently two= =0A>> choices and may be more in future.=0A>>=0A>> I do realise that the ba= ckground here and current practice=0A>> is that code tends to be written th= at is specific to a=0A>> resource server (or however that's best phrased) b= ut that's=0A>> maybe where the IETF differs from the community that produce= d=0A>> OAuth - here we want two independent implementers who've=0A>> never = talked to produce code that interops even so.=0A>>=0A>> I also realise that= that's not the full story for getting=0A>> interop with OAuth and that mor= e is needed. However, this=0A>> aspect is otherwise fully specified and so = I don't buy the=0A>> argument that this isn't worth doing just because we d= on't=0A>> have the full registration story etc. figured out. If we don't=0A= >> sort this out now, then later specs will have to update=0A>> this one in= this respect. possibly making existing code=0A>> "non-compliant" in some s= ense, so just going ahead and doing=0A>> it right now is better.=0A>>=0A>> = So, pick one (my strong personal preference) or establish and=0A>> document= why you're not picking one seem to me to be the choices=0A>> available.=0A= >>=0A>> Regards,=0A>> Stephen.=0A>>=0A>>=0A>> On 11/17/2011 08:28 AM, Barry= Leiba wrote:=0A>>> Stephen, as AD, brought up the question of mandatory-to= -implement=0A>>> token types, in the IETF 82 meeting.=A0 There was some ext= ended=0A>>> discussion on the point:=0A>>>=0A>>> - Stephen is firm in his b= elief that it's necessary for=0A>>> interoperability.=A0 He notes that mand= atory to *implement* is not the=0A>>> same as mandatory to *use*.=0A>>> - S= everal participants believe that without a mechanism for requesting=0A>>> o= r negotiating a token type, there is no value in having any type be=0A>>> m= andatory to implement.=0A>>>=0A>>> Stephen is happy to continue the discuss= ion on the list, and make his=0A>>> point clear.=A0 In any case, there was = clear consensus in the room that=0A>>> we *should* specify a mandatory-to-i= mplement type, and that that type=0A>>> be bearer tokens.=A0 This would be = specified in the base document, and=0A>>> would make a normative reference = from the base doc to the bearer token=0A>>> doc.=0A>>>=0A>>> We need to con= firm that consensus on the mailing list, so this starts=0A>>> the discussio= n.=A0 Let's work on resolving this over the next week or=0A>>> so, and movi= ng forward:=0A>>>=0A>>> 1. Should we specify some token type as mandatory t= o implement?=A0 Why=0A>>> or why not (*briefly*)?=0A>>>=0A>>> 2. If we do s= pecify one, which token type should it be?=0A>>>=0A>>> Barry, as chair=0A>>= > _______________________________________________=0A>>> OAuth mailing list= =0A>>> OAuth@ietf.org=0A>>> https://www.ietf.org/mailman/listinfo/oauth=0A>= >>=0A>> _______________________________________________=0A>> OAuth mailing = list=0A>> OAuth@ietf.org=0A>> https://www.ietf.org/mailman/listinfo/oauth= =0A>=0A>=0A_______________________________________________=0AOAuth mailing = list=0AOAuth@ietf.org=0Ahttps://www.ietf.org/mailman/listinfo/oauth ---1238014912-1269876988-1322790633=:20785 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
If=0A we MTI a "weaker" token type (arguably Bearer falls here) that mean= s =0Athe spec will be inappropriate in higher security requirement situatio= ns, those folks walk away.
=0A

=0A =0A
If we MTI something like SAML it makes the folks that wan= t a light weight Bearer token solution walk away.
=0A
<= br>
From: Stephen Farrell <stephen.farre= ll@cs.tcd.ie>
To: P= hil Hunt <phil.hunt@oracle.com>
Cc: Barry Leiba <barryleiba@computer.org>; oauth WG &= lt;oauth@ietf.org>
Sent: Thursday, December 1, 2011 5:23 PM
Subject: Re: [OAUTH-WG] Mandatory-to-implement token ty= pe
=0A
=0AOn 12/02/2011 12:23 AM, Phil Hunt wrote:
&g= t; Because different token types have distinct advantages in different scen= arios, choosing a single MTI would be difficult.

I just don't get th= at. Why is it somehow difficult to pick one
but at the same time easy to= implement any?

<snip /

<= div style=3D"font-family: times new roman, new york, times, serif; font-siz= e: 12pt;">
From: Stephen Farrell <stephen.farrell= @cs.tcd.ie>
To: Phi= l Hunt <phil.hunt@oracle.com>
Cc: Barry Leiba <barryleiba@computer.org>; oauth WG <= ;oauth@ietf.org>
Sent:= Thursday, December 1, 2011 5:23 PM
Subject: Re: [OAUT= H-WG] Mandatory-to-implement token type
=0A

On 12/02= /2011 12:23 AM, Phil Hunt wrote:
> Because different token types have= distinct advantages in different scenarios, choosing a single MTI would be= difficult.

I just don't get that. Why is it somehow difficult to pi= ck one
but at the same time easy to implement any?

> E.g. MAC = tokens work well for non-TLS protected resources.  Bearer tokens in co= ntrast are easier to use, but require TLS protected service to avoid theft-= of-credential.

So picking is a nuisance sure. But it helps interop.<= br>
> Even at this level, site security policies will simply overrid= e
whatever is stated in the specification and choose one type only.
=
Yes, but those policies will be affected by what's available in
the = running code. I'd like if what's available was known when
the coder says= "we implement RFC <foo>"

> Having multiple MTIs, suggests = choice and that causes other problems. What happens when a client wants to use a bearer token over an unprotected connection? = How does the client discover what can be used and when?

Having no MT= I causes identical problems.

> The approach we have now where the= Token specification defines interop requirements and a profile for use wit= h OAuth2 seems to be a good way to go.

We disagree about that I gues= s. To me it seems a peculiar way to go
unless one assumes that coders wr= ite code that's specific to a specific
service provider.

S.
> Phil
>
> @independentid
> www.independentid.com
> p= hil.hunt@oracle.com
>
>
>
>
>
> On = 2011-12-01, at 1:25 PM, Stephen Farrell wrote:
>
>>
>&= gt; Barry, all,
>>
>> First, apologies for being so slow responding, various
>> travels got in the way. I hope we can quic= kly resolve this now.
>>
>> Bit of process first: at the = meeting we discussed this and at the
>> end of that discussion, th= ere were quite a few more folks for the
>> "pick one" position. Pe= ople who favour that outcome and really
>> care about that need to= speak up on the list, since the list
>> consensus trumps the sens= e of the room in the chairs' evaluation
>> of the WG consensus.>>
>> Second, at the meeting I said that I'd like to see ei= ther MAC or
>> bearer picked as MTI, and if not, that I want the d= raft to say
>> why its ok to have no MTI token type. So the WG eit= her need to
>> pick one, or else explicitly and convincingly justi= fy not
>> picking one. That's the "firm" AD position to which Barr= y
>> referred. (I didn't properly call out the "if not" part of
>> that in my AD review, sorry.)
>>
>> = My own argument for picking one is simple: if every relevant
>> pi= ece of code has to know how to handle one then it becomes
>> easie= r to get interop. If everyone decides for themselves
>> then inter= op is less likely since there are currently two
>> choices and may= be more in future.
>>
>> I do realise that the backgroun= d here and current practice
>> is that code tends to be written th= at is specific to a
>> resource server (or however that's best phr= ased) but that's
>> maybe where the IETF differs from the communit= y that produced
>> OAuth - here we want two independent implemente= rs who've
>> never talked to produce code that interops even so.>>
>> I also realise that that's not the full story for ge= tting
>> interop with OAuth and that more is needed. However, this
>> aspect is otherwise fully specified and so I don= 't buy the
>> argument that this isn't worth doing just because we= don't
>> have the full registration story etc. figured out. If we= don't
>> sort this out now, then later specs will have to update<= br>>> this one in this respect. possibly making existing code
>= > "non-compliant" in some sense, so just going ahead and doing
>&g= t; it right now is better.
>>
>> So, pick one (my strong = personal preference) or establish and
>> document why you're not p= icking one seem to me to be the choices
>> available.
>><= br>>> Regards,
>> Stephen.
>>
>>
>&g= t; On 11/17/2011 08:28 AM, Barry Leiba wrote:
>>> Stephen, as A= D, brought up the question of mandatory-to-implement
>>> token = types, in the IETF 82 meeting.  There was some extended
>>> discussion on the point:
>>>
>&= gt;> - Stephen is firm in his belief that it's necessary for
>>= > interoperability.  He notes that mandatory to *implement* is not = the
>>> same as mandatory to *use*.
>>> - Several p= articipants believe that without a mechanism for requesting
>>>= or negotiating a token type, there is no value in having any type be
&g= t;>> mandatory to implement.
>>>
>>> Stephen = is happy to continue the discussion on the list, and make his
>>&g= t; point clear.  In any case, there was clear consensus in the room th= at
>>> we *should* specify a mandatory-to-implement type, and t= hat that type
>>> be bearer tokens.  This would be specifi= ed in the base document, and
>>> would make a normative referen= ce from the base doc to the bearer token
>>> doc.
>>>
>>> We need to confirm that consensus on = the mailing list, so this starts
>>> the discussion.  Let'= s work on resolving this over the next week or
>>> so, and movi= ng forward:
>>>
>>> 1. Should we specify some token= type as mandatory to implement?  Why
>>> or why not (*bri= efly*)?
>>>
>>> 2. If we do specify one, which toke= n type should it be?
>>>
>>> Barry, as chair
>= ;>> _______________________________________________
>>> O= Auth mailing list
>>> OAuth@ietf.org
>>> https://www.ie= tf.org/mailman/listinfo/oauth
>>>
>> _____________= __________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listi= nfo/oauth
>
>
__________________________________________= _____
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/l= istinfo/oauth


---1238014912-1269876988-1322790633=:20785-- From stephen.farrell@cs.tcd.ie Thu Dec 1 17:53:34 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF40D1F0C5F for ; Thu, 1 Dec 2011 17:53:34 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.589 X-Spam-Level: X-Spam-Status: No, score=-102.589 tagged_above=-999 required=5 tests=[AWL=0.010, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 84fHvY1WVv8X for ; Thu, 1 Dec 2011 17:53:33 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 6D0D31F0C5E for ; Thu, 1 Dec 2011 17:53:33 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id C64A51541AF; Fri, 2 Dec 2011 01:53:32 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1322790811; bh=engEdd/+aIQDg0 6dRamOJihVPX8cKhO8wLrJlgkBsRc=; b=vjrVJKQdu9iu3QisTRtBecbbpObKqr GLBYMqG7xtQ9J61nH/EQsRukwxCEqwb6RLRyEY/YSQus5sdzGwNsvdVLWdswBUNe 4TzxdbXaNt9Rsu/qvCZbBPMaOvVY14W6sk9us858kPqukb7PawnCsBlfqK8l6PcB p8I5ZplCHNerPR2luVkNsih6g3QXFhxXjZLjEupqFF3YZ5Xwq/6r75+voGZXmr9J XCxTALyIiv1kQG+8ZUHEF8YSmGcHwC3Yw1io1TO2E9g/LogAsomYjrry5nDS4pTR 1Ku1U3BcBzzho2nOEuT550D/6Dyolxga423N1A/DwFswK0X4GfsaPGqA== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id TL8l5LYsQlvY; Fri, 2 Dec 2011 01:53:31 +0000 (GMT) Received: from [10.87.48.9] (unknown [86.41.14.223]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 46B6E153C7E; Fri, 2 Dec 2011 01:53:30 +0000 (GMT) Message-ID: <4ED82F99.9030400@cs.tcd.ie> Date: Fri, 02 Dec 2011 01:53:29 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: William Mills References: <4ED7F0D8.6010703@cs.tcd.ie> <17870960-E739-40BC-B2C1-EB93507F34EA@oracle.com> <4ED8288E.90101@cs.tcd.ie> <1322790633.20785.YahooMailNeo@web31816.mail.mud.yahoo.com> In-Reply-To: <1322790633.20785.YahooMailNeo@web31816.mail.mud.yahoo.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 01:53:34 -0000 On 12/02/2011 01:50 AM, William Mills wrote: > If we MTI a "weaker" token type (arguably Bearer falls here) that means > the spec will be inappropriate in higher security requirement situations, those folks walk away. Disagree. People who need more can specify more. The base spec not having an MTI doesn't help them at all since absent any MTI it'd clearly not be appropriate for higher security environments to use your term. > If we MTI something like SAML it makes the folks that want a light weight Bearer token solution walk away. I would agree that SAML might be too heavy. If the WG do pick an MTI then it does need to be relatively simple. S. > > > ________________________________ > From: Stephen Farrell > To: Phil Hunt > Cc: Barry Leiba; oauth WG > Sent: Thursday, December 1, 2011 5:23 PM > Subject: Re: [OAUTH-WG] Mandatory-to-implement token type > > > On 12/02/2011 12:23 AM, Phil Hunt wrote: >> Because different token types have distinct advantages in different scenarios, choosing a single MTI would be difficult. > > I just don't get that. Why is it somehow difficult to pick one > but at the same time easy to implement any? > > > > ________________________________ > From: Stephen Farrell > To: Phil Hunt > Cc: Barry Leiba; oauth WG > Sent: Thursday, December 1, 2011 5:23 PM > Subject: Re: [OAUTH-WG] Mandatory-to-implement token type > > > > On 12/02/2011 12:23 AM, Phil Hunt wrote: >> Because different token types have distinct advantages in different scenarios, choosing a single MTI would be difficult. > > I just don't get that. Why is it somehow difficult to pick one > but at the same time easy to implement any? > >> E.g. MAC tokens work well for non-TLS protected resources. Bearer tokens in contrast are easier to use, but require TLS protected service to avoid theft-of-credential. > > So picking is a nuisance sure. But it helps interop. > >> Even at this level, site security policies will simply override > whatever is stated in the specification and choose one type only. > > Yes, but those policies will be affected by what's available in > the running code. I'd like if what's available was known when > the coder says "we implement RFC" > >> Having multiple MTIs, suggests choice and that causes other problems. What happens when a client wants to use a bearer token over an unprotected connection? How does the client discover what can be used and when? > > Having no MTI causes identical problems. > >> The approach we have now where the Token specification defines interop requirements and a profile for use with OAuth2 seems to be a good way to go. > > We disagree about that I guess. To me it seems a peculiar way to go > unless one assumes that coders write code that's specific to a specific > service provider. > > S. > >> Phil >> >> @independentid >> www.independentid.com >> phil.hunt@oracle.com >> >> >> >> >> >> On 2011-12-01, at 1:25 PM, Stephen Farrell wrote: >> >>> >>> Barry, all, >>> >>> First, apologies for being so slow responding, various >>> travels got in the way. I hope we can quickly resolve this now. >>> >>> Bit of process first: at the meeting we discussed this and at the >>> end of that discussion, there were quite a few more folks for the >>> "pick one" position. People who favour that outcome and really >>> care about that need to speak up on the list, since the list >>> consensus trumps the sense of the room in the chairs' evaluation >>> of the WG consensus. >>> >>> Second, at the meeting I said that I'd like to see either MAC or >>> bearer picked as MTI, and if not, that I want the draft to say >>> why its ok to have no MTI token type. So the WG either need to >>> pick one, or else explicitly and convincingly justify not >>> picking one. That's the "firm" AD position to which Barry >>> referred. (I didn't properly call out the "if not" part of >>> that in my AD review, sorry.) >>> >>> My own argument for picking one is simple: if every relevant >>> piece of code has to know how to handle one then it becomes >>> easier to get interop. If everyone decides for themselves >>> then interop is less likely since there are currently two >>> choices and may be more in future. >>> >>> I do realise that the background here and current practice >>> is that code tends to be written that is specific to a >>> resource server (or however that's best phrased) but that's >>> maybe where the IETF differs from the community that produced >>> OAuth - here we want two independent implementers who've >>> never talked to produce code that interops even so. >>> >>> I also realise that that's not the full story for getting >>> interop with OAuth and that more is needed. However, this >>> aspect is otherwise fully specified and so I don't buy the >>> argument that this isn't worth doing just because we don't >>> have the full registration story etc. figured out. If we don't >>> sort this out now, then later specs will have to update >>> this one in this respect. possibly making existing code >>> "non-compliant" in some sense, so just going ahead and doing >>> it right now is better. >>> >>> So, pick one (my strong personal preference) or establish and >>> document why you're not picking one seem to me to be the choices >>> available. >>> >>> Regards, >>> Stephen. >>> >>> >>> On 11/17/2011 08:28 AM, Barry Leiba wrote: >>>> Stephen, as AD, brought up the question of mandatory-to-implement >>>> token types, in the IETF 82 meeting. There was some extended >>>> discussion on the point: >>>> >>>> - Stephen is firm in his belief that it's necessary for >>>> interoperability. He notes that mandatory to *implement* is not the >>>> same as mandatory to *use*. >>>> - Several participants believe that without a mechanism for requesting >>>> or negotiating a token type, there is no value in having any type be >>>> mandatory to implement. >>>> >>>> Stephen is happy to continue the discussion on the list, and make his >>>> point clear. In any case, there was clear consensus in the room that >>>> we *should* specify a mandatory-to-implement type, and that that type >>>> be bearer tokens. This would be specified in the base document, and >>>> would make a normative reference from the base doc to the bearer token >>>> doc. >>>> >>>> We need to confirm that consensus on the mailing list, so this starts >>>> the discussion. Let's work on resolving this over the next week or >>>> so, and moving forward: >>>> >>>> 1. Should we specify some token type as mandatory to implement? Why >>>> or why not (*briefly*)? >>>> >>>> 2. If we do specify one, which token type should it be? >>>> >>>> Barry, as chair >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From michael.d.adams@gmail.com Thu Dec 1 18:14:32 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D5C811E80A6 for ; Thu, 1 Dec 2011 18:14:32 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.977 X-Spam-Level: X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ozLYkBl5YhUk for ; Thu, 1 Dec 2011 18:14:31 -0800 (PST) Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 876A311E8114 for ; Thu, 1 Dec 2011 18:14:31 -0800 (PST) Received: by ghrr18 with SMTP id r18so2940151ghr.31 for ; Thu, 01 Dec 2011 18:14:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=Kw5c2pCvRJBel9p660D+EzlqjBUiSeBmOW2xnBIQHXA=; b=DKYUSE3VM2zKoM/2i+bylSIn7CAsU0pxQchHdaSsja9olnszFbFKS01nsOTBI0f1K1 /T9VpTP6RDJp5lg1q6rm2G6pT18GCDlPvVryWkh+NEG/Hm+ZTJHqX9szkbEB5yww0o7Y iQQZXhmvLWCPVEgvu4GXKTRaBhC+qYhd4sCOI= Received: by 10.236.189.97 with SMTP id b61mr15562428yhn.116.1322792071193; Thu, 01 Dec 2011 18:14:31 -0800 (PST) MIME-Version: 1.0 Sender: michael.d.adams@gmail.com Received: by 10.101.116.15 with HTTP; Thu, 1 Dec 2011 18:14:10 -0800 (PST) In-Reply-To: <4ED82D62.3070800@cs.tcd.ie> References: <4ED82D62.3070800@cs.tcd.ie> From: Michael D Adams Date: Thu, 1 Dec 2011 18:14:10 -0800 X-Google-Sender-Auth: 4GLdOkdMHQn2T_jOfXUg1FW51Xc Message-ID: To: Stephen Farrell Content-Type: text/plain; charset=ISO-8859-1 Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 02:14:32 -0000 On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell wrote: > On 12/02/2011 01:38 AM, Michael D Adams wrote: >> So an MTI token type + no client preference is equivalent to there >> only existing one token type. > > Maybe. > > However, no MTI token type + no client preference = no interop. > > So I don't get your argument. (When thinking of interop.) I think it's me that doesn't understand your argument. Suppose an authorization server implements OAuth2 and has some requirement that the MTI token type doesn't provide (as William Mills suggested), so the server implements token type AWESOME in addition to token type MTI. Whenever a token is requested, the authorization server issues one of type AWESOME. Type MTI is never issued. Why bother implementing type MTI if it's never used? Additionally, the authorization server could not implement type MTI but claim it did. There's no way for a third party to verify the claim since the authorization server never issues a token of type MTI. If tokens of type MTI are never used by this server, how does the MTI token type help interop? Is your argument that this server would say "No, we do not support OAuth2. We do, however, support OAuth2+AWESOME."? That semantic argument I understand, but I am ignorant as to how/if it fits into the RFC. From stephen.farrell@cs.tcd.ie Thu Dec 1 18:22:16 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EA2A11E8096 for ; Thu, 1 Dec 2011 18:22:16 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.59 X-Spam-Level: X-Spam-Status: No, score=-102.59 tagged_above=-999 required=5 tests=[AWL=0.009, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ajo7IUwMS3vG for ; Thu, 1 Dec 2011 18:22:15 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id C859711E8081 for ; Thu, 1 Dec 2011 18:22:15 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id D700F1541AF; Fri, 2 Dec 2011 02:22:14 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1322792534; bh=vN9CF4S7qOPF7G epIo1ghJQnGvQJcSJgwD1LvyLpJbo=; b=x80hr1ildu8XON1HkLxTCJUHMrakD9 iy7Gk+YlOG67eObzRTw+SlZZEvCF/PD/k3eCmjaOOmevqdaMuOqbOhGExvGOpMAv BjGIhKIeqU7wZsLEVA2/LC6OXFyPFmRJzYRQfm93vqDGuUldoCe7Vdzoqao6jJrP iZZp39avtkHP8bUQ625tNdyI0GtX+0GPTL5JLzfkIMPH1ALAL6hI9BAjCOZSLrJP zJErVlbqTf8fJCr03PsS5/t/3AOy0x/ATlIED2DTCyIlAzNRlQJZBKe4BwSEh39j hzcItCHoF/puKHV54yk8wG9Sb/vViLRYvULMwOVMqNKJSZfMncSf8WvQ== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id 3hBe1iYxrA0a; Fri, 2 Dec 2011 02:22:14 +0000 (GMT) Received: from [10.87.48.9] (unknown [86.41.14.223]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 21478153C7E; Fri, 2 Dec 2011 02:22:14 +0000 (GMT) Message-ID: <4ED83655.5030405@cs.tcd.ie> Date: Fri, 02 Dec 2011 02:22:13 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Michael Thomas References: <4ED7F0D8.6010703@cs.tcd.ie> <17870960-E739-40BC-B2C1-EB93507F34EA@oracle.com> <4ED8288E.90101@cs.tcd.ie> <4ED82B6B.6050301@mtcc.com> In-Reply-To: <4ED82B6B.6050301@mtcc.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 02:22:16 -0000 Hi Mike, On 12/02/2011 01:35 AM, Michael Thomas wrote: > On 12/01/2011 05:23 PM, Stephen Farrell wrote: >>> E.g. MAC tokens work well for non-TLS protected resources. Bearer >>> tokens in contrast are easier to use, but require TLS protected >>> service to avoid theft-of-credential. >> >> So picking is a nuisance sure. But it helps interop. > > This smacks of truth by blatant assertion. Of course. My 2 sentences have 10 words. Yours has 7. Neither can really capture everything. Nonetheless, picking between one of two things does help interop IMO. > If something is required to > be implemented but is unused -- which will happen if the profile > chosen by the SDK doesn't need the required one -- you're not going > to get better interoperability, you're just going to get untested code. That'd be a fair point if the MTI wasn't used. While that might be true of MAC, I doubt it'd be true for bearer, which is what seemed to be the thing folks in the room in Taipei would pick, had they to pick. So yes, your argument would be telling if the WG chose a rare beast as the MTI thing. > I don't see what the big deal is about saying that discovery, etc, is > for a -bis release of this PS. That would take care of your problem of > reaching back into this PS to change just this part. And what are the > chances of not having a recycle anyway with any well-deployed PS? > Zero? That's not a reason to not fix an easily fixable thing now though. > |We disagree about that I guess. To me it seems a peculiar way to go > |unless one assumes that coders write code that's specific to a specific > |service provider. > > But that is exactly what's happening in the field. To date yes. I would (perhaps naively) hope for that to get better (by at least a bit) when we have an OAuth 2.0 RFC. Cheers, S. > > Mike > > > Mike > > > From stephen.farrell@cs.tcd.ie Thu Dec 1 18:27:52 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55D8D21F9543 for ; Thu, 1 Dec 2011 18:27:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.29 X-Spam-Level: X-Spam-Status: No, score=-102.29 tagged_above=-999 required=5 tests=[AWL=-0.291, BAYES_00=-2.599, J_CHICKENPOX_72=0.6, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4xPayu-Ei5yM for ; Thu, 1 Dec 2011 18:27:51 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id A072A21F9542 for ; Thu, 1 Dec 2011 18:27:51 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id D38A71541B0; Fri, 2 Dec 2011 02:27:50 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1322792870; bh=/XouGbHeMmjEok zK/VeSgAwFF847w6AKSe+Fa7rGYoQ=; b=1gYbfdANEx1SbrJ9am4IhJjmIDIDsR tlaxQMBRQtIR2/sReMSXjq/PvSZNTWVX/hqQ4cq/w1nM6os2F63WBRuPTt/irJM6 WTiXveJio7gjT5cCFAwUfqcyX1jgNOiVw53IUHLPDj5Ru2Kjw6amFlSL9//2R0+W T9tm9AFGmYiEIPJ9V0yfjgiJg4xnSIfP02zuPMOz+B8SevHibOHDrhH1jORD6/II KJ7nmViusyfRmEmXmHRKGs0jizVBdF7K4o4ufyr8bWqcKhFeP12UDIeQP7hXQtsb tO+v9Uj6bzr8eN+LnkrBOoaQtlI8HA2bETAy7JC9shGQsBuMDU9fLblw== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id hCf9PKtUCk8s; Fri, 2 Dec 2011 02:27:50 +0000 (GMT) Received: from [10.87.48.9] (unknown [86.41.14.223]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 4D49D1541AF; Fri, 2 Dec 2011 02:27:50 +0000 (GMT) Message-ID: <4ED837A5.502@cs.tcd.ie> Date: Fri, 02 Dec 2011 02:27:49 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Michael D Adams References: <4ED82D62.3070800@cs.tcd.ie> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 02:27:52 -0000 Hiya, On 12/02/2011 02:14 AM, Michael D Adams wrote: > On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell > wrote: >> On 12/02/2011 01:38 AM, Michael D Adams wrote: >>> So an MTI token type + no client preference is equivalent to there >>> only existing one token type. >> >> Maybe. >> >> However, no MTI token type + no client preference = no interop. >> >> So I don't get your argument. (When thinking of interop.) > > I think it's me that doesn't understand your argument. That can be mutual:-) > Suppose an authorization server implements OAuth2 and has some > requirement that the MTI token type doesn't provide (as William Mills > suggested), so the server implements token type AWESOME in addition to > token type MTI. > > Whenever a token is requested, the authorization server issues one of > type AWESOME. Type MTI is never issued. > > Why bother implementing type MTI if it's never used? That, I think, assumes that the requesting party only ever works with the AWESOME token-type issuer. Seems a shame to me that whoever wrote that code can't work with any other MTI token-type issuer as well, at least. > Additionally, the authorization server could not implement type MTI > but claim it did. There's no way for a third party to verify the > claim since the authorization server never issues a token of type MTI. Irrelevant. I could claim to be handsome. Would work equally well. > If tokens of type MTI are never used by this server, how does the MTI > token type help interop?Is your argument that this server would say > "No, we do not support OAuth2. We do, however, support > OAuth2+AWESOME."? That semantic argument I understand, but I am > ignorant as to how/if it fits into the RFC. No, my argument is that there are many servers and many clients on the Internet and having them all have a way to interop, if they choose to do so, is a good thing in itself. Writing an RFC so that its a random pick as to whether they do or don't interop is not IMO a good thing. S. From mike@mtcc.com Thu Dec 1 18:57:44 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08FB81F0C5E for ; Thu, 1 Dec 2011 18:57:44 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I8DBkSVjLX8z for ; Thu, 1 Dec 2011 18:57:43 -0800 (PST) Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 5AC371F0C35 for ; Thu, 1 Dec 2011 18:57:43 -0800 (PST) Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pB22vZOk028918 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 1 Dec 2011 18:57:35 -0800 Message-ID: <4ED83E9F.1070309@mtcc.com> Date: Thu, 01 Dec 2011 18:57:35 -0800 From: Michael Thomas User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0 MIME-Version: 1.0 To: Stephen Farrell References: <4ED7F0D8.6010703@cs.tcd.ie> <17870960-E739-40BC-B2C1-EB93507F34EA@oracle.com> <4ED8288E.90101@cs.tcd.ie> <4ED82B6B.6050301@mtcc.com> <4ED83655.5030405@cs.tcd.ie> In-Reply-To: <4ED83655.5030405@cs.tcd.ie> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2119; t=1322794657; x=1323658657; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20 |Subject:=20Re=3A=20[OAUTH-WG]=20Mandatory-to-implement=20t oken=20type |Sender:=20 |To:=20Stephen=20Farrell=20 |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=gsxCmao/8BbJaWLFTHr1niGTlIpn8zRfjzJY6iW76vU=; b=rNSTDvuHdxAe4iQgOq22lEC8mp3O3xqRXHeWE+d6VNga+s7svn5PFOYKUO FCEcLyoaYAYRWraZzgKDGTHKl93NWYNsKg9WkH8CJDv/y/A3p+GKLI6wNCpe QllEDVqK4g2yY4qKf0zIPNHzvJlnT8WiMiR4GPIdOD5G1siPwEkIw=; Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 02:57:44 -0000 On 12/01/2011 06:22 PM, Stephen Farrell wrote: > > > If something is required to >> be implemented but is unused -- which will happen if the profile >> chosen by the SDK doesn't need the required one -- you're not going >> to get better interoperability, you're just going to get untested code. > > That'd be a fair point if the MTI wasn't used. > > While that might be true of MAC, I doubt it'd be true for bearer, > which is what seemed to be the thing folks in the room in Taipei > would pick, had they to pick. > > So yes, your argument would be telling if the WG chose a rare > beast as the MTI thing. > >> I don't see what the big deal is about saying that discovery, etc, is >> for a -bis release of this PS. That would take care of your problem of >> reaching back into this PS to change just this part. And what are the >> chances of not having a recycle anyway with any well-deployed PS? >> Zero? > > That's not a reason to not fix an easily fixable thing now though. What bothers me here is overreach. If the wg has come to the conclusion that the standardizing the status quo of purpose built sdk's is a Good Thing, then that is still a pretty good reason to create a standard -- if nothing else, it dissuades people from badly rolling their own. Stopping there is ok, IMO. It still serves a purpose. Also: it seems to me that the longer term solution for libraries implementing oauth is not to have a single point of interoperability, but a suite of algorithms/ methods that satisfy the various policies of many/most deployments. That is, they're going to need to MUST IMPLEMENT a whole lot of things, not just one. So I just don't see this MUST as doing anything especially useful, and has the downside of making perfectly reasonable purpose-build SDK's "non-conformant". That said, I don't think the world will fail to revolve if this goes in there. Mostly, I think that it will be ignored. But that's what bothers me: putting stuff in that you know will be disregarded with impunity is not good. Mike, listening to Ken Burns' Prohibition in the background From michael.d.adams@gmail.com Thu Dec 1 18:58:13 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58EE51F0C5E for ; Thu, 1 Dec 2011 18:58:13 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.677 X-Spam-Level: X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_72=0.6, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OLYBtJlSUTPj for ; Thu, 1 Dec 2011 18:58:12 -0800 (PST) Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 988CD1F0C35 for ; Thu, 1 Dec 2011 18:58:12 -0800 (PST) Received: by ggnp4 with SMTP id p4so2989793ggn.31 for ; Thu, 01 Dec 2011 18:58:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=QvacvTvHsp/bFC9uA/34NU8f3orFSRzbMflxudWuKPQ=; b=SD4G3a1e7nj0p8dnG3acX+g7HcRAyUt6pgHCUxv+8h9hDwJtWq7rVJKZed3FCddnTP NkuxBE6FPoiK5H1pfQTuN3sdKKfJ1FdQDoSrGaRo2hP9/G96ZQgWQPKmKmIfHrloujpc B835RHBkgX1BdrowG9JLcWatyxtwfjrCS35WE= Received: by 10.101.208.36 with SMTP id k36mr1111315anq.134.1322794692171; Thu, 01 Dec 2011 18:58:12 -0800 (PST) MIME-Version: 1.0 Sender: michael.d.adams@gmail.com Received: by 10.101.116.15 with HTTP; Thu, 1 Dec 2011 18:57:51 -0800 (PST) In-Reply-To: <4ED837A5.502@cs.tcd.ie> References: <4ED82D62.3070800@cs.tcd.ie> <4ED837A5.502@cs.tcd.ie> From: Michael D Adams Date: Thu, 1 Dec 2011 18:57:51 -0800 X-Google-Sender-Auth: L2-SQnGlqpNNAN1FiFIcxUCLPQY Message-ID: To: Stephen Farrell Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 02:58:13 -0000 On Thu, Dec 1, 2011 at 6:27 PM, Stephen Farrell wrote: > On 12/02/2011 02:14 AM, Michael D Adams wrote: >> Suppose an authorization server implements OAuth2 and has some >> requirement that the MTI token type doesn't provide (as William Mills >> suggested), so the server implements token type AWESOME in addition to >> token type MTI. >> >> Whenever a token is requested, the authorization server issues one of >> type AWESOME. =A0Type MTI is never issued. >> >> Why bother implementing type MTI if it's never used? > > That, I think, assumes that the requesting party only ever works with > the AWESOME token-type issuer. Seems a shame to me that whoever wrote > that code can't work with any other MTI token-type issuer as well, at > least. Sorry, I was unclear. Suppose awesome.com only issues token of type AWESOME and mti.com only issues tokens of type MTI. Suppose further that client X understands how to handle both types of tokens and can receive and use tokens from both awesome.com and mti.com. My question does not concern the client. My question is: Why should awesome.com bother implementing type MTI if it will never issue such a token? >> Additionally, the authorization server could not implement type MTI >> but claim it did. =A0There's no way for a third party to verify the >> claim since the authorization server never issues a token of type MTI. > > Irrelevant. I could claim to be handsome. Would work equally > well. I claim the argument helps show the meaninglessness of defining an MTI token type, but I think my statement of it is poorly formulated and trying to restate it more clearly will just take us down a road with as much relevance to the discussion as you grant my initial statement :) So I concede. >> If tokens of type MTI are never used by this server, how does the MTI >> token type help interop?Is your argument that this server would say >> >> "No, we do not support OAuth2. =A0We do, however, support >> OAuth2+AWESOME."? =A0That semantic argument I understand, but I am >> ignorant as to how/if it fits into the RFC. > > No, my argument is that there are many servers and many clients on > the Internet and having them all have a way to interop, if they > choose to do so, is a good thing in itself. Writing an RFC so that > its a random pick as to whether they do or don't interop is not IMO > a good thing. Thanks. I understand better what you're saying. I believe you're saying: 1. In a world where there is a MTI token type, my hypothetical only-issue-tokens-of-type-AWESOME has explicitly opted out of interoperability. 2. In a world where there is no MTI token type, interoperability becomes ad hoc and so non-existant. From barryleiba@gmail.com Thu Dec 1 19:20:27 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FF3A1F0CAF for ; Thu, 1 Dec 2011 19:20:26 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -103.124 X-Spam-Level: X-Spam-Status: No, score=-103.124 tagged_above=-999 required=5 tests=[AWL=-0.147, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pm7iSToRWaKp for ; Thu, 1 Dec 2011 19:20:25 -0800 (PST) Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 90ABF1F0C93 for ; Thu, 1 Dec 2011 19:20:23 -0800 (PST) Received: by ywm13 with SMTP id 13so2997200ywm.31 for ; Thu, 01 Dec 2011 19:20:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=baXdOTUySUuUSFDIomSAbfpEatKgUNuWyyMJnCZzvto=; b=SFvk4TDRXk29V6P/tBhwWD3lm3NzVYDfTvsCna2scvLuCSGjHmBldiDhyt0TUlBmN7 7dCg3tlbjY9EDudOAInr8ZetE2e6zV9nI4dkCwc0zd77MnnOVO1EQwo8mY/alXwomazc J07+hYAVW4Z8SaCeLe4cjDzbY8ePZmW/kK45w= MIME-Version: 1.0 Received: by 10.236.201.194 with SMTP id b42mr16134948yho.32.1322796023131; Thu, 01 Dec 2011 19:20:23 -0800 (PST) Sender: barryleiba@gmail.com Received: by 10.236.110.49 with HTTP; Thu, 1 Dec 2011 19:20:22 -0800 (PST) In-Reply-To: <4ED82D62.3070800@cs.tcd.ie> References: <4ED82D62.3070800@cs.tcd.ie> Date: Thu, 1 Dec 2011 22:20:22 -0500 X-Google-Sender-Auth: 9XtWyjbtf4aa27QY4_DSqVSTdUY Message-ID: From: Barry Leiba To: Stephen Farrell Content-Type: text/plain; charset=ISO-8859-1 Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 03:20:27 -0000 >> So an MTI token type + no client preference is equivalent to there >> only existing one token type. > > Maybe. > > However, no MTI token type + no client preference = no interop. I think this exchange, coupled with what you Stephen said in Taipei (noting that "mandatory to implement" doesn't mean "mandatory to use"), points out a basic difference between how Stephen is thinking about this and how at least some of the WG participants are. Let me see if calling this out helps: Stephen is thinking that code will be reused. Perhaps there'll be a limited number of coded toolkits, and their code will be used to implement various authorization servers, etc. That's the way a lot of Internet code is done today. In that case, Stephen posits, if we tell the toolkit writers that they MUST implement X, then at least when X is being used, implementations based on the different toolkits can always interoperate. Lacking that directive, a toolkit that only implements X will be unable to interoperate with a toolkit that only implements Y. Others are thinking that deployed code will be specific to a particular environment, and it doesn't help at all for that code to support X if the environment demands Y. There's no interop benefit from the "MUST implement X" directive if the code has been written specifically for that environment, and, as Mike T says, it only results in untested code and wasted development time. I see both sides of this, but in the end I think what Mike says is spot on, here. I think it would be very nice to strongly encourage toolkit writers to support all the available options, but there's absolutely no reason to require, and no benefit in requiring, purpose-built code to do anything of the sort. Maybe what would work best is some text that suggests what I say above: that toolkits intended for use in implementing OAuth services in general... implement [X and/or Y], and that code written for a specific environment implement what makes sense for that environment. It seems to me that to require any particular implementation in the latter case is arbitrary and counter-productive, and doesn't help anything interoperate. Whereas general-purpose toolkits that implement everything DO help interop. Barry, as participant From wmills@yahoo-inc.com Thu Dec 1 20:59:04 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4872311E80AA for ; Thu, 1 Dec 2011 20:59:04 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -17.523 X-Spam-Level: X-Spam-Status: No, score=-17.523 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MaCmrgEUHLTk for ; Thu, 1 Dec 2011 20:59:03 -0800 (PST) Received: from nm27.bullet.mail.ac4.yahoo.com (nm27.bullet.mail.ac4.yahoo.com [98.139.52.224]) by ietfa.amsl.com (Postfix) with SMTP id 4FD0611E80A6 for ; Thu, 1 Dec 2011 20:59:03 -0800 (PST) Received: from [98.139.52.196] by nm27.bullet.mail.ac4.yahoo.com with NNFMP; 02 Dec 2011 04:58:56 -0000 Received: from [98.139.52.156] by tm9.bullet.mail.ac4.yahoo.com with NNFMP; 02 Dec 2011 04:58:56 -0000 Received: from [127.0.0.1] by omp1039.mail.ac4.yahoo.com with NNFMP; 02 Dec 2011 04:58:56 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 244873.34684.bm@omp1039.mail.ac4.yahoo.com Received: (qmail 38105 invoked by uid 60001); 2 Dec 2011 04:58:55 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1322801935; bh=CX95AztNtxsJUZSjWPx5qVIdaRMzxUjtOp3wbGXR+WQ=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=p7usqffQ/b1OEAjTid4Ex84tBRyznNGPSdyqgXj8vnVUZBoBM486tWZkir/B/4KMqqQ+dmJj52uZzDEfqLRPL0tvGBnAcLHFpcHEClR7z+julqZjxUJH5u4grVN7Dfz1B7aK0PhyWlFAVsVoto1PmxYUkSqGbe1X2tL60G02eh0= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=VWbGGT6bwAPQrt/CnW/y6QUmctQhonzAUzJd8VdbDu+ipAl7DK84d6HW8dl0DeUsSWOtAQmohUd6oOoSvHjXS2qnomXqdClICi7OYrUlUsXpZaCwJMXeNckxvbCoAkmmkGeUKYxNIEE5nG02x7lFPOTjqAuGjvRDE20bFg1RvC0=; X-YMail-OSG: YPhiwNIVM1lJBzugdlbFPBor94nnm8uDpeRJz9JyGg2m9QK sN95WyzS9Kl57dXkAaRlrnHcR3hdE_q_4p6zzTcVaYSxXwDked7bWgs96vYT SxJWacefaWIzagTqDoQpyh9hT_XSJkm_mqYCu0I0b8USpv7_b2m53UlMso0X wou0366L3IK9G.80NM_Thcz2aXs17hjhFMrtZlnVz_Rh_9YFPAK3U8O6t2WA snxp7M2cZMv6inef0hB8P.eFjxMpg_MUlqcH9kkYSCNMtgdiiux8XMxlyY42 jKSAulQphyhfPO.H0_UglHqfSuDROe3ZDb3FBeMFNdza003NbETnN0L0vF5A N9ZDuWjkn7mJs0AjvBSArZd0umeipZJ6QwaUOGU2Yd6RiD5dF7tm_Dxckp1a AMiFlURejyXSGMem.fFJ2YKw- Received: from [99.31.212.42] by web31806.mail.mud.yahoo.com via HTTP; Thu, 01 Dec 2011 20:58:55 PST X-RocketYMMF: william_john_mills X-Mailer: YahooMailWebService/0.8.116.331537 References: <4ED82D62.3070800@cs.tcd.ie> Message-ID: <1322801935.94232.YahooMailNeo@web31806.mail.mud.yahoo.com> Date: Thu, 1 Dec 2011 20:58:55 -0800 (PST) From: William Mills To: Michael D Adams , Stephen Farrell In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="-1055047407-1613328379-1322801935=:94232" Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: William Mills List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 04:59:04 -0000 ---1055047407-1613328379-1322801935=:94232 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable The problem is that token type AWESOME may have different mechanics for sub= mission.=A0 The client has to know how to use it.=A0 I do agree we have a d= isconnect here, and that what we have right now leans completely on "readin= g the service documentation" for the Auth and RP endpoints you want to use.= =0A=0A=0A=0A________________________________=0A From: Michael D Adams =0ATo: Stephen Farrell =0ACc: B= arry Leiba ; oauth WG =0ASent: Th= ursday, December 1, 2011 6:14 PM=0ASubject: Re: [OAUTH-WG] Mandatory-to-imp= lement token type=0A =0AOn Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell=0A<= stephen.farrell@cs.tcd.ie> wrote:=0A> On 12/02/2011 01:38 AM, Michael D Ada= ms wrote:=0A>> So an MTI token type + no client preference is equivalent to= there=0A>> only existing one token type.=0A>=0A> Maybe.=0A>=0A> However, n= o MTI token type + no client preference =3D no interop.=0A>=0A> So I don't = get your argument. (When thinking of interop.)=0A=0AI think it's me that do= esn't understand your argument.=0A=0ASuppose an authorization server implem= ents OAuth2 and has some=0Arequirement that the MTI token type doesn't prov= ide (as William Mills=0Asuggested), so the server implements token type AWE= SOME in addition to=0Atoken type MTI.=0A=0AWhenever a token is requested, t= he authorization server issues one of=0Atype AWESOME.=A0 Type MTI is never = issued.=0A=0AWhy bother implementing type MTI if it's never used?=0A=0AAddi= tionally, the authorization server could not implement type MTI=0Abut claim= it did.=A0 There's no way for a third party to verify the=0Aclaim since th= e authorization server never issues a token of type MTI.=0A=0AIf tokens of = type MTI are never used by this server, how does the MTI=0Atoken type help = interop?=A0 Is your argument that this server would say=0A"No, we do not su= pport OAuth2.=A0 We do, however, support=0AOAuth2+AWESOME."?=A0 That semant= ic argument I understand, but I am=0Aignorant as to how/if it fits into the= RFC.=0A_______________________________________________=0AOAuth mailing lis= t=0AOAuth@ietf.org=0Ahttps://www.ietf.org/mailman/listinfo/oauth ---1055047407-1613328379-1322801935=:94232 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
The problem is that token type AWESOME may have different mechanics for s= ubmission.  The client has to know how to use it.  I do agree we = have a disconnect here, and that what we have right now leans completely on= "reading the service documentation" for the Auth and RP endpoints you want= to use.

From: Michael D Adams <mike@automattic.com>=
To: Stephen Farrell &= lt;stephen.farrell@cs.tcd.ie>
Cc: Barry Leiba <barryleiba@computer.org>; oauth W= G <oauth@ietf.org>
Sent: Thursday, December 1, 2011 6:14 PM
Subject: Re: [OAUTH-WG] Mandatory-to-implement token= type

=0AOn Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell<stephen.farrell@cs.tcd.ie> wrote:
> On 12/= 02/2011 01:38 AM, Michael D Adams wrote:
>> So an MTI token type += no client preference is equivalent to there
>> only existing one = token type.
>
> Maybe.
>
> However, no MTI token ty= pe + no client preference =3D no interop.
>
> So I don't get yo= ur argument. (When thinking of interop.)

I think it's me that doesn'= t understand your argument.

Suppose an authorization server implemen= ts OAuth2 and has some
requirement that the MTI token type doesn't provi= de (as William Mills
suggested), so the server implements token type AWE= SOME in addition to
token type MTI.

Whenever a token is requested= , the authorization server issues one of
type AWESOME.  Type MTI is= never issued.

Why bother implementing type MTI if it's never used?
Additionally, the authorization server could not implement type MTI
but= claim it did.  There's no way for a third party to verify the
clai= m since the authorization server never issues a token of type MTI.

I= f tokens of type MTI are never used by this server, how does the MTI
tok= en type help interop?  Is your argument that this server would say
= "No, we do not support OAuth2.  We do, however, support
OAuth2+AWES= OME."?  That semantic argument I understand, but I am
ignorant as t= o how/if it fits into the RFC.
_________________________________________= ______
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailma= n/listinfo/oauth


---1055047407-1613328379-1322801935=:94232-- From stephen.farrell@cs.tcd.ie Fri Dec 2 00:59:55 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF6C521F9383 for ; Fri, 2 Dec 2011 00:59:55 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.276 X-Spam-Level: X-Spam-Status: No, score=-102.276 tagged_above=-999 required=5 tests=[AWL=-0.277, BAYES_00=-2.599, J_CHICKENPOX_71=0.6, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1vphPnglXK5V for ; Fri, 2 Dec 2011 00:59:55 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 1D87D21F9377 for ; Fri, 2 Dec 2011 00:59:54 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 8F70B153C12; Fri, 2 Dec 2011 08:59:52 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1322816391; bh=YGpDkJSgE/N7e+ iGqH+5GZdlYiMTV1ZxgiqLk8eHD58=; b=1Gz/HpISHfBZqA2/NsHeViufM3RYeU QvVWST50Kr44TYG+o97O0G5xDv2C9dmBXWtx7v+NKF3o3ru9aAG50z5oMAmEWndr qSPyddjtpsBHBJJw7pH88a7vf9W2TBmCDHgwBxnXigfpJEK/BlUUMDD1jHqYpV1P JOFomQmDhjYM01B6x8nnAHD+xbxab2QdCtBim4yzYzz31Pl+lYMzOzkFikgWaDvP c9fyy1HEa3xbKZM9EHr/YDmxMTayUhaUx0Y+xQRKXrUFVQSOpwN3Kie3IGizx4Wd 9eeu9ytLuRStOejvcypdOBHlbGWIG/lIvmpqQuAFenRK1wNcfLbXnr4A== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id UgmtaK-kq7et; Fri, 2 Dec 2011 08:59:51 +0000 (GMT) Received: from [10.87.48.9] (unknown [86.41.14.223]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 15DCA15364F; Fri, 2 Dec 2011 08:59:49 +0000 (GMT) Message-ID: <4ED89384.9060603@cs.tcd.ie> Date: Fri, 02 Dec 2011 08:59:48 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Barry Leiba References: <4ED82D62.3070800@cs.tcd.ie> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 08:59:55 -0000 Hi Barry, On 12/02/2011 03:20 AM, Barry Leiba wrote: > Maybe what would work best is some text that suggests what I say > above: that toolkits intended for use in implementing OAuth services > in general... implement [X and/or Y], and that code written for a > specific environment implement what makes sense for that environment. > It seems to me that to require any particular implementation in the > latter case is arbitrary and counter-productive, and doesn't help > anything interoperate. Whereas general-purpose toolkits that > implement everything DO help interop.j That'd work just fine for me. > Barry, as participant Stephen, as breakfast eater:-) From bart@all4students.nl Fri Dec 2 01:02:23 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6498521F9383 for ; Fri, 2 Dec 2011 01:02:23 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.739 X-Spam-Level: X-Spam-Status: No, score=0.739 tagged_above=-999 required=5 tests=[AWL=0.643, BAYES_00=-2.599, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, J_CHICKENPOX_71=0.6] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cVj3rTqZXjGf for ; Fri, 2 Dec 2011 01:02:22 -0800 (PST) Received: from mx-out14.all4students.nl (mx-out14.all4students.nl [89.188.22.31]) by ietfa.amsl.com (Postfix) with ESMTP id 8FDE821F9935 for ; Fri, 2 Dec 2011 01:02:22 -0800 (PST) Received: from mx-out14.all4students.nl (localhost [127.0.0.1]) by mx-out14.all4students.nl (Postfix) with ESMTP id 70FBD94395 for ; Fri, 2 Dec 2011 10:02:21 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=studenten.net; h= mime-version:content-type:content-transfer-encoding:subject:date :message-id:in-reply-to:references:from:to:cc; s=selector1; bh=9 M6baPErJx9w20a5oeAhwqAUVbE=; b=dvLSgen7PMBGzt5IYN+n9KDkqT8IzIXwW F3DeI/6qeS/bBpfqXJe2cpxTYX+XUdkYzXv6C24IL3ZisOb3oyVN69Zma3tGF9+M mVbLfjdw7qhLYW6aZ6mnzyTMwT3DbQ698pN8X0/LCkBMtXXxUHId03cFQ2SDUnTP cj68kC2+so= Received: from all4students.nl (ip189-178-172-82.adsl2.static.versatel.nl [82.172.178.189]) by mx-out14.all4students.nl (Postfix) with ESMTP id 4507F94368; Fri, 2 Dec 2011 10:02:21 +0100 (CET) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Fri, 2 Dec 2011 10:02:20 +0100 Message-ID: In-Reply-To: <4ED89384.9060603@cs.tcd.ie> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [OAUTH-WG] Mandatory-to-implement token type Thread-Index: Acyw0MyLpjbFrns8S82UCCxx8V3XmAAAA0KA References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> From: "Bart Wiegmans" To: "Stephen Farrell" , "Barry Leiba" Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 09:02:23 -0000 Just chipping in: I'd think [X and/or Y] should be Bearer and MAC, respectively. Between them I think they can cover a lot of use cases. Regards, Bart -----Oorspronkelijk bericht----- Van: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] Namens Stephen Farrell Verzonden: vrijdag 2 december 2011 10:00 Aan: Barry Leiba CC: oauth WG Onderwerp: Re: [OAUTH-WG] Mandatory-to-implement token type Hi Barry, On 12/02/2011 03:20 AM, Barry Leiba wrote: > Maybe what would work best is some text that suggests what I say > above: that toolkits intended for use in implementing OAuth services=20 > in general... implement [X and/or Y], and that code written for a=20 > specific environment implement what makes sense for that environment. > It seems to me that to require any particular implementation in the=20 > latter case is arbitrary and counter-productive, and doesn't help=20 > anything interoperate. Whereas general-purpose toolkits that=20 > implement everything DO help interop.j That'd work just fine for me. > Barry, as participant Stephen, as breakfast eater:-) _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From romeda@gmail.com Fri Dec 2 05:10:29 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 771ED21F9912 for ; Fri, 2 Dec 2011 05:10:29 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -103.599 X-Spam-Level: X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4rXR8CbJiWkV for ; Fri, 2 Dec 2011 05:10:28 -0800 (PST) Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 621E921F9837 for ; Fri, 2 Dec 2011 05:10:28 -0800 (PST) Received: by ggnp4 with SMTP id p4so3495732ggn.31 for ; Fri, 02 Dec 2011 05:10:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=FdcALfY8rEwFJkDcflPvia/Udftfz5w7eb3DrnuUOaQ=; b=YzVXAmEXKvAyPm1MBLsnB5DX+Q1giqmVnPZfK8WQoaBL5YLk+bhWVMAvKJ9ayGi2Nj VyA9FxQfGGL6uRboWvUgfZLWyn9126V2d+kWSPs1yWBlifZw/89tS5/40G7hWJ+9DvgX oH+2ccNe32yJ223pGix0SxlNZrXEEh1Kf82GM= Received: by 10.182.5.166 with SMTP id t6mr2328536obt.2.1322831409320; Fri, 02 Dec 2011 05:10:09 -0800 (PST) MIME-Version: 1.0 Received: by 10.182.114.68 with HTTP; Fri, 2 Dec 2011 05:09:48 -0800 (PST) In-Reply-To: References: <4ED82D62.3070800@cs.tcd.ie> From: Blaine Cook Date: Fri, 2 Dec 2011 13:09:48 +0000 Message-ID: To: Barry Leiba Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 13:10:29 -0000 On 2 December 2011 03:20, Barry Leiba wrote: > Stephen is thinking that code will be reused. =C2=A0Perhaps there'll be a > limited number of coded toolkits, and their code will be used to > implement various authorization servers, etc. =C2=A0That's the way a lot = of > Internet code is done today. =C2=A0In that case, Stephen posits, if we te= ll > the toolkit writers that they MUST implement X, then at least when X > is being used, implementations based on the different toolkits can > always interoperate. =C2=A0Lacking that directive, a toolkit that only > implements X will be unable to interoperate with a toolkit that only > implements Y. My $0.02 (tl;dr: I agree with Barry): Libraries are the point of code re-use for OAuth at the moment. If two libraries (e.g., "Ruby OAuth" and "Java OAuth") implement all the necessary bits of OAuth, then people using those libraries can expect (or hope for) interop. We cannot force compliance, but we can mandate it. If a service provider chooses to allow only a subset of OAuth's functionality, and a general-purpose tool (i.e., NOT a library, though perhaps written using a library) doesn't support that subset, then obviously the implementations are not interoperable. However, more likely than not, tools are designed to be used against specific service providers OR other standards (which would in either case mandate the way(s) in which to use OAuth). SO, having Mandatory to Implement schemes in the general sense is pointless= . BUT, having BOTH Bearer and MAC be Mandatory to Implement for general-purpose libraries IS useful, and will help interop (assuming library authors bother to follow the spec). b. From jerome.marcon@alcatel-lucent.com Fri Dec 2 05:47:09 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5149921F8DEB for ; Fri, 2 Dec 2011 05:47:09 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.249 X-Spam-Level: X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A+d2uezh64ah for ; Fri, 2 Dec 2011 05:47:08 -0800 (PST) Received: from smail3.alcatel.fr (smail3.alcatel.fr [62.23.212.56]) by ietfa.amsl.com (Postfix) with ESMTP id 7E0A321F8DE6 for ; Fri, 2 Dec 2011 05:47:04 -0800 (PST) Received: from FRMRSSXCHHUB02.dc-m.alcatel-lucent.com (FRMRSSXCHHUB02.dc-m.alcatel-lucent.com [135.120.45.62]) by smail3.alcatel.fr (8.14.3/8.14.3/ICT) with ESMTP id pB2Dku0w011239 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for ; Fri, 2 Dec 2011 14:47:02 +0100 Received: from FRMRSSXCHMBSA2.dc-m.alcatel-lucent.com ([135.120.45.34]) by FRMRSSXCHHUB02.dc-m.alcatel-lucent.com ([135.120.45.62]) with mapi; Fri, 2 Dec 2011 14:46:56 +0100 From: "MARCON, JEROME (JEROME)" To: "oauth@ietf.org" Date: Fri, 2 Dec 2011 14:46:55 +0100 Thread-Topic: [OAUTH-WG] [oauth] #27: Incorporate bearer "scope" character restrictions into the base spec Thread-Index: AcyO4SjsM77LWWueRGCcTBJU/UeC4wiFpQVw Message-ID: Accept-Language: fr-FR, en-US Content-Language: fr-FR X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: fr-FR, en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.69 on 155.132.188.83 Subject: [OAUTH-WG] TR: [oauth] #27: Incorporate bearer "scope" character restrictions into the base spec X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 13:47:09 -0000 Hello everyone, Does someone know if ticket#27 (Incorporate bearer "scope" character restri= ctions into the base spec) is still planned to be resolved ?=20 Many thanks, Jerome Marcon -----Message d'origine----- De=A0: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] De la part de= oauth issue tracker Envoy=E9=A0: jeudi 20 octobre 2011 06:31 =C0=A0: barryleiba@computer.org Cc=A0: oauth@ietf.org Objet=A0: [OAUTH-WG] [oauth] #27: Incorporate bearer "scope" character rest= rictions into the base spec #27: Incorporate bearer "scope" character restrictions into the base spec This is part of the resolution of issue #26, as discussed on the mailing list: Can you please open an issue for the core spec to incorporate the scope character restrictions from the bearer spec into the core spec? These restrictions are: scope =3D "scope" "=3D" <"> scope-val *( SP scope-val ) <"> scope-val =3D 1*scope-val-char scope-val-char =3D %x21 / %x23-5B / %x5D-7E --=20 --------------------------------+------------------------------------ Reporter: barryleiba@. | Owner: Type: task | Status: new Priority: minor | Milestone: Deliver OAuth 2.0 spec Component: v2 | Version: Severity: Active WG Document | Keywords: --------------------------------+------------------------------------ Ticket URL: oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From eran@hueniverse.com Fri Dec 2 07:21:56 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 163C621F8C44 for ; Fri, 2 Dec 2011 07:21:56 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.498 X-Spam-Level: X-Spam-Status: No, score=-2.498 tagged_above=-999 required=5 tests=[AWL=0.101, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9OE6ABTmumYr for ; Fri, 2 Dec 2011 07:21:55 -0800 (PST) Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 7806E21F8C43 for ; Fri, 2 Dec 2011 07:21:52 -0800 (PST) Received: (qmail 26088 invoked from network); 2 Dec 2011 15:21:47 -0000 Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 2 Dec 2011 15:21:33 -0000 Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Fri, 2 Dec 2011 08:21:27 -0700 From: Eran Hammer-Lahav To: "MARCON, JEROME (JEROME)" , "oauth@ietf.org" Date: Fri, 2 Dec 2011 08:21:18 -0700 Thread-Topic: [OAUTH-WG] TR: [oauth] #27: Incorporate bearer "scope" character restrictions into the base spec Thread-Index: AcyO4SjsM77LWWueRGCcTBJU/UeC4wiFpQVwAAOSJfA= Message-ID: <90C41DD21FB7C64BB94121FBBC2E723452856C7184@P3PW5EX1MB01.EX1.SECURESERVER.NET> References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [OAUTH-WG] TR: [oauth] #27: Incorporate bearer "scope" character restrictions into the base spec X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 15:21:56 -0000 It has to be. > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of MARCON, JEROME (JEROME) > Sent: Friday, December 02, 2011 5:47 AM > To: oauth@ietf.org > Subject: [OAUTH-WG] TR: [oauth] #27: Incorporate bearer "scope" character > restrictions into the base spec >=20 > Hello everyone, >=20 > Does someone know if ticket#27 (Incorporate bearer "scope" character > restrictions into the base spec) is still planned to be resolved ? >=20 > Many thanks, > Jerome Marcon >=20 > -----Message d'origine----- > De=A0: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] De la part = de > oauth issue tracker Envoy=E9=A0: jeudi 20 octobre 2011 06:31 =C0=A0: > barryleiba@computer.org Cc=A0: oauth@ietf.org Objet=A0: [OAUTH-WG] [oauth= ] > #27: Incorporate bearer "scope" character restrictions into the base spec >=20 > #27: Incorporate bearer "scope" character restrictions into the base spec >=20 > This is part of the resolution of issue #26, as discussed on the mailing > list: >=20 > Can you please open an issue for the core spec to incorporate the scope > character restrictions from the bearer spec into the core spec? These > restrictions are: >=20 > scope =3D "scope" "=3D" <"> scope-val *( SP scope-val ) <"> > scope-val =3D 1*scope-val-char > scope-val-char =3D %x21 / %x23-5B / %x5D-7E >=20 > -- > --------------------------------+------------------------------------ > Reporter: barryleiba@. | Owner: > Type: task | Status: new > Priority: minor | Milestone: Deliver OAuth 2.0 spec > Component: v2 | Version: > Severity: Active WG Document | Keywords: > --------------------------------+------------------------------------ >=20 > Ticket URL: > oauth >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From jricher@mitre.org Fri Dec 2 10:45:23 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4C701F0C36 for ; Fri, 2 Dec 2011 10:45:23 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.598 X-Spam-Level: X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O2XXv+haRmh6 for ; Fri, 2 Dec 2011 10:45:23 -0800 (PST) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id ED44F21F8C33 for ; Fri, 2 Dec 2011 10:45:22 -0800 (PST) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id CA2FC21B1442 for ; Fri, 2 Dec 2011 13:45:21 -0500 (EST) Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtpksrv1.mitre.org (Postfix) with ESMTP id AAAE921B18A6 for ; Fri, 2 Dec 2011 13:45:21 -0500 (EST) Received: from [129.83.50.8] (129.83.50.8) by imchub1.MITRE.ORG (129.83.29.73) with Microsoft SMTP Server (TLS) id 8.3.192.1; Fri, 2 Dec 2011 13:45:22 -0500 Message-ID: <4ED91CB4.7090301@mitre.org> Date: Fri, 2 Dec 2011 13:45:08 -0500 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0 MIME-Version: 1.0 To: References: <63366D5A116E514AA4A9872D3C5335395BB5495FBE@QEO40072.de.t-online.corp> In-Reply-To: <63366D5A116E514AA4A9872D3C5335395BB5495FBE@QEO40072.de.t-online.corp> Content-Type: multipart/alternative; boundary="------------000408030103020805040505" Subject: Re: [OAUTH-WG] delete access tokens? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 18:45:23 -0000 --------------000408030103020805040505 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit Specifically, the DELETE method was rejected as tokens aren't necessarily directly URL-addressable from the token endpoint. Shoehorning that requirement in order to make it feel more RESTful was more of a hack than a few folks (myself included) really wanted to make. -- Justin On 11/29/2011 08:08 AM, Lodderstedt, Torsten wrote: > > Hi Bart, > > I think this would be a truly RESTful approach. The group discussed > this topic several months ago and consensus was to use another > endpoint for token revocation (== deletion). Pls. take a look onto > http://tools.ietf.org/html/draft-lodderstedt-oauth-revocation-02. > > regards, > > Torsten. > > *Von:*Bart Wiegmans [mailto:bart@all4students.nl] > *Gesendet:* Dienstag, 29. November 2011 11:32 > *An:* oauth WG > *Betreff:* [OAUTH-WG] delete access tokens? > > Hello everybody, again. > > This is just me pushing a random idea, but what if you specified that > clients could ask for access token invalidation by making a DELETE > request to the token endpoint? > > Bart Wiegmans > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------000408030103020805040505 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Specifically, the DELETE method was rejected as tokens aren't necessarily directly URL-addressable from the token endpoint. Shoehorning that requirement in order to make it feel more RESTful was more of a hack than a few folks (myself included) really wanted to make.

 -- Justin

On 11/29/2011 08:08 AM, Lodderstedt, Torsten wrote:

Hi Bart,

 

I think this would be a truly RESTful approach. The group discussed this topic several months ago and consensus was to use another endpoint for token revocation (== deletion). Pls. take a look onto http://tools.ietf.org/html/draft-lodderstedt-oauth-revocation-02.

 

regards,

Torsten.

 

Von: Bart Wiegmans [mailto:bart@all4students.nl]
Gesendet: Dienstag, 29. November 2011 11:32
An: oauth WG
Betreff: [OAUTH-WG] delete access tokens?

 

Hello everybody, again.

 

This is just me pushing a random idea, but what if you specified that clients could ask for access token invalidation by making a DELETE request to the token endpoint?

 

Bart Wiegmans

 



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------000408030103020805040505-- From jricher@mitre.org Fri Dec 2 12:08:27 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB39A1F0C49 for ; Fri, 2 Dec 2011 12:08:27 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.298 X-Spam-Level: X-Spam-Status: No, score=-6.298 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_72=0.6, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fjhl57XSXeep for ; Fri, 2 Dec 2011 12:08:26 -0800 (PST) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 68FF11F0C5A for ; Fri, 2 Dec 2011 12:08:26 -0800 (PST) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id E11F821B024A for ; Fri, 2 Dec 2011 15:08:21 -0500 (EST) Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtpksrv1.mitre.org (Postfix) with ESMTP id CAA4921B013B for ; Fri, 2 Dec 2011 15:08:21 -0500 (EST) Received: from [129.83.50.8] (129.83.50.8) by imchub1.MITRE.ORG (129.83.29.73) with Microsoft SMTP Server (TLS) id 8.3.192.1; Fri, 2 Dec 2011 15:08:21 -0500 Message-ID: <4ED93028.6030206@mitre.org> Date: Fri, 2 Dec 2011 15:08:08 -0500 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0 MIME-Version: 1.0 To: "oauth@ietf.org" References: <4ED9300B.3000009@mitre.org> In-Reply-To: <4ED9300B.3000009@mitre.org> X-Forwarded-Message-Id: <4ED9300B.3000009@mitre.org> Content-Type: multipart/alternative; boundary="------------090209000002000004060702" Subject: [OAUTH-WG] Fwd: Re: Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 20:08:27 -0000 --------------090209000002000004060702 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit Forwarding my response to the list. (oops) -- Justin -------- Original Message -------- Subject: Re: [OAUTH-WG] Mandatory-to-implement token type Date: Fri, 02 Dec 2011 15:07:39 -0500 From: Justin Richer To: Stephen Farrell I still don't think that having an MTI token type actually buys us anything, and what I *really* don't understand from this entire argument is the weight that's being put behind "Compliance with OAuth2" and what that means. With no MTI token type, we can still have interop for people who claim to be compliant with "OAuth2 + OAuth2 Bearer", or to borrow the example below, compliant with "OAuth2 + AWESOME". Both of these are compliant with "OAuth2" because they use OAuth2 to issue their tokens. *Those* parts of the library should work just fine to interop between each other. Since you're getting a JSON or fragment-encoded structure back as the token, you should be able to toss that into some kind of generic data structure and hand it to the token-handling part of your library, which is going to need more smarts to know what to do with it. A robust OAuth2 library, from server or client perspective, will likely do both Bearer and Mac and let you pick which you want. A good discovery system will aid that. An extended library will give you AWESOME tokens as well. *All* of these should be called compliant with OAuth2, in my opinion, and in this case it would be compliant with "OAuth2 + Bearer + MAC + AWESOME". A great library indeed! Making a MTI misses the point of the composability of the system, does absolutely nothing for real-world interop due to reasons I've already laid out in previous emails, will cause people to ignore the spec and be in noncompliance for something they think is dumb, have unused and untested code just to claim compliance that nobody cares about, and ultimately makes us look a bit silly for insisting that one solution will fit all use cases and that we can have any sense of real authority in this over developers. I'd like to point out that there's no MTI token-acquisition flow, which is arguably more important for worldwide interop and just as untenable a solution given the reality of the internet -- and I can also guarantee that we will never see agreement over an MTI grant type / token flow due to the simple fact that some instances will only do client credentials for 2-legged and some will do code for 3-legged, and the two of those probably don't want to talk to each other. In summary, I suggest that "compliance with OAuth2" be defined in terms of each of the separate composable documents and their combinations, and that "compliance with OAuth2" not be limited to a particular combination of any of them. -- Justin On 12/01/2011 09:27 PM, Stephen Farrell wrote: > > Hiya, > > On 12/02/2011 02:14 AM, Michael D Adams wrote: >> On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell >> wrote: >>> On 12/02/2011 01:38 AM, Michael D Adams wrote: >>>> So an MTI token type + no client preference is equivalent to there >>>> only existing one token type. >>> >>> Maybe. >>> >>> However, no MTI token type + no client preference = no interop. >>> >>> So I don't get your argument. (When thinking of interop.) >> >> I think it's me that doesn't understand your argument. > > That can be mutual:-) > >> Suppose an authorization server implements OAuth2 and has some >> requirement that the MTI token type doesn't provide (as William Mills >> suggested), so the server implements token type AWESOME in addition to >> token type MTI. >> >> Whenever a token is requested, the authorization server issues one of >> type AWESOME. Type MTI is never issued. >> >> Why bother implementing type MTI if it's never used? > > That, I think, assumes that the requesting party only ever works with > the AWESOME token-type issuer. Seems a shame to me that whoever wrote > that code can't work with any other MTI token-type issuer as well, at > least. > >> Additionally, the authorization server could not implement type MTI >> but claim it did. There's no way for a third party to verify the >> claim since the authorization server never issues a token of type MTI. > > Irrelevant. I could claim to be handsome. Would work equally > well. > >> If tokens of type MTI are never used by this server, how does the MTI >> token type help interop?Is your argument that this server would say >> "No, we do not support OAuth2. We do, however, support >> OAuth2+AWESOME."? That semantic argument I understand, but I am >> ignorant as to how/if it fits into the RFC. > > No, my argument is that there are many servers and many clients on > the Internet and having them all have a way to interop, if they > choose to do so, is a good thing in itself. Writing an RFC so that > its a random pick as to whether they do or don't interop is not IMO > a good thing. > > S. > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------090209000002000004060702 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Forwarding my response to the list. (oops)

 -- Justin

-------- Original Message --------
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
Date: Fri, 02 Dec 2011 15:07:39 -0500
From: Justin Richer <jricher@mitre.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie> 


I still don't think that having an MTI token type actually buys us 
anything, and what I *really* don't understand from this entire argument 
is the weight that's being put behind "Compliance with OAuth2" and what 
that means.

With no MTI token type, we can still have interop for people who claim 
to be compliant with "OAuth2 + OAuth2 Bearer", or to borrow the example 
below, compliant with "OAuth2 + AWESOME". Both of these are compliant 
with "OAuth2" because they use OAuth2 to issue their tokens. *Those* 
parts of the library should work just fine to interop between each 
other. Since you're getting a JSON or fragment-encoded structure back as 
the token, you should be able to toss that into some kind of generic 
data structure and hand it to the token-handling part of your library, 
which is going to need more smarts to know what to do with it.

A robust OAuth2 library, from server or client perspective, will likely 
do both Bearer and Mac and let you pick which you want. A good discovery 
system will aid that. An extended library will give you AWESOME tokens 
as well. *All* of these should be called compliant with OAuth2, in my 
opinion, and in this case it would be compliant with "OAuth2 + Bearer + 
MAC + AWESOME". A great library indeed!

Making a MTI misses the point of the composability of the system, does 
absolutely nothing for real-world interop due to reasons I've already 
laid out in previous emails, will cause people to ignore the spec and be 
in noncompliance for something they think is dumb, have unused and 
untested code just to claim compliance that nobody cares about, and 
ultimately makes us look a bit silly for insisting that one solution 
will fit all use cases and that we can have any sense of real authority 
in this over developers.

I'd like to point out that there's no MTI token-acquisition flow, which 
is arguably more important for worldwide interop and just as untenable a 
solution given the reality of the internet -- and I can also guarantee 
that we will never see agreement over an MTI grant type / token flow due 
to the simple fact that some instances will only do client credentials 
for 2-legged and some will do code for 3-legged, and the two of those 
probably don't want to talk to each other.

In summary, I suggest that "compliance with OAuth2" be defined in terms 
of each of the separate composable documents and their combinations, and 
that "compliance with OAuth2" not be limited to a particular combination 
of any of them.

 -- Justin

On 12/01/2011 09:27 PM, Stephen Farrell wrote:
>
> Hiya,
>
> On 12/02/2011 02:14 AM, Michael D Adams wrote:
>> On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell
>> <stephen.farrell@cs.tcd.ie>  wrote:
>>> On 12/02/2011 01:38 AM, Michael D Adams wrote:
>>>> So an MTI token type + no client preference is equivalent to there
>>>> only existing one token type.
>>>
>>> Maybe.
>>>
>>> However, no MTI token type + no client preference = no interop.
>>>
>>> So I don't get your argument. (When thinking of interop.)
>>
>> I think it's me that doesn't understand your argument.
>
> That can be mutual:-)
>
>> Suppose an authorization server implements OAuth2 and has some
>> requirement that the MTI token type doesn't provide (as William Mills
>> suggested), so the server implements token type AWESOME in addition to
>> token type MTI.
>>
>> Whenever a token is requested, the authorization server issues one of
>> type AWESOME.  Type MTI is never issued.
>>
>> Why bother implementing type MTI if it's never used?
>
> That, I think, assumes that the requesting party only ever works with
> the AWESOME token-type issuer. Seems a shame to me that whoever wrote
> that code can't work with any other MTI token-type issuer as well, at
> least.
>
>> Additionally, the authorization server could not implement type MTI
>> but claim it did.  There's no way for a third party to verify the
>> claim since the authorization server never issues a token of type MTI.
>
> Irrelevant. I could claim to be handsome. Would work equally
> well.
>
>> If tokens of type MTI are never used by this server, how does the MTI
>> token type help interop?Is your argument that this server would say
>> "No, we do not support OAuth2.  We do, however, support
>> OAuth2+AWESOME."?  That semantic argument I understand, but I am
>> ignorant as to how/if it fits into the RFC.
>
> No, my argument is that there are many servers and many clients on
> the Internet and having them all have a way to interop, if they
> choose to do so, is a good thing in itself. Writing an RFC so that
> its a random pick as to whether they do or don't interop is not IMO
> a good thing.
>
> S.
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
--------------090209000002000004060702-- From andredemarre@gmail.com Fri Dec 2 14:13:23 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41BA91F0C3F for ; Fri, 2 Dec 2011 14:13:23 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.698 X-Spam-Level: X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_72=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RHJYaPX7vCbn for ; Fri, 2 Dec 2011 14:13:22 -0800 (PST) Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 00BFE21F8C34 for ; Fri, 2 Dec 2011 14:13:21 -0800 (PST) Received: by iaek3 with SMTP id k3so2592930iae.31 for ; Fri, 02 Dec 2011 14:13:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=8io+x2i2SgywBEbb7o770Z7mdQkfeGtYD3acYhY3XFQ=; b=v7Lkc8Bbo9W3irwyXJtoitUO6O2oM0nvn7l8ly6IkKkOr3tTjLQAbIdbGQ3TvRlldf 0atgRiwii+jnqZvI09nkte0Y9xwaXbOD+HmfRVjriI2ymtahkgRXsmAVVqwfU61R1wPj tCaAiHlVxiRtoePUIMwx02jhvxzSENvWMFIE8= MIME-Version: 1.0 Received: by 10.231.82.11 with SMTP id z11mr23218ibk.77.1322864000124; Fri, 02 Dec 2011 14:13:20 -0800 (PST) Received: by 10.42.141.202 with HTTP; Fri, 2 Dec 2011 14:13:20 -0800 (PST) In-Reply-To: <4ED93028.6030206@mitre.org> References: <4ED9300B.3000009@mitre.org> <4ED93028.6030206@mitre.org> Date: Fri, 2 Dec 2011 14:13:20 -0800 Message-ID: From: =?ISO-8859-1?Q?Andr=E9_DeMarre?= To: OAuth WG Content-Type: multipart/alternative; boundary=000e0cd6b326d047da04b32346a3 Subject: Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 22:13:23 -0000 --000e0cd6b326d047da04b32346a3 Content-Type: text/plain; charset=ISO-8859-1 +1 A server will issue whichever token types satisfy its own requirements, so IMHO the idea of an MTI token type is a concern for client implementations. We can distinguish between two categories of clients: (1) interoperable clients and (2) service-specific clients. Obviously, service-specific clients must implement the token types used by the authorization server. Interoperable clients (probably OAuth client libraries) is where an MTI token type might have value. We can extend the differentiation of interoperable/service-specific to authorization servers as well, where a generic OAuth server library is an interoperable server, but it becomes a service-specific server when it is used to implement an actual service. Is this a good compromise? If the spec defines interoperable and service-specific clients and servers in such a way, then it can claim that interoperable clients and servers must implement bearer tokens (for example), but service-specific clients and servers have no MTI token type. Regards, Andre DeMarre On Fri, Dec 2, 2011 at 12:08 PM, Justin Richer wrote: > Forwarding my response to the list. (oops) > > -- Justin > > -------- Original Message -------- Subject: Re: [OAUTH-WG] > Mandatory-to-implement token type Date: Fri, 02 Dec 2011 15:07:39 -0500 From: > Justin Richer To: Stephen > Farrell > > I still don't think that having an MTI token type actually buys us > anything, and what I *really* don't understand from this entire argument > is the weight that's being put behind "Compliance with OAuth2" and what > that means. > > With no MTI token type, we can still have interop for people who claim > to be compliant with "OAuth2 + OAuth2 Bearer", or to borrow the example > below, compliant with "OAuth2 + AWESOME". Both of these are compliant > with "OAuth2" because they use OAuth2 to issue their tokens. *Those* > parts of the library should work just fine to interop between each > other. Since you're getting a JSON or fragment-encoded structure back as > the token, you should be able to toss that into some kind of generic > data structure and hand it to the token-handling part of your library, > which is going to need more smarts to know what to do with it. > > A robust OAuth2 library, from server or client perspective, will likely > do both Bearer and Mac and let you pick which you want. A good discovery > system will aid that. An extended library will give you AWESOME tokens > as well. *All* of these should be called compliant with OAuth2, in my > opinion, and in this case it would be compliant with "OAuth2 + Bearer + > MAC + AWESOME". A great library indeed! > > Making a MTI misses the point of the composability of the system, does > absolutely nothing for real-world interop due to reasons I've already > laid out in previous emails, will cause people to ignore the spec and be > in noncompliance for something they think is dumb, have unused and > untested code just to claim compliance that nobody cares about, and > ultimately makes us look a bit silly for insisting that one solution > will fit all use cases and that we can have any sense of real authority > in this over developers. > > I'd like to point out that there's no MTI token-acquisition flow, which > is arguably more important for worldwide interop and just as untenable a > solution given the reality of the internet -- and I can also guarantee > that we will never see agreement over an MTI grant type / token flow due > to the simple fact that some instances will only do client credentials > for 2-legged and some will do code for 3-legged, and the two of those > probably don't want to talk to each other. > > In summary, I suggest that "compliance with OAuth2" be defined in terms > of each of the separate composable documents and their combinations, and > that "compliance with OAuth2" not be limited to a particular combination > of any of them. > > -- Justin > > On 12/01/2011 09:27 PM, Stephen Farrell wrote: > > > > Hiya, > > > > On 12/02/2011 02:14 AM, Michael D Adams wrote: > >> On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell > >> wrote: > >>> On 12/02/2011 01:38 AM, Michael D Adams wrote: > >>>> So an MTI token type + no client preference is equivalent to there > >>>> only existing one token type. > >>> > >>> Maybe. > >>> > >>> However, no MTI token type + no client preference = no interop. > >>> > >>> So I don't get your argument. (When thinking of interop.) > >> > >> I think it's me that doesn't understand your argument. > > > > That can be mutual:-) > > > >> Suppose an authorization server implements OAuth2 and has some > >> requirement that the MTI token type doesn't provide (as William Mills > >> suggested), so the server implements token type AWESOME in addition to > >> token type MTI. > >> > >> Whenever a token is requested, the authorization server issues one of > >> type AWESOME. Type MTI is never issued. > >> > >> Why bother implementing type MTI if it's never used? > > > > That, I think, assumes that the requesting party only ever works with > > the AWESOME token-type issuer. Seems a shame to me that whoever wrote > > that code can't work with any other MTI token-type issuer as well, at > > least. > > > >> Additionally, the authorization server could not implement type MTI > >> but claim it did. There's no way for a third party to verify the > >> claim since the authorization server never issues a token of type MTI. > > > > Irrelevant. I could claim to be handsome. Would work equally > > well. > > > >> If tokens of type MTI are never used by this server, how does the MTI > >> token type help interop?Is your argument that this server would say > >> "No, we do not support OAuth2. We do, however, support > >> OAuth2+AWESOME."? That semantic argument I understand, but I am > >> ignorant as to how/if it fits into the RFC. > > > > No, my argument is that there are many servers and many clients on > > the Internet and having them all have a way to interop, if they > > choose to do so, is a good thing in itself. Writing an RFC so that > > its a random pick as to whether they do or don't interop is not IMO > > a good thing. > > > > S. > > > > > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > --000e0cd6b326d047da04b32346a3 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
+1

A server will issue whichever token types = satisfy its own requirements, so IMHO the idea of an MTI token type is a co= ncern for client implementations. We can distinguish between two categories= of clients: (1) interoperable clients and (2) service-specific clients.

Obviously, service-specific clients must implement the = token types used by the authorization server. Interoperable clients (probab= ly OAuth client libraries) is where an MTI token type might have value.

We can extend the=A0differentiation=A0of interoperable/= service-specific to authorization servers as well, where a generic OAuth se= rver library is an interoperable server, but it becomes a service-specific = server when it is used to implement an actual service.

Is this a good compromise? If the spec defines interope= rable and service-specific clients and servers in such a way, then it can c= laim that interoperable clients and servers must implement bearer tokens (f= or example), but service-specific clients and servers have no MTI token typ= e.

Regards,
Andre DeMarre

On Fri, Dec 2, 2011 at 12:08 PM, Justin Richer= <jricher@mitre.o= rg> wrote:
=20 =20 =20
Forwarding my response to the list. (oops)

=A0-- Justin

-------- Original Message --------
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
Date: Fri, 02 Dec 2011 15:07:39 -0500
From: Justin Richer <jricher@mitre.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie> 


I still don't think that having an MTI token type actually buy=
s us=20
anything, and what I *really* don't understand from this entire argumen=
t=20
is the weight that's being put behind "Compliance with OAuth2"=
; and what=20
that means.

With no MTI token type, we can still have interop for people who claim=20
to be compliant with "OAuth2 + OAuth2 Bearer", or to borrow the e=
xample=20
below, compliant with "OAuth2 + AWESOME". Both of these are compl=
iant=20
with "OAuth2" because they use OAuth2 to issue their tokens. *Tho=
se*=20
parts of the library should work just fine to interop between each=20
other. Since you're getting a JSON or fragment-encoded structure back a=
s=20
the token, you should be able to toss that into some kind of generic=20
data structure and hand it to the token-handling part of your library,=20
which is going to need more smarts to know what to do with it.

A robust OAuth2 library, from server or client perspective, will likely=20
do both Bearer and Mac and let you pick which you want. A good discovery=20
system will aid that. An extended library will give you AWESOME tokens=20
as well. *All* of these should be called compliant with OAuth2, in my=20
opinion, and in this case it would be compliant with "OAuth2 + Bearer =
+=20
MAC + AWESOME". A great library indeed!

Making a MTI misses the point of the composability of the system, does=20
absolutely nothing for real-world interop due to reasons I've already=
=20
laid out in previous emails, will cause people to ignore the spec and be=20
in noncompliance for something they think is dumb, have unused and=20
untested code just to claim compliance that nobody cares about, and=20
ultimately makes us look a bit silly for insisting that one solution=20
will fit all use cases and that we can have any sense of real authority=20
in this over developers.

I'd like to point out that there's no MTI token-acquisition flow, w=
hich=20
is arguably more important for worldwide interop and just as untenable a=20
solution given the reality of the internet -- and I can also guarantee=20
that we will never see agreement over an MTI grant type / token flow due=20
to the simple fact that some instances will only do client credentials=20
for 2-legged and some will do code for 3-legged, and the two of those=20
probably don't want to talk to each other.

In summary, I suggest that "compliance with OAuth2" be defined in=
 terms=20
of each of the separate composable documents and their combinations, and=20
that "compliance with OAuth2" not be limited to a particular comb=
ination=20
of any of them.

 -- Justin

On 12/01/2011 09:27 PM, Stephen Farrell wrote:
>
> Hiya,
>
> On 12/02/2011 02:14 AM, Michael D Adams wrote:
>> On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell
>> <=
;stephen.farrell@cs.tcd.ie>  wrote:
>>> On 12/02/2011 01:38 AM, Michael D Adams wrote:
>>>> So an MTI token type + no client preference is equivalent =
to there
>>>> only existing one token type.
>>>
>>> Maybe.
>>>
>>> However, no MTI token type + no client preference =3D no inter=
op.
>>>
>>> So I don't get your argument. (When thinking of interop.)
>>
>> I think it's me that doesn't understand your argument.
>
> That can be mutual:-)
>
>> Suppose an authorization server implements OAuth2 and has some
>> requirement that the MTI token type doesn't provide (as Willia=
m Mills
>> suggested), so the server implements token type AWESOME in additio=
n to
>> token type MTI.
>>
>> Whenever a token is requested, the authorization server issues one=
 of
>> type AWESOME.  Type MTI is never issued.
>>
>> Why bother implementing type MTI if it's never used?
>
> That, I think, assumes that the requesting party only ever works with
> the AWESOME token-type issuer. Seems a shame to me that whoever wrote
> that code can't work with any other MTI token-type issuer as well,=
 at
> least.
>
>> Additionally, the authorization server could not implement type MT=
I
>> but claim it did.  There's no way for a third party to verify =
the
>> claim since the authorization server never issues a token of type =
MTI.
>
> Irrelevant. I could claim to be handsome. Would work equally
> well.
>
>> If tokens of type MTI are never used by this server, how does the =
MTI
>> token type help interop?Is your argument that this server would sa=
y
>> "No, we do not support OAuth2.  We do, however, support
>> OAuth2+AWESOME."?  That semantic argument I understand, but I=
 am
>> ignorant as to how/if it fits into the RFC.
>
> No, my argument is that there are many servers and many clients on
> the Internet and having them all have a way to interop, if they
> choose to do so, is a good thing in itself. Writing an RFC so that
> its a random pick as to whether they do or don't interop is not IM=
O
> a good thing.
>
> S.
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth


--000e0cd6b326d047da04b32346a3-- From jricher@mitre.org Fri Dec 2 14:23:09 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8293821F8C48 for ; Fri, 2 Dec 2011 14:23:09 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.048 X-Spam-Level: X-Spam-Status: No, score=-6.048 tagged_above=-999 required=5 tests=[AWL=-0.350, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_72=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VPqCkswgD-ma for ; Fri, 2 Dec 2011 14:23:08 -0800 (PST) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 1337D21F8C43 for ; Fri, 2 Dec 2011 14:23:08 -0800 (PST) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 3125E21B18CA; Fri, 2 Dec 2011 17:23:07 -0500 (EST) Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 23C1A21B0E28; Fri, 2 Dec 2011 17:23:07 -0500 (EST) Received: from IMCMBX01.MITRE.ORG ([169.254.1.18]) by IMCCAS03.MITRE.ORG ([129.83.29.80]) with mapi id 14.01.0339.001; Fri, 2 Dec 2011 17:23:06 -0500 From: "Richer, Justin P." To: =?iso-8859-1?Q?Andr=E9_DeMarre?= , OAuth WG Thread-Topic: [OAUTH-WG] Fwd: Re: Mandatory-to-implement token type Thread-Index: AQHMsT+apQJKbEshjU22wgV/dnm9DZXJHyfs Date: Fri, 2 Dec 2011 22:23:06 +0000 Message-ID: References: <4ED9300B.3000009@mitre.org> <4ED93028.6030206@mitre.org>, In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [129.83.31.56] Content-Type: multipart/alternative; boundary="_000_B33BFB58CCC8BE4998958016839DE27E050625IMCMBX01MITREORG_" MIME-Version: 1.0 Subject: Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 22:23:09 -0000 --_000_B33BFB58CCC8BE4998958016839DE27E050625IMCMBX01MITREORG_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I still don't see what the MTI requirement buys us in this relaxed case. We= 're basically dictating what the best libraries would have. I still think "OAuth2 + Bearer" is a better compliance label than "OAuth2" = if you want real interoperability, and we should treat it as its own thing. -- Justin ________________________________ From: Andr=E9 DeMarre [andredemarre@gmail.com] Sent: Friday, December 02, 2011 5:13 PM To: OAuth WG Cc: Richer, Justin P. Subject: Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement token type +1 A server will issue whichever token types satisfy its own requirements, so = IMHO the idea of an MTI token type is a concern for client implementations.= We can distinguish between two categories of clients: (1) interoperable cl= ients and (2) service-specific clients. Obviously, service-specific clients must implement the token types used by = the authorization server. Interoperable clients (probably OAuth client libr= aries) is where an MTI token type might have value. We can extend the differentiation of interoperable/service-specific to auth= orization servers as well, where a generic OAuth server library is an inter= operable server, but it becomes a service-specific server when it is used t= o implement an actual service. Is this a good compromise? If the spec defines interoperable and service-sp= ecific clients and servers in such a way, then it can claim that interopera= ble clients and servers must implement bearer tokens (for example), but ser= vice-specific clients and servers have no MTI token type. Regards, Andre DeMarre On Fri, Dec 2, 2011 at 12:08 PM, Justin Richer > wrote: Forwarding my response to the list. (oops) -- Justin -------- Original Message -------- Subject: Re: [OAUTH-WG] Mandatory-to-implement token type Date: Fri, 02 Dec 2011 15:07:39 -0500 From: Justin Richer To: Stephen Farrell I still don't think that having an MTI token type actually buys us anything, and what I *really* don't understand from this entire argument is the weight that's being put behind "Compliance with OAuth2" and what that means. With no MTI token type, we can still have interop for people who claim to be compliant with "OAuth2 + OAuth2 Bearer", or to borrow the example below, compliant with "OAuth2 + AWESOME". Both of these are compliant with "OAuth2" because they use OAuth2 to issue their tokens. *Those* parts of the library should work just fine to interop between each other. Since you're getting a JSON or fragment-encoded structure back as the token, you should be able to toss that into some kind of generic data structure and hand it to the token-handling part of your library, which is going to need more smarts to know what to do with it. A robust OAuth2 library, from server or client perspective, will likely do both Bearer and Mac and let you pick which you want. A good discovery system will aid that. An extended library will give you AWESOME tokens as well. *All* of these should be called compliant with OAuth2, in my opinion, and in this case it would be compliant with "OAuth2 + Bearer + MAC + AWESOME". A great library indeed! Making a MTI misses the point of the composability of the system, does absolutely nothing for real-world interop due to reasons I've already laid out in previous emails, will cause people to ignore the spec and be in noncompliance for something they think is dumb, have unused and untested code just to claim compliance that nobody cares about, and ultimately makes us look a bit silly for insisting that one solution will fit all use cases and that we can have any sense of real authority in this over developers. I'd like to point out that there's no MTI token-acquisition flow, which is arguably more important for worldwide interop and just as untenable a solution given the reality of the internet -- and I can also guarantee that we will never see agreement over an MTI grant type / token flow due to the simple fact that some instances will only do client credentials for 2-legged and some will do code for 3-legged, and the two of those probably don't want to talk to each other. In summary, I suggest that "compliance with OAuth2" be defined in terms of each of the separate composable documents and their combinations, and that "compliance with OAuth2" not be limited to a particular combination of any of them. -- Justin On 12/01/2011 09:27 PM, Stephen Farrell wrote: > > Hiya, > > On 12/02/2011 02:14 AM, Michael D Adams wrote: >> On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell >> wrote: >>> On 12/02/2011 01:38 AM, Michael D Adams wrote: >>>> So an MTI token type + no client preference is equivalent to there >>>> only existing one token type. >>> >>> Maybe. >>> >>> However, no MTI token type + no client preference =3D no interop. >>> >>> So I don't get your argument. (When thinking of interop.) >> >> I think it's me that doesn't understand your argument. > > That can be mutual:-) > >> Suppose an authorization server implements OAuth2 and has some >> requirement that the MTI token type doesn't provide (as William Mills >> suggested), so the server implements token type AWESOME in addition to >> token type MTI. >> >> Whenever a token is requested, the authorization server issues one of >> type AWESOME. Type MTI is never issued. >> >> Why bother implementing type MTI if it's never used? > > That, I think, assumes that the requesting party only ever works with > the AWESOME token-type issuer. Seems a shame to me that whoever wrote > that code can't work with any other MTI token-type issuer as well, at > least. > >> Additionally, the authorization server could not implement type MTI >> but claim it did. There's no way for a third party to verify the >> claim since the authorization server never issues a token of type MTI. > > Irrelevant. I could claim to be handsome. Would work equally > well. > >> If tokens of type MTI are never used by this server, how does the MTI >> token type help interop?Is your argument that this server would say >> "No, we do not support OAuth2. We do, however, support >> OAuth2+AWESOME."? That semantic argument I understand, but I am >> ignorant as to how/if it fits into the RFC. > > No, my argument is that there are many servers and many clients on > the Internet and having them all have a way to interop, if they > choose to do so, is a good thing in itself. Writing an RFC so that > its a random pick as to whether they do or don't interop is not IMO > a good thing. > > S. > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_B33BFB58CCC8BE4998958016839DE27E050625IMCMBX01MITREORG_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
I still don't see what the MTI requirement buys us in this relaxed c= ase. We're basically dictating what the best libraries would have.

I still think "OAuth2 + Bearer" is a better compliance label = than "OAuth2" if you want real interoperability, and we should tr= eat it as its own thing.

 -- Justin

From: Andr=E9 DeMarre [andredemarre@gmail= .com]
Sent: Friday, December 02, 2011 5:13 PM
To: OAuth WG
Cc: Richer, Justin P.
Subject: Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement token type
+1

A server will issue whichever token types satisfy its own requirements= , so IMHO the idea of an MTI token type is a concern for client implementat= ions. We can distinguish between two categories of clients: (1) interoperab= le clients and (2) service-specific clients.

Obviously, service-specific clients must implement the token types use= d by the authorization server. Interoperable clients (probably OAuth client= libraries) is where an MTI token type might have value.

We can extend the differentiation of interoperable/service-s= pecific to authorization servers as well, where a generic OAuth server libr= ary is an interoperable server, but it becomes a service-specific server wh= en it is used to implement an actual service.

Is this a good compromise? If the spec defines interoperable and servi= ce-specific clients and servers in such a way, then it can claim that inter= operable clients and servers must implement bearer tokens (for example), bu= t service-specific clients and servers have no MTI token type.

Regards,
Andre DeMarre


On Fri, Dec 2, 2011 at 12:08 PM, Justin Richer <= span dir=3D"ltr"> <jricher@mitre.or= g> wrote:
Forwarding my response to the list. (oops)

 -- Justin

-------- Original Message --------
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
Date: Fri, 02 Dec 2011 15:07:39 -0500
From: Justin Richer &l= t;jricher@mitre.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie> 


I still don't think that having an MTI token type actually buys us =0A=
anything, and what I *really* don't understand from this entire argument =
=0A=
is the weight that's being put behind "Compliance with OAuth2" an=
d what =0A=
that means.=0A=
=0A=
With no MTI token type, we can still have interop for people who claim =0A=
to be compliant with "OAuth2 + OAuth2 Bearer", or to borrow t=
he example =0A=
below, compliant with "OAuth2 + AWESOME". Both of these are c=
ompliant =0A=
with "OAuth2" because they use OAuth2 to issue their tokens. *Tho=
se* =0A=
parts of the library should work just fine to interop between each =0A=
other. Since you're getting a JSON or fragment-encoded structure back as =
=0A=
the token, you should be able to toss that into some kind of generic =0A=
data structure and hand it to the token-handling part of your library, =0A=
which is going to need more smarts to know what to do with it.=0A=
=0A=
A robust OAuth2 library, from server or client perspective, will likely =0A=
do both Bearer and Mac and let you pick which you want. A good discovery =
=0A=
system will aid that. An extended library will give you AWESOME tokens =0A=
as well. *All* of these should be called compliant with OAuth2, in my =0A=
opinion, and in this case it would be compliant with "OAuth2 + Bea=
rer + =0A=
MAC + AWESOME". A great library indeed!=0A=
=0A=
Making a MTI misses the point of the composability of the system, does =0A=
absolutely nothing for real-world interop due to reasons I've already =0A=
laid out in previous emails, will cause people to ignore the spec and be =
=0A=
in noncompliance for something they think is dumb, have unused and =0A=
untested code just to claim compliance that nobody cares about, and =0A=
ultimately makes us look a bit silly for insisting that one solution =0A=
will fit all use cases and that we can have any sense of real authority =0A=
in this over developers.=0A=
=0A=
I'd like to point out that there's no MTI token-acquisition flow, which =0A=
is arguably more important for worldwide interop and just as untenable a =
=0A=
solution given the reality of the internet -- and I can also guarantee =0A=
that we will never see agreement over an MTI grant type / token flow due =
=0A=
to the simple fact that some instances will only do client credentials =0A=
for 2-legged and some will do code for 3-legged, and the two of those =0A=
probably don't want to talk to each other.=0A=
=0A=
In summary, I suggest that "compliance with OAuth2" be defined in=
 terms =0A=
of each of the separate composable documents and their combinations, and =
=0A=
that "compliance with OAuth2" not be limited to a particular comb=
ination =0A=
of any of them.=0A=
=0A=
 -- Justin=0A=
=0A=
On 12/01/2011 09:27 PM, Stephen Farrell wrote:=0A=
>=0A=
> Hiya,=0A=
>=0A=
> On 12/02/2011 02:14 AM, Michael D Adams wrote:=0A=
>> On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell=0A=
>> <=
;stephen.farrell@cs.tcd.ie>  wrote:=0A=
>>> On 12/02/2011 01:38 AM, Michael D Adams wrote:=0A=
>>>> So an MTI token type + no client preference is equival=
ent to there=0A=
>>>> only existing one token type.=0A=
>>>=0A=
>>> Maybe.=0A=
>>>=0A=
>>> However, no MTI token type + no client preference =3D no i=
nterop.=0A=
>>>=0A=
>>> So I don't get your argument. (When thinking of interop.)=0A=
>>=0A=
>> I think it's me that doesn't understand your argument.=0A=
>=0A=
> That can be mutual:-)=0A=
>=0A=
>> Suppose an authorization server implements OAuth2 and has some=0A=
>> requirement that the MTI token type doesn't provide (as William Mi=
lls=0A=
>> suggested), so the server implements token type AWESOME in additio=
n to=0A=
>> token type MTI.=0A=
>>=0A=
>> Whenever a token is requested, the authorization server issues one=
 of=0A=
>> type AWESOME.  Type MTI is never issued.=0A=
>>=0A=
>> Why bother implementing type MTI if it's never used?=0A=
>=0A=
> That, I think, assumes that the requesting party only ever works with=
=0A=
> the AWESOME token-type issuer. Seems a shame to me that whoever wrote=
=0A=
> that code can't work with any other MTI token-type issuer as well, at=
=0A=
> least.=0A=
>=0A=
>> Additionally, the authorization server could not implement type MT=
I=0A=
>> but claim it did.  There's no way for a third party to verify the=
=0A=
>> claim since the authorization server never issues a token of type =
MTI.=0A=
>=0A=
> Irrelevant. I could claim to be handsome. Would work equally=0A=
> well.=0A=
>=0A=
>> If tokens of type MTI are never used by this server, how does the =
MTI=0A=
>> token type help interop?Is your argument that this server would sa=
y=0A=
>> "No, we do not support OAuth2.  We do, however, support=0A=
>> OAuth2+AWESOME."?  That semantic argument I understand, b=
ut I am=0A=
>> ignorant as to how/if it fits into the RFC.=0A=
>=0A=
> No, my argument is that there are many servers and many clients on=0A=
> the Internet and having them all have a way to interop, if they=0A=
> choose to do so, is a good thing in itself. Writing an RFC so that=0A=
> its a random pick as to whether they do or don't interop is not IMO=0A=
> a good thing.=0A=
>=0A=
> S.=0A=
>=0A=
>=0A=
>=0A=
>=0A=
> _______________________________________________=0A=
> OAuth mailing list=0A=
> OAuth@ietf.org=
=0A=
> https://www.ietf.org/mailman/listinfo/oauth=0A=
=0A=

_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth


--_000_B33BFB58CCC8BE4998958016839DE27E050625IMCMBX01MITREORG_-- From andredemarre@gmail.com Fri Dec 2 14:38:29 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FD5E11E80A1 for ; Fri, 2 Dec 2011 14:38:29 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.698 X-Spam-Level: X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_72=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PF0kvevrc6AO for ; Fri, 2 Dec 2011 14:38:27 -0800 (PST) Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id AB55A11E809A for ; Fri, 2 Dec 2011 14:38:27 -0800 (PST) Received: by iaek3 with SMTP id k3so2624268iae.31 for ; Fri, 02 Dec 2011 14:38:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2UxW4SXLjZqOVgWsQEN37zTPy+Jv8W1P0JPK5QptHRw=; b=hJaNRb94czgqLAILJ4BgtWE1tINUBqc9U9K21XAJDmqJeE7ZdbTQgBJP2SCC1lD5hT unS7LZq3vmHLFW7Qg+77x9+mRu21gy0FfkcO7GbUc+WwLE1saBbxnrdoqvEQDuYlNxNI f35ZnLkYIUKGOkIsIURW8P2RS1q2sUtJS6C+c= MIME-Version: 1.0 Received: by 10.42.197.195 with SMTP id el3mr154020icb.54.1322865507366; Fri, 02 Dec 2011 14:38:27 -0800 (PST) Received: by 10.42.141.202 with HTTP; Fri, 2 Dec 2011 14:38:27 -0800 (PST) In-Reply-To: References: <4ED9300B.3000009@mitre.org> <4ED93028.6030206@mitre.org> Date: Fri, 2 Dec 2011 14:38:27 -0800 Message-ID: From: =?ISO-8859-1?Q?Andr=E9_DeMarre?= To: "Richer, Justin P." Content-Type: multipart/alternative; boundary=20cf303bff66a6f5a804b323a0a7 Cc: OAuth WG Subject: Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 22:38:29 -0000 --20cf303bff66a6f5a804b323a0a7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable It buys us compromise. I agree with you 100% that "OAuth2 + Bearer" is an ideal compliance declaration; it promotes modular design as well. But I can also understand why some would be concerned about the core spec not adequately directing the efforts of implementers who want to write a general-purpose OAuth2 client or server library. Regards, Andre DeMarre On Fri, Dec 2, 2011 at 2:23 PM, Richer, Justin P. wrote= : > I still don't see what the MTI requirement buys us in this relaxed case. > We're basically dictating what the best libraries would have. > > I still think "OAuth2 + Bearer" is a better compliance label than "OAuth2= " > if you want real interoperability, and we should treat it as its own thin= g. > > -- Justin > > ------------------------------ > *From:* Andr=E9 DeMarre [andredemarre@gmail.com] > *Sent:* Friday, December 02, 2011 5:13 PM > *To:* OAuth WG > *Cc:* Richer, Justin P. > *Subject:* Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement token type > > +1 > > A server will issue whichever token types satisfy its own requirements, > so IMHO the idea of an MTI token type is a concern for client > implementations. We can distinguish between two categories of clients: (1= ) > interoperable clients and (2) service-specific clients. > > Obviously, service-specific clients must implement the token types used > by the authorization server. Interoperable clients (probably OAuth client > libraries) is where an MTI token type might have value. > > We can extend the differentiation of interoperable/service-specific to > authorization servers as well, where a generic OAuth server library is an > interoperable server, but it becomes a service-specific server when it is > used to implement an actual service. > > Is this a good compromise? If the spec defines interoperable and > service-specific clients and servers in such a way, then it can claim tha= t > interoperable clients and servers must implement bearer tokens (for > example), but service-specific clients and servers have no MTI token type= . > > Regards, > Andre DeMarre > > > On Fri, Dec 2, 2011 at 12:08 PM, Justin Richer wrote: > >> Forwarding my response to the list. (oops) >> >> -- Justin >> >> -------- Original Message -------- Subject: Re: [OAUTH-WG] >> Mandatory-to-implement token type Date: Fri, 02 Dec 2011 15:07:39 -0500= From: >> Justin Richer To: Stephen >> Farrell >> >> I still don't think that having an MTI token type actually buys us >> anything, and what I *really* don't understand from this entire argument >> is the weight that's being put behind "Compliance with OAuth2" and what >> that means. >> >> With no MTI token type, we can still have interop for people who claim >> to be compliant with "OAuth2 + OAuth2 Bearer", or to borrow the example >> below, compliant with "OAuth2 + AWESOME". Both of these are compliant >> with "OAuth2" because they use OAuth2 to issue their tokens. *Those* >> parts of the library should work just fine to interop between each >> other. Since you're getting a JSON or fragment-encoded structure back as >> the token, you should be able to toss that into some kind of generic >> data structure and hand it to the token-handling part of your library, >> which is going to need more smarts to know what to do with it. >> >> A robust OAuth2 library, from server or client perspective, will likely >> do both Bearer and Mac and let you pick which you want. A good discovery >> system will aid that. An extended library will give you AWESOME tokens >> as well. *All* of these should be called compliant with OAuth2, in my >> opinion, and in this case it would be compliant with "OAuth2 + Bearer + >> MAC + AWESOME". A great library indeed! >> >> Making a MTI misses the point of the composability of the system, does >> absolutely nothing for real-world interop due to reasons I've already >> laid out in previous emails, will cause people to ignore the spec and be >> in noncompliance for something they think is dumb, have unused and >> untested code just to claim compliance that nobody cares about, and >> ultimately makes us look a bit silly for insisting that one solution >> will fit all use cases and that we can have any sense of real authority >> in this over developers. >> >> I'd like to point out that there's no MTI token-acquisition flow, which >> is arguably more important for worldwide interop and just as untenable a >> solution given the reality of the internet -- and I can also guarantee >> that we will never see agreement over an MTI grant type / token flow due >> to the simple fact that some instances will only do client credentials >> for 2-legged and some will do code for 3-legged, and the two of those >> probably don't want to talk to each other. >> >> In summary, I suggest that "compliance with OAuth2" be defined in terms >> of each of the separate composable documents and their combinations, and >> that "compliance with OAuth2" not be limited to a particular combination >> of any of them. >> >> -- Justin >> >> On 12/01/2011 09:27 PM, Stephen Farrell wrote: >> > >> > Hiya, >> > >> > On 12/02/2011 02:14 AM, Michael D Adams wrote: >> >> On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell >> >> wrote: >> >>> On 12/02/2011 01:38 AM, Michael D Adams wrote: >> >>>> So an MTI token type + no client preference is equivalent to there >> >>>> only existing one token type. >> >>> >> >>> Maybe. >> >>> >> >>> However, no MTI token type + no client preference =3D no interop. >> >>> >> >>> So I don't get your argument. (When thinking of interop.) >> >> >> >> I think it's me that doesn't understand your argument. >> > >> > That can be mutual:-) >> > >> >> Suppose an authorization server implements OAuth2 and has some >> >> requirement that the MTI token type doesn't provide (as William Mills >> >> suggested), so the server implements token type AWESOME in addition t= o >> >> token type MTI. >> >> >> >> Whenever a token is requested, the authorization server issues one of >> >> type AWESOME. Type MTI is never issued. >> >> >> >> Why bother implementing type MTI if it's never used? >> > >> > That, I think, assumes that the requesting party only ever works with >> > the AWESOME token-type issuer. Seems a shame to me that whoever wrote >> > that code can't work with any other MTI token-type issuer as well, at >> > least. >> > >> >> Additionally, the authorization server could not implement type MTI >> >> but claim it did. There's no way for a third party to verify the >> >> claim since the authorization server never issues a token of type MTI= . >> > >> > Irrelevant. I could claim to be handsome. Would work equally >> > well. >> > >> >> If tokens of type MTI are never used by this server, how does the MTI >> >> token type help interop?Is your argument that this server would say >> >> "No, we do not support OAuth2. We do, however, support >> >> OAuth2+AWESOME."? That semantic argument I understand, but I am >> >> ignorant as to how/if it fits into the RFC. >> > >> > No, my argument is that there are many servers and many clients on >> > the Internet and having them all have a way to interop, if they >> > choose to do so, is a good thing in itself. Writing an RFC so that >> > its a random pick as to whether they do or don't interop is not IMO >> > a good thing. >> > >> > S. >> > >> > >> > >> > >> > _______________________________________________ >> > OAuth mailing list >> > OAuth@ietf.org >> > https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> > --20cf303bff66a6f5a804b323a0a7 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable It buys us compromise. I agree with you 100% that=A0"OAuth2 + Bearer" is an ideal complianc= e declaration; it promotes modular design as well. But I can also understan= d why some would be concerned about the core spec not=A0adequately=A0direct= ing the efforts of=A0implementers=A0who want to write a general-purpose OAu= th2 client or server library.

Regards,
Andre DeMarre

On Fri, Dec 2, 2011 at 2:23 PM, Richer, Justin P. = <jricher@mitre.org> w= rote:
I still don't see what the MTI requirement buys us in this relaxed ca= se. We're basically dictating what the best libraries would have.

I still think "OAuth2 + Bearer" is a better compliance label than= "OAuth2" if you want real interoperability, and we should treat = it as its own thing.

=A0-- Justin

From: Andr=E9 DeMarre [andredemarre@gmail.com]
Sent: Friday, December 02, 2011 5:13 PM
To: OAuth WG
Cc: Richer, Justin P.
Subject: Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement token type
+1

A server will issue whichever token types satisfy its own requirements= , so IMHO the idea of an MTI token type is a concern for client implementat= ions. We can distinguish between two categories of clients: (1) interoperab= le clients and (2) service-specific clients.

Obviously, service-specific clients must implement the token types use= d by the authorization server. Interoperable clients (probably OAuth client= libraries) is where an MTI token type might have value.

We can extend the=A0differentiation=A0of interoperable/service-specifi= c to authorization servers as well, where a generic OAuth server library is= an interoperable server, but it becomes a service-specific server when it = is used to implement an actual service.

Is this a good compromise? If the spec defines interoperable and servi= ce-specific clients and servers in such a way, then it can claim that inter= operable clients and servers must implement bearer tokens (for example), bu= t service-specific clients and servers have no MTI token type.

Regards,
Andre DeMarre


On Fri, Dec 2, 2011 at 12:08 PM, Justin Richer <= span dir=3D"ltr"> <jricher@mitre.or= g> wrote:
Forwarding my response to the list. (oops)

=A0-- Justin

-------- Original Message --------
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
Date: Fri, 02 Dec 2011 15:07:39 -0500
From: Justin Richer &l= t;jricher@mitre.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie> 


I still don't think that having an MTI token type actually buys us=
=20
anything, and what I *really* don't understand from this entire argumen=
t=20
is the weight that's being put behind "Compliance with OAuth2"=
; and what=20
that means.

With no MTI token type, we can still have interop for people who claim=20
to be compliant with "OAuth2 + OAuth2 Bearer", or to borrow the e=
xample=20
below, compliant with "OAuth2 + AWESOME". Both of these are compl=
iant=20
with "OAuth2" because they use OAuth2 to issue their tokens. *Tho=
se*=20
parts of the library should work just fine to interop between each=20
other. Since you're getting a JSON or fragment-encoded structure back a=
s=20
the token, you should be able to toss that into some kind of generic=20
data structure and hand it to the token-handling part of your library,=20
which is going to need more smarts to know what to do with it.

A robust OAuth2 library, from server or client perspective, will likely=20
do both Bearer and Mac and let you pick which you want. A good discovery=20
system will aid that. An extended library will give you AWESOME tokens=20
as well. *All* of these should be called compliant with OAuth2, in my=20
opinion, and in this case it would be compliant with "OAuth2 + Bearer =
+=20
MAC + AWESOME". A great library indeed!

Making a MTI misses the point of the composability of the system, does=20
absolutely nothing for real-world interop due to reasons I've already=
=20
laid out in previous emails, will cause people to ignore the spec and be=20
in noncompliance for something they think is dumb, have unused and=20
untested code just to claim compliance that nobody cares about, and=20
ultimately makes us look a bit silly for insisting that one solution=20
will fit all use cases and that we can have any sense of real authority=20
in this over developers.

I'd like to point out that there's no MTI token-acquisition flow, w=
hich=20
is arguably more important for worldwide interop and just as untenable a=20
solution given the reality of the internet -- and I can also guarantee=20
that we will never see agreement over an MTI grant type / token flow due=20
to the simple fact that some instances will only do client credentials=20
for 2-legged and some will do code for 3-legged, and the two of those=20
probably don't want to talk to each other.

In summary, I suggest that "compliance with OAuth2" be defined in=
 terms=20
of each of the separate composable documents and their combinations, and=20
that "compliance with OAuth2" not be limited to a particular comb=
ination=20
of any of them.

 -- Justin

On 12/01/2011 09:27 PM, Stephen Farrell wrote:
>
> Hiya,
>
> On 12/02/2011 02:14 AM, Michael D Adams wrote:
>> On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell
>> <=
;stephen.farrell@cs.tcd.ie>  wrote:
>>> On 12/02/2011 01:38 AM, Michael D Adams wrote:
>>>> So an MTI token type + no client preference is equivalent =
to there
>>>> only existing one token type.
>>>
>>> Maybe.
>>>
>>> However, no MTI token type + no client preference =3D no inter=
op.
>>>
>>> So I don't get your argument. (When thinking of interop.)
>>
>> I think it's me that doesn't understand your argument.
>
> That can be mutual:-)
>
>> Suppose an authorization server implements OAuth2 and has some
>> requirement that the MTI token type doesn't provide (as Willia=
m Mills
>> suggested), so the server implements token type AWESOME in additio=
n to
>> token type MTI.
>>
>> Whenever a token is requested, the authorization server issues one=
 of
>> type AWESOME.  Type MTI is never issued.
>>
>> Why bother implementing type MTI if it's never used?
>
> That, I think, assumes that the requesting party only ever works with
> the AWESOME token-type issuer. Seems a shame to me that whoever wrote
> that code can't work with any other MTI token-type issuer as well,=
 at
> least.
>
>> Additionally, the authorization server could not implement type MT=
I
>> but claim it did.  There's no way for a third party to verify =
the
>> claim since the authorization server never issues a token of type =
MTI.
>
> Irrelevant. I could claim to be handsome. Would work equally
> well.
>
>> If tokens of type MTI are never used by this server, how does the =
MTI
>> token type help interop?Is your argument that this server would sa=
y
>> "No, we do not support OAuth2.  We do, however, support
>> OAuth2+AWESOME."?  That semantic argument I understand, but I=
 am
>> ignorant as to how/if it fits into the RFC.
>
> No, my argument is that there are many servers and many clients on
> the Internet and having them all have a way to interop, if they
> choose to do so, is a good thing in itself. Writing an RFC so that
> its a random pick as to whether they do or don't interop is not IM=
O
> a good thing.
>
> S.
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth



--20cf303bff66a6f5a804b323a0a7-- From dan.taflin@gettyimages.com Fri Dec 2 14:41:03 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AA4311E80A1 for ; Fri, 2 Dec 2011 14:41:03 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.699 X-Spam-Level: X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_72=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u-3KUZptiTmt for ; Fri, 2 Dec 2011 14:41:02 -0800 (PST) Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe006.messaging.microsoft.com [216.32.181.186]) by ietfa.amsl.com (Postfix) with ESMTP id 88D1C11E809A for ; Fri, 2 Dec 2011 14:41:02 -0800 (PST) Received: from mail102-ch1-R.bigfish.com (10.43.68.245) by CH1EHSOBE002.bigfish.com (10.43.70.52) with Microsoft SMTP Server id 14.1.225.22; Fri, 2 Dec 2011 22:41:01 +0000 Received: from mail102-ch1 (localhost [127.0.0.1]) by mail102-ch1-R.bigfish.com (Postfix) with ESMTP id B5FE6340115; Fri, 2 Dec 2011 22:41:01 +0000 (UTC) X-SpamScore: -44 X-BigFish: VPS-44(zf7Izbb2dK9371Kc89bh146fK542M1432N98dKzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839h946h) X-Forefront-Antispam-Report: CIP:216.169.250.56; KIP:(null); UIP:(null); IPV:NLI; H:SEAPXCH10CAHT02.amer.gettywan.com; RD:mailtest.gettyimages.com; EFVD:NLI Received-SPF: pass (mail102-ch1: domain of gettyimages.com designates 216.169.250.56 as permitted sender) client-ip=216.169.250.56; envelope-from=dan.taflin@gettyimages.com; helo=SEAPXCH10CAHT02.amer.gettywan.com ; gettywan.com ; Received: from mail102-ch1 (localhost.localdomain [127.0.0.1]) by mail102-ch1 (MessageSwitch) id 1322865659485998_4116; Fri, 2 Dec 2011 22:40:59 +0000 (UTC) Received: from CH1EHSMHS021.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.252]) by mail102-ch1.bigfish.com (Postfix) with ESMTP id 6FD12560048; Fri, 2 Dec 2011 22:40:59 +0000 (UTC) Received: from SEAPXCH10CAHT02.amer.gettywan.com (216.169.250.56) by CH1EHSMHS021.bigfish.com (10.43.70.21) with Microsoft SMTP Server (TLS) id 14.1.225.22; Fri, 2 Dec 2011 22:40:59 +0000 Received: from SEAPXCH10MBX01.amer.gettywan.com ([fe80::f054:280d:92db:5fff]) by SEAPXCH10CAHT02.amer.gettywan.com ([::1]) with mapi id 14.01.0289.001; Fri, 2 Dec 2011 14:40:57 -0800 From: Dan Taflin To: =?Windows-1252?Q?Andr=E9_DeMarre?= , OAuth WG Thread-Topic: [OAUTH-WG] Fwd: Re: Mandatory-to-implement token type Thread-Index: AcyxQ3KSK8qiea6r8k6/8g3eDyb7HQ== Date: Fri, 2 Dec 2011 22:40:56 +0000 Message-ID: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-Entourage/13.11.0.110726 x-originating-ip: [10.194.102.41] Content-Type: text/plain; charset="Windows-1252" Content-ID: <21262D636947F345928A84354F7D9300@gettyimages.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: gettyimages.com Subject: Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 22:41:03 -0000 +1 I agree with Andre and Stephen and others who argued against an MTI token t= ype. As an architect of a (soon-to-be) oauth server I can state that we wil= l almost certainly support bearer token only, and that we will be writing t= he code ourselves, not using a library. I don=92t really see how a generic = server-side library could be written anyway, since so much of what goes on = at the server is left unspecified (what to put in the token and how to read= it, for example). Maybe I just suffer from a lack of imagination. Client-side libraries that deal with opaque tokens seem like a more realist= ic expectation, and specifying an MTI token type for a library to be able t= o declare itself =93oauth 2.0 compliant=94 seems reasonable, though I=92m n= ot sure it=92s important to mandate it. Dan On 12/2/11 2:13 PM, "Andr=E9 DeMarre" wrote: +1 A server will issue whichever token types satisfy its own requirements, so = IMHO the idea of an MTI token type is a concern for client implementations.= We can distinguish between two categories of clients: (1) interoperable cl= ients and (2) service-specific clients. Obviously, service-specific clients must implement the token types used by = the authorization server. Interoperable clients (probably OAuth client libr= aries) is where an MTI token type might have value. We can extend the differentiation of interoperable/service-specific to auth= orization servers as well, where a generic OAuth server library is an inter= operable server, but it becomes a service-specific server when it is used t= o implement an actual service. Is this a good compromise? If the spec defines interoperable and service-sp= ecific clients and servers in such a way, then it can claim that interopera= ble clients and servers must implement bearer tokens (for example), but ser= vice-specific clients and servers have no MTI token type. Regards, Andre DeMarre On Fri, Dec 2, 2011 at 12:08 PM, Justin Richer wrote: Forwarding my response to the list. (oops) -- Justin -------- Original Message -------- Subject: Re: [OAUTH-WG] Mandatory-to-implement token type Date: Fri, 02 Dec 2011 15:07:39 -0500 From: Justin Richer To: Stephen Farrell I still don't think that having an MTI token type actually buys us anything, and what I *really* don't understand from this entire argument is the weight that's being put behind "Compliance with OAuth2" and what that means. With no MTI token type, we can still have interop for people who claim to be compliant with "OAuth2 + OAuth2 Bearer", or to borrow the example below, compliant with "OAuth2 + AWESOME". Both of these are compliant with "OAuth2" because they use OAuth2 to issue their tokens. *Those* parts of the library should work just fine to interop between each other. Since you're getting a JSON or fragment-encoded structure back as the token, you should be able to toss that into some kind of generic data structure and hand it to the token-handling part of your library, which is going to need more smarts to know what to do with it. A robust OAuth2 library, from server or client perspective, will likely do both Bearer and Mac and let you pick which you want. A good discovery system will aid that. An extended library will give you AWESOME tokens as well. *All* of these should be called compliant with OAuth2, in my opinion, and in this case it would be compliant with "OAuth2 + Bearer + MAC + AWESOME". A great library indeed! Making a MTI misses the point of the composability of the system, does absolutely nothing for real-world interop due to reasons I've already laid out in previous emails, will cause people to ignore the spec and be in noncompliance for something they think is dumb, have unused and untested code just to claim compliance that nobody cares about, and ultimately makes us look a bit silly for insisting that one solution will fit all use cases and that we can have any sense of real authority in this over developers. I'd like to point out that there's no MTI token-acquisition flow, which is arguably more important for worldwide interop and just as untenable a solution given the reality of the internet -- and I can also guarantee that we will never see agreement over an MTI grant type / token flow due to the simple fact that some instances will only do client credentials for 2-legged and some will do code for 3-legged, and the two of those probably don't want to talk to each other. In summary, I suggest that "compliance with OAuth2" be defined in terms of each of the separate composable documents and their combinations, and that "compliance with OAuth2" not be limited to a particular combination of any of them. -- Justin On 12/01/2011 09:27 PM, Stephen Farrell wrote: > > Hiya, > > On 12/02/2011 02:14 AM, Michael D Adams wrote: >> On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell >> wrote: >>> On 12/02/2011 01:38 AM, Michael D Adams wrote: >>>> So an MTI token type + no client preference is equivalent to there >>>> only existing one token type. >>> >>> Maybe. >>> >>> However, no MTI token type + no client preference =3D no interop. >>> >>> So I don't get your argument. (When thinking of interop.) >> >> I think it's me that doesn't understand your argument. > > That can be mutual:-) > >> Suppose an authorization server implements OAuth2 and has some >> requirement that the MTI token type doesn't provide (as William Mills >> suggested), so the server implements token type AWESOME in addition to >> token type MTI. >> >> Whenever a token is requested, the authorization server issues one of >> type AWESOME. Type MTI is never issued. >> >> Why bother implementing type MTI if it's never used? > > That, I think, assumes that the requesting party only ever works with > the AWESOME token-type issuer. Seems a shame to me that whoever wrote > that code can't work with any other MTI token-type issuer as well, at > least. > >> Additionally, the authorization server could not implement type MTI >> but claim it did. There's no way for a third party to verify the >> claim since the authorization server never issues a token of type MTI. > > Irrelevant. I could claim to be handsome. Would work equally > well. > >> If tokens of type MTI are never used by this server, how does the MTI >> token type help interop?Is your argument that this server would say >> "No, we do not support OAuth2. We do, however, support >> OAuth2+AWESOME."? That semantic argument I understand, but I am >> ignorant as to how/if it fits into the RFC. > > No, my argument is that there are many servers and many clients on > the Internet and having them all have a way to interop, if they > choose to do so, is a good thing in itself. Writing an RFC so that > its a random pick as to whether they do or don't interop is not IMO > a good thing. > > S. > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From barryleiba.mailing.lists@gmail.com Sat Dec 3 13:37:50 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 309BB21F939E for ; Sat, 3 Dec 2011 13:37:50 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -103.077 X-Spam-Level: X-Spam-Status: No, score=-103.077 tagged_above=-999 required=5 tests=[AWL=-0.100, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tT6xRiadv+ak for ; Sat, 3 Dec 2011 13:37:49 -0800 (PST) Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 953BC21F9343 for ; Sat, 3 Dec 2011 13:37:41 -0800 (PST) Received: by ggnk5 with SMTP id k5so502271ggn.31 for ; Sat, 03 Dec 2011 13:37:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=vWWKXAhBv0n8mLMy3pC5wlF9Nl2aSA9j32N+7cDzLsU=; b=uLVYSudaOVRePG98llF6cr+VYvnl/lXB7mqXttd7RgQuD8vDw7/pNYx8i2Jt5iEkA5 y+sBTejngGVggtZnwltb+OQPZBeepB+HzEZ6rm8Vo7ipAz8HpWXABmO98Eu4q9By+eUy oSxeI3p8UK/F+VV/3kBhDPNmz4ywq55p3hbnc= MIME-Version: 1.0 Received: by 10.100.115.17 with SMTP id n17mr693961anc.155.1322948261101; Sat, 03 Dec 2011 13:37:41 -0800 (PST) Sender: barryleiba.mailing.lists@gmail.com Received: by 10.146.107.9 with HTTP; Sat, 3 Dec 2011 13:37:40 -0800 (PST) In-Reply-To: <4ED89384.9060603@cs.tcd.ie> References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> Date: Sat, 3 Dec 2011 16:37:40 -0500 X-Google-Sender-Auth: Fd6l5asj6Yj51DHT9lKWIsSMg6s Message-ID: From: Barry Leiba To: Stephen Farrell Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 03 Dec 2011 21:37:50 -0000 Stephen says: > On 12/02/2011 03:20 AM, Barry Leiba wrote: >> Maybe what would work best is some text that suggests what I say >> above: that toolkits intended for use in implementing OAuth services >> in general... implement [X and/or Y], and that code written for a >> specific environment implement what makes sense for that environment. >> It seems to me that to require any particular implementation in the >> latter case is arbitrary and counter-productive, and doesn't help >> anything interoperate. =A0Whereas general-purpose toolkits that >> implement everything DO help interop. > > That'd work just fine for me. OK, so here's what I suggest... I propose adding a new section 7.2, thus: ----------------------------------- 7.2 Access Token Implementation Considerations Access token types have to be mutually understood among the authorization server, the resource server, and the client -- the access token issues the token, the resource server validates it, and the client is required to understand the type, as noted in section 7.1, above. Because of that, interoperability of program code developed separately depends upon the token types that are supported in the code. Toolkits that are intended for general use (for building other clients and/or servers), therefore, SHOULD implement as many token types as practical, to ensure that programs developed with those toolkits are able to use the token types they need. In particular, all general-use toolkits MUST implement bearer tokens [...ref...] and MAC tokens [...ref...]. Purpose-built code, built without such toolkits, has somewhat more flexibility, as its developers know the specific environment they're developing for. There's clearly little point to including code to support a particular token type when it's known in advance that the type in question will never be used in the intended deployment. Developers of purpose-built code are encouraged to consider future extensions and to plan ahead for changes in circumstances, and might still want to include support for multiple token types. That said, the choice of token-type support for such purpose-built code is left to the developers and their specific requirements. ----------------------------------- I think that expresses a reasonable compromise that might actually be followed and might actually do some good. Comments? Can we go with this and close this issue? (And, sorry, I've been a Bad Chair, and haven't put this in the tracker.) Barry From barryleiba.mailing.lists@gmail.com Sat Dec 3 14:05:16 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F10F21F939A for ; Sat, 3 Dec 2011 14:05:16 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -103.072 X-Spam-Level: X-Spam-Status: No, score=-103.072 tagged_above=-999 required=5 tests=[AWL=-0.095, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FeRXMVhfzISZ for ; Sat, 3 Dec 2011 14:05:16 -0800 (PST) Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id F249D21F9358 for ; Sat, 3 Dec 2011 14:05:15 -0800 (PST) Received: by ggnk5 with SMTP id k5so510370ggn.31 for ; Sat, 03 Dec 2011 14:05:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=SMqpG6nyVsfV0XwgE5gN20mWUSBnNhPVcCCksNcWPEM=; b=sLsbPHzJ6EsDkojuUDxPg3W16spGWWAqwaPnGEmfPcdxfe/15f+XUt1tJE2/pQ7XYI xtgz9mDsHA08HDUgEotkQnJ9qrt/A1rUDTEAteUpbxtziSFNCIE2hn05nMNrW7OgsMON 4G2M+UNAIGwBeNDha75hipm2lP5ZkXvsMSxq4= MIME-Version: 1.0 Received: by 10.100.115.17 with SMTP id n17mr704062anc.155.1322949915615; Sat, 03 Dec 2011 14:05:15 -0800 (PST) Sender: barryleiba.mailing.lists@gmail.com Received: by 10.146.107.9 with HTTP; Sat, 3 Dec 2011 14:05:15 -0800 (PST) In-Reply-To: References: Date: Sat, 3 Dec 2011 17:05:15 -0500 X-Google-Sender-Auth: 15OXJcM2sf-jEQdriP5dnN1V8YQ Message-ID: From: Barry Leiba To: oauth WG Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 03 Dec 2011 22:05:16 -0000 > Working group last call begins today on the threat model document: > http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01 > > Please review this version and post last call comments by 9 December. Here's a reminder that we have about a week left for the working group last call on this, and I haven't seen any comments since WGLC started. That's OK, if it's because there are no comments. If you have something to say, say it now, please. If the document really is ready to go, then that's great. Barry, chairing From Michael.Jones@microsoft.com Sat Dec 3 18:26:13 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BE1621F8E0D for ; Sat, 3 Dec 2011 18:26:13 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.599 X-Spam-Level: X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T-+e4sNOd1+x for ; Sat, 3 Dec 2011 18:26:12 -0800 (PST) Received: from DB3EHSOBE001.bigfish.com (db3ehsobe001.messaging.microsoft.com [213.199.154.139]) by ietfa.amsl.com (Postfix) with ESMTP id 3F47A21F8DF3 for ; Sat, 3 Dec 2011 18:26:12 -0800 (PST) Received: from mail96-db3-R.bigfish.com (10.3.81.245) by DB3EHSOBE001.bigfish.com (10.3.84.21) with Microsoft SMTP Server id 14.1.225.23; Sun, 4 Dec 2011 02:26:11 +0000 Received: from mail96-db3 (localhost [127.0.0.1]) by mail96-db3-R.bigfish.com (Postfix) with ESMTP id 56F5C260171; Sun, 4 Dec 2011 02:26:11 +0000 (UTC) X-SpamScore: -50 X-BigFish: VS-50(zzbb2dK9371K542Mdf9M1432N1418M98dKzz1202hzz1033IL8275dhz2fh2a8h668h839h61h) X-Spam-TCS-SCL: 0:0 X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC104.redmond.corp.microsoft.com; RD:none; EFVD:NLI Received-SPF: pass (mail96-db3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC104.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail96-db3 (localhost.localdomain [127.0.0.1]) by mail96-db3 (MessageSwitch) id 132296557168208_31510; Sun, 4 Dec 2011 02:26:11 +0000 (UTC) Received: from DB3EHSMHS019.bigfish.com (unknown [10.3.81.253]) by mail96-db3.bigfish.com (Postfix) with ESMTP id 0D1332E0046; Sun, 4 Dec 2011 02:26:11 +0000 (UTC) Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.8) by DB3EHSMHS019.bigfish.com (10.3.87.119) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sun, 4 Dec 2011 02:26:10 +0000 Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.220]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.02.0247.005; Sat, 3 Dec 2011 18:26:08 -0800 From: Mike Jones To: Barry Leiba , Stephen Farrell Thread-Topic: [OAUTH-WG] Mandatory-to-implement token type Thread-Index: AQHMpQLwA9RtSm1QTkeczilud+gNJJXIYlkAgAABeQCAABrqAIAAXtcAgAJmEwD//8n+kA== Date: Sun, 4 Dec 2011 02:26:07 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435F7576DF@TK5EX14MBXC283.redmond.corp.microsoft.com> References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.35] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Dec 2011 02:26:13 -0000 I strongly object to a mandatory-to-implement clause for the MAC scheme. T= hey are unnecessary and market forces have shown that implementers do not w= ant or need this kind of an authentication scheme. -- Mike -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of B= arry Leiba Sent: Saturday, December 03, 2011 1:38 PM To: Stephen Farrell Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type Stephen says: > On 12/02/2011 03:20 AM, Barry Leiba wrote: >> Maybe what would work best is some text that suggests what I say >> above: that toolkits intended for use in implementing OAuth services=20 >> in general... implement [X and/or Y], and that code written for a=20 >> specific environment implement what makes sense for that environment. >> It seems to me that to require any particular implementation in the=20 >> latter case is arbitrary and counter-productive, and doesn't help=20 >> anything interoperate. =A0Whereas general-purpose toolkits that=20 >> implement everything DO help interop. > > That'd work just fine for me. OK, so here's what I suggest... I propose adding a new section 7.2, thus: ----------------------------------- 7.2 Access Token Implementation Considerations Access token types have to be mutually understood among the authorization s= erver, the resource server, and the client -- the access token issues the t= oken, the resource server validates it, and the client is required to under= stand the type, as noted in section 7.1, above. Because of that, interoper= ability of program code developed separately depends upon the token types t= hat are supported in the code. Toolkits that are intended for general use (for building other clients and/= or servers), therefore, SHOULD implement as many token types as practical, = to ensure that programs developed with those toolkits are able to use the t= oken types they need. In particular, all general-use toolkits MUST impleme= nt bearer tokens [...ref...] and MAC tokens [...ref...]. Purpose-built code, built without such toolkits, has somewhat more flexibil= ity, as its developers know the specific environment they're developing for= . There's clearly little point to including code to support a particular t= oken type when it's known in advance that the type in question will never b= e used in the intended deployment. Developers of purpose-built code are encouraged to consider future extensio= ns and to plan ahead for changes in circumstances, and might still want to = include support for multiple token types. That said, the choice of token-t= ype support for such purpose-built code is left to the developers and their= specific requirements. ----------------------------------- I think that expresses a reasonable compromise that might actually be follo= wed and might actually do some good. Comments? Can we go with this and cl= ose this issue? (And, sorry, I've been a Bad Chair, and haven't put this i= n the tracker.) Barry _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From ve7jtb@ve7jtb.com Sat Dec 3 21:39:52 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02DBC21F9311 for ; Sat, 3 Dec 2011 21:39:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.599 X-Spam-Level: X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HhzA6XSTWvIa for ; Sat, 3 Dec 2011 21:39:51 -0800 (PST) Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 57BB521F92E2 for ; Sat, 3 Dec 2011 21:39:51 -0800 (PST) Received: by iaek3 with SMTP id k3so4559671iae.31 for ; Sat, 03 Dec 2011 21:39:49 -0800 (PST) Received: by 10.231.29.79 with SMTP id p15mr1162397ibc.16.1322977189486; Sat, 03 Dec 2011 21:39:49 -0800 (PST) Received: from 210-170-097-163.jp.fiberbit.net (210-170-097-163.jp.fiberbit.net. [210.170.97.163]) by mx.google.com with ESMTPS id a2sm31980868igj.7.2011.12.03.21.39.47 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 03 Dec 2011 21:39:48 -0800 (PST) Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=iso-8859-1 From: John Bradley In-Reply-To: Date: Sun, 4 Dec 2011 14:39:45 +0900 Content-Transfer-Encoding: quoted-printable Message-Id: <069A2A4B-18C4-4440-BB13-1E259FC66958@ve7jtb.com> References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> To: Barry Leiba X-Mailer: Apple Mail (2.1251.1) Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Dec 2011 05:39:52 -0000 I remain unconvinced that at this point MTI is going to be useful. =20 I appreciate that some people want MAC, I could not support it being = MTI. The below text with Bearer as MTI the only would be acceptable, if we = need a MTI token handler. (I tend to think of token type, as bearer token type JWT/SAML etc, and = this issue is more on the handling of classes of tokens) John Bradley On 2011-12-04, at 6:37 AM, Barry Leiba wrote: > Stephen says: >> On 12/02/2011 03:20 AM, Barry Leiba wrote: >>> Maybe what would work best is some text that suggests what I say >>> above: that toolkits intended for use in implementing OAuth services >>> in general... implement [X and/or Y], and that code written for a >>> specific environment implement what makes sense for that = environment. >>> It seems to me that to require any particular implementation in the >>> latter case is arbitrary and counter-productive, and doesn't help >>> anything interoperate. Whereas general-purpose toolkits that >>> implement everything DO help interop. >>=20 >> That'd work just fine for me. >=20 > OK, so here's what I suggest... I propose adding a new section 7.2, = thus: >=20 > ----------------------------------- > 7.2 Access Token Implementation Considerations >=20 > Access token types have to be mutually understood among the > authorization server, the resource server, and the client -- the > access token issues the token, the resource server validates it, and > the client is required to understand the type, as noted in section > 7.1, above. Because of that, interoperability of program code > developed separately depends upon the token types that are supported > in the code. >=20 > Toolkits that are intended for general use (for building other clients > and/or servers), therefore, SHOULD implement as many token types as > practical, to ensure that programs developed with those toolkits are > able to use the token types they need. In particular, all general-use > toolkits MUST implement bearer tokens [...ref...] and MAC tokens > [...ref...]. >=20 > Purpose-built code, built without such toolkits, has somewhat more > flexibility, as its developers know the specific environment they're > developing for. There's clearly little point to including code to > support a particular token type when it's known in advance that the > type in question will never be used in the intended deployment. > Developers of purpose-built code are encouraged to consider future > extensions and to plan ahead for changes in circumstances, and might > still want to include support for multiple token types. That said, > the choice of token-type support for such purpose-built code is left > to the developers and their specific requirements. > ----------------------------------- >=20 > I think that expresses a reasonable compromise that might actually be > followed and might actually do some good. Comments? Can we go with > this and close this issue? (And, sorry, I've been a Bad Chair, and > haven't put this in the tracker.) >=20 > Barry > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From tonynad@microsoft.com Sun Dec 4 01:36:57 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0C8821F845F for ; Sun, 4 Dec 2011 01:36:57 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.467 X-Spam-Level: X-Spam-Status: No, score=-3.467 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNRESOLVED_TEMPLATE=3.132] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kh2DLi265hh8 for ; Sun, 4 Dec 2011 01:36:57 -0800 (PST) Received: from TX2EHSOBE002.bigfish.com (tx2ehsobe001.messaging.microsoft.com [65.55.88.11]) by ietfa.amsl.com (Postfix) with ESMTP id C0B9621F8468 for ; Sun, 4 Dec 2011 01:36:56 -0800 (PST) Received: from mail157-tx2-R.bigfish.com (10.9.14.236) by TX2EHSOBE002.bigfish.com (10.9.40.22) with Microsoft SMTP Server id 14.1.225.23; Sun, 4 Dec 2011 09:36:53 +0000 Received: from mail157-tx2 (localhost [127.0.0.1]) by mail157-tx2-R.bigfish.com (Postfix) with ESMTP id 4E97A4C0534 for ; Sun, 4 Dec 2011 09:36:53 +0000 (UTC) X-SpamScore: -47 X-BigFish: VS-47(zzbb2dK9371K542Mdf9M1432N1418M98dKzz1202h1082kzz1033IL8275dhz2fh2a8h683h839h61h) X-Spam-TCS-SCL: 0:0 X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC103.redmond.corp.microsoft.com; RD:none; EFVD:NLI Received-SPF: pass (mail157-tx2: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=tonynad@microsoft.com; helo=TK5EX14HUBC103.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail157-tx2 (localhost.localdomain [127.0.0.1]) by mail157-tx2 (MessageSwitch) id 132299141335044_3818; Sun, 4 Dec 2011 09:36:53 +0000 (UTC) Received: from TX2EHSMHS004.bigfish.com (unknown [10.9.14.253]) by mail157-tx2.bigfish.com (Postfix) with ESMTP id ECFF732022B for ; Sun, 4 Dec 2011 09:36:52 +0000 (UTC) Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (131.107.125.8) by TX2EHSMHS004.bigfish.com (10.9.99.104) with Microsoft SMTP Server (TLS) id 14.1.225.22; Sun, 4 Dec 2011 09:36:53 +0000 Received: from AM1EHSOBE001.bigfish.com (157.54.51.112) by mail.microsoft.com (157.54.86.9) with Microsoft SMTP Server (TLS) id 14.2.247.5; Sun, 4 Dec 2011 01:36:49 -0800 Received: from mail69-am1-R.bigfish.com (10.3.201.250) by AM1EHSOBE001.bigfish.com (10.3.204.21) with Microsoft SMTP Server id 14.1.225.23; Sun, 4 Dec 2011 09:36:50 +0000 Received: from mail69-am1 (localhost [127.0.0.1]) by mail69-am1-R.bigfish.com (Postfix) with ESMTP id A43CE6C0423 for ; Sun, 4 Dec 2011 09:36:49 +0000 (UTC) Received: from mail69-am1 (localhost.localdomain [127.0.0.1]) by mail69-am1 (MessageSwitch) id 1322991409404092_19957; Sun, 4 Dec 2011 09:36:49 +0000 (UTC) Received: from AM1EHSMHS008.bigfish.com (unknown [10.3.201.248]) by mail69-am1.bigfish.com (Postfix) with ESMTP id 55B96140043; Sun, 4 Dec 2011 09:36:49 +0000 (UTC) Received: from BL2PRD0310HT001.namprd03.prod.outlook.com (157.56.240.21) by AM1EHSMHS008.bigfish.com (10.3.207.108) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sun, 4 Dec 2011 09:36:49 +0000 Received: from BL2PRD0310MB362.namprd03.prod.outlook.com ([169.254.10.183]) by BL2PRD0310HT001.namprd03.prod.outlook.com ([10.255.97.36]) with mapi id 14.16.0094.000; Sun, 4 Dec 2011 09:36:47 +0000 From: Anthony Nadalin To: Mike Jones , Barry Leiba , Stephen Farrell Thread-Topic: [OAUTH-WG] Mandatory-to-implement token type Thread-Index: AQHMpQL0Sb85EJbey0aMx4cOTKVJd5XH3D0AgAABeQCAABrqAIAAXtYAgAJmFACAAFCYgIAAeAmw Date: Sun, 4 Dec 2011 09:36:46 +0000 Message-ID: References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739435F7576DF@TK5EX14MBXC283.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F7576DF@TK5EX14MBXC283.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [62.50.245.48] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OrganizationHeadersPreserved: BL2PRD0310HT001.namprd03.prod.outlook.com X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn% X-FOPE-CONNECTOR: Id%59$Dn%COMPUTER.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn% X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn% X-FOPE-CONNECTOR: Id%59$Dn%CS.TCD.IE$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn% X-CrossPremisesHeadersPromoted: TK5EX14HUBC103.redmond.corp.microsoft.com X-CrossPremisesHeadersFiltered: TK5EX14HUBC103.redmond.corp.microsoft.com X-OriginatorOrg: microsoft.com Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Dec 2011 09:36:57 -0000 I agree we have no plans to implement MAC if we wanted that we would have b= een happy with OAUTH 1.0a but that was not deployable -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of M= ike Jones Sent: Saturday, December 03, 2011 6:26 PM To: Barry Leiba; Stephen Farrell Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type I strongly object to a mandatory-to-implement clause for the MAC scheme. T= hey are unnecessary and market forces have shown that implementers do not w= ant or need this kind of an authentication scheme. -- Mike -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of B= arry Leiba Sent: Saturday, December 03, 2011 1:38 PM To: Stephen Farrell Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type Stephen says: > On 12/02/2011 03:20 AM, Barry Leiba wrote: >> Maybe what would work best is some text that suggests what I say >> above: that toolkits intended for use in implementing OAuth services=20 >> in general... implement [X and/or Y], and that code written for a=20 >> specific environment implement what makes sense for that environment. >> It seems to me that to require any particular implementation in the=20 >> latter case is arbitrary and counter-productive, and doesn't help=20 >> anything interoperate. =A0Whereas general-purpose toolkits that=20 >> implement everything DO help interop. > > That'd work just fine for me. OK, so here's what I suggest... I propose adding a new section 7.2, thus: ----------------------------------- 7.2 Access Token Implementation Considerations Access token types have to be mutually understood among the authorization s= erver, the resource server, and the client -- the access token issues the t= oken, the resource server validates it, and the client is required to under= stand the type, as noted in section 7.1, above. Because of that, interoper= ability of program code developed separately depends upon the token types t= hat are supported in the code. Toolkits that are intended for general use (for building other clients and/= or servers), therefore, SHOULD implement as many token types as practical, = to ensure that programs developed with those toolkits are able to use the t= oken types they need. In particular, all general-use toolkits MUST impleme= nt bearer tokens [...ref...] and MAC tokens [...ref...]. Purpose-built code, built without such toolkits, has somewhat more flexibil= ity, as its developers know the specific environment they're developing for= . There's clearly little point to including code to support a particular t= oken type when it's known in advance that the type in question will never b= e used in the intended deployment. Developers of purpose-built code are encouraged to consider future extensio= ns and to plan ahead for changes in circumstances, and might still want to = include support for multiple token types. That said, the choice of token-t= ype support for such purpose-built code is left to the developers and their= specific requirements. ----------------------------------- I think that expresses a reasonable compromise that might actually be follo= wed and might actually do some good. Comments? Can we go with this and cl= ose this issue? (And, sorry, I've been a Bad Chair, and haven't put this i= n the tracker.) Barry _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From paul.madsen@gmail.com Sun Dec 4 05:15:32 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B69E21F84B2 for ; Sun, 4 Dec 2011 05:15:32 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T9S-s8CeuY01 for ; Sun, 4 Dec 2011 05:15:31 -0800 (PST) Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 38B7E21F84B0 for ; Sun, 4 Dec 2011 05:15:31 -0800 (PST) Received: by qcsf15 with SMTP id f15so1190396qcs.31 for ; Sun, 04 Dec 2011 05:15:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=ues/FCxjNNLKOWPJk+yDmmmCm7x24xXVj+P0CyQPTMI=; b=DBzSZx2ZbY4QVFBuAzLobTUE+JjVrCwdxP9ll1LB4AqYVOhfNeFlaKsd4WKkpiAbBa jcof/isvJHFmmcqOTyST6c0MdhYd5gr4rVvba9DbiBbYIUppf/QsveODUeq4Pp47P/RA sLzgvcVBR5bAm8TZkjPbfBBQ1X8OblM8UhDEo= Received: by 10.229.65.3 with SMTP id g3mr1170312qci.23.1323004529186; Sun, 04 Dec 2011 05:15:29 -0800 (PST) Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [99.224.152.177]) by mx.google.com with ESMTPS id 8sm18754679qaf.9.2011.12.04.05.15.27 (version=SSLv3 cipher=OTHER); Sun, 04 Dec 2011 05:15:28 -0800 (PST) Message-ID: <4EDB726E.2060900@gmail.com> Date: Sun, 04 Dec 2011 08:15:26 -0500 From: Paul Madsen User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: oauth@ietf.org References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> In-Reply-To: Content-Type: multipart/alternative; boundary="------------070203090203090002040001" Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Dec 2011 13:15:32 -0000 This is a multi-part message in MIME format. --------------070203090203090002040001 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Commercial OAuth authorization servers are neither 'toolkits' nor 'purpose built code' - not used to build OAuth clients/servers but yet required to support more variety in deployments than a single purpose built server. But, that variety is driven by customer demand, and none of ours (yet?) have demanded MAC. If and when that demand comes, we will add support. To stipulate MAC as MTI would in no way reflect what the market wants. And 'interop' nobody wants is not meaningful interop. paul On 12/3/11 4:37 PM, Barry Leiba wrote: > Stephen says: >> On 12/02/2011 03:20 AM, Barry Leiba wrote: >>> Maybe what would work best is some text that suggests what I say >>> above: that toolkits intended for use in implementing OAuth services >>> in general... implement [X and/or Y], and that code written for a >>> specific environment implement what makes sense for that environment. >>> It seems to me that to require any particular implementation in the >>> latter case is arbitrary and counter-productive, and doesn't help >>> anything interoperate. Whereas general-purpose toolkits that >>> implement everything DO help interop. >> That'd work just fine for me. > OK, so here's what I suggest... I propose adding a new section 7.2, thus: > > ----------------------------------- > 7.2 Access Token Implementation Considerations > > Access token types have to be mutually understood among the > authorization server, the resource server, and the client -- the > access token issues the token, the resource server validates it, and > the client is required to understand the type, as noted in section > 7.1, above. Because of that, interoperability of program code > developed separately depends upon the token types that are supported > in the code. > > Toolkits that are intended for general use (for building other clients > and/or servers), therefore, SHOULD implement as many token types as > practical, to ensure that programs developed with those toolkits are > able to use the token types they need. In particular, all general-use > toolkits MUST implement bearer tokens [...ref...] and MAC tokens > [...ref...]. > > Purpose-built code, built without such toolkits, has somewhat more > flexibility, as its developers know the specific environment they're > developing for. There's clearly little point to including code to > support a particular token type when it's known in advance that the > type in question will never be used in the intended deployment. > Developers of purpose-built code are encouraged to consider future > extensions and to plan ahead for changes in circumstances, and might > still want to include support for multiple token types. That said, > the choice of token-type support for such purpose-built code is left > to the developers and their specific requirements. > ----------------------------------- > > I think that expresses a reasonable compromise that might actually be > followed and might actually do some good. Comments? Can we go with > this and close this issue? (And, sorry, I've been a Bad Chair, and > haven't put this in the tracker.) > > Barry > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------070203090203090002040001 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Commercial OAuth authorization servers are neither 'toolkits' nor 'purpose built code' - not used to build OAuth clients/servers but yet required to support more variety in deployments than a single purpose built server.

But, that variety is driven by customer demand, and none of ours (yet?) have demanded MAC. If and when that demand comes, we will add support.

To stipulate MAC as MTI would in no way reflect what the market wants. And 'interop' nobody wants is not meaningful interop.

paul

On 12/3/11 4:37 PM, Barry Leiba wrote: 
Stephen says:

On 12/02/2011 03:20 AM, Barry Leiba wrote:

Maybe what would work best is some text that suggests what I say
above: that toolkits intended for use in implementing OAuth services
in general... implement [X and/or Y], and that code written for a
specific environment implement what makes sense for that environment.
It seems to me that to require any particular implementation in the
latter case is arbitrary and counter-productive, and doesn't help
anything interoperate.  Whereas general-purpose toolkits that
implement everything DO help interop.

That'd work just fine for me.

OK, so here's what I suggest... I propose adding a new section 7.2, thus:

-----------------------------------
7.2 Access Token Implementation Considerations

Access token types have to be mutually understood among the
authorization server, the resource server, and the client -- the
access token issues the token, the resource server validates it, and
the client is required to understand the type, as noted in section
7.1, above.  Because of that, interoperability of program code
developed separately depends upon the token types that are supported
in the code.

Toolkits that are intended for general use (for building other clients
and/or servers), therefore, SHOULD implement as many token types as
practical, to ensure that programs developed with those toolkits are
able to use the token types they need.  In particular, all general-use
toolkits MUST implement bearer tokens [...ref...] and MAC tokens
[...ref...].

Purpose-built code, built without such toolkits, has somewhat more
flexibility, as its developers know the specific environment they're
developing for.  There's clearly little point to including code to
support a particular token type when it's known in advance that the
type in question will never be used in the intended deployment.
Developers of purpose-built code are encouraged to consider future
extensions and to plan ahead for changes in circumstances, and might
still want to include support for multiple token types.  That said,
the choice of token-type support for such purpose-built code is left
to the developers and their specific requirements.
-----------------------------------

I think that expresses a reasonable compromise that might actually be
followed and might actually do some good.  Comments?  Can we go with
this and close this issue?  (And, sorry, I've been a Bad Chair, and
haven't put this in the tracker.)

Barry
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--------------070203090203090002040001-- From stephen.farrell@cs.tcd.ie Sun Dec 4 06:20:31 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 348DC21F8538 for ; Sun, 4 Dec 2011 06:20:31 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fIlEAtCS0QuK for ; Sun, 4 Dec 2011 06:20:30 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 269AF21F8532 for ; Sun, 4 Dec 2011 06:20:28 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 62CAF171C61; Sun, 4 Dec 2011 14:20:28 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1323008427; bh=lT+ioZJg74dWvt DuQSdHuqt2skt2OSYnVmBnDfmCGUM=; b=S4ZD0NC6kiLVR2+PvsRtEqBP222SFF ODg6vcvWM/u4RpxIMAqiUpE0td6kH6DF512Zq2fOiiaYWv07JpxuETZdsHoMRxuS VxADFFx92UZN87gsW/76NnqRGjCnC/oNWuu9GvP2kWflDM/1dFMcWDvyuqtMGL8A 8FhFBOiggz1L4dphAO5pDMCePR3V2FQO+gL6XpGtvbpMP7eILdR8r3iGbjBj7tvF rxYTsG+R9DY0CTAhSPkkk+ypvvVktNFd0i0p+/5UTzigTHz+KLd/JDtB68m245YZ c0RaX9omQQa693mL4fm57HiMZEWSSgMxAzvrdoms0AtjZEhoWbm04RIQ== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id WKft5MuH3L8X; Sun, 4 Dec 2011 14:20:27 +0000 (GMT) Received: from [10.87.48.10] (unknown [86.44.76.70]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 31DCE171CB4; Sun, 4 Dec 2011 14:20:25 +0000 (GMT) Message-ID: <4EDB81A9.5090007@cs.tcd.ie> Date: Sun, 04 Dec 2011 14:20:25 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Paul Madsen References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4EDB726E.2060900@gmail.com> In-Reply-To: <4EDB726E.2060900@gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Dec 2011 14:20:31 -0000 FWIW, if Barry's suggested text was amended to say "MUST do bearer, MAY do mac" I'd still be ok with that. Much as I'd like if the mac scheme were more popular, my comment on -22 was interop and not really security related. S On 12/04/2011 01:15 PM, Paul Madsen wrote: > Commercial OAuth authorization servers are neither 'toolkits' nor > 'purpose built code' - not used to build OAuth clients/servers but yet > required to support more variety in deployments than a single purpose > built server. > > But, that variety is driven by customer demand, and none of ours (yet?) > have demanded MAC. If and when that demand comes, we will add support. > > To stipulate MAC as MTI would in no way reflect what the market wants. > And 'interop' nobody wants is not meaningful interop. > > paul > > On 12/3/11 4:37 PM, Barry Leiba wrote: >> Stephen says: >>> On 12/02/2011 03:20 AM, Barry Leiba wrote: >>>> Maybe what would work best is some text that suggests what I say >>>> above: that toolkits intended for use in implementing OAuth services >>>> in general... implement [X and/or Y], and that code written for a >>>> specific environment implement what makes sense for that environment. >>>> It seems to me that to require any particular implementation in the >>>> latter case is arbitrary and counter-productive, and doesn't help >>>> anything interoperate. Whereas general-purpose toolkits that >>>> implement everything DO help interop. >>> That'd work just fine for me. >> OK, so here's what I suggest... I propose adding a new section 7.2, thus: >> >> ----------------------------------- >> 7.2 Access Token Implementation Considerations >> >> Access token types have to be mutually understood among the >> authorization server, the resource server, and the client -- the >> access token issues the token, the resource server validates it, and >> the client is required to understand the type, as noted in section >> 7.1, above. Because of that, interoperability of program code >> developed separately depends upon the token types that are supported >> in the code. >> >> Toolkits that are intended for general use (for building other clients >> and/or servers), therefore, SHOULD implement as many token types as >> practical, to ensure that programs developed with those toolkits are >> able to use the token types they need. In particular, all general-use >> toolkits MUST implement bearer tokens [...ref...] and MAC tokens >> [...ref...]. >> >> Purpose-built code, built without such toolkits, has somewhat more >> flexibility, as its developers know the specific environment they're >> developing for. There's clearly little point to including code to >> support a particular token type when it's known in advance that the >> type in question will never be used in the intended deployment. >> Developers of purpose-built code are encouraged to consider future >> extensions and to plan ahead for changes in circumstances, and might >> still want to include support for multiple token types. That said, >> the choice of token-type support for such purpose-built code is left >> to the developers and their specific requirements. >> ----------------------------------- >> >> I think that expresses a reasonable compromise that might actually be >> followed and might actually do some good. Comments? Can we go with >> this and close this issue? (And, sorry, I've been a Bad Chair, and >> haven't put this in the tracker.) >> >> Barry >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From Michael.Jones@microsoft.com Sun Dec 4 06:21:31 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B7B921F8532 for ; Sun, 4 Dec 2011 06:21:31 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.099 X-Spam-Level: X-Spam-Status: No, score=-5.099 tagged_above=-999 required=5 tests=[AWL=1.500, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jTuG0BOyXLAk for ; Sun, 4 Dec 2011 06:21:30 -0800 (PST) Received: from TX2EHSOBE009.bigfish.com (tx2ehsobe004.messaging.microsoft.com [65.55.88.14]) by ietfa.amsl.com (Postfix) with ESMTP id 45FCC21F8538 for ; Sun, 4 Dec 2011 06:21:30 -0800 (PST) Received: from mail109-tx2-R.bigfish.com (10.9.14.235) by TX2EHSOBE009.bigfish.com (10.9.40.29) with Microsoft SMTP Server id 14.1.225.23; Sun, 4 Dec 2011 14:21:30 +0000 Received: from mail109-tx2 (localhost [127.0.0.1]) by mail109-tx2-R.bigfish.com (Postfix) with ESMTP id BA20B4C01E5; Sun, 4 Dec 2011 14:21:29 +0000 (UTC) X-SpamScore: -50 X-BigFish: VS-50(zzbb2dK9371K542Mdf9M1432N1418M98dKzz1202hzz1033IL8275dhz2fh2a8h668h839h944h61h) X-Spam-TCS-SCL: 0:0 X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI Received-SPF: pass (mail109-tx2: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC102.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail109-tx2 (localhost.localdomain [127.0.0.1]) by mail109-tx2 (MessageSwitch) id 1323008489231198_17935; Sun, 4 Dec 2011 14:21:29 +0000 (UTC) Received: from TX2EHSMHS004.bigfish.com (unknown [10.9.14.238]) by mail109-tx2.bigfish.com (Postfix) with ESMTP id 31B9E640044; Sun, 4 Dec 2011 14:21:29 +0000 (UTC) Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.8) by TX2EHSMHS004.bigfish.com (10.9.99.104) with Microsoft SMTP Server (TLS) id 14.1.225.22; Sun, 4 Dec 2011 14:21:28 +0000 Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.220]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.02.0247.005; Sun, 4 Dec 2011 06:21:24 -0800 From: Mike Jones To: Stephen Farrell , Paul Madsen Thread-Topic: [OAUTH-WG] Mandatory-to-implement token type Thread-Index: AQHMpQLwA9RtSm1QTkeczilud+gNJJXIYlkAgAABeQCAABrqAIAAXtcAgAJmEwCAAQYDAIAAEiiA//96DYA= Date: Sun, 4 Dec 2011 14:21:24 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435F757A6B@TK5EX14MBXC283.redmond.corp.microsoft.com> References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4EDB726E.2060900@gmail.com> <4EDB81A9.5090007@cs.tcd.ie> In-Reply-To: <4EDB81A9.5090007@cs.tcd.ie> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.37] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Dec 2011 14:21:31 -0000 The core spec should be completely silent on MAC, as it is not ready for pr= ime time. -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of S= tephen Farrell Sent: Sunday, December 04, 2011 6:20 AM To: Paul Madsen Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Mandatory-to-implement token type FWIW, if Barry's suggested text was amended to say "MUST do bearer, MAY do = mac" I'd still be ok with that. Much as I'd like if the mac scheme were more popular, my comment on -22 was= interop and not really security related. S On 12/04/2011 01:15 PM, Paul Madsen wrote: > Commercial OAuth authorization servers are neither 'toolkits' nor=20 > 'purpose built code' - not used to build OAuth clients/servers but yet=20 > required to support more variety in deployments than a single purpose=20 > built server. > > But, that variety is driven by customer demand, and none of ours=20 > (yet?) have demanded MAC. If and when that demand comes, we will add supp= ort. > > To stipulate MAC as MTI would in no way reflect what the market wants. > And 'interop' nobody wants is not meaningful interop. > > paul > > On 12/3/11 4:37 PM, Barry Leiba wrote: >> Stephen says: >>> On 12/02/2011 03:20 AM, Barry Leiba wrote: >>>> Maybe what would work best is some text that suggests what I say >>>> above: that toolkits intended for use in implementing OAuth=20 >>>> services in general... implement [X and/or Y], and that code=20 >>>> written for a specific environment implement what makes sense for that= environment. >>>> It seems to me that to require any particular implementation in the=20 >>>> latter case is arbitrary and counter-productive, and doesn't help=20 >>>> anything interoperate. Whereas general-purpose toolkits that=20 >>>> implement everything DO help interop. >>> That'd work just fine for me. >> OK, so here's what I suggest... I propose adding a new section 7.2, thus= : >> >> ----------------------------------- >> 7.2 Access Token Implementation Considerations >> >> Access token types have to be mutually understood among the=20 >> authorization server, the resource server, and the client -- the=20 >> access token issues the token, the resource server validates it, and=20 >> the client is required to understand the type, as noted in section=20 >> 7.1, above. Because of that, interoperability of program code=20 >> developed separately depends upon the token types that are supported=20 >> in the code. >> >> Toolkits that are intended for general use (for building other=20 >> clients and/or servers), therefore, SHOULD implement as many token=20 >> types as practical, to ensure that programs developed with those=20 >> toolkits are able to use the token types they need. In particular,=20 >> all general-use toolkits MUST implement bearer tokens [...ref...] and=20 >> MAC tokens [...ref...]. >> >> Purpose-built code, built without such toolkits, has somewhat more=20 >> flexibility, as its developers know the specific environment they're=20 >> developing for. There's clearly little point to including code to=20 >> support a particular token type when it's known in advance that the=20 >> type in question will never be used in the intended deployment. >> Developers of purpose-built code are encouraged to consider future=20 >> extensions and to plan ahead for changes in circumstances, and might=20 >> still want to include support for multiple token types. That said,=20 >> the choice of token-type support for such purpose-built code is left=20 >> to the developers and their specific requirements. >> ----------------------------------- >> >> I think that expresses a reasonable compromise that might actually be=20 >> followed and might actually do some good. Comments? Can we go with=20 >> this and close this issue? (And, sorry, I've been a Bad Chair, and=20 >> haven't put this in the tracker.) >> >> Barry >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From stephen.farrell@cs.tcd.ie Sun Dec 4 06:44:16 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0037A21F846C for ; Sun, 4 Dec 2011 06:44:15 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zAAE8z0nSOG0 for ; Sun, 4 Dec 2011 06:44:15 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id E344621F8466 for ; Sun, 4 Dec 2011 06:44:14 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 089C2171CB4; Sun, 4 Dec 2011 14:44:14 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1323009853; bh=huo3QHd+hyzNox czHrf/J+7Pjkpo+kveoT+27OW1XAg=; b=pADakI2VWLv8YBf/9ItHjgJr9gUTYN BPUV+cM9kD5Z7j0BxeTczgqBXvHIzJ3B8Jd/YrCpnhfIIt8dSRCRyQThLflvLxSJ YubJzAfi768XBxeOMHHNsBmeQSQ9wa3/x4lJDRVCZSLTL//UdRZhle9jeDqqhL/s ASmDJ9mJ5TtWudfl6F46P7FaekDnaccA9aj0f+y+uZYxsJZxvGle8LYLO9xyrZqf SISKQdxEQEDG5BS+UYXWlXyNPUddgMesSvTqHFDjjVG7QxqImgC/O5uto2f/AJJG g/V4eXiROk0127xU8h0b+rCmcU2d4VnOKl9BI17Qz8tZ2qlyTTY+Tdqw== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id 2sz4Ims9BIAB; Sun, 4 Dec 2011 14:44:13 +0000 (GMT) Received: from [10.87.48.10] (unknown [86.44.76.70]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id E9A38171C61; Sun, 4 Dec 2011 14:44:12 +0000 (GMT) Message-ID: <4EDB873C.4040005@cs.tcd.ie> Date: Sun, 04 Dec 2011 14:44:12 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Mike Jones References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4EDB726E.2060900@gmail.com> <4EDB81A9.5090007@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739435F757A6B@TK5EX14MBXC283.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F757A6B@TK5EX14MBXC283.redmond.corp.microsoft.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Dec 2011 14:44:16 -0000 Whatever. If the entire WG want to get excited by the difference between MAY do mac and not mentioning it then fine. Personally, I'd be more interested in getting done rather than nailing that final nail into any coffin;-) S On 12/04/2011 02:21 PM, Mike Jones wrote: > The core spec should be completely silent on MAC, as it is not ready for prime time. > > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Stephen Farrell > Sent: Sunday, December 04, 2011 6:20 AM > To: Paul Madsen > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] Mandatory-to-implement token type > > > FWIW, if Barry's suggested text was amended to say "MUST do bearer, MAY do mac" I'd still be ok with that. > > Much as I'd like if the mac scheme were more popular, my comment on -22 was interop and not really security related. > > S > > On 12/04/2011 01:15 PM, Paul Madsen wrote: >> Commercial OAuth authorization servers are neither 'toolkits' nor >> 'purpose built code' - not used to build OAuth clients/servers but yet >> required to support more variety in deployments than a single purpose >> built server. >> >> But, that variety is driven by customer demand, and none of ours >> (yet?) have demanded MAC. If and when that demand comes, we will add support. >> >> To stipulate MAC as MTI would in no way reflect what the market wants. >> And 'interop' nobody wants is not meaningful interop. >> >> paul >> >> On 12/3/11 4:37 PM, Barry Leiba wrote: >>> Stephen says: >>>> On 12/02/2011 03:20 AM, Barry Leiba wrote: >>>>> Maybe what would work best is some text that suggests what I say >>>>> above: that toolkits intended for use in implementing OAuth >>>>> services in general... implement [X and/or Y], and that code >>>>> written for a specific environment implement what makes sense for that environment. >>>>> It seems to me that to require any particular implementation in the >>>>> latter case is arbitrary and counter-productive, and doesn't help >>>>> anything interoperate. Whereas general-purpose toolkits that >>>>> implement everything DO help interop. >>>> That'd work just fine for me. >>> OK, so here's what I suggest... I propose adding a new section 7.2, thus: >>> >>> ----------------------------------- >>> 7.2 Access Token Implementation Considerations >>> >>> Access token types have to be mutually understood among the >>> authorization server, the resource server, and the client -- the >>> access token issues the token, the resource server validates it, and >>> the client is required to understand the type, as noted in section >>> 7.1, above. Because of that, interoperability of program code >>> developed separately depends upon the token types that are supported >>> in the code. >>> >>> Toolkits that are intended for general use (for building other >>> clients and/or servers), therefore, SHOULD implement as many token >>> types as practical, to ensure that programs developed with those >>> toolkits are able to use the token types they need. In particular, >>> all general-use toolkits MUST implement bearer tokens [...ref...] and >>> MAC tokens [...ref...]. >>> >>> Purpose-built code, built without such toolkits, has somewhat more >>> flexibility, as its developers know the specific environment they're >>> developing for. There's clearly little point to including code to >>> support a particular token type when it's known in advance that the >>> type in question will never be used in the intended deployment. >>> Developers of purpose-built code are encouraged to consider future >>> extensions and to plan ahead for changes in circumstances, and might >>> still want to include support for multiple token types. That said, >>> the choice of token-type support for such purpose-built code is left >>> to the developers and their specific requirements. >>> ----------------------------------- >>> >>> I think that expresses a reasonable compromise that might actually be >>> followed and might actually do some good. Comments? Can we go with >>> this and close this issue? (And, sorry, I've been a Bad Chair, and >>> haven't put this in the tracker.) >>> >>> Barry >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > From eran@hueniverse.com Sun Dec 4 10:31:00 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AD2821F85A1 for ; Sun, 4 Dec 2011 10:31:00 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.524 X-Spam-Level: X-Spam-Status: No, score=-2.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pIQE4jjayHmD for ; Sun, 4 Dec 2011 10:30:59 -0800 (PST) Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 63ED321F8538 for ; Sun, 4 Dec 2011 10:30:59 -0800 (PST) Received: (qmail 18164 invoked from network); 4 Dec 2011 18:30:58 -0000 Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.47) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 4 Dec 2011 18:30:58 -0000 Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT005.EX1.SECURESERVER.NET ([72.167.180.134]) with mapi; Sun, 4 Dec 2011 11:30:58 -0700 From: Eran Hammer-Lahav To: Anthony Nadalin , Mike Jones , Barry Leiba , Stephen Farrell Date: Sun, 4 Dec 2011 11:30:56 -0700 Thread-Topic: [OAUTH-WG] Mandatory-to-implement token type Thread-Index: AQHMpQL0Sb85EJbey0aMx4cOTKVJd5XH3D0AgAABeQCAABrqAIAAXtYAgAJmFACAAFCYgIAAeAmwgACVTyA= Message-ID: <90C41DD21FB7C64BB94121FBBC2E723452856C7315@P3PW5EX1MB01.EX1.SECURESERVER.NET> References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739435F7576DF@TK5EX14MBXC283.redmond.corp.microsoft.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Dec 2011 18:31:00 -0000 Bearer tokens are practically identical to OAuth 1.0 PLAINTEXT. Get your fa= cts right. > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Anthony Nadalin > Sent: Sunday, December 04, 2011 1:37 AM > To: Mike Jones; Barry Leiba; Stephen Farrell > Cc: oauth WG > Subject: Re: [OAUTH-WG] Mandatory-to-implement token type >=20 > I agree we have no plans to implement MAC if we wanted that we would > have been happy with OAUTH 1.0a but that was not deployable >=20 > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Mike Jones > Sent: Saturday, December 03, 2011 6:26 PM > To: Barry Leiba; Stephen Farrell > Cc: oauth WG > Subject: Re: [OAUTH-WG] Mandatory-to-implement token type >=20 > I strongly object to a mandatory-to-implement clause for the MAC scheme. > They are unnecessary and market forces have shown that implementers do > not want or need this kind of an authentication scheme. >=20 > -- Mike >=20 > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Barry Leiba > Sent: Saturday, December 03, 2011 1:38 PM > To: Stephen Farrell > Cc: oauth WG > Subject: Re: [OAUTH-WG] Mandatory-to-implement token type >=20 > Stephen says: > > On 12/02/2011 03:20 AM, Barry Leiba wrote: > >> Maybe what would work best is some text that suggests what I say > >> above: that toolkits intended for use in implementing OAuth services > >> in general... implement [X and/or Y], and that code written for a > >> specific environment implement what makes sense for that environment. > >> It seems to me that to require any particular implementation in the > >> latter case is arbitrary and counter-productive, and doesn't help > >> anything interoperate. =A0Whereas general-purpose toolkits that > >> implement everything DO help interop. > > > > That'd work just fine for me. >=20 > OK, so here's what I suggest... I propose adding a new section 7.2, thus: >=20 > ----------------------------------- > 7.2 Access Token Implementation Considerations >=20 > Access token types have to be mutually understood among the authorization > server, the resource server, and the client -- the access token issues th= e > token, the resource server validates it, and the client is required to > understand the type, as noted in section 7.1, above. Because of that, > interoperability of program code developed separately depends upon the > token types that are supported in the code. >=20 > Toolkits that are intended for general use (for building other clients an= d/or > servers), therefore, SHOULD implement as many token types as practical, t= o > ensure that programs developed with those toolkits are able to use the > token types they need. In particular, all general-use toolkits MUST > implement bearer tokens [...ref...] and MAC tokens [...ref...]. >=20 > Purpose-built code, built without such toolkits, has somewhat more > flexibility, as its developers know the specific environment they're > developing for. There's clearly little point to including code to suppor= t a > particular token type when it's known in advance that the type in questio= n > will never be used in the intended deployment. > Developers of purpose-built code are encouraged to consider future > extensions and to plan ahead for changes in circumstances, and might stil= l > want to include support for multiple token types. That said, the choice = of > token-type support for such purpose-built code is left to the developers = and > their specific requirements. > ----------------------------------- >=20 > I think that expresses a reasonable compromise that might actually be > followed and might actually do some good. Comments? Can we go with this > and close this issue? (And, sorry, I've been a Bad Chair, and haven't pu= t this > in the tracker.) >=20 > Barry > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 >=20 >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From eran@hueniverse.com Sun Dec 4 10:52:02 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 260D421F87C5 for ; Sun, 4 Dec 2011 10:52:02 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.539 X-Spam-Level: X-Spam-Status: No, score=-2.539 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nL9NbM-gpTZ1 for ; Sun, 4 Dec 2011 10:52:01 -0800 (PST) Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 553E121F86F6 for ; Sun, 4 Dec 2011 10:52:01 -0800 (PST) Received: (qmail 10364 invoked from network); 4 Dec 2011 18:52:01 -0000 Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.47) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 4 Dec 2011 18:52:01 -0000 Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT005.EX1.SECURESERVER.NET ([72.167.180.134]) with mapi; Sun, 4 Dec 2011 11:52:01 -0700 From: Eran Hammer-Lahav To: Stephen Farrell , Mike Jones Date: Sun, 4 Dec 2011 11:51:58 -0700 Thread-Topic: [OAUTH-WG] Mandatory-to-implement token type Thread-Index: AcyykzQ2Oxx3mj5cQ9OWymfyaXZNGAAH/qNw Message-ID: <90C41DD21FB7C64BB94121FBBC2E723452856C7318@P3PW5EX1MB01.EX1.SECURESERVER.NET> References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4EDB726E.2060900@gmail.com> <4EDB81A9.5090007@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739435F757A6B@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EDB873C.4040005@cs.tcd.ie> In-Reply-To: <4EDB873C.4040005@cs.tcd.ie> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Dec 2011 18:52:02 -0000 This has been going on for far too long. There is a well-established gap between the two tokens and those who suppor= t them and we are NEVER going to reach consensus. Instead we have a war of = attrition were each side is just keeping at it hoping the other side will g= ive up. The only compromise we were able to reach in 2 years is to keep the= v2 specification token agnostic. If we are now going to violate that for t= he perceived notion of interoperability, we should at least do it with due = process. Stephen - In previous discussion, my understanding was that you were oppose= d to publishing OAuth 2.0 without MAC because that would make 2.0 a less se= cure option than 1.0. While, as you stated, this thread is not about securi= ty but about interoperability, the two are at odds here and you can only ha= ve one. If the specification picked a winner by making only one required, a= nd if that one is Bearer, I see no point whatsoever in spending any more of= my time on MAC. It would be DOA. The WG is clearly opposed to making MAC required, but that is not the only = question to ask. The question for the group is also, do you even want MAC? = Are you planning on using it? And will you use it alongside Bearer or exclu= sively? If there is sufficient WG support for MAC, making Bearer required alone vio= lates that spirit because it will make MAC another specification no one car= es about and we don't need more of those. If there is no sufficient support= , let's just drop it as a WG item and let it resurface later if at all. As for the "market has decided" argument - I only want to warn those who us= e it that it is a double-edge-sword. The same people who now use that argum= ent are also the members of this group responsible for some of the new astr= onaut architecture features proposed in the rechartering discussion. If you= intend to make this your winning argument, the WG must then apply the same= rational to your other proposals. EHL > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Stephen Farrell > Sent: Sunday, December 04, 2011 6:44 AM > To: Mike Jones > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] Mandatory-to-implement token type >=20 >=20 > Whatever. If the entire WG want to get excited by the difference between > MAY do mac and not mentioning it then fine. >=20 > Personally, I'd be more interested in getting done rather than nailing th= at > final nail into any coffin;-) >=20 > S >=20 > On 12/04/2011 02:21 PM, Mike Jones wrote: > > The core spec should be completely silent on MAC, as it is not ready fo= r > prime time. > > > > -----Original Message----- > > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > > Of Stephen Farrell > > Sent: Sunday, December 04, 2011 6:20 AM > > To: Paul Madsen > > Cc: oauth@ietf.org > > Subject: Re: [OAUTH-WG] Mandatory-to-implement token type > > > > > > FWIW, if Barry's suggested text was amended to say "MUST do bearer, > MAY do mac" I'd still be ok with that. > > > > Much as I'd like if the mac scheme were more popular, my comment on -22 > was interop and not really security related. > > > > S > > > > On 12/04/2011 01:15 PM, Paul Madsen wrote: > >> Commercial OAuth authorization servers are neither 'toolkits' nor > >> 'purpose built code' - not used to build OAuth clients/servers but > >> yet required to support more variety in deployments than a single > >> purpose built server. > >> > >> But, that variety is driven by customer demand, and none of ours > >> (yet?) have demanded MAC. If and when that demand comes, we will > add support. > >> > >> To stipulate MAC as MTI would in no way reflect what the market wants. > >> And 'interop' nobody wants is not meaningful interop. > >> > >> paul > >> > >> On 12/3/11 4:37 PM, Barry Leiba wrote: > >>> Stephen says: > >>>> On 12/02/2011 03:20 AM, Barry Leiba wrote: > >>>>> Maybe what would work best is some text that suggests what I say > >>>>> above: that toolkits intended for use in implementing OAuth > >>>>> services in general... implement [X and/or Y], and that code > >>>>> written for a specific environment implement what makes sense for > that environment. > >>>>> It seems to me that to require any particular implementation in > >>>>> the latter case is arbitrary and counter-productive, and doesn't > >>>>> help anything interoperate. Whereas general-purpose toolkits that > >>>>> implement everything DO help interop. > >>>> That'd work just fine for me. > >>> OK, so here's what I suggest... I propose adding a new section 7.2, t= hus: > >>> > >>> ----------------------------------- > >>> 7.2 Access Token Implementation Considerations > >>> > >>> Access token types have to be mutually understood among the > >>> authorization server, the resource server, and the client -- the > >>> access token issues the token, the resource server validates it, and > >>> the client is required to understand the type, as noted in section > >>> 7.1, above. Because of that, interoperability of program code > >>> developed separately depends upon the token types that are supported > >>> in the code. > >>> > >>> Toolkits that are intended for general use (for building other > >>> clients and/or servers), therefore, SHOULD implement as many token > >>> types as practical, to ensure that programs developed with those > >>> toolkits are able to use the token types they need. In particular, > >>> all general-use toolkits MUST implement bearer tokens [...ref...] > >>> and MAC tokens [...ref...]. > >>> > >>> Purpose-built code, built without such toolkits, has somewhat more > >>> flexibility, as its developers know the specific environment they're > >>> developing for. There's clearly little point to including code to > >>> support a particular token type when it's known in advance that the > >>> type in question will never be used in the intended deployment. > >>> Developers of purpose-built code are encouraged to consider future > >>> extensions and to plan ahead for changes in circumstances, and might > >>> still want to include support for multiple token types. That said, > >>> the choice of token-type support for such purpose-built code is left > >>> to the developers and their specific requirements. > >>> ----------------------------------- > >>> > >>> I think that expresses a reasonable compromise that might actually > >>> be followed and might actually do some good. Comments? Can we go > >>> with this and close this issue? (And, sorry, I've been a Bad Chair, > >>> and haven't put this in the tracker.) > >>> > >>> Barry > >>> _______________________________________________ > >>> OAuth mailing list > >>> OAuth@ietf.org > >>> https://www.ietf.org/mailman/listinfo/oauth > >> > >> > >> > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From romeda@gmail.com Sun Dec 4 15:34:38 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65C3A21F89BA for ; Sun, 4 Dec 2011 15:34:38 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -103.599 X-Spam-Level: X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kSM4EumW8TDq for ; Sun, 4 Dec 2011 15:34:38 -0800 (PST) Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id D213F21F8888 for ; Sun, 4 Dec 2011 15:34:37 -0800 (PST) Received: by ggnk5 with SMTP id k5so994612ggn.31 for ; Sun, 04 Dec 2011 15:34:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=7rjGSNTu46Zhw0TKp3fUeHDrpHshNSCVWuYr0V1zoNY=; b=aYvEIVYdKN67nkMs/O27GzScQCoZBWp5jrjfjY1gWcu9plaDtKDeD1O6+5FxrVFbdg /uJlMcemssWBMNp2fyWpFi/YHbQrqnHKUGvGGkj+VzZvnfZ0aPLF7i/niSISQcAwNxc3 UJPmYKqVmS4fwcn0ySJ6hL1joF3OPI5NI4Rtk= Received: by 10.182.149.33 with SMTP id tx1mr1282959obb.62.1323041677258; Sun, 04 Dec 2011 15:34:37 -0800 (PST) MIME-Version: 1.0 Received: by 10.182.114.68 with HTTP; Sun, 4 Dec 2011 15:34:16 -0800 (PST) In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F7576DF@TK5EX14MBXC283.redmond.corp.microsoft.com> References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739435F7576DF@TK5EX14MBXC283.redmond.corp.microsoft.com> From: Blaine Cook Date: Sun, 4 Dec 2011 23:34:16 +0000 Message-ID: To: Mike Jones Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Dec 2011 23:34:38 -0000 On 4 December 2011 02:26, Mike Jones wrote: > I strongly object to a mandatory-to-implement clause for the MAC scheme. = =C2=A0They are unnecessary and market forces have shown that implementers d= o not want or need this kind of an authentication scheme. I'd say that Twitter, Flickr, Dropbox and dozens of other sites that have shipped OAuth 1.0a (MAC) in production and for billions of requests per day is a pretty strong market force. People (especially politically incentivised standards wonks) arguing on a mailing list isn't a strong market force, and there are far fewer successful APIs that use Bearer tokens. Which isn't to say that they won't, just to say that what you want and what's used in the wild are very different things. Or, citation needed. b. From stephen.farrell@cs.tcd.ie Sun Dec 4 16:00:22 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A70C121F8B2E for ; Sun, 4 Dec 2011 16:00:22 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5FR9lnE-TRhy for ; Sun, 4 Dec 2011 16:00:21 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 5E12F21F8AF8 for ; Sun, 4 Dec 2011 16:00:21 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id EADBC171C61; Mon, 5 Dec 2011 00:00:19 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1323043218; bh=J5M4EbY/n448Vn zfzazinPA0RglcO4Pblb0lrJYaDPA=; b=PRf5qwd8tlyVLU6Aeo5hZ5IyDkm3Va au8yV/MQhh2UZrVT9CLv7uGFE2jn0paXwatnTkqiNohUmfZyogqPQ4XbZadeu3xu d/LLgB+VwtUsvI/M3TBwgtEygUpcxpHUb16JW50cAAEHdcNykpTzah2IAXLEHlBi GkD2sLdJrkgLGJlUePyqql7hA9J4W18M8Rx4zNwq1TSUZlyeqr9M+1Sg6Mo6anxU fbPqKiRdIZDsC/M6zEpkDFWW/t1QvnjUQlCq+GxraC+Po0aebcuPPwVP1aLG8EQO 3BEp1ZpX+b+2KX9BWaimM7cIN09HZCo69cf4wDccVeavZLlpTCq2EwGg== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id U6th0OSuuP0R; Mon, 5 Dec 2011 00:00:18 +0000 (GMT) Received: from [10.87.48.10] (unknown [86.44.76.70]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id C7FAB157BE0; Mon, 5 Dec 2011 00:00:17 +0000 (GMT) Message-ID: <4EDC0990.8040908@cs.tcd.ie> Date: Mon, 05 Dec 2011 00:00:16 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Eran Hammer-Lahav References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4EDB726E.2060900@gmail.com> <4EDB81A9.5090007@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739435F757A6B@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EDB873C.4040005@cs.tcd.ie> <90C41DD21FB7C64BB94121FBBC2E723452856C7318@P3PW5EX1MB01.EX1.SECURESERVER.NET> In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723452856C7318@P3PW5EX1MB01.EX1.SECURESERVER.NET> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Dec 2011 00:00:22 -0000 Hiya, On 12/04/2011 06:51 PM, Eran Hammer-Lahav wrote: > This has been going on for far too long. > > There is a well-established gap between the two tokens and those who support them and we are NEVER going to reach consensus. Instead we have a war of attrition were each side is just keeping at it hoping the other side will give up. The only compromise we were able to reach in 2 years is to keep the v2 specification token agnostic. If we are now going to violate that for the perceived notion of interoperability, we should at least do it with due process. > > Stephen - In previous discussion, my understanding was that you were opposed to publishing OAuth 2.0 without MAC because that would make 2.0 a less secure option than 1.0. While, as you stated, this thread is not about security but about interoperability, the two are at odds here and you can only have one. If the specification picked a winner by making only one required, and if that one is Bearer, I see no point whatsoever in spending any more of my time on MAC. It would be DOA. I do dislike the idea of not having a "better" scheme than bearer. I don't have so much of an issue about its 2119 status (MUST vs. MAY) so long as its well defined (having said that I'd presonally prefer MUST). I guess you and I disagree about the significance of that "status" issue. But as you say though that's a different issue from the one currently under discussion so I'd rather keep things separate and move along. (That is, if someone wants to chat about desirable security levels please change at least the subject line.) > The WG is clearly opposed to making MAC required, but that is not the only question to ask. The question for the group is also, do you even want MAC? Are you planning on using it? And will you use it alongside Bearer or exclusively? > > If there is sufficient WG support for MAC, making Bearer required alone violates that spirit because it will make MAC another specification no one cares about and we don't need more of those. If there is no sufficient support, let's just drop it as a WG item and let it resurface later if at all. > > As for the "market has decided" argument - I only want to warn those who use it that it is a double-edge-sword. The same people who now use that argument are also the members of this group responsible for some of the new astronaut architecture features proposed in the rechartering discussion. If you intend to make this your winning argument, the WG must then apply the same rational to your other proposals. Well, I wouldn't be quite so black-and-white about it, but its a fair comment to say that arguing against mac but for use of oauth for higher security environments could raise some questions. I've not tracked if someone's actually making just that argument however, so I guess this won't come up until a) we've got the base spec out and b) the WG have proposed some new charter. If a proposed new charter assumes something the work-to-date has not delivered then something will have to give, so I'd encourage the WG to consider that as they discuss re-chartering. I'm confident however that the WG chairs would spot that and help try to direct the WG towards something self-consistent. Again though, that's also not the current issue under discussion, and in that case, I guess there is (or was, seems quiet now) a re-chartering thread that seems appropriate for that topic. Cheers, S. > > EHL > > >> -----Original Message----- >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >> Of Stephen Farrell >> Sent: Sunday, December 04, 2011 6:44 AM >> To: Mike Jones >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] Mandatory-to-implement token type >> >> >> Whatever. If the entire WG want to get excited by the difference between >> MAY do mac and not mentioning it then fine. >> >> Personally, I'd be more interested in getting done rather than nailing that >> final nail into any coffin;-) >> >> S >> >> On 12/04/2011 02:21 PM, Mike Jones wrote: >>> The core spec should be completely silent on MAC, as it is not ready for >> prime time. >>> >>> -----Original Message----- >>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >>> Of Stephen Farrell >>> Sent: Sunday, December 04, 2011 6:20 AM >>> To: Paul Madsen >>> Cc: oauth@ietf.org >>> Subject: Re: [OAUTH-WG] Mandatory-to-implement token type >>> >>> >>> FWIW, if Barry's suggested text was amended to say "MUST do bearer, >> MAY do mac" I'd still be ok with that. >>> >>> Much as I'd like if the mac scheme were more popular, my comment on -22 >> was interop and not really security related. >>> >>> S >>> >>> On 12/04/2011 01:15 PM, Paul Madsen wrote: >>>> Commercial OAuth authorization servers are neither 'toolkits' nor >>>> 'purpose built code' - not used to build OAuth clients/servers but >>>> yet required to support more variety in deployments than a single >>>> purpose built server. >>>> >>>> But, that variety is driven by customer demand, and none of ours >>>> (yet?) have demanded MAC. If and when that demand comes, we will >> add support. >>>> >>>> To stipulate MAC as MTI would in no way reflect what the market wants. >>>> And 'interop' nobody wants is not meaningful interop. >>>> >>>> paul >>>> >>>> On 12/3/11 4:37 PM, Barry Leiba wrote: >>>>> Stephen says: >>>>>> On 12/02/2011 03:20 AM, Barry Leiba wrote: >>>>>>> Maybe what would work best is some text that suggests what I say >>>>>>> above: that toolkits intended for use in implementing OAuth >>>>>>> services in general... implement [X and/or Y], and that code >>>>>>> written for a specific environment implement what makes sense for >> that environment. >>>>>>> It seems to me that to require any particular implementation in >>>>>>> the latter case is arbitrary and counter-productive, and doesn't >>>>>>> help anything interoperate. Whereas general-purpose toolkits that >>>>>>> implement everything DO help interop. >>>>>> That'd work just fine for me. >>>>> OK, so here's what I suggest... I propose adding a new section 7.2, thus: >>>>> >>>>> ----------------------------------- >>>>> 7.2 Access Token Implementation Considerations >>>>> >>>>> Access token types have to be mutually understood among the >>>>> authorization server, the resource server, and the client -- the >>>>> access token issues the token, the resource server validates it, and >>>>> the client is required to understand the type, as noted in section >>>>> 7.1, above. Because of that, interoperability of program code >>>>> developed separately depends upon the token types that are supported >>>>> in the code. >>>>> >>>>> Toolkits that are intended for general use (for building other >>>>> clients and/or servers), therefore, SHOULD implement as many token >>>>> types as practical, to ensure that programs developed with those >>>>> toolkits are able to use the token types they need. In particular, >>>>> all general-use toolkits MUST implement bearer tokens [...ref...] >>>>> and MAC tokens [...ref...]. >>>>> >>>>> Purpose-built code, built without such toolkits, has somewhat more >>>>> flexibility, as its developers know the specific environment they're >>>>> developing for. There's clearly little point to including code to >>>>> support a particular token type when it's known in advance that the >>>>> type in question will never be used in the intended deployment. >>>>> Developers of purpose-built code are encouraged to consider future >>>>> extensions and to plan ahead for changes in circumstances, and might >>>>> still want to include support for multiple token types. That said, >>>>> the choice of token-type support for such purpose-built code is left >>>>> to the developers and their specific requirements. >>>>> ----------------------------------- >>>>> >>>>> I think that expresses a reasonable compromise that might actually >>>>> be followed and might actually do some good. Comments? Can we go >>>>> with this and close this issue? (And, sorry, I've been a Bad Chair, >>>>> and haven't put this in the tracker.) >>>>> >>>>> Barry >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > From jricher@mitre.org Mon Dec 5 06:46:47 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C7F121F8B50 for ; Mon, 5 Dec 2011 06:46:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.411 X-Spam-Level: X-Spam-Status: No, score=-6.411 tagged_above=-999 required=5 tests=[AWL=0.188, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kMEJd1UWIGE4 for ; Mon, 5 Dec 2011 06:46:46 -0800 (PST) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 5914A21F8531 for ; Mon, 5 Dec 2011 06:46:46 -0800 (PST) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 780F021B077F for ; Mon, 5 Dec 2011 09:46:45 -0500 (EST) Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 6B41E21B0766 for ; Mon, 5 Dec 2011 09:46:45 -0500 (EST) Received: from [129.83.50.8] (129.83.31.51) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.1.339.1; Mon, 5 Dec 2011 09:46:45 -0500 Message-ID: <4EDCD945.9000207@mitre.org> Date: Mon, 5 Dec 2011 09:46:29 -0500 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0 MIME-Version: 1.0 To: References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4EDB726E.2060900@gmail.com> <4EDB81A9.5090007@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739435F757A6B@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EDB873C.4040005@cs.tcd.ie> <90C41DD21FB7C64BB94121FBBC2E723452856C7318@P3PW5EX1MB01.EX1.SECURESERVER.NET> In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723452856C7318@P3PW5EX1MB01.EX1.SECURESERVER.NET> Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [129.83.31.51] Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Dec 2011 14:46:47 -0000 I agree that the core should remain token agnostic. However, I do see value in MAC. The ability to have parameter values signed by a client key is important for security in depth, even in a world of pervasive server-side TLS. I would like to see MAC tokens mature to the point where we could use it in all of our current OAuth 1.0 use cases, but that's another thread that I haven't been able to give appropriate attention to. I still think that the MTI language (even the cleaner one that Barry proposed here) is a red herring and doesn't buy us much in reality. -- Justin On 12/04/2011 01:51 PM, Eran Hammer-Lahav wrote: > This has been going on for far too long. > > There is a well-established gap between the two tokens and those who support them and we are NEVER going to reach consensus. Instead we have a war of attrition were each side is just keeping at it hoping the other side will give up. The only compromise we were able to reach in 2 years is to keep the v2 specification token agnostic. If we are now going to violate that for the perceived notion of interoperability, we should at least do it with due process. > > Stephen - In previous discussion, my understanding was that you were opposed to publishing OAuth 2.0 without MAC because that would make 2.0 a less secure option than 1.0. While, as you stated, this thread is not about security but about interoperability, the two are at odds here and you can only have one. If the specification picked a winner by making only one required, and if that one is Bearer, I see no point whatsoever in spending any more of my time on MAC. It would be DOA. > > The WG is clearly opposed to making MAC required, but that is not the only question to ask. The question for the group is also, do you even want MAC? Are you planning on using it? And will you use it alongside Bearer or exclusively? > > If there is sufficient WG support for MAC, making Bearer required alone violates that spirit because it will make MAC another specification no one cares about and we don't need more of those. If there is no sufficient support, let's just drop it as a WG item and let it resurface later if at all. > > As for the "market has decided" argument - I only want to warn those who use it that it is a double-edge-sword. The same people who now use that argument are also the members of this group responsible for some of the new astronaut architecture features proposed in the rechartering discussion. If you intend to make this your winning argument, the WG must then apply the same rational to your other proposals. > > EHL > > >> -----Original Message----- >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >> Of Stephen Farrell >> Sent: Sunday, December 04, 2011 6:44 AM >> To: Mike Jones >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] Mandatory-to-implement token type >> >> >> Whatever. If the entire WG want to get excited by the difference between >> MAY do mac and not mentioning it then fine. >> >> Personally, I'd be more interested in getting done rather than nailing that >> final nail into any coffin;-) >> >> S >> >> On 12/04/2011 02:21 PM, Mike Jones wrote: >>> The core spec should be completely silent on MAC, as it is not ready for >> prime time. >>> -----Original Message----- >>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >>> Of Stephen Farrell >>> Sent: Sunday, December 04, 2011 6:20 AM >>> To: Paul Madsen >>> Cc: oauth@ietf.org >>> Subject: Re: [OAUTH-WG] Mandatory-to-implement token type >>> >>> >>> FWIW, if Barry's suggested text was amended to say "MUST do bearer, >> MAY do mac" I'd still be ok with that. >>> Much as I'd like if the mac scheme were more popular, my comment on -22 >> was interop and not really security related. >>> S >>> >>> On 12/04/2011 01:15 PM, Paul Madsen wrote: >>>> Commercial OAuth authorization servers are neither 'toolkits' nor >>>> 'purpose built code' - not used to build OAuth clients/servers but >>>> yet required to support more variety in deployments than a single >>>> purpose built server. >>>> >>>> But, that variety is driven by customer demand, and none of ours >>>> (yet?) have demanded MAC. If and when that demand comes, we will >> add support. >>>> To stipulate MAC as MTI would in no way reflect what the market wants. >>>> And 'interop' nobody wants is not meaningful interop. >>>> >>>> paul >>>> >>>> On 12/3/11 4:37 PM, Barry Leiba wrote: >>>>> Stephen says: >>>>>> On 12/02/2011 03:20 AM, Barry Leiba wrote: >>>>>>> Maybe what would work best is some text that suggests what I say >>>>>>> above: that toolkits intended for use in implementing OAuth >>>>>>> services in general... implement [X and/or Y], and that code >>>>>>> written for a specific environment implement what makes sense for >> that environment. >>>>>>> It seems to me that to require any particular implementation in >>>>>>> the latter case is arbitrary and counter-productive, and doesn't >>>>>>> help anything interoperate. Whereas general-purpose toolkits that >>>>>>> implement everything DO help interop. >>>>>> That'd work just fine for me. >>>>> OK, so here's what I suggest... I propose adding a new section 7.2, thus: >>>>> >>>>> ----------------------------------- >>>>> 7.2 Access Token Implementation Considerations >>>>> >>>>> Access token types have to be mutually understood among the >>>>> authorization server, the resource server, and the client -- the >>>>> access token issues the token, the resource server validates it, and >>>>> the client is required to understand the type, as noted in section >>>>> 7.1, above. Because of that, interoperability of program code >>>>> developed separately depends upon the token types that are supported >>>>> in the code. >>>>> >>>>> Toolkits that are intended for general use (for building other >>>>> clients and/or servers), therefore, SHOULD implement as many token >>>>> types as practical, to ensure that programs developed with those >>>>> toolkits are able to use the token types they need. In particular, >>>>> all general-use toolkits MUST implement bearer tokens [...ref...] >>>>> and MAC tokens [...ref...]. >>>>> >>>>> Purpose-built code, built without such toolkits, has somewhat more >>>>> flexibility, as its developers know the specific environment they're >>>>> developing for. There's clearly little point to including code to >>>>> support a particular token type when it's known in advance that the >>>>> type in question will never be used in the intended deployment. >>>>> Developers of purpose-built code are encouraged to consider future >>>>> extensions and to plan ahead for changes in circumstances, and might >>>>> still want to include support for multiple token types. That said, >>>>> the choice of token-type support for such purpose-built code is left >>>>> to the developers and their specific requirements. >>>>> ----------------------------------- >>>>> >>>>> I think that expresses a reasonable compromise that might actually >>>>> be followed and might actually do some good. Comments? Can we go >>>>> with this and close this issue? (And, sorry, I've been a Bad Chair, >>>>> and haven't put this in the tracker.) >>>>> >>>>> Barry >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From zachary.zeltsan@alcatel-lucent.com Mon Dec 5 09:00:07 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6C0021F8C7A for ; Mon, 5 Dec 2011 09:00:06 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SxYd9QfRcDP6 for ; Mon, 5 Dec 2011 09:00:06 -0800 (PST) Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by ietfa.amsl.com (Postfix) with ESMTP id E181421F8C6E for ; Mon, 5 Dec 2011 09:00:05 -0800 (PST) Received: from usnavsmail2.ndc.alcatel-lucent.com (usnavsmail2.ndc.alcatel-lucent.com [135.3.39.10]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id pB5GxxLr017217 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 5 Dec 2011 11:00:00 -0600 (CST) Received: from USNAVSXCHHUB01.ndc.alcatel-lucent.com (usnavsxchhub01.ndc.alcatel-lucent.com [135.3.39.110]) by usnavsmail2.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id pB5GxiL9002760 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Mon, 5 Dec 2011 10:59:59 -0600 Received: from USNAVSXCHMBSA3.ndc.alcatel-lucent.com ([135.3.39.127]) by USNAVSXCHHUB01.ndc.alcatel-lucent.com ([135.3.39.110]) with mapi; Mon, 5 Dec 2011 10:59:52 -0600 From: "Zeltsan, Zachary (Zachary)" To: Stephen Farrell , Peter Saint-Andre Date: Mon, 5 Dec 2011 10:59:21 -0600 Thread-Topic: [OAUTH-WG] TLS version requirements in OAuth 2.0 base Thread-Index: Acywa8r+mb9dVIALTSuwf/d+upx7hwC/ViuA Message-ID: <5710F82C0E73B04FA559560098BF95B1250CB2E0CB@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> References: <4ED7DF0C.4000701@cdatazone.org> <4ED7DF3B.5010107@stpeter.im> <4ED7EA1C.1040208@cs.tcd.ie> In-Reply-To: <4ED7EA1C.1040208@cs.tcd.ie> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33 X-Scanned-By: MIMEDefang 2.64 on 135.3.39.10 Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Dec 2011 17:00:07 -0000 BEAST is an attack against TLS 1.0. In order to succeed, an attacker, predi= cting that a user will eventually make an https connection to www.example.c= om, lures the user to an attacker-controlled web site. From that site the u= ser browser downloads the attacker's script (e.g., JavaScript). Then, if th= e user indeed establishes https connection to www.example.com using the sam= e browser window, an attacker can analyze the traffic generated by the norm= al user activity and the traffic generated on the same connection by the at= tacker's script. This may allow the attacker to decipher a targeted part (f= or example a part where the user's password should be) of the user traffic.= The attack requires significant time. For example, it took 103 seconds for= a published attack against PayPal to decipher a cookie. OAuth 2.0 requires (MUST) TLS protection of the connections between the use= r browser and authorization endpoint and between client and the token endpo= int. Both connections are not likely to last long enough for the attack to = succeed. The client's connection is a less likely target, because it is more difficu= lt to get a client engaged in the described scenario.=20 In my opinion vulnerability of TLS 1.0 to the BEAST attack does not affect = significantly security of OAuth 2.0. (TLS 1.1 and 1.2 are not vulnerable to the attack.) Zachary Zeltsan =20 -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of S= tephen Farrell Sent: Thursday, December 01, 2011 3:57 PM To: Peter Saint-Andre Cc: Barry Leiba; oauth WG Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base On 12/01/2011 08:10 PM, Peter Saint-Andre wrote: > On 12/1/11 1:09 PM, Rob Richards wrote: >> On 11/28/11 10:39 PM, Barry Leiba wrote: >>>> The OAuth base doc refers in two places to TLS versions (with the=20 >>>> same text in both places: >>>> >>>> OLD >>>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD=20 >>>> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY=20 >>>> support additional transport-layer mechanisms meeting its security=20 >>>> requirements. >>>> >>>> In both the shepherd review and the AD review, this was called into >>>> question: >>>> 1. MUST for an old version and SHOULD for the current version seems=20 >>>> wrong. >>>> 2. Having specific versions required locks us into those versions=20 >>>> (for example, all implementations will have to support TLS 1.0,=20 >>>> even long after it becomes obsolete, unless we rev the spec. >>> The comments I've gotten on this show a clear consensus against the=20 >>> change I suggest, and against any attempt to require a version of=20 >>> TLS other than 1.0. I still, though, am concerned that locking this=20 >>> spec into TLS 1.0 is limiting. So let me propose an alternative=20 >>> wording, which again tries to make the version(s) non-normative,=20 >>> while making it clear which version(s) need to be implemented to get >>> interoperability: >>> >>> NEW >>> -------------------------------------------- >>> The authorization server MUST implement TLS. Which version(s) ought=20 >>> to be implemented will vary over time, and depend on the widespread=20 >>> deployment and known security vulnerabilities at the time of=20 >>> implementation. At the time of this writing, TLS version >>> 1.2 [RFC5246] is the most recent version, but has very limited=20 >>> actual deployment, and might not be readily available in=20 >>> implementation toolkits. TLS version 1.0 [RFC2246] is the most=20 >>> widely deployed version, and will give the broadest=20 >>> interoperability. >>> >>> Servers MAY also implement additional transport-layer mechanisms=20 >>> that meet their security requirements. >>> -------------------------------------------- >>> >>> Comments on this version? >>> >>> Barry >>> >> >> Text is neutral enough for me as it's not mandating anything that=20 >> isn't readily available. Only comment is whether or not there is a=20 >> need to even talk about the specific versions or if just the following i= s enough: >> >> The authorization server MUST implement TLS. Which version(s) ought=20 >> to be implemented will vary over time, and depend on the widespread=20 >> deployment and known security vulnerabilities at the time of=20 >> implementation. >> >> Servers MAY also implement additional transport-layer mechanisms that=20 >> meet their security requirements. > > That seems fine to me. FWIW, I think I'd prefer Barry's as Rob's would be more likely to generate = discusses and we do know that there are some security advantages to TLS 1.2= vs. 1.0. (BTW, has anyone considered how or if the BEAST attack might affe= ct oauth? Be good to know if someone's done that analysis.) However, as AD, I could live with either, since lots of other specs just sa= y TLS. (But you need to point to the latest RFC as normative or that will I= bet generate discusses.) Cheers, S. > Peter > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From mscurtescu@google.com Mon Dec 5 10:48:10 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F271821F8C65 for ; Mon, 5 Dec 2011 10:48:09 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.977 X-Spam-Level: X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i7BBdd9Z7pTW for ; Mon, 5 Dec 2011 10:48:09 -0800 (PST) Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 5131621F8C53 for ; Mon, 5 Dec 2011 10:48:09 -0800 (PST) Received: by ywm13 with SMTP id 13so5440429ywm.31 for ; Mon, 05 Dec 2011 10:48:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=tR55YWT1ye1SCaLZ/xBdl1hovrtW60YLVhhU0QESYiM=; b=C4Yni+Tu2hcF02difL7RM1q0hvJdfn2zmsiPVtzkroLnVJySylOE+raDDMq1i7nlhL QxLeRB/hn9FeXArCA+AA== Received: by 10.236.197.72 with SMTP id s48mr13960658yhn.81.1323110888894; Mon, 05 Dec 2011 10:48:08 -0800 (PST) Received: by 10.236.197.72 with SMTP id s48mr13960483yhn.81.1323110887691; Mon, 05 Dec 2011 10:48:07 -0800 (PST) MIME-Version: 1.0 Received: by 10.101.209.22 with HTTP; Mon, 5 Dec 2011 10:47:46 -0800 (PST) In-Reply-To: <069A2A4B-18C4-4440-BB13-1E259FC66958@ve7jtb.com> References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <069A2A4B-18C4-4440-BB13-1E259FC66958@ve7jtb.com> From: Marius Scurtescu Date: Mon, 5 Dec 2011 10:47:46 -0800 Message-ID: To: John Bradley Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-System-Of-Record: true Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Dec 2011 18:48:10 -0000 +1, what John said. Marius On Sat, Dec 3, 2011 at 9:39 PM, John Bradley wrote: > I remain unconvinced that at this point MTI is going to be useful. > > I appreciate that some people want MAC, I could not support it being MTI. > > The below text with Bearer as MTI the only would be acceptable, if we nee= d a MTI token handler. > (I tend to think of token type, as bearer token type JWT/SAML etc, =A0and= this issue is more on the handling of classes of tokens) > > John Bradley > > On 2011-12-04, at 6:37 AM, Barry Leiba wrote: > >> Stephen says: >>> On 12/02/2011 03:20 AM, Barry Leiba wrote: >>>> Maybe what would work best is some text that suggests what I say >>>> above: that toolkits intended for use in implementing OAuth services >>>> in general... implement [X and/or Y], and that code written for a >>>> specific environment implement what makes sense for that environment. >>>> It seems to me that to require any particular implementation in the >>>> latter case is arbitrary and counter-productive, and doesn't help >>>> anything interoperate. =A0Whereas general-purpose toolkits that >>>> implement everything DO help interop. >>> >>> That'd work just fine for me. >> >> OK, so here's what I suggest... I propose adding a new section 7.2, thus= : >> >> ----------------------------------- >> 7.2 Access Token Implementation Considerations >> >> Access token types have to be mutually understood among the >> authorization server, the resource server, and the client -- the >> access token issues the token, the resource server validates it, and >> the client is required to understand the type, as noted in section >> 7.1, above. =A0Because of that, interoperability of program code >> developed separately depends upon the token types that are supported >> in the code. >> >> Toolkits that are intended for general use (for building other clients >> and/or servers), therefore, SHOULD implement as many token types as >> practical, to ensure that programs developed with those toolkits are >> able to use the token types they need. =A0In particular, all general-use >> toolkits MUST implement bearer tokens [...ref...] and MAC tokens >> [...ref...]. >> >> Purpose-built code, built without such toolkits, has somewhat more >> flexibility, as its developers know the specific environment they're >> developing for. =A0There's clearly little point to including code to >> support a particular token type when it's known in advance that the >> type in question will never be used in the intended deployment. >> Developers of purpose-built code are encouraged to consider future >> extensions and to plan ahead for changes in circumstances, and might >> still want to include support for multiple token types. =A0That said, >> the choice of token-type support for such purpose-built code is left >> to the developers and their specific requirements. >> ----------------------------------- >> >> I think that expresses a reasonable compromise that might actually be >> followed and might actually do some good. =A0Comments? =A0Can we go with >> this and close this issue? =A0(And, sorry, I've been a Bad Chair, and >> haven't put this in the tracker.) >> >> Barry >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > From crew@cs.stanford.edu Mon Dec 5 12:01:24 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 747381F0C61 for ; Mon, 5 Dec 2011 12:01:24 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.665 X-Spam-Level: X-Spam-Status: No, score=-1.665 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_36=0.6] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pC2QJd+sk-20 for ; Mon, 5 Dec 2011 12:01:23 -0800 (PST) Received: from mail.fyigm.com (mail.fyigm.com [69.17.114.80]) by ietfa.amsl.com (Postfix) with ESMTP id F30731F0C71 for ; Mon, 5 Dec 2011 12:01:18 -0800 (PST) Received: from rfc by mail.fyigm.com with local (Exim 4.72) (envelope-from ) id 1RXek8-00074E-E7; Mon, 05 Dec 2011 12:02:28 -0800 From: Roger Crew MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <20189.9044.430712.457196@hagen.valhalla> Date: Mon, 5 Dec 2011 12:02:28 -0800 To: oauth@ietf.org References: <20160.24172.942808.563672@hagen.valhalla> In-Reply-To: <20160.24172.942808.563672@hagen.valhalla> X-Mailman-Approved-At: Mon, 05 Dec 2011 16:50:43 -0800 Subject: Re: [OAUTH-WG] error codes in 4.1.2.1 and 4.2.2.1 and extension response types (8.4) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Dec 2011 20:01:24 -0000 It now occurs to me that "bug" for item (1) below is perhaps a bit understated; it's really more of a security issue, since if the implementer follows what the current spec is apparently saying, the authorization server essentially becomes an open redirector. (... Apologies if this was obvious and someone already took care of it for the next draft, but the lack of response led me to believe this issue was falling through the cracks. And it seems likely I hit a really busy spot in last month's schedule. Thanks for your time...) Roger Crew a.k.a. someone who's attempting to implement the spec... ===== Original message ===== Date: Sun, 13 Nov 2011 16:18:52 -0800 [With respect to OAuth v2 draft 22] I have some observations about the error responses at the authorization endpoint (4.1.2.1 and 4.2.2.1 for the authorization_code and implicit grant_types, respectively). (1) looks like a bug, (2) is an ambiguity and may also apply to Section 5.2, (3-5) are suggestions. Onward... ----- (1) 4.1.2.1, and 4.2.2.1 both say that in the case that client_id is provided and invalid/unknown, the auth server MUST NOT automatically redirect. However, if the client_id is MISSING, that clause of 4.1.2.1/4.2.2.1 does not apply, and thence this becomes a malformed request (i.e., a required parameter is missing) which then results in an error='invalid_request' redirection. Which looks like a mistake to me, because in that situation what reason do we have to be trusting redirect_uri? ----- (2) If the response_type is provided but unknown, is that an 'invalid_request' (since this is clearly an "unsupported parameter value") or is it an 'unsupported_response_type'? Seems to me it should be the latter. If so, then... Given that for ALL currently defined parameters to authorization endpoint requests, there are already provisions for what happens if the value is provided but invalid/unsupported/etc, i.e., bad client_id => do not redirect bad redirect_uri => do not redirect bad response_type => redirect error='unsupported_response_type' bad scope => redirect error='invalid_scope' bad state => undetectable from the server side should the description for 'invalid_request' even be referring to "unsupported values" at all? A couple of alternatives (again these are for 4.1.2.1/4.2.2.1): invalid_request a required *extension* parameter is missing or has an unsupported value, or the request is otherwise malformed. invalid_request the request is malformed in some manner not covered by any of the other error codes defined for this response type Either of these would make clear that 'unsupported_response_type' is indeed the error code for the case of a provided-but-unrecognized response_type. Section 5.2 has the same problem w.r.t. 'unsupported_grant_type' ----- (3) If 'server_error' and 'temporarily_unavailable' are intended to correspond to HTTP status codes 500 and 503, it might be good to say so explicitly, e.g., The authorization server SHOULD, where possible, use these redirection error responses in preference to sending the corresponding status=(500|503) HTTP response in situations where the latter would otherwise be appropriate. Admittedly, there's no way an implementation is going to catch all of these, but I'm assuming the intent is to catch as many as possible? ----- (4) The lists of error codes in 4.1.2.1 and 4.2.2.1 are essentially identical. I believe these can be merged without any loss of clarity. (... As a matter of general principle, I'm not a huge fan of having to chase down swaths of cut&pasted text and then having to use 'diff' to figure out whether/how they are different. Better to combine the common stuff in a single place, use a cross reference and highlight the differences. And I absolutely do not mind following cross-references...) In this case, the ONLY place where there's ANY variance at all is in the descriptions of 'unauthorized_client' and 'unsupported_response_type'. I figure either of the following works: unauthorized_client The client is not authorized to use any of the supported authorization grant types implied by the requested response_type. unauthorized_client The client is not authorized to use this response_type. the latter having the advantage that we don't then get bogged down in the question of how response_types and grant_types relate to each other (see (5) below). And similarly for 'unsupported_response_type', viz unsupported_response_type The authorization server does not support any of the authorization grant types implied by the requested response type. unsupported_response_type The authorization server does not support this response type. at which point you can replace 4.2.2.1 with a single sentence referring to 4.1.2.1. ----- (5) I am assuming that each authorization endpoint response_type is NOT necessarily unique to a particular authorization grant type. It would be helpful to state this explicitly (probably in 8.4) so that implementers can plan accordingly. And if this IS intended otherwise (i.e., that every response type MUST imply a particular grant type, as is the case for the current spec so long as no new response types are ever defined), then that really should be stated somewhere in 8.4. The reason I assume not is that this seems a straightforward (to me, at least) use of response_type="token code", i.e., to allow the server to respond EITHER as per 4.1.2 or 4.2.2 as it sees fit (but evidently WG members are not agreeing on whether this response_type is needed, hence its absence from the current spec other than as a remark in 8.4). -- Roger Crew crew@cs.stanford.edu From aaron@parecki.com Tue Dec 6 09:42:06 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 331A521F84DB for ; Tue, 6 Dec 2011 09:42:06 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.976 X-Spam-Level: X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m1iiiR7NfatQ for ; Tue, 6 Dec 2011 09:42:05 -0800 (PST) Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id 4861321F8BF0 for ; Tue, 6 Dec 2011 09:42:04 -0800 (PST) Received: by faas1 with SMTP id s1so2244616faa.31 for ; Tue, 06 Dec 2011 09:42:04 -0800 (PST) Received: by 10.216.139.2 with SMTP id b2mr2780896wej.90.1323193324082; Tue, 06 Dec 2011 09:42:04 -0800 (PST) Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by mx.google.com with ESMTPS id hn15sm15735556wib.22.2011.12.06.09.42.02 (version=SSLv3 cipher=OTHER); Tue, 06 Dec 2011 09:42:03 -0800 (PST) Received: by wgbdr13 with SMTP id dr13so5288821wgb.13 for ; Tue, 06 Dec 2011 09:42:02 -0800 (PST) MIME-Version: 1.0 Received: by 10.227.197.70 with SMTP id ej6mr2563624wbb.13.1323193322219; Tue, 06 Dec 2011 09:42:02 -0800 (PST) Received: by 10.223.96.201 with HTTP; Tue, 6 Dec 2011 09:42:02 -0800 (PST) Date: Tue, 6 Dec 2011 09:42:02 -0800 Message-ID: From: Aaron Parecki To: OAuth WG Content-Type: multipart/alternative; boundary=0015174a0524f0a79d04b36ff3d4 Subject: [OAUTH-WG] Preventing phishing attacks with auth server verification? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Dec 2011 17:42:06 -0000 --0015174a0524f0a79d04b36ff3d4 Content-Type: text/plain; charset=UTF-8 Has there been any discussion about supporting a 2-stage login similar to what many banks are doing, where they show you an image or a word that you previously chose so that you can verify you're talking to the right server? For example, when I log in to my bank I first enter my username. Then they show me my secret word, and if I recognize it, I enter my password. This gives me a chance to verify the server I'm logging in to really is my bank, and not a third party intercepting my login attempt. It seems that this would be a nice way to solve the security concern around embedded user agents in mobile apps. I realize this would not be part of the OAuth spec since this describes how to sign in to the authorization server. But I'm curious if this would allow native apps (especially mobile apps) to safely use an embedded browser to complete the OAuth flow? Or is the general consensus that opening an external browser is better because the user may already be signed in in that session? Aaron Parecki Geoloqi.com --0015174a0524f0a79d04b36ff3d4 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Has there been any discussion about supporting a 2-stage login similar to w= hat many banks are doing, where they show you an image or a word that you p= reviously chose so that you can verify you're talking to the right serv= er?

For example, when I log in to my bank I first enter my usern= ame. Then they show me my secret word, and if I recognize it, I enter my pa= ssword.=C2=A0This gives me a chance to verify the server I'm logging in= to really is my bank, and not a third party intercepting my login attempt.= =C2=A0

It seems that this would be a nice way to solve the sec= urity concern around embedded user agents in mobile apps.

I realize this would not be part of the OAuth spec since this descr= ibes how to sign in to the authorization server. But I'm curious if thi= s would allow native apps (especially mobile apps) to safely use an embedde= d browser to complete the OAuth flow? Or is the general consensus that open= ing an external browser is better because the user may already be signed in= in that session?

Aaron Parecki
Geoloqi.com

--0015174a0524f0a79d04b36ff3d4-- From wmills@yahoo-inc.com Tue Dec 6 10:10:57 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4960721F8C06 for ; Tue, 6 Dec 2011 10:10:57 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -17.548 X-Spam-Level: X-Spam-Status: No, score=-17.548 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4BROYCYM6YxQ for ; Tue, 6 Dec 2011 10:10:52 -0800 (PST) Received: from nm14-vm0.bullet.mail.ac4.yahoo.com (nm14-vm0.bullet.mail.ac4.yahoo.com [98.139.52.234]) by ietfa.amsl.com (Postfix) with SMTP id 0D79C21F8BEF for ; Tue, 6 Dec 2011 10:10:16 -0800 (PST) Received: from [98.139.52.188] by nm14.bullet.mail.ac4.yahoo.com with NNFMP; 06 Dec 2011 18:10:05 -0000 Received: from [98.139.52.159] by tm1.bullet.mail.ac4.yahoo.com with NNFMP; 06 Dec 2011 18:10:05 -0000 Received: from [127.0.0.1] by omp1042.mail.ac4.yahoo.com with NNFMP; 06 Dec 2011 18:10:05 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 402039.53642.bm@omp1042.mail.ac4.yahoo.com Received: (qmail 69827 invoked by uid 60001); 6 Dec 2011 18:10:05 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1323195004; bh=2Eryy/G4RD2CCQ81JPIT7hpmtB4oOqJm2Kw9kQ5AfWs=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=YawlWB8YaJ+YJ0H1gx/eVPTsvH3jgDnwmL2HYCctcZwnkVUCznUjGPtkNmDFMRQFRdXVVih7o/RgwZX05VdXD3yfPGzJYf8qeAqxMphmCVoaKVj4SDrQ0YC8Ss+DiAr59+F1XUsm+GHZRsTkOxrQN5MkEgVyY9/JlU57tMHp7yE= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=rnccdIyfhgEG1J9EHACTQerRfVcBybL9BTJ7ETStzes1U4WtNExpNXPB07y7fcWWzD6PBIu6QbGF/iowveK7QjLFTy5Fy0y1ehYOXW+gOayGxLmK938OZkSK9Qz+2JXmrkyyoYWLccIR1QH65FBc/Hg3cehjU8ip2T7b6zcO4C8=; X-YMail-OSG: gns_yWQVM1kG4dX53bpAX0eEfkLJ7f5G6tTscyJUWeR.mqv _c7iGfZa4OoSmaBBMtLk.SsCAb1wbzh_fnUMqDoBjt1TvS_kkLTI2j5mqqv_ 6HKCmZjja74oVn39eEN4LP6.L.RlixAWkvs.X01jf1yeuogikPiEwJt.NEm_ kqgc46zcVf4x2ZX1WBuzhuRelUSmr4kquRRaAgcbZg1HUCjshz9Uzvq.nrgb M.T4jbU6ewmpZzwHMOC7YlBJDU6AbBZhK81yrmkIOvpkiPPo4Wx.AMa6fnX7 15RVhnldI2wm7efD2dqHF63qlwrKIkAZmVw4qeAZqYQFmzaR5aG4yfChYXWT NLZqQiAIyz6aVQqdfGXarBJbIkNhMjzXSn1nBt6QGIGey49tcDl6Z7KUsUO_ 4OSHfVU8MMHuFfoWPcmc2Qa_CDNggs092T8c4msX3YE7i7hSXG6p9NFUa6YN hOdUPKlI- Received: from [99.31.212.42] by web31812.mail.mud.yahoo.com via HTTP; Tue, 06 Dec 2011 10:10:04 PST X-RocketYMMF: william_john_mills X-Mailer: YahooMailWebService/0.8.116.331537 References: Message-ID: <1323195004.74431.YahooMailNeo@web31812.mail.mud.yahoo.com> Date: Tue, 6 Dec 2011 10:10:04 -0800 (PST) From: William Mills To: Aaron Parecki , OAuth WG In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="1458549034-1924750945-1323195004=:74431" Subject: Re: [OAUTH-WG] Preventing phishing attacks with auth server verification? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: William Mills List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Dec 2011 18:10:57 -0000 --1458549034-1924750945-1323195004=:74431 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable An OAuth authentication server can implement that in the Web UI, no need to= include it in the spec.=0A=0A=0A=0A________________________________=0A Fro= m: Aaron Parecki =0ATo: OAuth WG =0ASen= t: Tuesday, December 6, 2011 9:42 AM=0ASubject: [OAUTH-WG] Preventing phish= ing attacks with auth server verification?=0A =0A=0AHas there been any disc= ussion about supporting a 2-stage login similar to what many banks are doin= g, where they show you an image or a word that you previously chose so that= you can verify you're talking to the right server?=0A=0AFor example, when = I log in to my bank I first enter my username. Then they show me my secret = word, and if I recognize it, I enter my password.=A0This gives me a chance = to verify the server I'm logging in to really is my bank, and not a third p= arty intercepting my login attempt.=A0=0A=0AIt seems that this would be a n= ice way to solve the security concern around embedded user agents in mobile= apps.=0A=0AI realize this would not be part of the OAuth spec since this d= escribes how to sign in to the authorization server. But I'm curious if thi= s would allow native apps (especially mobile apps) to safely use an embedde= d browser to complete the OAuth flow? Or is the general consensus that open= ing an external browser is better because the user may already be signed in= in that session?=0A=0AAaron Parecki=0AGeoloqi.com=0A=0A___________________= ____________________________=0AOAuth mailing list=0AOAuth@ietf.org=0Ahttps:= //www.ietf.org/mailman/listinfo/oauth --1458549034-1924750945-1323195004=:74431 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
An OAuth authentication server can implement that in the Web UI, no need = to include it in the spec.

<= span style=3D"font-weight:bold;">From: Aaron Parecki <aaron@p= arecki.com>
To: OAu= th WG <oauth@ietf.org>
Sen= t: Tuesday, December 6, 2011 9:42 AM
Subject: [OAUTH-WG] Preventing phishing attacks w= ith auth server verification?
=0A
= Has there been any discussion about supporting a 2-stage login similar to w= hat many banks are doing, where they show you an image or a word that you p= reviously chose so that you can verify you're talking to the right server?<= div>=0A
For example, when I log in to my bank I first enter m= y username. Then they show me my secret word, and if I recognize it, I ente= r my password. This gives me a chance to verify the server I'm logging= in to really is my bank, and not a third party intercepting my login attem= pt. 
=0A

It seems that this would be a nice wa= y to solve the security concern around embedded user agents in mobile apps.=

I realize this would not be part of the OAuth spe= c since this describes how to sign in to the authorization server. But I'm = curious if this would allow native apps (especially mobile apps) to safely = use an embedded browser to complete the OAuth flow? Or is the general conse= nsus that opening an external browser is better because the user may alread= y be signed in in that session?
=0A

Aaron Parecki
___________________________________________= ____
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/li= stinfo/oauth


--1458549034-1924750945-1323195004=:74431-- From hannes.tschofenig@gmx.net Thu Dec 8 06:20:08 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5E7421F88AB for ; Thu, 8 Dec 2011 06:20:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0rLHgxkqJ5Dy for ; Thu, 8 Dec 2011 06:20:08 -0800 (PST) Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id A1EBB21F8888 for ; Thu, 8 Dec 2011 06:20:07 -0800 (PST) Received: (qmail invoked by alias); 08 Dec 2011 14:20:04 -0000 Received: from a88-115-216-191.elisa-laajakaista.fi (EHLO [10.0.0.4]) [88.115.216.191] by mail.gmx.net (mp038) with SMTP; 08 Dec 2011 15:20:04 +0100 X-Authenticated: #29516787 X-Provags-ID: V01U2FsdGVkX1/FEccvg/PF8XlL9TBZQ1T3b7/sv+0WQsmLkrMPeU 8OuBzj0WC+azGG From: Hannes Tschofenig Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Date: Thu, 8 Dec 2011 16:18:47 +0200 Message-Id: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> To: "oauth@ietf.org WG" Mime-Version: 1.0 (Apple Message framework v1084) X-Mailer: Apple Mail (2.1084) X-Y-GMX-Trusted: 0 Subject: [OAUTH-WG] Mandatory to Implement & Interoperability X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Dec 2011 14:20:09 -0000 Hi all,=20 I read through this rather long mail thread again and see whether we are = reaching any conclusion on this discussion.=20 In turns out that there are actually two types of discussions that = relate to each other, namely the TLS version support and the token type.=20= Let me go back in time a little bit when I was still chairing another = working group (years ago), namely the KEYPROV working group. There we = ran into a similar issue, which looked fairly simple at the beginning. = We worked on Portable Symmetric Key Container (PSKC), later published = as RFC 6030. We were at the stage where we thought we had to decide on a = mandatory-to-implement cryptographic algorithm and, similar to the OAuth = case, PSKC is one building block in a larger protocol suite. As you can = imagine, everyone had their own deployment environment in mind and did = not like the suggestion others made about what as mandatory to = implement. Russ (now IETF chair and at that time security area director) told the = group not to worry - we don't need to pick an algorithm. He suggested to = just provide a recommendation of what is best in a specific deployment = environment (at the time of writing). In fact, he proposed to publish a = separate document instead to discussing it in that document.=20 I was surprised because I was couldn't see how one would accomplish = interoperability. Russ told me that this is in practice not a problem = because implementations often implement a range of cryptographic = algorithms anyway. Then, as part of the algorithm negotiation procedure = (or some discovery) they will figure out what both end points support. = He further argued that algorithm preferences will change (as algorithms = get old) and we don't want to update our specifications all the time. = (This was a bit motivated by the MD5 clean-up that happened at that = time.) [Please forgive me if I do not recall the exact words he said = many years ago.] I believe we are having a similar discussion here as well, both with the = token type but also with the TLS version. We look at individual = specifications because we are used to add security consideration = sections to each and every document. Unfortunately, the most useful = statements about security (for these multi-party protocols where the = functionality is spread over multiple documents) can really only be made = at a higher level. Our approach for describing security threats and for = recommending countermeasures isn't suitable to all the documents we = produce. Let me list a few desirable results of our standardization work:=20 1) Everyone wants interoperability. We can do interop testing of = building blocks to see whether a client and a server are able to = interact. For example, we could write a few test cases to see how two = independent bearer token specifications work with each other. That = approach works for some of our building blocks. I do, however, believe = that we are more interested of an interoperable system consisting of = several components rather than having interop between random components. = Even if we do not like it, OAuth is an application level protocol that = requires a number of things to be in place to make sense.=20 2) We want libraries to be available that allow implementers to quickly = "OAuth-enable" their Web applications, i.e., by quickly I mean that an = application develop shouldn't have to write everything from scratch. = Most of the development time will be spent on aspects that are not = subject to standardization in the working group (such as the user = interface and the actual application semantic -- the data sharing that = happens once the authorization step is completed). These libraries are = likely to support various extensions and getting two different = implementations to interwork will IMHO in practice not be a problem. = However, for a real deployment it seems that the current direction where = people are going is more in the line of trust frameworks where much more = than just technical interoperability is needed for a working system. See = the discussions around NSTIC for that matter.=20 3) We want the ability for algorithm negotiation/discovery, at least up = to a certain degree. For example, it would would nice if a client talks = to a server and they both implement TLS 1.2 then they actually use it. = The requirement for crypto-agility fits in here as well.=20 4) We want to separate the protocol specification from the cryptographic = algorithms and other faster changing components. We don't want to update = our protocol specification just because an algorithm becomes obsolete or = the protocol suddenly gets used in a different environment where other = constraints may be prevalent. =20 5) The security analysis and the solution approaches will vary based on = the deployment environment. During the Taipei OAuth WG meeting I tried = to explain what I mean with this statement with my reference to NIST SP = 800-63. For some reason I failed to get the story across and so I try it = again here.=20 The authors of NIST SP 800-63 (of which one is Tim Polk, former IETF = security AD) noticed that identity management protocols will be used for = a variety of different usages, each with different security properties, = and varying privacy requirements. For this purpose, the NIST guys had = introduced the famous "Level of Assurance (LoA)" concept. Different = levels put different requirements on different parts of the protocol = suite. There is no expectation that bearer assertions will be issued by = an authorization server for usage with a client at LoA level 4. A client = implementation for the health care environment may also not expect to = accept LoA 1 only suitable mechanisms.=20 While it may be fine for certain environments not to care about the = installed code size there are certainly cases where size of code = matters. I am not only thinking about the Internet of Things space but = also about the vulnerabilities that are introduced by unnecessary code. =20= While I understand that it would be great if anything interworks with = anything else out of the box I don't see how to get there. =20 Hence, I suggest that we =20 a) skip specifying a mandatory-to-implement token-type, TLS version, = etc. in the individual specifications,=20 b) complete re-chartering and to get some of the other needed building = blocks done that get us closer to an more complete "system,=20 c) develop OAuth profiles and security recommendations for different = security levels (in the style of what SP 800-63 outlines), d) capture this discussion on mandatory-to-implement security mechanisms = in a draft and socialize it with the rest of the IETF security = community, e) have a broader discussion about what we envision the Web identity = eco-system to look like. = http://tools.ietf.org/html/draft-tschofenig-secure-the-web-00 tries to = make a first step but it is still at an early stage.=20 Ciao Hannes From jricher@mitre.org Thu Dec 8 06:30:47 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D383A21F8A62 for ; Thu, 8 Dec 2011 06:30:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.449 X-Spam-Level: X-Spam-Status: No, score=-6.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jOqKSoLt2sI3 for ; Thu, 8 Dec 2011 06:30:47 -0800 (PST) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id D0DF721F85B8 for ; Thu, 8 Dec 2011 06:30:46 -0800 (PST) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 8D51321B124D for ; Thu, 8 Dec 2011 09:30:45 -0500 (EST) Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 69EAC21B1247 for ; Thu, 8 Dec 2011 09:30:45 -0500 (EST) Received: from [129.83.50.8] (129.83.31.51) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.1.339.1; Thu, 8 Dec 2011 09:30:45 -0500 Message-ID: <4EE0CA01.7080503@mitre.org> Date: Thu, 8 Dec 2011 09:30:25 -0500 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0 MIME-Version: 1.0 To: References: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> In-Reply-To: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [129.83.31.51] Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Dec 2011 14:30:47 -0000 +1 Very well said, Hannes. -- Justin On 12/08/2011 09:18 AM, Hannes Tschofenig wrote: > Hi all, > > I read through this rather long mail thread again and see whether we are reaching any conclusion on this discussion. > In turns out that there are actually two types of discussions that relate to each other, namely the TLS version support and the token type. > > Let me go back in time a little bit when I was still chairing another working group (years ago), namely the KEYPROV working group. There we ran into a similar issue, which looked fairly simple at the beginning. We worked on Portable Symmetric Key Container (PSKC), later published as RFC 6030. We were at the stage where we thought we had to decide on a mandatory-to-implement cryptographic algorithm and, similar to the OAuth case, PSKC is one building block in a larger protocol suite. As you can imagine, everyone had their own deployment environment in mind and did not like the suggestion others made about what as mandatory to implement. > > Russ (now IETF chair and at that time security area director) told the group not to worry - we don't need to pick an algorithm. He suggested to just provide a recommendation of what is best in a specific deployment environment (at the time of writing). In fact, he proposed to publish a separate document instead to discussing it in that document. > > I was surprised because I was couldn't see how one would accomplish interoperability. Russ told me that this is in practice not a problem because implementations often implement a range of cryptographic algorithms anyway. Then, as part of the algorithm negotiation procedure (or some discovery) they will figure out what both end points support. He further argued that algorithm preferences will change (as algorithms get old) and we don't want to update our specifications all the time. (This was a bit motivated by the MD5 clean-up that happened at that time.) [Please forgive me if I do not recall the exact words he said many years ago.] > > I believe we are having a similar discussion here as well, both with the token type but also with the TLS version. We look at individual specifications because we are used to add security consideration sections to each and every document. Unfortunately, the most useful statements about security (for these multi-party protocols where the functionality is spread over multiple documents) can really only be made at a higher level. Our approach for describing security threats and for recommending countermeasures isn't suitable to all the documents we produce. > > Let me list a few desirable results of our standardization work: > > 1) Everyone wants interoperability. We can do interop testing of building blocks to see whether a client and a server are able to interact. For example, we could write a few test cases to see how two independent bearer token specifications work with each other. That approach works for some of our building blocks. I do, however, believe that we are more interested of an interoperable system consisting of several components rather than having interop between random components. Even if we do not like it, OAuth is an application level protocol that requires a number of things to be in place to make sense. > > 2) We want libraries to be available that allow implementers to quickly "OAuth-enable" their Web applications, i.e., by quickly I mean that an application develop shouldn't have to write everything from scratch. Most of the development time will be spent on aspects that are not subject to standardization in the working group (such as the user interface and the actual application semantic -- the data sharing that happens once the authorization step is completed). These libraries are likely to support various extensions and getting two different implementations to interwork will IMHO in practice not be a problem. However, for a real deployment it seems that the current direction where people are going is more in the line of trust frameworks where much more than just technical interoperability is needed for a working system. See the discussions around NSTIC for that matter. > > 3) We want the ability for algorithm negotiation/discovery, at least up to a certain degree. For example, it would would nice if a client talks to a server and they both implement TLS 1.2 then they actually use it. The requirement for crypto-agility fits in here as well. > > 4) We want to separate the protocol specification from the cryptographic algorithms and other faster changing components. We don't want to update our protocol specification just because an algorithm becomes obsolete or the protocol suddenly gets used in a different environment where other constraints may be prevalent. > > 5) The security analysis and the solution approaches will vary based on the deployment environment. During the Taipei OAuth WG meeting I tried to explain what I mean with this statement with my reference to NIST SP 800-63. For some reason I failed to get the story across and so I try it again here. > > The authors of NIST SP 800-63 (of which one is Tim Polk, former IETF security AD) noticed that identity management protocols will be used for a variety of different usages, each with different security properties, and varying privacy requirements. For this purpose, the NIST guys had introduced the famous "Level of Assurance (LoA)" concept. Different levels put different requirements on different parts of the protocol suite. There is no expectation that bearer assertions will be issued by an authorization server for usage with a client at LoA level 4. A client implementation for the health care environment may also not expect to accept LoA 1 only suitable mechanisms. > > While it may be fine for certain environments not to care about the installed code size there are certainly cases where size of code matters. I am not only thinking about the Internet of Things space but also about the vulnerabilities that are introduced by unnecessary code. > > While I understand that it would be great if anything interworks with anything else out of the box I don't see how to get there. > > Hence, I suggest that we > > a) skip specifying a mandatory-to-implement token-type, TLS version, etc. in the individual specifications, > b) complete re-chartering and to get some of the other needed building blocks done that get us closer to an more complete "system, > c) develop OAuth profiles and security recommendations for different security levels (in the style of what SP 800-63 outlines), > d) capture this discussion on mandatory-to-implement security mechanisms in a draft and socialize it with the rest of the IETF security community, > e) have a broader discussion about what we envision the Web identity eco-system to look like. http://tools.ietf.org/html/draft-tschofenig-secure-the-web-00 tries to make a first step but it is still at an early stage. > > Ciao > Hannes > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From ve7jtb@ve7jtb.com Thu Dec 8 06:37:37 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DD6B21F88AB for ; Thu, 8 Dec 2011 06:37:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.599 X-Spam-Level: X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mUXaee49BD6E for ; Thu, 8 Dec 2011 06:37:36 -0800 (PST) Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id 26A6421F85B8 for ; Thu, 8 Dec 2011 06:37:36 -0800 (PST) Received: by yenm7 with SMTP id m7so1734538yen.31 for ; Thu, 08 Dec 2011 06:37:35 -0800 (PST) Received: by 10.236.131.4 with SMTP id l4mr4699574yhi.79.1323355055666; Thu, 08 Dec 2011 06:37:35 -0800 (PST) Received: from [192.168.1.213] ([190.22.74.129]) by mx.google.com with ESMTPS id l11sm14938335anm.22.2011.12.08.06.37.31 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 08 Dec 2011 06:37:34 -0800 (PST) Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: multipart/signed; boundary="Apple-Mail=_2EBF777C-5F64-4CD7-A01C-9D05EAB8E37E"; protocol="application/pkcs7-signature"; micalg=sha1 From: John Bradley In-Reply-To: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> Date: Thu, 8 Dec 2011 11:37:25 -0300 Message-Id: <0D1ED2C6-09F6-47FE-8105-CEF5CA24236B@ve7jtb.com> References: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> To: Hannes Tschofenig X-Mailer: Apple Mail (2.1251.1) Cc: "oauth@ietf.org WG" Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Dec 2011 14:37:37 -0000 --Apple-Mail=_2EBF777C-5F64-4CD7-A01C-9D05EAB8E37E Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Agreed, The best place for Token type and some of the other issues is = in higher level profiles. John B. On 2011-12-08, at 11:18 AM, Hannes Tschofenig wrote: > Hi all,=20 >=20 > I read through this rather long mail thread again and see whether we = are reaching any conclusion on this discussion.=20 > In turns out that there are actually two types of discussions that = relate to each other, namely the TLS version support and the token type.=20= >=20 > Let me go back in time a little bit when I was still chairing another = working group (years ago), namely the KEYPROV working group. There we = ran into a similar issue, which looked fairly simple at the beginning. = We worked on Portable Symmetric Key Container (PSKC), later published = as RFC 6030. We were at the stage where we thought we had to decide on a = mandatory-to-implement cryptographic algorithm and, similar to the OAuth = case, PSKC is one building block in a larger protocol suite. As you can = imagine, everyone had their own deployment environment in mind and did = not like the suggestion others made about what as mandatory to = implement. >=20 > Russ (now IETF chair and at that time security area director) told the = group not to worry - we don't need to pick an algorithm. He suggested to = just provide a recommendation of what is best in a specific deployment = environment (at the time of writing). In fact, he proposed to publish a = separate document instead to discussing it in that document.=20 >=20 > I was surprised because I was couldn't see how one would accomplish = interoperability. Russ told me that this is in practice not a problem = because implementations often implement a range of cryptographic = algorithms anyway. Then, as part of the algorithm negotiation procedure = (or some discovery) they will figure out what both end points support. = He further argued that algorithm preferences will change (as algorithms = get old) and we don't want to update our specifications all the time. = (This was a bit motivated by the MD5 clean-up that happened at that = time.) [Please forgive me if I do not recall the exact words he said = many years ago.] >=20 > I believe we are having a similar discussion here as well, both with = the token type but also with the TLS version. We look at individual = specifications because we are used to add security consideration = sections to each and every document. Unfortunately, the most useful = statements about security (for these multi-party protocols where the = functionality is spread over multiple documents) can really only be made = at a higher level. Our approach for describing security threats and for = recommending countermeasures isn't suitable to all the documents we = produce. >=20 > Let me list a few desirable results of our standardization work:=20 >=20 > 1) Everyone wants interoperability. We can do interop testing of = building blocks to see whether a client and a server are able to = interact. For example, we could write a few test cases to see how two = independent bearer token specifications work with each other. That = approach works for some of our building blocks. I do, however, believe = that we are more interested of an interoperable system consisting of = several components rather than having interop between random components. = Even if we do not like it, OAuth is an application level protocol that = requires a number of things to be in place to make sense.=20 >=20 > 2) We want libraries to be available that allow implementers to = quickly "OAuth-enable" their Web applications, i.e., by quickly I mean = that an application develop shouldn't have to write everything from = scratch. Most of the development time will be spent on aspects that are = not subject to standardization in the working group (such as the user = interface and the actual application semantic -- the data sharing that = happens once the authorization step is completed). These libraries are = likely to support various extensions and getting two different = implementations to interwork will IMHO in practice not be a problem. = However, for a real deployment it seems that the current direction where = people are going is more in the line of trust frameworks where much more = than just technical interoperability is needed for a working system. See = the discussions around NSTIC for that matter.=20 >=20 > 3) We want the ability for algorithm negotiation/discovery, at least = up to a certain degree. For example, it would would nice if a client = talks to a server and they both implement TLS 1.2 then they actually use = it. The requirement for crypto-agility fits in here as well.=20 >=20 > 4) We want to separate the protocol specification from the = cryptographic algorithms and other faster changing components. We don't = want to update our protocol specification just because an algorithm = becomes obsolete or the protocol suddenly gets used in a different = environment where other constraints may be prevalent. =20 >=20 > 5) The security analysis and the solution approaches will vary based = on the deployment environment. During the Taipei OAuth WG meeting I = tried to explain what I mean with this statement with my reference to = NIST SP 800-63. For some reason I failed to get the story across and so = I try it again here.=20 >=20 > The authors of NIST SP 800-63 (of which one is Tim Polk, former IETF = security AD) noticed that identity management protocols will be used for = a variety of different usages, each with different security properties, = and varying privacy requirements. For this purpose, the NIST guys had = introduced the famous "Level of Assurance (LoA)" concept. Different = levels put different requirements on different parts of the protocol = suite. There is no expectation that bearer assertions will be issued by = an authorization server for usage with a client at LoA level 4. A client = implementation for the health care environment may also not expect to = accept LoA 1 only suitable mechanisms.=20 >=20 > While it may be fine for certain environments not to care about the = installed code size there are certainly cases where size of code = matters. I am not only thinking about the Internet of Things space but = also about the vulnerabilities that are introduced by unnecessary code. =20= >=20 > While I understand that it would be great if anything interworks with = anything else out of the box I don't see how to get there. =20 >=20 > Hence, I suggest that we =20 >=20 > a) skip specifying a mandatory-to-implement token-type, TLS version, = etc. in the individual specifications,=20 > b) complete re-chartering and to get some of the other needed building = blocks done that get us closer to an more complete "system,=20 > c) develop OAuth profiles and security recommendations for different = security levels (in the style of what SP 800-63 outlines), > d) capture this discussion on mandatory-to-implement security = mechanisms in a draft and socialize it with the rest of the IETF = security community, > e) have a broader discussion about what we envision the Web identity = eco-system to look like. = http://tools.ietf.org/html/draft-tschofenig-secure-the-web-00 tries to = make a first step but it is still at an early stage.=20 >=20 > Ciao > Hannes >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_2EBF777C-5F64-4CD7-A01C-9D05EAB8E37E Content-Disposition: attachment; filename=smime.p7s Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIO9TCCBwsw ggXzoAMCAQICAgZDMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3Rh cnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4 MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0Ew HhcNMTAwMzE3MTM0NDQ1WhcNMTIwMzE4MTE1NTExWjCBzTEgMB4GA1UEDRMXMTY1NTU1LTJHU3FU T1ZUbkk4OHhOSW4xCzAJBgNVBAYTAkNMMSIwIAYDVQQIExlNZXRyb3BvbGl0YW5hIGRlIFNhbnRp YWdvMREwDwYDVQQHEwhWaXRhY3VyYTEtMCsGA1UECxMkU3RhcnRDb20gVmVyaWZpZWQgQ2VydGlm aWNhdGUgTWVtYmVyMRUwEwYDVQQDEwxKb2huIEJyYWRsZXkxHzAdBgkqhkiG9w0BCQEWEGpicmFk bGV5QG1hYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB7DXf6x80dsJiB9B9 Ds4cBQdA+9bNuZMBeXkUAHrvYH2taw6y8fcadbhgk92FyPiCbsHtB1VTaJThaMqtXuTkS4r5Sfb8 k5kboz3OQVPMmrOJIUpaoDP2heKEhMUSL6ev9CvsuYs+XXe7f9vY3w/A8cVg/NoOXbdqKXbWOMMd NSdg7uJWSsmpqILFzQsumwqVH24tYX0sqvpJy/r+pc84j6QM+Ew0B9bz3OkEMafjcCeGRfdsQnLB +rIR8BPDeeKRP6a5e8Lf6slUQ3s/rh33otnkNaz6DMLTJrj0qoAD7FxB7LlLalIjrg08BNZDJUQK 7zTlNxkPqVHVTg3H0OG/AgMBAAGjggMyMIIDLjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAdBgNV HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHQYDVR0OBBYEFMjJGKHWsNb6VU54Wkktqcu2on3B MB8GA1UdIwQYMBaAFK5Vg2/sMcq59x36r2sx88gd46y7MFQGA1UdEQRNMEuBEGpicmFkbGV5QG1h Yy5jb22BEXZlN2p0YkB2ZTdqdGIuY29tgRNqYnJhZGxleUB3aW5nYWEuY29tgQ9qYnJhZGxleUBt ZS5jb20wggFCBgNVHSAEggE5MIIBNTCCATEGCysGAQQBgbU3AQIBMIIBIDAuBggrBgEFBQcCARYi aHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0BggrBgEFBQcCARYoaHR0cDovL3d3 dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRlLnBkZjCBtwYIKwYBBQUHAgIwgaowFBYNU3RhcnRD b20gTHRkLjADAgEBGoGRTGltaXRlZCBMaWFiaWxpdHksIHNlZSBzZWN0aW9uICpMZWdhbCBMaW1p dGF0aW9ucyogb2YgdGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFBvbGljeSBh dmFpbGFibGUgYXQgaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjBjBgNVHR8EXDBa MCugKaAnhiVodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9jcnR1Mi1jcmwuY3JsMCugKaAnhiVodHRw Oi8vY3JsLnN0YXJ0c3NsLmNvbS9jcnR1Mi1jcmwuY3JsMIGOBggrBgEFBQcBAQSBgTB/MDkGCCsG AQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMi9jbGllbnQvY2EwQgYI KwYBBQUHMAKGNmh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczIuY2xpZW50 LmNhLmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQEF BQADggEBAHu8WZHdSu+I5GMzGDrkxFVUzZ2JAcwzgSscYNFX2CFJlU8ncC+/E5Y18oiGcIR9o7J3 Hh4fGrjJmxTsq2O3E9/qg0yWSEzlCBhAXl/D+GTyUJA/KfIuCbdsuS5opprSrBZztqMYcGSCQJFz lE+esdbCXazdyEww5XfiGVgKiRyV2ycXyxNjekowbcDffSsOYplGBjJwPRYpESgfCYDXm+yyDQhy Xk0pxNEA7ob5fAMellN8FcgLfQtwSRcg8cYl/m8/BeVl6+eZuzCb061PdUN+mDf6erS55tXqgWJ3 toTp3GGaaOwwGs/bA1UnLqYm93RfTyL3kU1OWG8syPFMLoIwggfiMIIFyqADAgECAgEOMA0GCSqG SIb3DQEBBQUAMH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQL EyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYDVQQDEyBTdGFydENvbSBD ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzEwMjQyMTAyNTRaFw0xMjEwMjIyMTAyNTRaMIGM MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmlt YXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDLKIVFnAEs+xnyq6UzjCqgDcvQVe1dIoFnRsQPCFO+y92k8RK0Pn3MbQ2Gd+mehh9GBZ+36uUQ A7Xj9AGM6wgPhEE34vKtfpAN5tJ8LcFxveDObCKrL7O5UT9WsnAZHv7OYPYSR68mdmnEnJ83M4wQ gKO19b+Rt8sPDAz9ptkQsntCn4GeJzg3q2SVc4QJTg/WHo7wF2ah5LMOeh8xJVSKGEmd6uPkSbj1 13yKMm8vmNptRPmM1+YgmVwcdOYJOjCgFtb2sOP79jji8uhWR91xx7TpM1K3hv/wrBZwffrmmEpU euXHRs07JqCCvFh9coKF4UQZvfEg+x3/69xRCzb1AgMBAAGjggNbMIIDVzAMBgNVHRMEBTADAQH/ MAsGA1UdDwQEAwIBpjAdBgNVHQ4EFgQUrlWDb+wxyrn3HfqvazHzyB3jrLswgagGA1UdIwSBoDCB nYAUTgvvGqRAW6UXaYcwyjRoQ9BBrvKhgYGkfzB9MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3Rh cnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEp MCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHmCAQEwCQYDVR0SBAIwADA9 BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAKGIWh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL3Nmc2Nh LmNydDBgBgNVHR8EWTBXMCygKqAohiZodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvc2ZzY2EtY3Js LmNybDAnoCWgI4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMIIBXQYDVR0gBIIB VDCCAVAwggFMBgsrBgEEAYG1NwEBBDCCATswLwYIKwYBBQUHAgEWI2h0dHA6Ly9jZXJ0LnN0YXJ0 Y29tLm9yZy9wb2xpY3kucGRmMDUGCCsGAQUFBwIBFilodHRwOi8vY2VydC5zdGFydGNvbS5vcmcv aW50ZXJtZWRpYXRlLnBkZjCB0AYIKwYBBQUHAgIwgcMwJxYgU3RhcnQgQ29tbWVyY2lhbCAoU3Rh cnRDb20pIEx0ZC4wAwIBARqBl0xpbWl0ZWQgTGlhYmlsaXR5LCByZWFkIHRoZSBzZWN0aW9uICpM ZWdhbCBMaW1pdGF0aW9ucyogb2YgdGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 IFBvbGljeSBhdmFpbGFibGUgYXQgaHR0cDovL2NlcnQuc3RhcnRjb20ub3JnL3BvbGljeS5wZGYw EQYJYIZIAYb4QgEBBAQDAgAHMFAGCWCGSAGG+EIBDQRDFkFTdGFydENvbSBDbGFzcyAyIFByaW1h cnkgSW50ZXJtZWRpYXRlIEZyZWUgU1NMIEVtYWlsIENlcnRpZmljYXRlczANBgkqhkiG9w0BAQUF AAOCAgEAHvcQF/726YR5L5A3Ta7JV1nTu3w9yWqp00945pg7uea+1KVtR/7/yeNFAV7MPQylPE8p ROEcGU+RwwDFuNn9cePfAMzOBTpy/6VE076+gYkZa4n8uWaL5A2FVo8tRmEyfoT4gRL9B5h5w8Y4 ZySCJBLyfp4jByyxHaTTIWZ8TIkxUQLSBeFnmHKYFwYwMbBA0Sgb8ONCvq9zeJcpMkkDadhJSCfB 9c9gZocbaaVHVqTlSeENRr5/Y31dapzIRQg2Pl9V/A65Cq03KQxMXBpXn8HkLO/g2FCt7KYkJCaT e6qT2JX8thmB3nb+5RmtWQIITCP+PPNkFQCts6ujOtJx6TlDLWA+tV7QLN2Q+S98p/SwnXito+GW 0N7kXcL8QDBVsF8lCvwCz+JQrvUIcW5xEzpAVk9xSbpePxVIMzNEUQhBobkFojhUqGt+VyU3GH/+ BP2brzl4StOJ1KXuw2EzFs0ai9OMsqCUFRyhykm6MrbnsnSrqhWSnSQPYIu+zpzwWC/8sZFxoJCw vbbIu+6E+AIGa8tP+pYF+empPn/7pkIoTT4LSkkEIxGKvUvDJTh86VDNL8bIIQE2LHVDwcOq+mcQ x416FAA9Nw1DBGyrFr6hQe5yTVXrJ4G7vJosNRGCwPnx302gonaFdwi++YyqjPyhPO6q4fRarYvW yqp5L6UxggNsMIIDaAIBATCBkzCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0 ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMT L1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENBAgIGQzAJBgUr DgMCGgUAoIIBrTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xMTEy MDgxNDM3MjZaMCMGCSqGSIb3DQEJBDEWBBTjPx0jdToe8XEltdnXiKRyiHKyeTCBpAYJKwYBBAGC NxAEMYGWMIGTMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UE CxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20g Q2xhc3MgMiBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0ECAgZDMIGmBgsqhkiG9w0BCRAC CzGBlqCBkzCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENs YXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENBAgIGQzANBgkqhkiG9w0BAQEFAASC AQBlE8UNAFpsqsMmoF7kUj/jE8YvhKOfSXHNj0JWOgKAe2muZy2qXXcuSkHWhzXVr6yd9ssAEMfP Fuw0hRyUP/TVc2oLu95VIB3K9i69YYrSYTV0X+aRN1/aycnuViPcEdzsP/JKz0AeMn7Pyk+Cm0f2 jD/QWUTEthm0AbZx05jVSf1br6kpSfI3tyG377IeocLXhT+r1wMyGd2mZjaWxe48jR3DkOGXDS+5 wFdvY5oh053OmCI3Z9xeKdpaYWfqR3na1QOvjP11cJyFbNbzKng5Ei4MV4Ll4Q2v4gjPPzE44cYl oJXSU6sNHqzfbgzJZ88tzWoahSKeOcnDy0I16xOyAAAAAAAA --Apple-Mail=_2EBF777C-5F64-4CD7-A01C-9D05EAB8E37E-- From mike@mtcc.com Thu Dec 8 07:08:08 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C96A21F8ACE for ; Thu, 8 Dec 2011 07:08:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mb-CGgAoLEhl for ; Thu, 8 Dec 2011 07:08:07 -0800 (PST) Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 2949321F8ABB for ; Thu, 8 Dec 2011 07:08:07 -0800 (PST) Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pB8F82hr005507 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 8 Dec 2011 07:08:02 -0800 Message-ID: <4EE0D2D2.2010209@mtcc.com> Date: Thu, 08 Dec 2011 07:08:02 -0800 From: Michael Thomas User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0 MIME-Version: 1.0 To: Hannes Tschofenig References: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> In-Reply-To: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1334; t=1323356883; x=1324220883; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20 |Subject:=20Re=3A=20[OAUTH-WG]=20Mandatory=20to=20Implement =20&=20Interoperability |Sender:=20 |To:=20Hannes=20Tschofenig=20 |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=ZyDWxlDGfAQ45aOD3sjNNobuBM61DHocwybgw3IkDyc=; b=g04cmBJc9KRyDyzp+5rD5OgQ7cR8P3u/DB0GVbGb6JyetkfEdQTAZgQs6e x8NBT48EeoZ1T1pGlb2X9KYspvb1v8QWFdmlObUxJB3iI26oJ9z2wiHnHSF1 neYpYDd0DyGxXCzJNc1usc5TfacX7Y4UfDWXa2ex7ZxPuOMAAGTok=; Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com Cc: "oauth@ietf.org WG" Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Dec 2011 15:08:08 -0000 On 12/08/2011 06:18 AM, Hannes Tschofenig wrote: > 3) We want the ability for algorithm negotiation/discovery, at least up to a certain degree. For example, it would would nice if a client talks to a server and they both implement TLS 1.2 then they actually use it. The requirement for crypto-agility fits in here as well. > I don't think that certain degree even needs to be all that complicated. Suppose that in the future there exists a kitchen sink liboauth which is widely available. As a service provider, all I really care is that the client can interoperate with me. So suppose I just generate a sdk that looks like this: client--->MyServiceShim->liboauth ---------- liboauth->MyserviceShim--->server No need for discovery or anything like that: it's baked into the shim which I make available for all the usual suspect language bindings. And it's still a better situation for the service provider because they don't have to maintain liboauth... the shim becomes nothing more than a the set of policy decisions that turn the right knobs in the underlying library. So did the MTI buy us anything in this -- rather likely -- scenario? No. Whoever builds liboauth is almost by definition going to be silent about winners and losers -- it's job is to implement everything, not take sides. Mike From hannes.tschofenig@gmx.net Thu Dec 8 07:17:09 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42FCF21F85CE for ; Thu, 8 Dec 2011 07:17:09 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K-3reoZiZ5wO for ; Thu, 8 Dec 2011 07:17:08 -0800 (PST) Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 61CC621F8557 for ; Thu, 8 Dec 2011 07:17:08 -0800 (PST) Received: (qmail invoked by alias); 08 Dec 2011 15:17:07 -0000 Received: from a88-115-216-191.elisa-laajakaista.fi (EHLO [10.0.0.4]) [88.115.216.191] by mail.gmx.net (mp006) with SMTP; 08 Dec 2011 16:17:07 +0100 X-Authenticated: #29516787 X-Provags-ID: V01U2FsdGVkX18Ez+dYrisEA/f9ZCPqOIwBbCpeInVpYpJXmdkoUt OvOrIAEzEaOtWA Mime-Version: 1.0 (Apple Message framework v1084) Content-Type: text/plain; charset=us-ascii From: Hannes Tschofenig In-Reply-To: <4EE0D2D2.2010209@mtcc.com> Date: Thu, 8 Dec 2011 17:17:05 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: References: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> <4EE0D2D2.2010209@mtcc.com> To: Michael Thomas X-Mailer: Apple Mail (2.1084) X-Y-GMX-Trusted: 0 Cc: "oauth@ietf.org WG" Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Dec 2011 15:17:09 -0000 Hi Mike,=20 I guess we are on the same page with regard to discovery/negotiation. I = do not care so much how it is implemented as long it is there.=20 While certain libraries may implement everything I don't think it is = reasonable to assume that every deployment will have every functionality = implemented. I would be super surprised. Even on a server with enough = storage this is not a viable option. On constrained devices this is = certainly not possible and our story cannot be built on such an = assumption.=20 Ciao hannes On Dec 8, 2011, at 5:08 PM, Michael Thomas wrote: > On 12/08/2011 06:18 AM, Hannes Tschofenig wrote: >> 3) We want the ability for algorithm negotiation/discovery, at least = up to a certain degree. For example, it would would nice if a client = talks to a server and they both implement TLS 1.2 then they actually use = it. The requirement for crypto-agility fits in here as well. >> =20 >=20 > I don't think that certain degree even needs to be all that > complicated. Suppose that in the future there exists a kitchen > sink liboauth which is widely available. As a service provider, > all I really care is that the client can interoperate with > me. So suppose I just generate a sdk that looks like this: >=20 > client--->MyServiceShim->liboauth ---------- = liboauth->MyserviceShim--->server >=20 > No need for discovery or anything like that: it's baked into the > shim which I make available for all the usual suspect language > bindings. And it's still a better situation for the service provider > because they don't have to maintain liboauth... the shim becomes > nothing more than a the set of policy decisions that turn the > right knobs in the underlying library. >=20 > So did the MTI buy us anything in this -- rather likely -- scenario? > No. Whoever builds liboauth is almost by definition going to be > silent about winners and losers -- it's job is to implement = everything, > not take sides. >=20 > Mike From phil.hunt@oracle.com Thu Dec 8 07:42:16 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4824521F8ADC for ; Thu, 8 Dec 2011 07:42:16 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bYeYNJflwgLD for ; Thu, 8 Dec 2011 07:42:15 -0800 (PST) Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id 2DE8D21F8AD1 for ; Thu, 8 Dec 2011 07:42:15 -0800 (PST) Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by acsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pB8FgAKN021055 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 8 Dec 2011 15:42:10 GMT Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id pB8Fg8XX014701 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 8 Dec 2011 15:42:09 GMT Received: from abhmt106.oracle.com (abhmt106.oracle.com [141.146.116.58]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id pB8Fg3ax011085; Thu, 8 Dec 2011 09:42:03 -0600 Received: from dhcp184-48-56-147.ssb.sjc.wayport.net (/184.48.56.147) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 08 Dec 2011 07:42:03 -0800 Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=us-ascii From: Phil Hunt In-Reply-To: <0D1ED2C6-09F6-47FE-8105-CEF5CA24236B@ve7jtb.com> Date: Thu, 8 Dec 2011 07:42:02 -0800 Content-Transfer-Encoding: quoted-printable Message-Id: <2944CBEA-2FA7-4A20-8F46-93093C802E57@oracle.com> References: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> <0D1ED2C6-09F6-47FE-8105-CEF5CA24236B@ve7jtb.com> To: John Bradley X-Mailer: Apple Mail (2.1251.1) X-Source-IP: ucsinet22.oracle.com [156.151.31.94] X-CT-RefId: str=0001.0A020208.4EE0DAD3.0096,ss=1,re=0.000,fgs=0 Cc: "oauth@ietf.org WG" Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Dec 2011 15:42:16 -0000 +1 to both John and Hannes comments. Phil @independentid www.independentid.com phil.hunt@oracle.com On 2011-12-08, at 6:37 AM, John Bradley wrote: > Agreed, The best place for Token type and some of the other issues = is in higher level profiles. >=20 > John B. > On 2011-12-08, at 11:18 AM, Hannes Tschofenig wrote: >=20 >> Hi all,=20 >>=20 >> I read through this rather long mail thread again and see whether we = are reaching any conclusion on this discussion.=20 >> In turns out that there are actually two types of discussions that = relate to each other, namely the TLS version support and the token type.=20= >>=20 >> Let me go back in time a little bit when I was still chairing another = working group (years ago), namely the KEYPROV working group. There we = ran into a similar issue, which looked fairly simple at the beginning. = We worked on Portable Symmetric Key Container (PSKC), later published = as RFC 6030. We were at the stage where we thought we had to decide on a = mandatory-to-implement cryptographic algorithm and, similar to the OAuth = case, PSKC is one building block in a larger protocol suite. As you can = imagine, everyone had their own deployment environment in mind and did = not like the suggestion others made about what as mandatory to = implement. >>=20 >> Russ (now IETF chair and at that time security area director) told = the group not to worry - we don't need to pick an algorithm. He = suggested to just provide a recommendation of what is best in a specific = deployment environment (at the time of writing). In fact, he proposed to = publish a separate document instead to discussing it in that document.=20= >>=20 >> I was surprised because I was couldn't see how one would accomplish = interoperability. Russ told me that this is in practice not a problem = because implementations often implement a range of cryptographic = algorithms anyway. Then, as part of the algorithm negotiation procedure = (or some discovery) they will figure out what both end points support. = He further argued that algorithm preferences will change (as algorithms = get old) and we don't want to update our specifications all the time. = (This was a bit motivated by the MD5 clean-up that happened at that = time.) [Please forgive me if I do not recall the exact words he said = many years ago.] >>=20 >> I believe we are having a similar discussion here as well, both with = the token type but also with the TLS version. We look at individual = specifications because we are used to add security consideration = sections to each and every document. Unfortunately, the most useful = statements about security (for these multi-party protocols where the = functionality is spread over multiple documents) can really only be made = at a higher level. Our approach for describing security threats and for = recommending countermeasures isn't suitable to all the documents we = produce. >>=20 >> Let me list a few desirable results of our standardization work:=20 >>=20 >> 1) Everyone wants interoperability. We can do interop testing of = building blocks to see whether a client and a server are able to = interact. For example, we could write a few test cases to see how two = independent bearer token specifications work with each other. That = approach works for some of our building blocks. I do, however, believe = that we are more interested of an interoperable system consisting of = several components rather than having interop between random components. = Even if we do not like it, OAuth is an application level protocol that = requires a number of things to be in place to make sense.=20 >>=20 >> 2) We want libraries to be available that allow implementers to = quickly "OAuth-enable" their Web applications, i.e., by quickly I mean = that an application develop shouldn't have to write everything from = scratch. Most of the development time will be spent on aspects that are = not subject to standardization in the working group (such as the user = interface and the actual application semantic -- the data sharing that = happens once the authorization step is completed). These libraries are = likely to support various extensions and getting two different = implementations to interwork will IMHO in practice not be a problem. = However, for a real deployment it seems that the current direction where = people are going is more in the line of trust frameworks where much more = than just technical interoperability is needed for a working system. See = the discussions around NSTIC for that matter.=20 >>=20 >> 3) We want the ability for algorithm negotiation/discovery, at least = up to a certain degree. For example, it would would nice if a client = talks to a server and they both implement TLS 1.2 then they actually use = it. The requirement for crypto-agility fits in here as well.=20 >>=20 >> 4) We want to separate the protocol specification from the = cryptographic algorithms and other faster changing components. We don't = want to update our protocol specification just because an algorithm = becomes obsolete or the protocol suddenly gets used in a different = environment where other constraints may be prevalent. =20 >>=20 >> 5) The security analysis and the solution approaches will vary based = on the deployment environment. During the Taipei OAuth WG meeting I = tried to explain what I mean with this statement with my reference to = NIST SP 800-63. For some reason I failed to get the story across and so = I try it again here.=20 >>=20 >> The authors of NIST SP 800-63 (of which one is Tim Polk, former IETF = security AD) noticed that identity management protocols will be used for = a variety of different usages, each with different security properties, = and varying privacy requirements. For this purpose, the NIST guys had = introduced the famous "Level of Assurance (LoA)" concept. Different = levels put different requirements on different parts of the protocol = suite. There is no expectation that bearer assertions will be issued by = an authorization server for usage with a client at LoA level 4. A client = implementation for the health care environment may also not expect to = accept LoA 1 only suitable mechanisms.=20 >>=20 >> While it may be fine for certain environments not to care about the = installed code size there are certainly cases where size of code = matters. I am not only thinking about the Internet of Things space but = also about the vulnerabilities that are introduced by unnecessary code. =20= >>=20 >> While I understand that it would be great if anything interworks with = anything else out of the box I don't see how to get there. =20 >>=20 >> Hence, I suggest that we =20 >>=20 >> a) skip specifying a mandatory-to-implement token-type, TLS version, = etc. in the individual specifications,=20 >> b) complete re-chartering and to get some of the other needed = building blocks done that get us closer to an more complete "system,=20 >> c) develop OAuth profiles and security recommendations for different = security levels (in the style of what SP 800-63 outlines), >> d) capture this discussion on mandatory-to-implement security = mechanisms in a draft and socialize it with the rest of the IETF = security community, >> e) have a broader discussion about what we envision the Web identity = eco-system to look like. = http://tools.ietf.org/html/draft-tschofenig-secure-the-web-00 tries to = make a first step but it is still at an early stage.=20 >>=20 >> Ciao >> Hannes >>=20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From wmills@yahoo-inc.com Thu Dec 8 08:05:00 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6418421F8B21 for ; Thu, 8 Dec 2011 08:05:00 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -17.555 X-Spam-Level: X-Spam-Status: No, score=-17.555 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2HX6xTiaP1Zp for ; Thu, 8 Dec 2011 08:04:59 -0800 (PST) Received: from nm30-vm0.bullet.mail.sp2.yahoo.com (nm30-vm0.bullet.mail.sp2.yahoo.com [98.139.91.238]) by ietfa.amsl.com (Postfix) with SMTP id 28C9921F8B11 for ; Thu, 8 Dec 2011 08:04:59 -0800 (PST) Received: from [98.139.91.67] by nm30.bullet.mail.sp2.yahoo.com with NNFMP; 08 Dec 2011 16:04:59 -0000 Received: from [98.139.91.18] by tm7.bullet.mail.sp2.yahoo.com with NNFMP; 08 Dec 2011 16:03:59 -0000 Received: from [127.0.0.1] by omp1018.mail.sp2.yahoo.com with NNFMP; 08 Dec 2011 16:03:59 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 56048.38111.bm@omp1018.mail.sp2.yahoo.com Received: (qmail 83846 invoked by uid 60001); 8 Dec 2011 16:03:58 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1323360238; bh=cNaAcdpocy/sMUWoV0mxZGCEl4+WE2UF+XPsRUNNiD0=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=Ohg8+/FHKmDFw7vrW3HUugzFgXvPPdSJTz2scu3UXcl3Kg8VyioJf7Vh8tc0at4iI3PEzuhWWk/TNuaVl//jgCNmpFil4/F0m7amRpl4jHDIUuDTVIvRqzNyap/hNyoh1DsS1lUWrZlJEgaF4RpYJHk+rUrVb7F33p7Tno7LGvQ= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=ZW9THPxTfLvIdbg2JrZjZIW/FqNocJD3A9uA4lrWdZHcWeqNoj9zaEs6hBPaeju7spRfM7Z4yQcH07/KLLXZkPZ8iJS312RbOhkajNieRyjkcOUpoTIoQG14iQgad/lLNdmRe3JOtEXOUTwC5hTujzWSYzha/3WKppy3yQZlSvs=; X-YMail-OSG: coQolEQVM1mybShBd.TFTJb.Wb8.2D1ejdlC5hnJsoXW3E2 HjGsYuYB6vKgXIuwjbzNn743pf40e4fVIg6HBBtEJ8i3VPMBmY3Mjl.TC0ZY JlgUHW018fuVvgvSFfJUg6fgGJVCd7D01l._61rG52jlq9qv0akYmXLFI2EB hNUpMfs9rdmsIay4sui8oOq4WTY2c1rhaipFl8.PCN__kCPRr.4rp4WWYREk md33NH9boW5ZQYYsyicIrjjVnHvHUUCSZbXSMu6mE3hd7BC0p8oXGhhmCzwW ekHzViWehoQN.ooTA8aJbnoTw65vIuoLzxFteTJGTdZAO.6Co7O5.ReTIseJ MsQonZdfVAlceGOVGvuCw7n3yknqf3qnmQkWhCkwklg._U_ErrGpTnmFI6Jw wOS_v_KLQMhA27A-- Received: from [99.31.212.42] by web31810.mail.mud.yahoo.com via HTTP; Thu, 08 Dec 2011 08:03:58 PST X-RocketYMMF: william_john_mills X-Mailer: YahooMailWebService/0.8.116.331537 References: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> <4EE0CA01.7080503@mitre.org> Message-ID: <1323360238.51562.YahooMailNeo@web31810.mail.mud.yahoo.com> Date: Thu, 8 Dec 2011 08:03:58 -0800 (PST) From: William Mills To: Justin Richer , "oauth@ietf.org" In-Reply-To: <4EE0CA01.7080503@mitre.org> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="1935884094-1144025276-1323360238=:51562" Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: William Mills List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Dec 2011 16:05:00 -0000 --1935884094-1144025276-1323360238=:51562 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable +1=0A=0A=0A=0A________________________________=0A From: Justin Richer =0ATo: oauth@ietf.org =0ASent: Thursday, December 8, 2011 6:3= 0 AM=0ASubject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability=0A= =0A+1=0A=0AVery well said, Hannes.=0A=0A=A0 -- Justin=0A=0AOn 12/08/2011 0= 9:18 AM, Hannes Tschofenig wrote:=0A> Hi all,=0A>=0A> I read through this r= ather long mail thread again and see whether we are reaching any conclusion= on this discussion.=0A> In turns out that there are actually two types of = discussions that relate to each other, namely the TLS version support and t= he token type.=0A>=0A> Let me go back in time a little bit when I was still= chairing another working group (years ago), namely the KEYPROV working gro= up. There we ran into a similar issue, which looked fairly simple at the be= ginning. We worked on Portable Symmetric Key Container (PSKC),=A0 later pub= lished as RFC 6030. We were at the stage where we thought we had to decide = on a mandatory-to-implement cryptographic algorithm and, similar to the OAu= th case, PSKC is one building block in a larger protocol suite. As you can = imagine, everyone had their own deployment environment in mind and did not = like the suggestion others made about what as mandatory to implement.=0A>= =0A> Russ (now IETF chair and at that time security area director) told the= group not to worry - we don't need to pick an algorithm. He suggested to j= ust provide a recommendation of what is best in a specific deployment envir= onment (at the time of writing). In fact, he proposed to publish a separate= document instead to discussing it in that document.=0A>=0A> I was surprise= d because I was couldn't see how one would accomplish interoperability. Rus= s told me that this is in practice not a problem because implementations of= ten implement a range of cryptographic algorithms anyway. Then, as part of = the algorithm negotiation procedure (or some discovery) they will figure ou= t what both end points support. He further argued that algorithm preference= s will change (as algorithms get old) and we don't want to update our speci= fications all the time. (This was a bit motivated by the MD5 clean-up that = happened at that time.) [Please forgive me if I do not recall the exact wor= ds he said many years ago.]=0A>=0A> I believe we are having a similar discu= ssion here as well, both with the token type but also with the TLS version.= We look at individual specifications because we are used to add security c= onsideration sections to each and every document. Unfortunately, the most u= seful statements about security (for these multi-party protocols where the = functionality is spread over multiple documents) can really only be made at= a higher level. Our approach for describing security threats and for recom= mending countermeasures isn't suitable to all the documents we produce.=0A>= =0A> Let me list a few desirable results of our standardization work:=0A>= =0A> 1) Everyone wants interoperability. We can do interop testing of build= ing blocks to see whether a client and a server are able to interact. For e= xample, we could write a few test cases to see how two independent bearer t= oken specifications work with each other. That approach works for some of o= ur building blocks. I do, however, believe that we are more interested of a= n interoperable system consisting of several components rather than having = interop between random components. Even if we do not like it, OAuth is an a= pplication level protocol that requires a number of things to be in place t= o make sense.=0A>=0A> 2) We want libraries to be available that allow imple= menters to quickly "OAuth-enable" their Web applications, i.e., by quickly = I mean that an application develop shouldn't have to write everything from = scratch. Most of the development time will be spent on aspects that are not= subject to standardization in the working group (such as the user interfac= e and the actual application semantic -- the data sharing that happens once= the authorization step is completed). These libraries are likely to suppor= t various extensions and getting two different implementations to interwork= will IMHO in practice not be a problem. However, for a real deployment it = seems that the current direction where people are going is more in the line= of trust frameworks where much more than just technical interoperability i= s needed for a working system. See the discussions around NSTIC for that ma= tter.=0A>=0A> 3) We want the ability for algorithm negotiation/discovery, a= t least up to a certain degree. For example, it would would nice if a clien= t talks to a server and they both implement TLS 1.2 then they actually use = it. The requirement for crypto-agility fits in here as well.=0A>=0A> 4) We = want to separate the protocol specification from the cryptographic algorith= ms and other faster changing components. We don't want to update our protoc= ol specification just because an algorithm becomes obsolete or the protocol= suddenly gets used in a different environment where other constraints may = be prevalent.=0A>=0A> 5) The security analysis and the solution approaches = will vary based on the deployment environment. During the Taipei OAuth WG m= eeting I tried to explain what I mean with this statement with my reference= to NIST SP 800-63. For some reason I failed to get the story across and so= I try it again here.=0A>=0A> The authors of NIST SP 800-63 (of which one i= s Tim Polk, former IETF security AD) noticed that identity management proto= cols will be used for a variety of different usages, each with different se= curity properties, and varying privacy requirements. For this purpose, the = NIST guys had introduced the famous "Level of Assurance (LoA)" concept. Dif= ferent levels put different requirements on different parts of the protocol= suite. There is no expectation that bearer assertions will be issued by an= authorization server for usage with a client at LoA level 4. A client impl= ementation for the health care environment may also not expect to accept Lo= A 1 only suitable mechanisms.=0A>=0A> While it may be fine for certain envi= ronments not to care about the installed code size there are certainly case= s where size of code matters. I am not only thinking about the Internet of = Things space but also about the vulnerabilities that are introduced by unne= cessary code.=0A>=0A> While I understand that it would be great if anything= interworks with anything else out of the box I don't see how to get there.= =0A>=0A> Hence, I suggest that we=0A>=0A> a) skip specifying a mandatory-to= -implement token-type, TLS version, etc. in the individual specifications,= =0A> b) complete re-chartering and to get some of the other needed building= blocks done that get us closer to an more complete "system,=0A> c) develop= OAuth profiles and security recommendations for different security levels = (in the style of what SP 800-63 outlines),=0A> d) capture this discussion o= n mandatory-to-implement security mechanisms in a draft and socialize it wi= th the rest of the IETF security community,=0A> e) have a broader discussio= n about what we envision the Web identity eco-system to look like. http://t= ools.ietf.org/html/draft-tschofenig-secure-the-web-00 tries to make a first= step but it is still at an early stage.=0A>=0A> Ciao=0A> Hannes=0A>=0A> __= _____________________________________________=0A> OAuth mailing list=0A> OA= uth@ietf.org=0A> https://www.ietf.org/mailman/listinfo/oauth=0A=0A_________= ______________________________________=0AOAuth mailing list=0AOAuth@ietf.or= g=0Ahttps://www.ietf.org/mailman/listinfo/oauth --1935884094-1144025276-1323360238=:51562 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
+1

From: Justin Richer <jricher@mitre.org>
To: oauth@ietf.org
Sent: Thursday, December 8, 2011 6:= 30 AM
Subject: Re: [OA= UTH-WG] Mandatory to Implement & Interoperability

=0A+1=

Very well said, Hannes.

  -- Justin

On 12/08/201= 1 09:18 AM, Hannes Tschofenig wrote:
> Hi all,
>
> I read= through this rather long mail thread again and see whether we are reaching= any conclusion on this discussion.
> In turns out that there are act= ually two types of discussions that relate to each other, namely the TLS ve= rsion support and the token type.
>
> Let me go back in time a = little bit when I was still chairing another working group (years ago), nam= ely the KEYPROV working group. There we ran into a similar issue, which loo= ked fairly simple at the beginning. We worked on Portable Symmetric Key Con= tainer (PSKC),  later published as RFC 6030. We were at the stage wher= e we thought we had to decide on a mandatory-to-implement cryptographic alg= orithm and, similar to the OAuth case, PSKC is one building block in a larg= er protocol suite. As you can imagine, everyone had their own deployment environment in mind and did not like the suggestion others made= about what as mandatory to implement.
>
> Russ (now IETF chair= and at that time security area director) told the group not to worry - we = don't need to pick an algorithm. He suggested to just provide a recommendat= ion of what is best in a specific deployment environment (at the time of wr= iting). In fact, he proposed to publish a separate document instead to disc= ussing it in that document.
>
> I was surprised because I was c= ouldn't see how one would accomplish interoperability. Russ told me that th= is is in practice not a problem because implementations often implement a r= ange of cryptographic algorithms anyway. Then, as part of the algorithm neg= otiation procedure (or some discovery) they will figure out what both end p= oints support. He further argued that algorithm preferences will change (as= algorithms get old) and we don't want to update our specifications all the time. (This was a bit motivated by the MD5 clean-up that happened = at that time.) [Please forgive me if I do not recall the exact words he sai= d many years ago.]
>
> I believe we are having a similar discus= sion here as well, both with the token type but also with the TLS version. = We look at individual specifications because we are used to add security co= nsideration sections to each and every document. Unfortunately, the most us= eful statements about security (for these multi-party protocols where the f= unctionality is spread over multiple documents) can really only be made at = a higher level. Our approach for describing security threats and for recomm= ending countermeasures isn't suitable to all the documents we produce.
&= gt;
> Let me list a few desirable results of our standardization work= :
>
> 1) Everyone wants interoperability. We can do interop tes= ting of building blocks to see whether a client and a server are able to interact. For example, we could write a few test cases to see how = two independent bearer token specifications work with each other. That appr= oach works for some of our building blocks. I do, however, believe that we = are more interested of an interoperable system consisting of several compon= ents rather than having interop between random components. Even if we do no= t like it, OAuth is an application level protocol that requires a number of= things to be in place to make sense.
>
> 2) We want libraries = to be available that allow implementers to quickly "OAuth-enable" their Web= applications, i.e., by quickly I mean that an application develop shouldn'= t have to write everything from scratch. Most of the development time will = be spent on aspects that are not subject to standardization in the working = group (such as the user interface and the actual application semantic -- th= e data sharing that happens once the authorization step is completed). These libraries are likely to support various extensions and g= etting two different implementations to interwork will IMHO in practice not= be a problem. However, for a real deployment it seems that the current dir= ection where people are going is more in the line of trust frameworks where= much more than just technical interoperability is needed for a working sys= tem. See the discussions around NSTIC for that matter.
>
> 3) W= e want the ability for algorithm negotiation/discovery, at least up to a ce= rtain degree. For example, it would would nice if a client talks to a serve= r and they both implement TLS 1.2 then they actually use it. The requiremen= t for crypto-agility fits in here as well.
>
> 4) We want to se= parate the protocol specification from the cryptographic algorithms and oth= er faster changing components. We don't want to update our protocol specifi= cation just because an algorithm becomes obsolete or the protocol suddenly gets used in a different environment where other constraints may = be prevalent.
>
> 5) The security analysis and the solution app= roaches will vary based on the deployment environment. During the Taipei OA= uth WG meeting I tried to explain what I mean with this statement with my r= eference to NIST SP 800-63. For some reason I failed to get the story acros= s and so I try it again here.
>
> The authors of NIST SP 800-63= (of which one is Tim Polk, former IETF security AD) noticed that identity = management protocols will be used for a variety of different usages, each w= ith different security properties, and varying privacy requirements. For th= is purpose, the NIST guys had introduced the famous "Level of Assurance (Lo= A)" concept. Different levels put different requirements on different parts= of the protocol suite. There is no expectation that bearer assertions will= be issued by an authorization server for usage with a client at LoA level 4. A client implementation for the health care environment may also = not expect to accept LoA 1 only suitable mechanisms.
>
> While = it may be fine for certain environments not to care about the installed cod= e size there are certainly cases where size of code matters. I am not only = thinking about the Internet of Things space but also about the vulnerabilit= ies that are introduced by unnecessary code.
>
> While I unders= tand that it would be great if anything interworks with anything else out o= f the box I don't see how to get there.
>
> Hence, I suggest th= at we
>
> a) skip specifying a mandatory-to-implement token-typ= e, TLS version, etc. in the individual specifications,
> b) complete = re-chartering and to get some of the other needed building blocks done that= get us closer to an more complete "system,
> c) develop OAuth profil= es and security recommendations for different security levels (in the style of what SP 800-63 outlines),
> d) capture this discussion = on mandatory-to-implement security mechanisms in a draft and socialize it w= ith the rest of the IETF security community,
> e) have a broader disc= ussion about what we envision the Web identity eco-system to look like. http://tools.ietf.org/html/draft-tschofenig-secure-the-web-00= tries to make a first step but it is still at an early stage.
><= br>> Ciao
> Hannes
>
> _______________________________= ________________
> OAuth mailing list
> OAuth@ietf.org
> http= s://www.ietf.org/mailman/listinfo/oauth

________________________= _______________________
OAuth mailing list
OAuth@iet= f.org
https://www.ietf.org/mailman/listinfo/oauth


--1935884094-1144025276-1323360238=:51562-- From mike@mtcc.com Thu Dec 8 08:14:07 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB97121F8678 for ; Thu, 8 Dec 2011 08:14:07 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uu9kJSjiQL9C for ; Thu, 8 Dec 2011 08:14:06 -0800 (PST) Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 93CC921F863E for ; Thu, 8 Dec 2011 08:14:06 -0800 (PST) Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pB8GE1wo031248 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 8 Dec 2011 08:14:02 -0800 Message-ID: <4EE0E249.5000705@mtcc.com> Date: Thu, 08 Dec 2011 08:14:01 -0800 From: Michael Thomas User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0 MIME-Version: 1.0 To: Hannes Tschofenig References: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> <4EE0D2D2.2010209@mtcc.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2274; t=1323360843; x=1324224843; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20 |Subject:=20Re=3A=20[OAUTH-WG]=20Mandatory=20to=20Implement =20&=20Interoperability |Sender:=20 |To:=20Hannes=20Tschofenig=20 |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=YWw7I5FGcOhaLw6loauoZXbg8mXCXfceVVNzs5znSDI=; b=dsPJpoMUNA9a4HFTzozooQZ68aR/wXTikn2VES2K4paGXPH38CehBVPeXN TpqgfhiwgWWFzTolyH1AC/572S3c26NatQTTmMPkPihUbmp4giR2TgFv8Eqf gFq4FklwA4J2cZKMGGHPR1UM3sw9Wz5xZb8TZ7ldiHXorRZczuTWI=; Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com Cc: "oauth@ietf.org WG" Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Dec 2011 16:14:07 -0000 On 12/08/2011 07:17 AM, Hannes Tschofenig wrote: > Hi Mike, > > I guess we are on the same page with regard to discovery/negotiation. I do not care so much how it is implemented as long it is there. > > While certain libraries may implement everything I don't think it is reasonable to assume that every deployment will have every functionality implemented. I would be super surprised. Even on a server with enough storage this is not a viable option. On constrained devices this is certainly not possible and our story cannot be built on such an assumption. > Considering that things using oauth are likely to have some sort of browser rendering engine around, g*d help us all if an oauth library becomes a flash space consideration :) Mike > Ciao > hannes > > On Dec 8, 2011, at 5:08 PM, Michael Thomas wrote: > > >> On 12/08/2011 06:18 AM, Hannes Tschofenig wrote: >> >>> 3) We want the ability for algorithm negotiation/discovery, at least up to a certain degree. For example, it would would nice if a client talks to a server and they both implement TLS 1.2 then they actually use it. The requirement for crypto-agility fits in here as well. >>> >>> >> I don't think that certain degree even needs to be all that >> complicated. Suppose that in the future there exists a kitchen >> sink liboauth which is widely available. As a service provider, >> all I really care is that the client can interoperate with >> me. So suppose I just generate a sdk that looks like this: >> >> client--->MyServiceShim->liboauth ---------- liboauth->MyserviceShim--->server >> >> No need for discovery or anything like that: it's baked into the >> shim which I make available for all the usual suspect language >> bindings. And it's still a better situation for the service provider >> because they don't have to maintain liboauth... the shim becomes >> nothing more than a the set of policy decisions that turn the >> right knobs in the underlying library. >> >> So did the MTI buy us anything in this -- rather likely -- scenario? >> No. Whoever builds liboauth is almost by definition going to be >> silent about winners and losers -- it's job is to implement everything, >> not take sides. >> >> Mike >> From torsten@lodderstedt.net Thu Dec 8 10:30:33 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3637521F8B24 for ; Thu, 8 Dec 2011 10:30:33 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.248 X-Spam-Level: X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ATasc+dnNPE4 for ; Thu, 8 Dec 2011 10:30:32 -0800 (PST) Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.18.14]) by ietfa.amsl.com (Postfix) with ESMTP id 8D6EF21F8B3D for ; Thu, 8 Dec 2011 10:30:31 -0800 (PST) Received: from [79.253.58.163] (helo=[192.168.71.31]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.68) (envelope-from ) id 1RYijk-00047m-3p; Thu, 08 Dec 2011 19:30:28 +0100 References: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> <4EE0CA01.7080503@mitre.org> <1323360238.51562.YahooMailNeo@web31810.mail.mud.yahoo.com> User-Agent: K-9 Mail for Android In-Reply-To: <1323360238.51562.YahooMailNeo@web31810.mail.mud.yahoo.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----2U98BIR3YRFAUBL5VO8LOHGQJQVYJM" From: Torsten Lodderstedt Date: Thu, 08 Dec 2011 19:30:20 +0100 To: William Mills , Justin Richer , "oauth@ietf.org" Message-ID: X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU= Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Dec 2011 18:30:33 -0000 ------2U98BIR3YRFAUBL5VO8LOHGQJQVYJM Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +1 William Mills schrieb: +1 _____________________________________________ From: Justin Richer To: oauth@ietf.org Sent: Thursday, December 8, 2011 6:30 AM Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability +1 Very well said, Hannes. -- Justin On 12/08/2011 09:18 AM, Hannes Tschofenig wrote: > Hi all, > > I read through this rather long mail thread again and see whether we are reaching any conclusion on this discussion. > In turns out that there are actually two types of discussions that relate to each other, namely the TLS version support and the token type. > > Let me go back in time a little bit when I was still chairing another working group (years ago), namely the KEYPROV working group. There we ran into a similar issue, which looked fairly simple at the beginning. We worked on Portable Symmetric Key Container (PSKC), later published as RFC 6030. We were at the stage where we thought we had to decide on a mandatory-to-implement cryptographic algorithm and, similar to the OAuth case, PSKC is one building block in a larger protocol suite. As you can imagine, everyone had their own deployment environment in mind and did not like the suggestion others made about what as mandatory to implement. > > Russ (now IETF chair and at that time security area director) told the group not to worry - we don't need to pick an algorithm. He suggested to just provide a recommendation of what is best in a specific deployment environment (at the time of writing). In fact, he proposed to publish a separate document instead to discussing it in that document. > > I was surprised because I was couldn't see how one would accomplish interoperability. Russ told me that this is in practice not a problem because implementations often implement a range of cryptographic algorithms anyway. Then, as part of the algorithm negotiation procedure (or some discovery) they will figure out what both end points support. He further argued that algorithm preferences will change (as algorithms get old) and we don't want to update our specifications all the time. (This was a bit motivated by the MD5 clean-up that happened at that time.) [Please forgive me if I do not recall the exact words he said many years ago.] > > I believe we are having a similar discussion here as well, both with the token type but also with the TLS version. We look at individual specifications because we are used to add security consideration sections to each and every document. Unfortunately, the most useful statements about security (for these multi-party protocols where the functionality is spread over multiple documents) can really only be made at a higher level. Our approach for describing security threats and for recommending countermeasures isn't suitable to all the documents we produce. > > Let me list a few desirable results of our standardization work: > > 1) Everyone wants interoperability. We can do interop testing of building blocks to see whether a client and a server are able to interact. For example, we could write a few test cases to see how two independent bearer token specifications work with each other. That approach works for some of our building blocks. I do, however, believe that we are more interested of an interoperable system consisting of several components rather than having interop between random components. Even if we do not like it, OAuth is an application level protocol that requires a number of things to be in place to make sense. > > 2) We want libraries to be available that allow implementers to quickly "OAuth-enable" their Web applications, i.e., by quickly I mean that an application develop shouldn't have to write everything from scratch. Most of the development time will be spent on aspects that are not subject to standardization in the working group (such as the user interface and the actual application semantic -- the data sharing that happens once the authorization step is completed). These libraries are likely to support various extensions and getting two different implementations to interwork will IMHO in practice not be a problem. However, for a real deployment it seems that the current direction where people are going is more in the line of trust frameworks where much more than just technical interoperability is needed for a working system. See the discussions around NSTIC for that matter. > > 3) We want the ability for algorithm negotiation/discovery, at least up to a certain degree. For example, it would would nice if a client talks to a server and they both implement TLS 1.2 then they actually use it. The requirement for crypto-agility fits in here as well. > > 4) We want to separate the protocol specification from the cryptographic algorithms and other faster changing components. We don't want to update our protocol specification just because an algorithm becomes obsolete or the protocol suddenly gets used in a different environment where other constraints may be prevalent. > > 5) The security analysis and the solution approaches will vary based on the deployment environment. During the Taipei OAuth WG meeting I tried to explain what I mean with this statement with my reference to NIST SP 800-63. For some reason I failed to get the story across and so I try it again here. > > The authors of NIST SP 800-63 (of which one is Tim Polk, former IETF security AD) noticed that identity management protocols will be used for a variety of different usages, each with different security properties, and varying privacy requirements. For this purpose, the NIST guys had introduced the famous "Level of Assurance (LoA)" concept. Different levels put different requirements on different parts of the protocol suite. There is no expectation that bearer assertions will be issued by an authorization server for usage with a client at LoA level 4. A client implementation for the health care environment may also not expect to accept LoA 1 only suitable mechanisms. > > While it may be fine for certain environments not to care about the installed code size there are certainly cases where size of code matters. I am not only thinking about the Internet of Things space but also about the vulnerabilities that are introduced by unnecessary code. > > While I understand that it would be great if anything interworks with anything else out of the box I don't see how to get there. > > Hence, I suggest that we > > a) skip specifying a mandatory-to-implement token-type, TLS version, etc. in the individual specifications, > b) complete re-chartering and to get some of the other needed building blocks done that get us closer to an more complete "system, > c) develop OAuth profiles and security recommendations for different security levels (in the style of what SP 800-63 outlines), > d) capture this discussion on mandatory-to-implement security mechanisms in a draft and socialize it with the rest of the IETF security community, > e) have a broader discussion about what we envision the Web identity eco-system to look like. http://tools.ietf.org/html/draft-tschofenig-secure-the-web-00 tries to make a first step but it is still at an early stage. > > Ciao > Hannes > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth ------2U98BIR3YRFAUBL5VO8LOHGQJQVYJM Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit +1



William Mills <wmills@yahoo-inc.com> schrieb:
+1

From: Justin Richer <jricher@mitre.org>
To: oauth@ietf.org
Sent: Thursday, December 8, 2011 6:30 AM
Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability
+1

Very well said, Hannes.

  -- Justin

On 12/08/2011 09:18 AM, Hannes Tschofenig wrote:
> Hi all,
>
> I read through this rather long mail thread again and see whether we are reaching any conclusion on this discussion.
> In turns out that there are actually two types of discussions that relate to each other, namely the TLS version support and the token type.
>
> Let me go back in time a little bit when I was still chairing another working group (years ago), namely the KEYPROV working group. There we ran into a similar issue, which looked fairly simple at the beginning. We worked on Portable Symmetric Key Container (PSKC),  later published as RFC 6030. We were at the stage where we thought we had to decide on a mandatory-to-implement cryptographic algorithm and, similar to the OAuth case, PSKC is one building block in a larger protocol suite. As you can imagine, everyone had their own deployment environment in mind and did not like the suggestion others made about what as mandatory to implement.
>
> Russ (now IETF chair and at that time security area director) told the group not to worry - we don't need to pick an algorithm. He suggested to just provide a recommendation of what is best in a specific deployment environment (at the time of writing). In fact, he proposed to publish a separate document instead to discussing it in that document.
>
> I was surprised because I was couldn't see how one would accomplish interoperability. Russ told me that this is in practice not a problem because implementations often implement a range of cryptographic algorithms anyway. Then, as part of the algorithm negotiation procedure (or some discovery) they will figure out what both end points support. He further argued that algorithm preferences will change (as algorithms get old) and we don't want to update our specifications all the time. (This was a bit motivated by the MD5 clean-up that happened at that time.) [Please forgive me if I do not recall the exact words he said many years ago.]
>
> I believe we are having a similar discussion here as well, both with the token type but also with the TLS version. We look at individual specifications because we are used to add security consideration sections to each and every document. Unfortunately, the most useful statements about security (for these multi-party protocols where the functionality is spread over multiple documents) can really only be made at a higher level. Our approach for describing security threats and for recommending countermeasures isn't suitable to all the documents we produce.
>
> Let me list a few desirable results of our standardization work:
>
> 1) Everyone wants interoperability. We can do interop testing of building blocks to see whether a client and a server are able to interact. For example, we could write a few test cases to see how two independent bearer token specifications work with each other. That approach works for some of our building blocks. I do, however, believe that we are more interested of an interoperable system consisting of several components rather than having interop between random components. Even if we do not like it, OAuth is an application level protocol that requires a number of things to be in place to make sense.
>
> 2) We want libraries to be available that allow implementers to quickly "OAuth-enable" their Web applications, i.e., by quickly I mean that an application develop shouldn't have to write everything from scratch. Most of the development time will be spent on aspects that are not subject to standardization in the working group (such as the user interface and the actual application semantic -- the data sharing that happens once the authorization step is completed). These libraries are likely to support various extensions and getting two different implementations to interwork will IMHO in practice not be a problem. However, for a real deployment it seems that the current direction where people are going is more in the line of trust frameworks where much more than just technical interoperability is needed for a working system. See the discussions around NSTIC for that matter.
>
> 3) We want the ability for algorithm negotiation/discovery, at least up to a certain degree. For example, it would would nice if a client talks to a server and they both implement TLS 1.2 then they actually use it. The requirement for crypto-agility fits in here as well.
>
> 4) We want to separate the protocol specification from the cryptographic algorithms and other faster changing components. We don't want to update our protocol specification just because an algorithm becomes obsolete or the protocol suddenly gets used in a different environment where other constraints may be prevalent.
>
> 5) The security analysis and the solution approaches will vary based on the deployment environment. During the Taipei OAuth WG meeting I tried to explain what I mean with this statement with my reference to NIST SP 800-63. For some reason I failed to get the story across and so I try it again here.
>
> The authors of NIST SP 800-63 (of which one is Tim Polk, former IETF security AD) noticed that identity management protocols will be used for a variety of different usages, each with different security properties, and varying privacy requirements. For this purpose, the NIST guys had introduced the famous "Level of Assurance (LoA)" concept. Different levels put different requirements on different parts of the protocol suite. There is no expectation that bearer assertions will be issued by an authorization server for usage with a client at LoA level 4. A client implementation for the health care environment may also not expect to accept LoA 1 only suitable mechanisms.
>
> While it may be fine for certain environments not to care about the installed code size there are certainly cases where size of code matters. I am not only thinking about the Internet of Things space but also about the vulnerabilities that are introduced by unnecessary code.
>
> While I understand that it would be great if anything interworks with anything else out of the box I don't see how to get there.
>
> Hence, I suggest that we
>
> a) skip specifying a mandatory-to-implement token-type, TLS version, etc. in the individual specifications,
> b) complete re-chartering and to get some of the other needed building blocks done that get us closer to an more complete "system,
> c) develop OAuth profiles and security recommendations for different security levels (in the style of what SP 800-63 outlines),
> d) capture this discussion on mandatory-to-implement security mechanisms in a draft and socialize it with the rest of the IETF security community,
> e) have a broader discussion about what we envision the Web identity eco-system to look like. http://tools.ietf.org/html/draft-tschofenig-secure-the-web-00 tries to make a first step but it is still at an early stage.
>
> Ciao
> Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


------2U98BIR3YRFAUBL5VO8LOHGQJQVYJM-- From alexey.melnikov@isode.com Fri Dec 9 04:10:47 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BA2B21F88B7 for ; Fri, 9 Dec 2011 04:10:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.71 X-Spam-Level: X-Spam-Status: No, score=-101.71 tagged_above=-999 required=5 tests=[AWL=-0.602, BAYES_00=-2.599, DATE_IN_PAST_12_24=0.992, GB_ABOUTYOU=0.5, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nIao5e5gECwG for ; Fri, 9 Dec 2011 04:10:41 -0800 (PST) Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by ietfa.amsl.com (Postfix) with ESMTP id 24E8421F8A6C for ; Fri, 9 Dec 2011 04:10:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1323432619; d=isode.com; s=selector; i=@isode.com; bh=9vIXJzVKJ2xJqVTsuxhjOra+Lk/V455CyYw31OFEQNM=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=NnnOCZ/LFu8AN1mjgwbtofFcxS4SAbaP+B/Zarm+KnaPQkwD+4et9bRjH0PGtRv8dxf/7b 93U/rvfmZy3uS7kgYmYIe9vB7RiSpr1NBi8s2zTy28I/aNzY/5cd6YXVclpUAu3Au2FVf5 PigtWBkd5Fx1Yu1mmcwQiCrxjapqZjI=; Received: from [172.16.1.29] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id ; Fri, 9 Dec 2011 12:10:18 +0000 Message-ID: <4EE128E1.8070801@isode.com> Date: Thu, 08 Dec 2011 21:15:13 +0000 From: Alexey Melnikov User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20111105 Thunderbird/8.0 To: Hannes Tschofenig References: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> In-Reply-To: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: "oauth@ietf.org WG" Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Dec 2011 12:10:47 -0000 On 08/12/2011 14:18, Hannes Tschofenig wrote: > Hi all, Hi Hannes, Some random thoughts about your message below: > I read through this rather long mail thread again and see whether we are reaching any conclusion on this discussion. > In turns out that there are actually two types of discussions that relate to each other, namely the TLS version support and the token type. > > Let me go back in time a little bit when I was still chairing another working group (years ago), namely the KEYPROV working group. There we ran into a similar issue, which looked fairly simple at the beginning. We worked on Portable Symmetric Key Container (PSKC), later published as RFC 6030. We were at the stage where we thought we had to decide on a mandatory-to-implement cryptographic algorithm and, similar to the OAuth case, PSKC is one building block in a larger protocol suite. As you can imagine, everyone had their own deployment environment in mind and did not like the suggestion others made about what as mandatory to implement. > > Russ (now IETF chair and at that time security area director) told the group not to worry - we don't need to pick an algorithm. He suggested to just provide a recommendation of what is best in a specific deployment environment (at the time of writing). In fact, he proposed to publish a separate document instead to discussing it in that document. > > I was surprised because I was couldn't see how one would accomplish interoperability. Russ told me that this is in practice not a problem because implementations often implement a range of cryptographic algorithms anyway. Then, as part of the algorithm negotiation procedure (or some discovery) they will figure out what both end points support. He further argued that algorithm preferences will change (as algorithms get old) and we don't want to update our specifications all the time. (This was a bit motivated by the MD5 clean-up that happened at that time.) [Please forgive me if I do not recall the exact words he said many years ago.] > > I believe we are having a similar discussion here as well, both with the token type but also with the TLS version. We look at individual specifications because we are used to add security consideration sections to each and every document. Unfortunately, the most useful statements about security (for these multi-party protocols where the functionality is spread over multiple documents) can really only be made at a higher level. Our approach for describing security threats and for recommending countermeasures isn't suitable to all the documents we produce. > > Let me list a few desirable results of our standardization work: > > 1) Everyone wants interoperability. We can do interop testing of building blocks to see whether a client and a server are able to interact. For example, we could write a few test cases to see how two independent bearer token specifications work with each other. That approach works for some of our building blocks. I do, however, believe that we are more interested of an interoperable system consisting of several components rather than having interop between random components. Even if we do not like it, OAuth is an application level protocol that requires a number of things to be in place to make sense. > > 2) We want libraries to be available that allow implementers to quickly "OAuth-enable" their Web applications, i.e., by quickly I mean that an application develop shouldn't have to write everything from scratch. Most of the development time will be spent on aspects that are not subject to standardization in the working group (such as the user interface and the actual application semantic -- the data sharing that happens once the authorization step is completed). These libraries are likely to support various extensions and getting two different implementations to interwork will IMHO in practice not be a problem. However, for a real deployment it seems that the current direction where people are going is more in the line of trust frameworks where much more than just technical interoperability is needed for a working system. See the discussions around NSTIC for that matter. > > 3) We want the ability for algorithm negotiation/discovery, at least up to a certain degree. For example, it would would nice if a client talks to a server and they both implement TLS 1.2 then they actually use it. The requirement for crypto-agility fits in here as well. Algorithm negotiation/discovery is always a good thing. TLS already have this capability builtin, so doing TLS version negotiation at the application layer would be wrong. > 4) We want to separate the protocol specification from the cryptographic algorithms and other faster changing components. We don't want to update our protocol specification just because an algorithm becomes obsolete or the protocol suddenly gets used in a different environment where other constraints may be prevalent. Separating requirement on crypto from the rest of the protocol is generally a good thing. > 5) The security analysis and the solution approaches will vary based on the deployment environment. During the Taipei OAuth WG meeting I tried to explain what I mean with this statement with my reference to NIST SP 800-63. For some reason I failed to get the story across and so I try it again here. > > The authors of NIST SP 800-63 (of which one is Tim Polk, former IETF security AD) noticed that identity management protocols will be used for a variety of different usages, each with different security properties, and varying privacy requirements. For this purpose, the NIST guys had introduced the famous "Level of Assurance (LoA)" concept. Different levels put different requirements on different parts of the protocol suite. There is no expectation that bearer assertions will be issued by an authorization server for usage with a client at LoA level 4. A client implementation for the health care environment may also not expect to accept LoA 1 only suitable mechanisms. > > While it may be fine for certain environments not to care about the installed code size there are certainly cases where size of code matters. I am not only thinking about the Internet of Things space but also about the vulnerabilities that are introduced by unnecessary code. If the WG is making a claim that OAuth is always going to be a part of bigger environments (e.g. healthcare, military, etc), each with its own requirements on security mechanisms, then I think this needs to be captured in one of the OAuth documents. This is your escape clause from the de-facto requirement to specify mandatory-to-implement mechanisms. > While I understand that it would be great if anything interworks with anything else out of the box I don't see how to get there. > > Hence, I suggest that we > > a) skip specifying a mandatory-to-implement token-type, TLS version, etc. in the individual specifications, > b) complete re-chartering and to get some of the other needed building blocks done that get us closer to an more complete "system, > c) develop OAuth profiles and security recommendations for different security levels (in the style of what SP 800-63 outlines), > d) capture this discussion on mandatory-to-implement security mechanisms in a draft and socialize it with the rest of the IETF security community, If I were your AD, I would have asked for some demonstrated effort on d) and possibly c) [e.g. some drafts written] before allowing a) and b) to go forward. > e) have a broader discussion about what we envision the Web identity eco-system to look like. http://tools.ietf.org/html/draft-tschofenig-secure-the-web-00 tries to make a first step but it is still at an early stage. > > Ciao > Hannes From stephen.farrell@cs.tcd.ie Fri Dec 9 04:36:06 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 951D421F86B3 for ; Fri, 9 Dec 2011 04:36:06 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.349 X-Spam-Level: X-Spam-Status: No, score=-102.349 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, GB_ABOUTYOU=0.5, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xA7teQOPbzaa for ; Fri, 9 Dec 2011 04:36:03 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 747AE21F85F1 for ; Fri, 9 Dec 2011 04:36:02 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 434A6157594; Fri, 9 Dec 2011 12:36:01 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1323434160; bh=QZETRs+Q8YqGY+ xfYx41Q5xBIGePos7UbzqNAmgRQ/g=; b=4wA+q3rokqxysFz1lYKTls2cowkYib qt/fplo+Cd+QXVEAb2V9OODBuFzXyTaui3yrR5VU4AlzkNoA9pUUmNuYzp17khL3 xzrY+l05GqZfikYzMi1rNzd9nB6NoxKw5HFaQU/udV2JRMTeK+Nuf0I2sMQ5CXk1 9CMRrWeaHuYL1c5E8Oi3gxPxyr6XQeE0t59win3LaD+oYRQoZT4myIBXUGr9xvIv 1zmDVTajY5SZSoBqYClyXRoT5GfQkqqamVsQe1TvZM7GEK7wXDhJqSfRznU1t7Ae kfdG/r8UQ9ZWsKuMX8fC8n1NN9tE5TYKpsv1x1ddOzFlpZ4R0mkNrz6g== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id Zmv8sscEMeF0; Fri, 9 Dec 2011 12:36:00 +0000 (GMT) Received: from [10.87.48.3] (unknown [86.42.29.40]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 094F81539C3; Fri, 9 Dec 2011 12:35:59 +0000 (GMT) Message-ID: <4EE200AF.20902@cs.tcd.ie> Date: Fri, 09 Dec 2011 12:35:59 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Hannes Tschofenig References: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> <4EE128E1.8070801@isode.com> In-Reply-To: <4EE128E1.8070801@isode.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: "oauth@ietf.org WG" Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Dec 2011 12:36:06 -0000 Hannes, I don't see any proposed text here, I see re-chartering suggestions. The latter is not going to happen if the current main documents are wedged. Please focus on the former now. You know that I disagree with you and a number of WG participants about this, so no need for me to repeat myself, other than to say that I've always said "pick an MTI, *or* say (convincingly) what that's not needed" and you've not addressed the latter. Barry's text did do that. The fact that a) the room in Taipei seemed to agree with MTI, b) the list seemed to agree with Barry's suggested text, and c) this new suggested programme also gets a bunch of +1's all seems to me to imply that people are not sufficiently focused on getting this finished but would still prefer to get what they think of as perfection. S. PS: I would also quibble that the lessons from keyprov are highly relevant here, but let's not:-) On 12/08/2011 09:15 PM, Alexey Melnikov wrote: > On 08/12/2011 14:18, Hannes Tschofenig wrote: >> Hi all, > Hi Hannes, > Some random thoughts about your message below: >> I read through this rather long mail thread again and see whether we >> are reaching any conclusion on this discussion. >> In turns out that there are actually two types of discussions that >> relate to each other, namely the TLS version support and the token type. >> >> Let me go back in time a little bit when I was still chairing another >> working group (years ago), namely the KEYPROV working group. There we >> ran into a similar issue, which looked fairly simple at the beginning. >> We worked on Portable Symmetric Key Container (PSKC), later published >> as RFC 6030. We were at the stage where we thought we had to decide on >> a mandatory-to-implement cryptographic algorithm and, similar to the >> OAuth case, PSKC is one building block in a larger protocol suite. As >> you can imagine, everyone had their own deployment environment in mind >> and did not like the suggestion others made about what as mandatory to >> implement. >> >> Russ (now IETF chair and at that time security area director) told the >> group not to worry - we don't need to pick an algorithm. He suggested >> to just provide a recommendation of what is best in a specific >> deployment environment (at the time of writing). In fact, he proposed >> to publish a separate document instead to discussing it in that document. >> >> I was surprised because I was couldn't see how one would accomplish >> interoperability. Russ told me that this is in practice not a problem >> because implementations often implement a range of cryptographic >> algorithms anyway. Then, as part of the algorithm negotiation >> procedure (or some discovery) they will figure out what both end >> points support. He further argued that algorithm preferences will >> change (as algorithms get old) and we don't want to update our >> specifications all the time. (This was a bit motivated by the MD5 >> clean-up that happened at that time.) [Please forgive me if I do not >> recall the exact words he said many years ago.] >> >> I believe we are having a similar discussion here as well, both with >> the token type but also with the TLS version. We look at individual >> specifications because we are used to add security consideration >> sections to each and every document. Unfortunately, the most useful >> statements about security (for these multi-party protocols where the >> functionality is spread over multiple documents) can really only be >> made at a higher level. Our approach for describing security threats >> and for recommending countermeasures isn't suitable to all the >> documents we produce. >> >> Let me list a few desirable results of our standardization work: >> >> 1) Everyone wants interoperability. We can do interop testing of >> building blocks to see whether a client and a server are able to >> interact. For example, we could write a few test cases to see how two >> independent bearer token specifications work with each other. That >> approach works for some of our building blocks. I do, however, believe >> that we are more interested of an interoperable system consisting of >> several components rather than having interop between random >> components. Even if we do not like it, OAuth is an application level >> protocol that requires a number of things to be in place to make sense. >> >> 2) We want libraries to be available that allow implementers to >> quickly "OAuth-enable" their Web applications, i.e., by quickly I mean >> that an application develop shouldn't have to write everything from >> scratch. Most of the development time will be spent on aspects that >> are not subject to standardization in the working group (such as the >> user interface and the actual application semantic -- the data sharing >> that happens once the authorization step is completed). These >> libraries are likely to support various extensions and getting two >> different implementations to interwork will IMHO in practice not be a >> problem. However, for a real deployment it seems that the current >> direction where people are going is more in the line of trust >> frameworks where much more than just technical interoperability is >> needed for a working system. See the discussions around NSTIC for that >> matter. >> >> 3) We want the ability for algorithm negotiation/discovery, at least >> up to a certain degree. For example, it would would nice if a client >> talks to a server and they both implement TLS 1.2 then they actually >> use it. The requirement for crypto-agility fits in here as well. > Algorithm negotiation/discovery is always a good thing. > > TLS already have this capability builtin, so doing TLS version > negotiation at the application layer would be wrong. >> 4) We want to separate the protocol specification from the >> cryptographic algorithms and other faster changing components. We >> don't want to update our protocol specification just because an >> algorithm becomes obsolete or the protocol suddenly gets used in a >> different environment where other constraints may be prevalent. > Separating requirement on crypto from the rest of the protocol is > generally a good thing. >> 5) The security analysis and the solution approaches will vary based >> on the deployment environment. During the Taipei OAuth WG meeting I >> tried to explain what I mean with this statement with my reference to >> NIST SP 800-63. For some reason I failed to get the story across and >> so I try it again here. >> >> The authors of NIST SP 800-63 (of which one is Tim Polk, former IETF >> security AD) noticed that identity management protocols will be used >> for a variety of different usages, each with different security >> properties, and varying privacy requirements. For this purpose, the >> NIST guys had introduced the famous "Level of Assurance (LoA)" >> concept. Different levels put different requirements on different >> parts of the protocol suite. There is no expectation that bearer >> assertions will be issued by an authorization server for usage with a >> client at LoA level 4. A client implementation for the health care >> environment may also not expect to accept LoA 1 only suitable mechanisms. >> >> While it may be fine for certain environments not to care about the >> installed code size there are certainly cases where size of code >> matters. I am not only thinking about the Internet of Things space but >> also about the vulnerabilities that are introduced by unnecessary code. > If the WG is making a claim that OAuth is always going to be a part of > bigger environments (e.g. healthcare, military, etc), each with its own > requirements on security mechanisms, then I think this needs to be > captured in one of the OAuth documents. This is your escape clause from > the de-facto requirement to specify mandatory-to-implement mechanisms. >> While I understand that it would be great if anything interworks with >> anything else out of the box I don't see how to get there. >> >> Hence, I suggest that we >> >> a) skip specifying a mandatory-to-implement token-type, TLS version, >> etc. in the individual specifications, >> b) complete re-chartering and to get some of the other needed building >> blocks done that get us closer to an more complete "system, >> c) develop OAuth profiles and security recommendations for different >> security levels (in the style of what SP 800-63 outlines), >> d) capture this discussion on mandatory-to-implement security >> mechanisms in a draft and socialize it with the rest of the IETF >> security community, > If I were your AD, I would have asked for some demonstrated effort on d) > and possibly c) [e.g. some drafts written] before allowing a) and b) to > go forward. >> e) have a broader discussion about what we envision the Web identity >> eco-system to look like. >> http://tools.ietf.org/html/draft-tschofenig-secure-the-web-00 tries to >> make a first step but it is still at an early stage. >> >> Ciao >> Hannes > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > From eran@hueniverse.com Fri Dec 9 07:30:40 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FC8821F848D for ; Fri, 9 Dec 2011 07:30:40 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.299 X-Spam-Level: X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.200, BAYES_00=-2.599, GB_ABOUTYOU=0.5] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bB4qeQpUSyqw for ; Fri, 9 Dec 2011 07:30:39 -0800 (PST) Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id 5AD0421F853A for ; Fri, 9 Dec 2011 07:30:39 -0800 (PST) Received: (qmail 14276 invoked from network); 9 Dec 2011 15:30:38 -0000 Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 9 Dec 2011 15:30:35 -0000 Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Fri, 9 Dec 2011 08:30:29 -0700 From: Eran Hammer-Lahav To: Stephen Farrell , Hannes Tschofenig Date: Fri, 9 Dec 2011 08:30:18 -0700 Thread-Topic: [OAUTH-WG] Mandatory to Implement & Interoperability Thread-Index: Acy2byJcDSEuY1IpT6+nyYmPH+Ra8gAF3wDA Message-ID: <90C41DD21FB7C64BB94121FBBC2E723452856C79B8@P3PW5EX1MB01.EX1.SECURESERVER.NET> References: <8808AF69-6454-4ADF-96E9-C7CE6430E22C@gmx.net> <4EE128E1.8070801@isode.com> <4EE200AF.20902@cs.tcd.ie> In-Reply-To: <4EE200AF.20902@cs.tcd.ie> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: "oauth@ietf.org WG" Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Dec 2011 15:30:40 -0000 I can work with Berry's text. Another alternative is to: * Require the server to implement at least one of Bearer and MAC, or provid= e the client with a method for discovering or requesting a specific token t= ype (which is beyond the scope). This way, until there is a discovery method, each server must support at le= ast one of these two (which is not an unreasonable requirement given that t= hese two cover all the use cases the community has come up with in 5 years)= . Clients that want to ensure interoperability then, must understand both, = but the requirement isn't on the client. In practice, this will keep every = existing implementation already in compliance, and will offer clients a gua= ranteed path to interop is the client so chooses. The advantage of this approach is that it can be expressed with one sentenc= e and it should not offend those objecting to MTI MAC tokens. EHL > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Stephen Farrell > Sent: Friday, December 09, 2011 4:36 AM > To: Hannes Tschofenig > Cc: oauth@ietf.org WG > Subject: Re: [OAUTH-WG] Mandatory to Implement & Interoperability >=20 >=20 > Hannes, >=20 > I don't see any proposed text here, I see re-chartering suggestions. The > latter is not going to happen if the current main documents are wedged. > Please focus on the former now. >=20 > You know that I disagree with you and a number of WG participants about > this, so no need for me to repeat myself, other than to say that I've alw= ays > said "pick an MTI, *or* say (convincingly) what that's not needed" > and you've not addressed the latter. Barry's text did do that. >=20 > The fact that a) the room in Taipei seemed to agree with MTI, b) the list > seemed to agree with Barry's suggested text, and c) this new suggested > programme also gets a bunch of +1's all seems to me to imply that people = are > not sufficiently focused on getting this finished but would still prefer = to get > what they think of as perfection. >=20 > S. >=20 > PS: I would also quibble that the lessons from keyprov are highly relevan= t > here, but let's not:-) >=20 > On 12/08/2011 09:15 PM, Alexey Melnikov wrote: > > On 08/12/2011 14:18, Hannes Tschofenig wrote: > >> Hi all, > > Hi Hannes, > > Some random thoughts about your message below: > >> I read through this rather long mail thread again and see whether we > >> are reaching any conclusion on this discussion. > >> In turns out that there are actually two types of discussions that > >> relate to each other, namely the TLS version support and the token typ= e. > >> > >> Let me go back in time a little bit when I was still chairing another > >> working group (years ago), namely the KEYPROV working group. There we > >> ran into a similar issue, which looked fairly simple at the beginning. > >> We worked on Portable Symmetric Key Container (PSKC), later published > >> as RFC 6030. We were at the stage where we thought we had to decide > >> on a mandatory-to-implement cryptographic algorithm and, similar to > >> the OAuth case, PSKC is one building block in a larger protocol > >> suite. As you can imagine, everyone had their own deployment > >> environment in mind and did not like the suggestion others made about > >> what as mandatory to implement. > >> > >> Russ (now IETF chair and at that time security area director) told > >> the group not to worry - we don't need to pick an algorithm. He > >> suggested to just provide a recommendation of what is best in a > >> specific deployment environment (at the time of writing). In fact, he > >> proposed to publish a separate document instead to discussing it in th= at > document. > >> > >> I was surprised because I was couldn't see how one would accomplish > >> interoperability. Russ told me that this is in practice not a problem > >> because implementations often implement a range of cryptographic > >> algorithms anyway. Then, as part of the algorithm negotiation > >> procedure (or some discovery) they will figure out what both end > >> points support. He further argued that algorithm preferences will > >> change (as algorithms get old) and we don't want to update our > >> specifications all the time. (This was a bit motivated by the MD5 > >> clean-up that happened at that time.) [Please forgive me if I do not > >> recall the exact words he said many years ago.] > >> > >> I believe we are having a similar discussion here as well, both with > >> the token type but also with the TLS version. We look at individual > >> specifications because we are used to add security consideration > >> sections to each and every document. Unfortunately, the most useful > >> statements about security (for these multi-party protocols where the > >> functionality is spread over multiple documents) can really only be > >> made at a higher level. Our approach for describing security threats > >> and for recommending countermeasures isn't suitable to all the > >> documents we produce. > >> > >> Let me list a few desirable results of our standardization work: > >> > >> 1) Everyone wants interoperability. We can do interop testing of > >> building blocks to see whether a client and a server are able to > >> interact. For example, we could write a few test cases to see how two > >> independent bearer token specifications work with each other. That > >> approach works for some of our building blocks. I do, however, > >> believe that we are more interested of an interoperable system > >> consisting of several components rather than having interop between > >> random components. Even if we do not like it, OAuth is an application > >> level protocol that requires a number of things to be in place to make > sense. > >> > >> 2) We want libraries to be available that allow implementers to > >> quickly "OAuth-enable" their Web applications, i.e., by quickly I > >> mean that an application develop shouldn't have to write everything > >> from scratch. Most of the development time will be spent on aspects > >> that are not subject to standardization in the working group (such as > >> the user interface and the actual application semantic -- the data > >> sharing that happens once the authorization step is completed). These > >> libraries are likely to support various extensions and getting two > >> different implementations to interwork will IMHO in practice not be a > >> problem. However, for a real deployment it seems that the current > >> direction where people are going is more in the line of trust > >> frameworks where much more than just technical interoperability is > >> needed for a working system. See the discussions around NSTIC for > >> that matter. > >> > >> 3) We want the ability for algorithm negotiation/discovery, at least > >> up to a certain degree. For example, it would would nice if a client > >> talks to a server and they both implement TLS 1.2 then they actually > >> use it. The requirement for crypto-agility fits in here as well. > > Algorithm negotiation/discovery is always a good thing. > > > > TLS already have this capability builtin, so doing TLS version > > negotiation at the application layer would be wrong. > >> 4) We want to separate the protocol specification from the > >> cryptographic algorithms and other faster changing components. We > >> don't want to update our protocol specification just because an > >> algorithm becomes obsolete or the protocol suddenly gets used in a > >> different environment where other constraints may be prevalent. > > Separating requirement on crypto from the rest of the protocol is > > generally a good thing. > >> 5) The security analysis and the solution approaches will vary based > >> on the deployment environment. During the Taipei OAuth WG meeting I > >> tried to explain what I mean with this statement with my reference to > >> NIST SP 800-63. For some reason I failed to get the story across and > >> so I try it again here. > >> > >> The authors of NIST SP 800-63 (of which one is Tim Polk, former IETF > >> security AD) noticed that identity management protocols will be used > >> for a variety of different usages, each with different security > >> properties, and varying privacy requirements. For this purpose, the > >> NIST guys had introduced the famous "Level of Assurance (LoA)" > >> concept. Different levels put different requirements on different > >> parts of the protocol suite. There is no expectation that bearer > >> assertions will be issued by an authorization server for usage with a > >> client at LoA level 4. A client implementation for the health care > >> environment may also not expect to accept LoA 1 only suitable > mechanisms. > >> > >> While it may be fine for certain environments not to care about the > >> installed code size there are certainly cases where size of code > >> matters. I am not only thinking about the Internet of Things space > >> but also about the vulnerabilities that are introduced by unnecessary > code. > > If the WG is making a claim that OAuth is always going to be a part of > > bigger environments (e.g. healthcare, military, etc), each with its > > own requirements on security mechanisms, then I think this needs to be > > captured in one of the OAuth documents. This is your escape clause > > from the de-facto requirement to specify mandatory-to-implement > mechanisms. > >> While I understand that it would be great if anything interworks with > >> anything else out of the box I don't see how to get there. > >> > >> Hence, I suggest that we > >> > >> a) skip specifying a mandatory-to-implement token-type, TLS version, > >> etc. in the individual specifications, > >> b) complete re-chartering and to get some of the other needed > >> building blocks done that get us closer to an more complete "system, > >> c) develop OAuth profiles and security recommendations for different > >> security levels (in the style of what SP 800-63 outlines), > >> d) capture this discussion on mandatory-to-implement security > >> mechanisms in a draft and socialize it with the rest of the IETF > >> security community, > > If I were your AD, I would have asked for some demonstrated effort on > > d) and possibly c) [e.g. some drafts written] before allowing a) and > > b) to go forward. > >> e) have a broader discussion about what we envision the Web identity > >> eco-system to look like. > >> http://tools.ietf.org/html/draft-tschofenig-secure-the-web-00 tries > >> to make a first step but it is still at an early stage. > >> > >> Ciao > >> Hannes > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From Michael.Jones@microsoft.com Fri Dec 9 10:30:17 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C83D721F85FF for ; Fri, 9 Dec 2011 10:30:17 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.349 X-Spam-Level: X-Spam-Status: No, score=-4.349 tagged_above=-999 required=5 tests=[AWL=-0.750, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t9KAs7ty9VGs for ; Fri, 9 Dec 2011 10:30:16 -0800 (PST) Received: from DB3EHSOBE005.bigfish.com (db3ehsobe005.messaging.microsoft.com [213.199.154.143]) by ietfa.amsl.com (Postfix) with ESMTP id 6143021F85BB for ; Fri, 9 Dec 2011 10:30:16 -0800 (PST) Received: from mail55-db3-R.bigfish.com (10.3.81.241) by DB3EHSOBE005.bigfish.com (10.3.84.25) with Microsoft SMTP Server id 14.1.225.23; Fri, 9 Dec 2011 18:30:00 +0000 Received: from mail55-db3 (localhost [127.0.0.1]) by mail55-db3-R.bigfish.com (Postfix) with ESMTP id C66594803EB; Fri, 9 Dec 2011 18:30:20 +0000 (UTC) X-SpamScore: -36 X-BigFish: VS-36(zzbb2dI9371I542M1432N98dKzz1202hzz1033IL8275dhz2fh2a8h668h839h944h) X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC107.redmond.corp.microsoft.com; RD:none; EFVD:NLI X-FB-SS: 13, Received-SPF: pass (mail55-db3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC107.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail55-db3 (localhost.localdomain [127.0.0.1]) by mail55-db3 (MessageSwitch) id 1323455420613587_16952; Fri, 9 Dec 2011 18:30:20 +0000 (UTC) Received: from DB3EHSMHS017.bigfish.com (unknown [10.3.81.252]) by mail55-db3.bigfish.com (Postfix) with ESMTP id 7F58E4C0050; Fri, 9 Dec 2011 18:30:20 +0000 (UTC) Received: from TK5EX14HUBC107.redmond.corp.microsoft.com (131.107.125.8) by DB3EHSMHS017.bigfish.com (10.3.87.117) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 9 Dec 2011 18:29:59 +0000 Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.220]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.02.0247.005; Fri, 9 Dec 2011 10:30:09 -0800 From: Mike Jones To: Peter Saint-Andre , Stephen Farrell Thread-Topic: [OAUTH-WG] TLS version requirements in OAuth 2.0 base Thread-Index: AQHMpQS3rrgWikVnJ0eTUo1lILA6vJXDzSWAgAQ5RwCAAAA4gIAADPgAgAAAoACAC+J6QA== Date: Fri, 9 Dec 2011 18:30:08 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435F75C320@TK5EX14MBXC283.redmond.corp.microsoft.com> References: <4ED7DF0C.4000701@cdatazone.org> <4ED7DF3B.5010107@stpeter.im> <4ED7EA1C.1040208@cs.tcd.ie> <4ED7EAA2.40402@stpeter.im> In-Reply-To: <4ED7EAA2.40402@stpeter.im> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.74] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Dec 2011 18:30:17 -0000 It looks to me like there is consensus for Barry's text (below). Agreed? -- Mike NEW -------------------------------------------- The authorization server MUST implement TLS. Which version(s) ought to be = implemented will vary over time, and depend on the widespread deployment an= d known security vulnerabilities at the time of implementation. At the tim= e of this writing, TLS version 1.2 [RFC5246] is the most recent version, bu= t has very limited actual deployment, and might not be readily available in= implementation toolkits. TLS version 1.0 [RFC2246] is the most widely dep= loyed version, and will give the broadest interoperability. Servers MAY also implement additional transport-layer mechanisms that meet = their security requirements. -------------------------------------------- -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of P= eter Saint-Andre Sent: Thursday, December 01, 2011 12:59 PM To: Stephen Farrell Cc: Barry Leiba; oauth WG Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base On 12/1/11 1:57 PM, Stephen Farrell wrote: >=20 >=20 > On 12/01/2011 08:10 PM, Peter Saint-Andre wrote: >> On 12/1/11 1:09 PM, Rob Richards wrote: >>> On 11/28/11 10:39 PM, Barry Leiba wrote: >>>>> The OAuth base doc refers in two places to TLS versions (with the=20 >>>>> same text in both places: >>>>> >>>>> OLD >>>>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD=20 >>>>> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY=20 >>>>> support additional transport-layer mechanisms meeting its security=20 >>>>> requirements. >>>>> >>>>> In both the shepherd review and the AD review, this was called=20 >>>>> into >>>>> question: >>>>> 1. MUST for an old version and SHOULD for the current version=20 >>>>> seems wrong. >>>>> 2. Having specific versions required locks us into those versions=20 >>>>> (for example, all implementations will have to support TLS 1.0,=20 >>>>> even long after it becomes obsolete, unless we rev the spec. >>>> The comments I've gotten on this show a clear consensus against the=20 >>>> change I suggest, and against any attempt to require a version of=20 >>>> TLS other than 1.0. I still, though, am concerned that locking=20 >>>> this spec into TLS 1.0 is limiting. So let me propose an=20 >>>> alternative wording, which again tries to make the version(s)=20 >>>> non-normative, while making it clear which version(s) need to be=20 >>>> implemented to get >>>> interoperability: >>>> >>>> NEW >>>> -------------------------------------------- >>>> The authorization server MUST implement TLS. Which version(s)=20 >>>> ought to be implemented will vary over time, and depend on the=20 >>>> widespread deployment and known security vulnerabilities at the=20 >>>> time of implementation. At the time of this writing, TLS version >>>> 1.2 [RFC5246] is the most recent version, but has very limited=20 >>>> actual deployment, and might not be readily available in=20 >>>> implementation toolkits. TLS version 1.0 [RFC2246] is the most=20 >>>> widely deployed version, and will give the broadest=20 >>>> interoperability. >>>> >>>> Servers MAY also implement additional transport-layer mechanisms=20 >>>> that meet their security requirements. >>>> -------------------------------------------- >>>> >>>> Comments on this version? >>>> >>>> Barry >>>> >>> >>> Text is neutral enough for me as it's not mandating anything that=20 >>> isn't readily available. Only comment is whether or not there is a=20 >>> need to even talk about the specific versions or if just the=20 >>> following is >>> enough: >>> >>> The authorization server MUST implement TLS. Which version(s) ought=20 >>> to be implemented will vary over time, and depend on the widespread=20 >>> deployment and known security vulnerabilities at the time of=20 >>> implementation. >>> >>> Servers MAY also implement additional transport-layer mechanisms=20 >>> that meet their security requirements. >> >> That seems fine to me. >=20 > FWIW, I think I'd prefer Barry's as Rob's would be more likely to=20 > generate discusses and we do know that there are some security=20 > advantages to TLS 1.2 vs. 1.0. (BTW, has anyone considered how or if=20 > the BEAST attack might affect oauth? Be good to know if someone's done=20 > that analysis.) >=20 > However, as AD, I could live with either, since lots of other specs=20 > just say TLS. (But you need to point to the latest RFC as normative or=20 > that will I bet generate discusses.) Agreed. Peter -- Peter Saint-Andre https://stpeter.im/ _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From stephen.farrell@cs.tcd.ie Fri Dec 9 11:43:47 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59EB821F848F for ; Fri, 9 Dec 2011 11:43:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.549 X-Spam-Level: X-Spam-Status: No, score=-102.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5AJjkom7o8jH for ; Fri, 9 Dec 2011 11:43:43 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id DF59A21F8462 for ; Fri, 9 Dec 2011 11:43:41 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id CD1861539C3; Fri, 9 Dec 2011 19:43:40 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1323459820; bh=2DIMDtaPoMbbH4 tOIVGxQ7Rhw+c0wndLVstLD/u1eBA=; b=JIEySrB9gZkg/ap9ysPboCrsBIZs8Y oGdUcLS6lMrgsvxg7nq9G1YkLikDIvdn2aVyR511D0h+LDyTAMQ4+SiiwQO/Jt76 b3cFd7dspezTFzwargO36koSyw++c9fzf+Yz3lqg381215Q0BcGfa7RgWHROpi1M 58CXphmSPtVlKy/MxsSzok5I+FRqOF6USxAlNei1NPADljGwOuxN9hJlrDOI8g+T TGLcP9gPpHrke6Ru8S86fVOV3K5LRCYVrBxT4snWzO+HJbdmwTTdj3AcbanXxYLf D7tKaz06kmgtTQtn+eyEVpaCyXFtpY8GeZXzxsFY5ez/QA8o5Rkhb2ew== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id RlRoQ7F6XwN7; Fri, 9 Dec 2011 19:43:40 +0000 (GMT) Received: from [10.87.48.3] (unknown [86.42.189.0]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 90504171C61; Fri, 9 Dec 2011 19:43:38 +0000 (GMT) Message-ID: <4EE264EA.9060900@cs.tcd.ie> Date: Fri, 09 Dec 2011 19:43:38 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Mike Jones References: <4ED7DF0C.4000701@cdatazone.org> <4ED7DF3B.5010107@stpeter.im> <4ED7EA1C.1040208@cs.tcd.ie> <4ED7EAA2.40402@stpeter.im> <4E1F6AAD24975D4BA5B16804296739435F75C320@TK5EX14MBXC283.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F75C320@TK5EX14MBXC283.redmond.corp.microsoft.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Dec 2011 19:43:47 -0000 All but the last bit seems ok to me FWIW. I don't know what an "additional transport-layer mechanism" might be. I'd say just leave that bit out. TLS is already a MUST implement. S On 12/09/2011 06:30 PM, Mike Jones wrote: > It looks to me like there is consensus for Barry's text (below). Agreed? > > -- Mike > > NEW > -------------------------------------------- > The authorization server MUST implement TLS. Which version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation. At the time of this writing, TLS version 1.2 [RFC5246] is the most recent version, but has very limited actual deployment, and might not be readily available in implementation toolkits. TLS version 1.0 [RFC2246] is the most widely deployed version, and will give the broadest interoperability. > > Servers MAY also implement additional transport-layer mechanisms that meet their security requirements. > -------------------------------------------- > > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Peter Saint-Andre > Sent: Thursday, December 01, 2011 12:59 PM > To: Stephen Farrell > Cc: Barry Leiba; oauth WG > Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base > > On 12/1/11 1:57 PM, Stephen Farrell wrote: >> >> >> On 12/01/2011 08:10 PM, Peter Saint-Andre wrote: >>> On 12/1/11 1:09 PM, Rob Richards wrote: >>>> On 11/28/11 10:39 PM, Barry Leiba wrote: >>>>>> The OAuth base doc refers in two places to TLS versions (with the >>>>>> same text in both places: >>>>>> >>>>>> OLD >>>>>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD >>>>>> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY >>>>>> support additional transport-layer mechanisms meeting its security >>>>>> requirements. >>>>>> >>>>>> In both the shepherd review and the AD review, this was called >>>>>> into >>>>>> question: >>>>>> 1. MUST for an old version and SHOULD for the current version >>>>>> seems wrong. >>>>>> 2. Having specific versions required locks us into those versions >>>>>> (for example, all implementations will have to support TLS 1.0, >>>>>> even long after it becomes obsolete, unless we rev the spec. >>>>> The comments I've gotten on this show a clear consensus against the >>>>> change I suggest, and against any attempt to require a version of >>>>> TLS other than 1.0. I still, though, am concerned that locking >>>>> this spec into TLS 1.0 is limiting. So let me propose an >>>>> alternative wording, which again tries to make the version(s) >>>>> non-normative, while making it clear which version(s) need to be >>>>> implemented to get >>>>> interoperability: >>>>> >>>>> NEW >>>>> -------------------------------------------- >>>>> The authorization server MUST implement TLS. Which version(s) >>>>> ought to be implemented will vary over time, and depend on the >>>>> widespread deployment and known security vulnerabilities at the >>>>> time of implementation. At the time of this writing, TLS version >>>>> 1.2 [RFC5246] is the most recent version, but has very limited >>>>> actual deployment, and might not be readily available in >>>>> implementation toolkits. TLS version 1.0 [RFC2246] is the most >>>>> widely deployed version, and will give the broadest >>>>> interoperability. >>>>> >>>>> Servers MAY also implement additional transport-layer mechanisms >>>>> that meet their security requirements. >>>>> -------------------------------------------- >>>>> >>>>> Comments on this version? >>>>> >>>>> Barry >>>>> >>>> >>>> Text is neutral enough for me as it's not mandating anything that >>>> isn't readily available. Only comment is whether or not there is a >>>> need to even talk about the specific versions or if just the >>>> following is >>>> enough: >>>> >>>> The authorization server MUST implement TLS. Which version(s) ought >>>> to be implemented will vary over time, and depend on the widespread >>>> deployment and known security vulnerabilities at the time of >>>> implementation. >>>> >>>> Servers MAY also implement additional transport-layer mechanisms >>>> that meet their security requirements. >>> >>> That seems fine to me. >> >> FWIW, I think I'd prefer Barry's as Rob's would be more likely to >> generate discusses and we do know that there are some security >> advantages to TLS 1.2 vs. 1.0. (BTW, has anyone considered how or if >> the BEAST attack might affect oauth? Be good to know if someone's done >> that analysis.) >> >> However, as AD, I could live with either, since lots of other specs >> just say TLS. (But you need to point to the latest RFC as normative or >> that will I bet generate discusses.) > > Agreed. > > Peter > > -- > Peter Saint-Andre > https://stpeter.im/ > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > From rrichards@cdatazone.org Sat Dec 10 11:26:13 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8822821F8BF9 for ; Sat, 10 Dec 2011 11:26:13 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gl9-zLHCXhFF for ; Sat, 10 Dec 2011 11:26:12 -0800 (PST) Received: from smtp2go.com (smtp2go.com [207.58.142.213]) by ietfa.amsl.com (Postfix) with ESMTP id 85D9821F8BF7 for ; Sat, 10 Dec 2011 11:26:12 -0800 (PST) Message-ID: <4EE3B24D.6000907@cdatazone.org> Date: Sat, 10 Dec 2011 14:26:05 -0500 From: Rob Richards User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Mike Jones References: <4ED7DF0C.4000701@cdatazone.org> <4ED7DF3B.5010107@stpeter.im> <4ED7EA1C.1040208@cs.tcd.ie> <4ED7EAA2.40402@stpeter.im> <4E1F6AAD24975D4BA5B16804296739435F75C320@TK5EX14MBXC283.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F75C320@TK5EX14MBXC283.redmond.corp.microsoft.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 10 Dec 2011 19:26:13 -0000 I am fine with it Rob On 12/9/11 1:30 PM, Mike Jones wrote: > It looks to me like there is consensus for Barry's text (below). Agreed? > > -- Mike > > NEW > -------------------------------------------- > The authorization server MUST implement TLS. Which version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation. At the time of this writing, TLS version 1.2 [RFC5246] is the most recent version, but has very limited actual deployment, and might not be readily available in implementation toolkits. TLS version 1.0 [RFC2246] is the most widely deployed version, and will give the broadest interoperability. > > Servers MAY also implement additional transport-layer mechanisms that meet their security requirements. > -------------------------------------------- > > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Peter Saint-Andre > Sent: Thursday, December 01, 2011 12:59 PM > To: Stephen Farrell > Cc: Barry Leiba; oauth WG > Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base > > On 12/1/11 1:57 PM, Stephen Farrell wrote: >> >> On 12/01/2011 08:10 PM, Peter Saint-Andre wrote: >>> On 12/1/11 1:09 PM, Rob Richards wrote: >>>> On 11/28/11 10:39 PM, Barry Leiba wrote: >>>>>> The OAuth base doc refers in two places to TLS versions (with the >>>>>> same text in both places: >>>>>> >>>>>> OLD >>>>>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD >>>>>> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY >>>>>> support additional transport-layer mechanisms meeting its security >>>>>> requirements. >>>>>> >>>>>> In both the shepherd review and the AD review, this was called >>>>>> into >>>>>> question: >>>>>> 1. MUST for an old version and SHOULD for the current version >>>>>> seems wrong. >>>>>> 2. Having specific versions required locks us into those versions >>>>>> (for example, all implementations will have to support TLS 1.0, >>>>>> even long after it becomes obsolete, unless we rev the spec. >>>>> The comments I've gotten on this show a clear consensus against the >>>>> change I suggest, and against any attempt to require a version of >>>>> TLS other than 1.0. I still, though, am concerned that locking >>>>> this spec into TLS 1.0 is limiting. So let me propose an >>>>> alternative wording, which again tries to make the version(s) >>>>> non-normative, while making it clear which version(s) need to be >>>>> implemented to get >>>>> interoperability: >>>>> >>>>> NEW >>>>> -------------------------------------------- >>>>> The authorization server MUST implement TLS. Which version(s) >>>>> ought to be implemented will vary over time, and depend on the >>>>> widespread deployment and known security vulnerabilities at the >>>>> time of implementation. At the time of this writing, TLS version >>>>> 1.2 [RFC5246] is the most recent version, but has very limited >>>>> actual deployment, and might not be readily available in >>>>> implementation toolkits. TLS version 1.0 [RFC2246] is the most >>>>> widely deployed version, and will give the broadest >>>>> interoperability. >>>>> >>>>> Servers MAY also implement additional transport-layer mechanisms >>>>> that meet their security requirements. >>>>> -------------------------------------------- >>>>> >>>>> Comments on this version? >>>>> >>>>> Barry >>>>> >>>> Text is neutral enough for me as it's not mandating anything that >>>> isn't readily available. Only comment is whether or not there is a >>>> need to even talk about the specific versions or if just the >>>> following is >>>> enough: >>>> >>>> The authorization server MUST implement TLS. Which version(s) ought >>>> to be implemented will vary over time, and depend on the widespread >>>> deployment and known security vulnerabilities at the time of >>>> implementation. >>>> >>>> Servers MAY also implement additional transport-layer mechanisms >>>> that meet their security requirements. >>> That seems fine to me. >> FWIW, I think I'd prefer Barry's as Rob's would be more likely to >> generate discusses and we do know that there are some security >> advantages to TLS 1.2 vs. 1.0. (BTW, has anyone considered how or if >> the BEAST attack might affect oauth? Be good to know if someone's done >> that analysis.) >> >> However, as AD, I could live with either, since lots of other specs >> just say TLS. (But you need to point to the latest RFC as normative or >> that will I bet generate discusses.) > Agreed. > > Peter > > -- > Peter Saint-Andre > https://stpeter.im/ > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > From leifj@mnt.se Sun Dec 11 03:26:45 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA70C21F8A6C for ; Sun, 11 Dec 2011 03:26:45 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.294 X-Spam-Level: X-Spam-Status: No, score=-0.294 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_ILLEGAL_IP=1.908, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F8Wd0UNppHVD for ; Sun, 11 Dec 2011 03:26:44 -0800 (PST) Received: from mail-lpp01m010-f44.google.com (mail-lpp01m010-f44.google.com [209.85.215.44]) by ietfa.amsl.com (Postfix) with ESMTP id 5EE0621F8A66 for ; Sun, 11 Dec 2011 03:26:44 -0800 (PST) Received: by laah2 with SMTP id h2so963412laa.31 for ; Sun, 11 Dec 2011 03:26:43 -0800 (PST) Received: by 10.152.109.105 with SMTP id hr9mr6006445lab.24.1323602799239; Sun, 11 Dec 2011 03:26:39 -0800 (PST) Received: from [172.20.10.8] (2.67.73.229.mobile.tre.se. [2.67.73.229]) by mx.google.com with ESMTPS id ne3sm13253484lab.7.2011.12.11.03.26.35 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 11 Dec 2011 03:26:37 -0800 (PST) References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4EDB726E.2060900@gmail.com> In-Reply-To: <4EDB726E.2060900@gmail.com> Mime-Version: 1.0 (iPad Mail 8L1) Content-Transfer-Encoding: 7bit Content-Type: multipart/alternative; boundary=Apple-Mail-6--449156745 Message-Id: <6A17C741-8F1F-44A6-8E20-52A58272C2BE@mnt.se> X-Mailer: iPad Mail (8L1) From: Leif Johansson Date: Sun, 11 Dec 2011 12:28:24 +0100 To: Paul Madsen Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Dec 2011 11:26:45 -0000 --Apple-Mail-6--449156745 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii As an implementor of a toolkit let me offer this: the only use/requirement o= f mac that I've seen is for backwards compat with 1.0a.=20 4 dec 2011 kl. 14:15 skrev Paul Madsen : > Commercial OAuth authorization servers are neither 'toolkits' nor 'purpose= built code' - not used to build OAuth clients/servers but yet required to s= upport more variety in deployments than a single purpose built server. >=20 > But, that variety is driven by customer demand, and none of ours (yet?) ha= ve demanded MAC. If and when that demand comes, we will add support.=20 >=20 > To stipulate MAC as MTI would in no way reflect what the market wants. And= 'interop' nobody wants is not meaningful interop. >=20 > paul >=20 > On 12/3/11 4:37 PM, Barry Leiba wrote: >>=20 >> Stephen says: >>> On 12/02/2011 03:20 AM, Barry Leiba wrote: >>>> Maybe what would work best is some text that suggests what I say >>>> above: that toolkits intended for use in implementing OAuth services >>>> in general... implement [X and/or Y], and that code written for a >>>> specific environment implement what makes sense for that environment. >>>> It seems to me that to require any particular implementation in the >>>> latter case is arbitrary and counter-productive, and doesn't help >>>> anything interoperate. Whereas general-purpose toolkits that >>>> implement everything DO help interop. >>> That'd work just fine for me. >> OK, so here's what I suggest... I propose adding a new section 7.2, thus:= >>=20 >> ----------------------------------- >> 7.2 Access Token Implementation Considerations >>=20 >> Access token types have to be mutually understood among the >> authorization server, the resource server, and the client -- the >> access token issues the token, the resource server validates it, and >> the client is required to understand the type, as noted in section >> 7.1, above. Because of that, interoperability of program code >> developed separately depends upon the token types that are supported >> in the code. >>=20 >> Toolkits that are intended for general use (for building other clients >> and/or servers), therefore, SHOULD implement as many token types as >> practical, to ensure that programs developed with those toolkits are >> able to use the token types they need. In particular, all general-use >> toolkits MUST implement bearer tokens [...ref...] and MAC tokens >> [...ref...]. >>=20 >> Purpose-built code, built without such toolkits, has somewhat more >> flexibility, as its developers know the specific environment they're >> developing for. There's clearly little point to including code to >> support a particular token type when it's known in advance that the >> type in question will never be used in the intended deployment. >> Developers of purpose-built code are encouraged to consider future >> extensions and to plan ahead for changes in circumstances, and might >> still want to include support for multiple token types. That said, >> the choice of token-type support for such purpose-built code is left >> to the developers and their specific requirements. >> ----------------------------------- >>=20 >> I think that expresses a reasonable compromise that might actually be >> followed and might actually do some good. Comments? Can we go with >> this and close this issue? (And, sorry, I've been a Bad Chair, and >> haven't put this in the tracker.) >>=20 >> Barry >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail-6--449156745 Content-Transfer-Encoding: 7bit Content-Type: text/html; charset=utf-8
As an implementor of a toolkit let me offer this: the only use/requirement of mac that I've seen is for backwards compat with 1.0a. 



4 dec 2011 kl. 14:15 skrev Paul Madsen <paul.madsen@gmail.com>:

Commercial OAuth authorization servers are neither 'toolkits' nor 'purpose built code' - not used to build OAuth clients/servers but yet required to support more variety in deployments than a single purpose built server.

But, that variety is driven by customer demand, and none of ours (yet?) have demanded MAC. If and when that demand comes, we will add support.

To stipulate MAC as MTI would in no way reflect what the market wants. And 'interop' nobody wants is not meaningful interop.

paul

On 12/3/11 4:37 PM, Barry Leiba wrote: 
Stephen says:

On 12/02/2011 03:20 AM, Barry Leiba wrote:

Maybe what would work best is some text that suggests what I say
above: that toolkits intended for use in implementing OAuth services
in general... implement [X and/or Y], and that code written for a
specific environment implement what makes sense for that environment.
It seems to me that to require any particular implementation in the
latter case is arbitrary and counter-productive, and doesn't help
anything interoperate.  Whereas general-purpose toolkits that
implement everything DO help interop.

That'd work just fine for me.

OK, so here's what I suggest... I propose adding a new section 7.2, thus:

-----------------------------------
7.2 Access Token Implementation Considerations

Access token types have to be mutually understood among the
authorization server, the resource server, and the client -- the
access token issues the token, the resource server validates it, and
the client is required to understand the type, as noted in section
7.1, above.  Because of that, interoperability of program code
developed separately depends upon the token types that are supported
in the code.

Toolkits that are intended for general use (for building other clients
and/or servers), therefore, SHOULD implement as many token types as
practical, to ensure that programs developed with those toolkits are
able to use the token types they need.  In particular, all general-use
toolkits MUST implement bearer tokens [...ref...] and MAC tokens
[...ref...].

Purpose-built code, built without such toolkits, has somewhat more
flexibility, as its developers know the specific environment they're
developing for.  There's clearly little point to including code to
support a particular token type when it's known in advance that the
type in question will never be used in the intended deployment.
Developers of purpose-built code are encouraged to consider future
extensions and to plan ahead for changes in circumstances, and might
still want to include support for multiple token types.  That said,
the choice of token-type support for such purpose-built code is left
to the developers and their specific requirements.
-----------------------------------

I think that expresses a reasonable compromise that might actually be
followed and might actually do some good.  Comments?  Can we go with
this and close this issue?  (And, sorry, I've been a Bad Chair, and
haven't put this in the tracker.)

Barry
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--Apple-Mail-6--449156745-- From leifj@mnt.se Sun Dec 11 03:28:54 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7528A21F86A5 for ; Sun, 11 Dec 2011 03:28:54 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.295 X-Spam-Level: X-Spam-Status: No, score=-0.295 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_ILLEGAL_IP=1.908, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BKUExglgEFQb for ; Sun, 11 Dec 2011 03:28:54 -0800 (PST) Received: from mail-lpp01m010-f44.google.com (mail-lpp01m010-f44.google.com [209.85.215.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9CA4221F84C1 for ; Sun, 11 Dec 2011 03:28:53 -0800 (PST) Received: by laah2 with SMTP id h2so963770laa.31 for ; Sun, 11 Dec 2011 03:28:52 -0800 (PST) Received: by 10.152.109.105 with SMTP id hr9mr6010640lab.24.1323602932599; Sun, 11 Dec 2011 03:28:52 -0800 (PST) Received: from [172.20.10.8] (2.67.73.229.mobile.tre.se. [2.67.73.229]) by mx.google.com with ESMTPS id fq5sm4025010lab.2.2011.12.11.03.28.50 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 11 Dec 2011 03:28:51 -0800 (PST) References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739435F7576DF@TK5EX14MBXC283.redmond.corp.microsoft.com> In-Reply-To: Mime-Version: 1.0 (iPad Mail 8L1) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Message-Id: X-Mailer: iPad Mail (8L1) From: Leif Johansson Date: Sun, 11 Dec 2011 12:30:38 +0100 To: Blaine Cook Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Dec 2011 11:28:54 -0000 5 dec 2011 kl. 00:34 skrev Blaine Cook : > On 4 December 2011 02:26, Mike Jones wrote: >> I strongly object to a mandatory-to-implement clause for the MAC scheme. = They are unnecessary and market forces have shown that implementers do not w= ant or need this kind of an authentication scheme. >=20 > I'd say that Twitter, Flickr, Dropbox and dozens of other sites that > have shipped OAuth 1.0a (MAC) in production and for billions of > requests per day is a pretty strong market force. >=20 > People (especially politically incentivised standards wonks) arguing > on a mailing list isn't a strong market force, and there are far fewer > successful APIs that use Bearer tokens. Which isn't to say that they > won't, just to say that what you want and what's used in the wild are > very different things. Or, citation needed. >=20 >=20 Oauth 1.0a mac and 2.0 mac are not the same thing. Yours is an argument for b= ackwards compat I think.= From wmills@yahoo-inc.com Sun Dec 11 09:27:38 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BD7521F84C3 for ; Sun, 11 Dec 2011 09:27:38 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -17.561 X-Spam-Level: X-Spam-Status: No, score=-17.561 tagged_above=-999 required=5 tests=[AWL=0.037, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PkI8ZvjTvcpO for ; Sun, 11 Dec 2011 09:27:37 -0800 (PST) Received: from nm21.bullet.mail.ac4.yahoo.com (nm21.bullet.mail.ac4.yahoo.com [98.139.52.218]) by ietfa.amsl.com (Postfix) with SMTP id 238F121F84BD for ; Sun, 11 Dec 2011 09:27:36 -0800 (PST) Received: from [98.139.52.194] by nm21.bullet.mail.ac4.yahoo.com with NNFMP; 11 Dec 2011 17:27:30 -0000 Received: from [98.139.52.141] by tm7.bullet.mail.ac4.yahoo.com with NNFMP; 11 Dec 2011 17:27:30 -0000 Received: from [127.0.0.1] by omp1024.mail.ac4.yahoo.com with NNFMP; 11 Dec 2011 17:27:30 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 467004.38146.bm@omp1024.mail.ac4.yahoo.com Received: (qmail 42247 invoked by uid 60001); 11 Dec 2011 17:27:29 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1323624449; bh=de2qcG96HdfH7IzZ2HR4T7PgQ6sboyYJnWi4JrRWZuM=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=IO/kekGjsb4bBVY/LxNSszBkGSJoUdP7AscxLA9EoLjIy0VMa8MxDNSq2Cjf9wY0nJI8yuYBjfMFo7OxUm0Y1EJvZkTSQd/IOkV6uWNSosKPi8z5Mmr7rKAwJg2/PxKqTrz9iGYzSHHgSvcdGk9JNHpsiAQioM0aZJ7XPJi+im0= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=gaH4v9ijgaUpkRw4Wm0eEG6h8qquywxuxEnWEijNCcC9XLiRYemkRHDRgUEHbd8su8/5WcXiXmfDepSebEDywHbMh1a0vPIlb/sgZqr/vYxZ5cJVdHKxC9/SHT6HL4Vp+ki3MB/ktzby2GZ7wzunb84bQG3r7IPD8OraivWJ2AY=; X-YMail-OSG: ew13.YAVM1kFSerFi6xNzDs1lsubeSPeU9.h6eXVVZB9SPY HOKuqx.hJdrYfzvRqx7J2b36rzuLfSTEDAjevxmDuZAwBO7NIBmf.0lSxUke mraldRYv.en0LjpkZOQI4aH3qz6WkYFpV.SgSDSYyg9Oyqay2noGlT60jC2q rZ4gzwQjythj4DxcspAGpYFQgVuJDdzfZSypysn9dPPHGa4DO7c4uHrQwiTe L24Ny7bzl3DxXE3jl.vlsNRpa0dmQSRZ2pJnddm8j_.nN1q9MD6ZYftQm3co WRws51CgK7V13FtUWfwx6W6vq3ibNY.zlQOHZsomjVJqn2is4EQqo6X8m1Hz LMr2kuYu1Czcx8A9gmAxOuaJJlFa5PZR4DMehLnfkL0rhQ7N9wqf4ji8gt1. VNcUd_tWglbLiTVM- Received: from [99.31.212.42] by web31812.mail.mud.yahoo.com via HTTP; Sun, 11 Dec 2011 09:27:29 PST X-RocketYMMF: william_john_mills X-Mailer: YahooMailWebService/0.8.116.331537 References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4EDB726E.2060900@gmail.com> <6A17C741-8F1F-44A6-8E20-52A58272C2BE@mnt.se> Message-ID: <1323624449.41873.YahooMailNeo@web31812.mail.mud.yahoo.com> Date: Sun, 11 Dec 2011 09:27:29 -0800 (PST) From: William Mills To: Leif Johansson , Paul Madsen In-Reply-To: <6A17C741-8F1F-44A6-8E20-52A58272C2BE@mnt.se> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="1458549034-688701768-1323624449=:41873" Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: William Mills List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Dec 2011 17:27:38 -0000 --1458549034-688701768-1323624449=:41873 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable They are only compatible in the sense that they share the same security cha= racteristics.=0A=0A=0A=0A________________________________=0A From: Leif Joh= ansson =0ATo: Paul Madsen =0ACc: "oau= th@ietf.org" =0ASent: Sunday, December 11, 2011 3:28 AM=0A= Subject: Re: [OAUTH-WG] Mandatory-to-implement token type=0A =0A=0AAs an im= plementor of a toolkit let me offer this: the only use/requirement of mac t= hat I've seen is for backwards compat with 1.0a.=A0=0A=0A=0A=0A=0A4 dec 201= 1 kl. 14:15 skrev Paul Madsen :=0A=0A=0ACommercial O= Auth authorization servers are neither 'toolkits' nor 'purpose built code' = - not used to build OAuth clients/servers but yet required to support more = variety in deployments than a single purpose built server.=0A>=0A>But, that= variety is driven by customer demand, and none of ours=0A (yet?) have d= emanded MAC. If and when that demand comes, we will add=0A support. =0A>= =0A>To stipulate MAC as MTI would in no way reflect what the market=0A w= ants. And 'interop' nobody wants is not meaningful interop.=0A>=0A>paul=0A>= =0A>On 12/3/11 4:37 PM, Barry Leiba wrote: =0A>Stephen says: =0A>>On 12/02/= 2011 03:20 AM, Barry Leiba wrote: =0A>>>Maybe what would work best is some = text that suggests what I say=0Aabove: that toolkits intended for use in im= plementing OAuth services=0Ain general... implement [X and/or Y], and that = code written for a=0Aspecific environment implement what makes sense for th= at environment.=0AIt seems to me that to require any particular implementat= ion in the=0Alatter case is arbitrary and counter-productive, and doesn't h= elp=0Aanything interoperate. =A0Whereas general-purpose toolkits that=0Aimp= lement everything DO help interop. =0A>>>That'd work just fine for me. =0A>= >OK, so here's what I suggest... I propose adding a new section 7.2, thus: = -----------------------------------=0A7.2 Access Token Implementation Consi= derations Access token types have to be mutually understood among the=0Aaut= horization server, the resource server, and the client -- the=0Aaccess toke= n issues the token, the resource server validates it, and=0Athe client is r= equired to understand the type, as noted in section=0A7.1, above. Because = of that, interoperability of program code=0Adeveloped separately depends up= on the token types that are supported=0Ain the code. Toolkits that are inte= nded for general use (for building other clients=0Aand/or servers), therefo= re, SHOULD implement as many token types as=0Apractical, to ensure that pro= grams developed with those toolkits are=0Aable to use the token types they = need. In particular, all general-use=0Atoolkits MUST implement bearer toke= ns [...ref...] and MAC tokens=0A[...ref...]. Purpose-built code, built with= out such toolkits, has somewhat more=0Aflexibility, as its developers know = the specific environment they're=0Adeveloping for. There's clearly little = point to including code to=0Asupport a particular token type when it's know= n in advance that the=0Atype in question will never be used in the intended= deployment.=0ADevelopers of purpose-built code are encouraged to consider = future=0Aextensions and to plan ahead for changes in circumstances, and mig= ht=0Astill want to include support for multiple token types. That said,=0A= the choice of token-type support for such purpose-built code is left=0Ato t= he developers and their specific requirements.=0A--------------------------= --------- I think that expresses a reasonable compromise that might actuall= y be=0Afollowed and might actually do some good. Comments? Can we go with= =0Athis and close this issue? (And, sorry, I've been a Bad Chair, and=0Aha= ven't put this in the tracker.) Barry=0A___________________________________= ____________=0AOAuth mailing list OAuth@ietf.org https://www.ietf.org/mailm= an/listinfo/oauth =0A_______________________________________________=0A>OAu= th mailing list=0A>OAuth@ietf.org=0A>https://www.ietf.org/mailman/listinfo/= oauth=0A>=0A_______________________________________________=0AOAuth mailing= list=0AOAuth@ietf.org=0Ahttps://www.ietf.org/mailman/listinfo/oauth --1458549034-688701768-1323624449=:41873 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
They are only compatible in the sense that they share the same security c= haracteristics.

From: Leif Johansson <leifj@mnt.se>=
To: Paul Madsen <p= aul.madsen@gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Sent: Sunday, December 11, 2011 3:28 AM
Subject: Re: [OAUTH-WG] Mandato= ry-to-implement token type
=0A
As an imp= lementor of a toolkit let me offer this: the only use/requirement of mac th= at I've seen is for backwards compat with 1.0a. 



4 dec 2011 kl. 14:15 skrev Paul Madsen <paul.madsen@gmail.com>:

=0A Commercial OAuth auth= orization servers are=0A neither 'toolkits' nor 'purpose built code' - not used to=0A build OAuth clients/servers but yet required to s= upport more variety=0A in deployments than a single purpose built server= .
=0A
=0A But, that variety is driven by customer demand, and = none of ours=0A (yet?) have demanded MAC. If and when that demand comes,= we will add=0A support.
=0A
=0A To stipulate MAC as MTI w= ould in no way reflect what the market=0A wants. And 'interop' nobody wa= nts is not meaningful interop.
=0A
=0A paul
=0A
=0A = On 12/3/11 4:37 PM, Barry Leiba wrote:=0A
= =0A 
Stephen says:=0A
=0A
=0A = 
On 12/02/2011 03:20 AM, Barry Leiba wrote:=0A
=0A <= blockquote type=3D"cite">=0A 
Maybe what would work best is so=
me text that suggests what I say=0Aabove: that toolkits intended for use in=
 implementing OAuth services=0Ain general... implement [X and/or Y], and th=
at code written for a=0Aspecific environment implement what makes sense for=
 that environment.=0AIt seems to me that to require any particular implemen=
tation in the=0Alatter case is arbitrary and counter-productive, and doesn'=
t help=0Aanything interoperate.  Whereas general-purpose toolkits that=
=0Aimplement everything DO help interop.=0A
=0A
= =0A 
That'd work just fine for me.=0A
=0A =0A 
OK, so here's what I suggest... I propose adding a new secti=
on 7.2, thus:=0A=0A-----------------------------------=0A7.2 Access Token I=
mplementation Considerations=0A=0AAccess token types have to be mutually un=
derstood among the=0Aauthorization server, the resource server, and the cli=
ent -- the=0Aaccess token issues the token, the resource server validates i=
t, and=0Athe client is required to understand the type, as noted in section=
=0A7.1, above.  Because of that, interoperability of program code=0Adevelop=
ed separately depends upon the token types that are supported=0Ain the code=
.=0A=0AToolkits that are intended for general use (for building other clien=
ts=0Aand/or servers), therefore, SHOULD implement as many token types as=0A=
practical, to ensure that programs developed with those toolkits are=0Aable=
 to use the token types they need.  In particular, all general-use=0Atoolki=
ts MUST implement bearer tokens [...ref...] and MAC tokens=0A[...ref...].=
=0A=0APurpose-built code, built without such toolkits, has somewhat more=0A=
flexibility, as its developers know the specific environment they're=0Adeve=
loping for.  There's clearly little point to including code to=0Asupport a =
particular token type when it's known in advance that the=0Atype in questio=
n will never be used in the intended deployment.=0ADevelopers of purpose-bu=
ilt code are encouraged to consider future=0Aextensions and to plan ahead f=
or changes in circumstances, and might=0Astill want to include support for =
multiple token types.  That said,=0Athe choice of token-type support for su=
ch purpose-built code is left=0Ato the developers and their specific requir=
ements.=0A-----------------------------------=0A=0AI think that expresses a=
 reasonable compromise that might actually be=0Afollowed and might actually=
 do some good.  Comments?  Can we go with=0Athis and close this issue?  (An=
d, sorry, I've been a Bad Chair, and=0Ahaven't put this in the tracker.)=0A=
=0ABarry=0A_______________________________________________=0AOAuth mailing =
list=0AOAuth@ietf.org=0Ahttps://ww=
w.ietf.org/mailman/listinfo/oauth=0A
=0A
=0A =0A= =0A
________________= _______________________________
OAuth mailing listOAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_____________________________________________= __
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/list= info/oauth


--1458549034-688701768-1323624449=:41873-- From wmills@yahoo-inc.com Sun Dec 11 09:28:21 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A576A21F8436 for ; Sun, 11 Dec 2011 09:28:21 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -17.565 X-Spam-Level: X-Spam-Status: No, score=-17.565 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CtkbR885KZlH for ; Sun, 11 Dec 2011 09:28:20 -0800 (PST) Received: from nm28.bullet.mail.sp2.yahoo.com (nm28.bullet.mail.sp2.yahoo.com [98.139.91.98]) by ietfa.amsl.com (Postfix) with SMTP id 7F54021F8435 for ; Sun, 11 Dec 2011 09:28:20 -0800 (PST) Received: from [98.139.91.62] by nm28.bullet.mail.sp2.yahoo.com with NNFMP; 11 Dec 2011 17:28:14 -0000 Received: from [98.139.91.15] by tm2.bullet.mail.sp2.yahoo.com with NNFMP; 11 Dec 2011 17:28:14 -0000 Received: from [127.0.0.1] by omp1015.mail.sp2.yahoo.com with NNFMP; 11 Dec 2011 17:28:14 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 637005.84451.bm@omp1015.mail.sp2.yahoo.com Received: (qmail 42921 invoked by uid 60001); 11 Dec 2011 17:28:14 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1323624494; bh=kwSkLS24NbVjixB67lj0kKOAExt40At+G8nVEy+twxA=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=sxRXcl72Hiqk0HZHZRwtqBCkLIBhHpTkupdfyqZPQVHqmAkNYJ++7jDv/QkQ3YMEOQ8j3DP71vdTu3bbs151o2FkzG6GzzeP2QpaDUmsYVBbbPSOYhDWOM7JPo3YQhT3DltwXpn2S9bV3Pp27u2t0tAGjNen31dpcKX2NLuu2R8= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Ldr42hf02eRxr1icVXiczI3jlmw4ky601DUWj66ZPdO/kiOP/Kg+tQvG6CuD7o7nwFr5zn+fZf+k7YAy1PzQDtrzRzfoggmBDphKqL5FLR/H2O7an5WYzM0WgUVnw1kXN6vKLkpohgXi4Jw9cvfa/+MHyEVDx7FoFGqb09x/730=; X-YMail-OSG: uMW401cVM1kog06mxRnfsbevzpKdf5uEcEgOTOXvpoMAhDx rXvhwLu7j3kqnjTNAFl_Q0ZRGiMua.0VTrEOiHm0Nwr0Xdglhb9XNxEF5FRI gBOwcCFfBJjidP3eN7e49D4_kj0dZDiQ5pLhrr8TIj22bbVBT1j2MJI.i4Hh uyc_64M80qyh3mSnK9BzoDSQyfyO7bOSJWkaELFREyippzwcY_2dWXJLkeu. 2vgxfqqBxfc0j2d_JmD5GMzeoAhDmzCTkELNqQWfjymxFSKKN0Ng2EZ.tjXG mCVxbVtf9QdzXLMQlhOxiTrYIcE84iQr.V8J4PK4p7Pru86wg8vzHQ2RWh7Q kyxuc2ezQpskc71tgTTo95f4UR9zlCJkrdDlpK4uNXbK9KdPiBvBYEBbd30l NXPwyM1Sz8.8WAoPFQFDeeajn_hXoY4n4xJq9fFSQwLE.0VqWzMXaqwh3pBU N3L7FND0fsNtqUuk- Received: from [99.31.212.42] by web31812.mail.mud.yahoo.com via HTTP; Sun, 11 Dec 2011 09:28:13 PST X-RocketYMMF: william_john_mills X-Mailer: YahooMailWebService/0.8.116.331537 References: <4ED7DF0C.4000701@cdatazone.org> <4ED7DF3B.5010107@stpeter.im> <4ED7EA1C.1040208@cs.tcd.ie> <4ED7EAA2.40402@stpeter.im> <4E1F6AAD24975D4BA5B16804296739435F75C320@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EE3B24D.6000907@cdatazone.org> Message-ID: <1323624493.42216.YahooMailNeo@web31812.mail.mud.yahoo.com> Date: Sun, 11 Dec 2011 09:28:13 -0800 (PST) From: William Mills To: Rob Richards , Mike Jones In-Reply-To: <4EE3B24D.6000907@cdatazone.org> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="1458549034-1054284888-1323624493=:42216" Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: William Mills List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Dec 2011 17:28:21 -0000 --1458549034-1054284888-1323624493=:42216 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable I think it's overkill, but I don't think it causes any problems.=0A=0A=0A= =0A________________________________=0A From: Rob Richards =0ATo: Mike Jones =0ACc: Barry Leiba = ; oauth WG =0ASent: Saturday, Dec= ember 10, 2011 11:26 AM=0ASubject: Re: [OAUTH-WG] TLS version requirements = in OAuth 2.0 base=0A =0AI am fine with it=0A=0ARob=0A=0AOn 12/9/11 1:30 PM,= Mike Jones wrote:=0A> It looks to me like there is consensus for Barry's t= ext (below).=A0 Agreed?=0A>=0A> =A0=A0=A0 =A0=A0=A0 =A0=A0=A0 =A0=A0=A0 -- = Mike=0A>=0A> NEW=0A> --------------------------------------------=0A> The a= uthorization server MUST implement TLS.=A0 Which version(s) ought to be imp= lemented will vary over time, and depend on the widespread deployment and k= nown security vulnerabilities at the time of implementation.=A0 At the time= of this writing, TLS version 1.2 [RFC5246] is the most recent version, but= has very limited actual deployment, and might not be readily available in = implementation toolkits.=A0 TLS version 1.0 [RFC2246] is the most widely de= ployed version, and will give the broadest interoperability.=0A>=0A> Server= s MAY also implement additional transport-layer mechanisms that meet their = security requirements.=0A> --------------------------------------------=0A>= =0A> -----Original Message-----=0A> From: oauth-bounces@ietf.org [mailto:oa= uth-bounces@ietf.org] On Behalf Of Peter Saint-Andre=0A> Sent: Thursday, De= cember 01, 2011 12:59 PM=0A> To: Stephen Farrell=0A> Cc: Barry Leiba; oauth= WG=0A> Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base= =0A>=0A> On 12/1/11 1:57 PM, Stephen Farrell wrote:=0A>>=0A>> On 12/01/2011= 08:10 PM, Peter Saint-Andre wrote:=0A>>> On 12/1/11 1:09 PM, Rob Richards = wrote:=0A>>>> On 11/28/11 10:39 PM, Barry Leiba wrote:=0A>>>>>> The OAuth b= ase doc refers in two places to TLS versions (with the=0A>>>>>> same text i= n both places:=0A>>>>>>=0A>>>>>> OLD=0A>>>>>> The authorization server MUST= support TLS 1.0 ([RFC2246]), SHOULD=0A>>>>>> support TLS 1.2 ([RFC5246]) a= nd its future replacements, and MAY=0A>>>>>> support additional transport-l= ayer mechanisms meeting its security=0A>>>>>> requirements.=0A>>>>>>=0A>>>>= >> In both the shepherd review and the AD review, this was called=0A>>>>>> = into=0A>>>>>> question:=0A>>>>>> 1. MUST for an old version and SHOULD for = the current version=0A>>>>>> seems wrong.=0A>>>>>> 2. Having specific versi= ons required locks us into those versions=0A>>>>>> (for example, all implem= entations will have to support TLS 1.0,=0A>>>>>> even long after it becomes= obsolete, unless we rev the spec.=0A>>>>> The comments I've gotten on this= show a clear consensus against the=0A>>>>> change I suggest, and against a= ny attempt to require a version of=0A>>>>> TLS other than 1.0.=A0 I still, = though, am concerned that locking=0A>>>>> this spec into TLS 1.0 is limitin= g.=A0 So let me propose an=0A>>>>> alternative wording, which again tries t= o make the version(s)=0A>>>>> non-normative, while making it clear which ve= rsion(s) need to be=0A>>>>> implemented to get=0A>>>>> interoperability:=0A= >>>>>=0A>>>>> NEW=0A>>>>> --------------------------------------------=0A>>= >>> The authorization server MUST implement TLS.=A0 Which version(s)=0A>>>>= > ought to be implemented will vary over time, and depend on the=0A>>>>> wi= despread deployment and known security vulnerabilities at the=0A>>>>> time = of implementation.=A0 At the time of this writing, TLS version=0A>>>>> 1.2 = [RFC5246] is the most recent version, but has very limited=0A>>>>> actual d= eployment, and might not be readily available in=0A>>>>> implementation too= lkits.=A0 TLS version 1.0 [RFC2246] is the most=0A>>>>> widely deployed ver= sion, and will give the broadest=0A>>>>> interoperability.=0A>>>>>=0A>>>>> = Servers MAY also implement additional transport-layer mechanisms=0A>>>>> th= at meet their security requirements.=0A>>>>> ------------------------------= --------------=0A>>>>>=0A>>>>> Comments on this version?=0A>>>>>=0A>>>>> Ba= rry=0A>>>>>=0A>>>> Text is neutral enough for me as it's not mandating anyt= hing that=0A>>>> isn't readily available. Only comment is whether or not th= ere is a=0A>>>> need to even talk about the specific versions or if just th= e=0A>>>> following is=0A>>>> enough:=0A>>>>=0A>>>> The authorization server= MUST implement TLS. Which version(s) ought=0A>>>> to be implemented will v= ary over time, and depend on the widespread=0A>>>> deployment and known sec= urity vulnerabilities at the time of=0A>>>> implementation.=0A>>>>=0A>>>> S= ervers MAY also implement additional transport-layer mechanisms=0A>>>> that= meet their security requirements.=0A>>> That seems fine to me.=0A>> FWIW, = I think I'd prefer Barry's as Rob's would be more likely to=0A>> generate d= iscusses and we do know that there are some security=0A>> advantages to TLS= 1.2 vs. 1.0. (BTW, has anyone considered how or if=0A>> the BEAST attack m= ight affect oauth? Be good to know if someone's done=0A>> that analysis.)= =0A>>=0A>> However, as AD, I could live with either, since lots of other sp= ecs=0A>> just say TLS. (But you need to point to the latest RFC as normativ= e or=0A>> that will I bet generate discusses.)=0A> Agreed.=0A>=0A> Peter=0A= >=0A> --=0A> Peter Saint-Andre=0A> https://stpeter.im/=0A>=0A>=0A> ________= _______________________________________=0A> OAuth mailing list=0A> OAuth@ie= tf.org=0A> https://www.ietf.org/mailman/listinfo/oauth=0A>=0A>=0A> ________= _______________________________________=0A> OAuth mailing list=0A> OAuth@ie= tf.org=0A> https://www.ietf.org/mailman/listinfo/oauth=0A>=0A=0A___________= ____________________________________=0AOAuth mailing list=0AOAuth@ietf.org= =0Ahttps://www.ietf.org/mailman/listinfo/oauth --1458549034-1054284888-1323624493=:42216 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
I think it's overkill, but I don't think it causes any problems.

Fr= om: Rob Richards <rrichards@cdatazone.org>
To: Mike Jones <Michael.Jones@micr= osoft.com>
Cc: Barr= y Leiba <barryleiba@computer.org>; oauth WG <oauth@ietf.org> Sent: Saturday, Decembe= r 10, 2011 11:26 AM
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
=0AI= am fine with it

Rob

On 12/9/11 1:30 PM, Mike Jones wrote:> It looks to me like there is consensus for Barry's text (below). = ; Agreed?
>
>           = ;      -- Mike
>
> NEW
> ------------= --------------------------------
> The authorization server MUST impl= ement TLS.  Which version(s) ought to be implemented will vary over ti= me, and depend on the widespread deployment and known security vulnerabilit= ies at the time of implementation.  At the time of this writing, TLS v= ersion 1.2 [RFC5246] is the most recent version, but has very limited actua= l deployment, and might not be readily available in implementation toolkits= .  TLS version 1.0 [RFC2246] is the most widely deployed version, and = will give the broadest interoperability.
>
> Servers MAY also i= mplement additional transport-layer mechanisms that meet their security requirements.
> -------------------------------------------= -
>
> -----Original Message-----
> From: oauth-b= ounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf = Of Peter Saint-Andre
> Sent: Thursday, December 01, 2011 12:59 PM
= > To: Stephen Farrell
> Cc: Barry Leiba; oauth WG
> Subject:= Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
>
> = On 12/1/11 1:57 PM, Stephen Farrell wrote:
>>
>> On 12/01= /2011 08:10 PM, Peter Saint-Andre wrote:
>>> On 12/1/11 1:09 PM= , Rob Richards wrote:
>>>> On 11/28/11 10:39 PM, Barry Leiba= wrote:
>>>>>> The OAuth base doc refers in two places= to TLS versions (with the
>>>>>> same text in both places:
>>>>>>
>>>>>> OLD
>= ;>>>>> The authorization server MUST support TLS 1.0 ([RFC22= 46]), SHOULD
>>>>>> support TLS 1.2 ([RFC5246]) and it= s future replacements, and MAY
>>>>>> support addition= al transport-layer mechanisms meeting its security
>>>>>&= gt; requirements.
>>>>>>
>>>>>> I= n both the shepherd review and the AD review, this was called
>>&g= t;>>> into
>>>>>> question:
>>>&g= t;>> 1. MUST for an old version and SHOULD for the current version>>>>>> seems wrong.
>>>>>> 2. Havin= g specific versions required locks us into those versions
>>>&g= t;>> (for example, all implementations will have to support TLS 1.0,<= br>>>>>>> even long after it becomes obsolete, unless we rev the spec.
>>>>> The comments I've gotten o= n this show a clear consensus against the
>>>>> change I = suggest, and against any attempt to require a version of
>>>>= ;> TLS other than 1.0.  I still, though, am concerned that locking<= br>>>>>> this spec into TLS 1.0 is limiting.  So let me= propose an
>>>>> alternative wording, which again tries = to make the version(s)
>>>>> non-normative, while making = it clear which version(s) need to be
>>>>> implemented to= get
>>>>> interoperability:
>>>>>
&= gt;>>>> NEW
>>>>> ---------------------------= -----------------
>>>>> The authorization server MUST imp= lement TLS.  Which version(s)
>>>>> ought to be impl= emented will vary over time, and depend on the
>>>>> widespread deployment and known security vulne= rabilities at the
>>>>> time of implementation.  At = the time of this writing, TLS version
>>>>> 1.2 [RFC5246]= is the most recent version, but has very limited
>>>>> a= ctual deployment, and might not be readily available in
>>>>= > implementation toolkits.  TLS version 1.0 [RFC2246] is the most>>>>> widely deployed version, and will give the broadest<= br>>>>>> interoperability.
>>>>>
>&g= t;>>> Servers MAY also implement additional transport-layer mechan= isms
>>>>> that meet their security requirements.
>= >>>> --------------------------------------------
>>&g= t;>>
>>>>> Comments on this version?
>>>= ;>>
>>>>> Barry
>>>>>
>>>> Text is neutral enough f= or me as it's not mandating anything that
>>>> isn't readily= available. Only comment is whether or not there is a
>>>> n= eed to even talk about the specific versions or if just the
>>>= > following is
>>>> enough:
>>>>
>&g= t;>> The authorization server MUST implement TLS. Which version(s) ou= ght
>>>> to be implemented will vary over time, and depend o= n the widespread
>>>> deployment and known security vulnerab= ilities at the time of
>>>> implementation.
>>>&= gt;
>>>> Servers MAY also implement additional transport-lay= er mechanisms
>>>> that meet their security requirements.>>> That seems fine to me.
>> FWIW, I think I'd prefer B= arry's as Rob's would be more likely to
>> generate discusses and we do know that there are some security
>> advantag= es to TLS 1.2 vs. 1.0. (BTW, has anyone considered how or if
>> th= e BEAST attack might affect oauth? Be good to know if someone's done
>= ;> that analysis.)
>>
>> However, as AD, I could live = with either, since lots of other specs
>> just say TLS. (But you n= eed to point to the latest RFC as normative or
>> that will I bet = generate discusses.)
> Agreed.
>
> Peter
>
> = --
> Peter Saint-Andre
> https://stpeter.im/
>
>
> _______________= ________________________________
> OAuth mailing list
> OAuth@ietf.org=
> https://www.ietf.org/mailman/listinfo/oauth
><= br>>
> _______________________________________________
> OAu= th mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/lis= tinfo/oauth
>

____________________________________________= ___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/lis= tinfo/oauth


--1458549034-1054284888-1323624493=:42216-- From romeda@gmail.com Mon Dec 12 07:10:46 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FFF421F8B74 for ; Mon, 12 Dec 2011 07:10:46 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -103.599 X-Spam-Level: X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oh1pcfjfmQ47 for ; Mon, 12 Dec 2011 07:10:45 -0800 (PST) Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id AE94F21F8B70 for ; Mon, 12 Dec 2011 07:10:45 -0800 (PST) Received: by ggnk5 with SMTP id k5so6391281ggn.31 for ; Mon, 12 Dec 2011 07:10:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=Z50GNkNMAsQSL9wiNPtzK8nBgDm7KcYag10eXpMA+i8=; b=UOmW3XAsBmyd8L2lTBgyv+RWBZFjLcbVcbl254nd+xqSCGOWIuZTxYnG9QzKEWallz hST0JMkJ3yrmj52+qnQcSblyBiwgKr8mRSk+xrzx6niNl+AEYb3rTOUf0Qb/TYq3Go8q Aef/dGK2Q6O2B8n1sWYA+gsMHiIrXBEm8GrpM= Received: by 10.182.89.65 with SMTP id bm1mr3014105obb.58.1323702645163; Mon, 12 Dec 2011 07:10:45 -0800 (PST) MIME-Version: 1.0 Received: by 10.182.114.68 with HTTP; Mon, 12 Dec 2011 07:10:24 -0800 (PST) In-Reply-To: References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4E1F6AAD24975D4BA5B16804296739435F7576DF@TK5EX14MBXC283.redmond.corp.microsoft.com> From: Blaine Cook Date: Mon, 12 Dec 2011 15:10:24 +0000 Message-ID: To: Leif Johansson Content-Type: text/plain; charset=UTF-8 Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Dec 2011 15:10:46 -0000 On 11 December 2011 11:30, Leif Johansson wrote: > > 5 dec 2011 kl. 00:34 skrev Blaine Cook : > > Oauth 1.0a mac and 2.0 mac are not the same thing. Yours is an argument for backwards compat I think. The syntax is different / better, the spec is cleaner, but they specify exactly the same thing. I couldn't care less about all this at this point, but I do take issue with the claim that the MAC approach in general (as typified by OAuth 1.0a and the MAC Token draft as-is) doesn't have adoption. b. From jricher@mitre.org Mon Dec 12 07:41:09 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2D1A21F8B65 for ; Mon, 12 Dec 2011 07:41:09 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.473 X-Spam-Level: X-Spam-Status: No, score=-6.473 tagged_above=-999 required=5 tests=[AWL=0.125, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FkVlekgz+4Py for ; Mon, 12 Dec 2011 07:41:08 -0800 (PST) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 2076A21F87E2 for ; Mon, 12 Dec 2011 07:41:08 -0800 (PST) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 479CB21B0F57 for ; Mon, 12 Dec 2011 10:41:07 -0500 (EST) Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 3002B21B0F53 for ; Mon, 12 Dec 2011 10:41:07 -0500 (EST) Received: from [129.83.50.8] (129.83.31.51) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.1.339.1; Mon, 12 Dec 2011 10:41:06 -0500 Message-ID: <4EE6207C.9010002@mitre.org> Date: Mon, 12 Dec 2011 10:40:44 -0500 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0 MIME-Version: 1.0 To: References: <4ED7DF0C.4000701@cdatazone.org> <4ED7DF3B.5010107@stpeter.im> <4ED7EA1C.1040208@cs.tcd.ie> <4ED7EAA2.40402@stpeter.im> <4E1F6AAD24975D4BA5B16804296739435F75C320@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EE3B24D.6000907@cdatazone.org> <1323624493.42216.YahooMailNeo@web31812.mail.mud.yahoo.com> In-Reply-To: <1323624493.42216.YahooMailNeo@web31812.mail.mud.yahoo.com> Content-Type: multipart/alternative; boundary="------------050103020804080106070409" X-Originating-IP: [129.83.31.51] Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Dec 2011 15:41:09 -0000 --------------050103020804080106070409 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit Agreed -- I think that this text addresses the concerns of those who had them without getting in too deep to things that are, quite frankly, ancillary to OAuth. I still contend that the vast majority of implementors reading this will see that line and say "Oh, I need an https there instead of an http" and call it a day, but the proposed text doesn't *hurt* that case, so I'm relatively fine with it. -- Justin On 12/11/2011 12:28 PM, William Mills wrote: > I think it's overkill, but I don't think it causes any problems. > > ------------------------------------------------------------------------ > *From:* Rob Richards > *To:* Mike Jones > *Cc:* Barry Leiba ; oauth WG > *Sent:* Saturday, December 10, 2011 11:26 AM > *Subject:* Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base > > I am fine with it > > Rob > > On 12/9/11 1:30 PM, Mike Jones wrote: > > It looks to me like there is consensus for Barry's text (below). > Agreed? > > > > -- Mike > > > > NEW > > -------------------------------------------- > > The authorization server MUST implement TLS. Which version(s) ought > to be implemented will vary over time, and depend on the widespread > deployment and known security vulnerabilities at the time of > implementation. At the time of this writing, TLS version 1.2 > [RFC5246] is the most recent version, but has very limited actual > deployment, and might not be readily available in implementation > toolkits. TLS version 1.0 [RFC2246] is the most widely deployed > version, and will give the broadest interoperability. > > > > Servers MAY also implement additional transport-layer mechanisms > that meet their security requirements. > > -------------------------------------------- > > > > -----Original Message----- > > From: oauth-bounces@ietf.org > [mailto:oauth-bounces@ietf.org ] On > Behalf Of Peter Saint-Andre > > Sent: Thursday, December 01, 2011 12:59 PM > > To: Stephen Farrell > > Cc: Barry Leiba; oauth WG > > Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base > > > > On 12/1/11 1:57 PM, Stephen Farrell wrote: > >> > >> On 12/01/2011 08:10 PM, Peter Saint-Andre wrote: > >>> On 12/1/11 1:09 PM, Rob Richards wrote: > >>>> On 11/28/11 10:39 PM, Barry Leiba wrote: > >>>>>> The OAuth base doc refers in two places to TLS versions (with the > >>>>>> same text in both places: > >>>>>> > >>>>>> OLD > >>>>>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD > >>>>>> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY > >>>>>> support additional transport-layer mechanisms meeting its security > >>>>>> requirements. > >>>>>> > >>>>>> In both the shepherd review and the AD review, this was called > >>>>>> into > >>>>>> question: > >>>>>> 1. MUST for an old version and SHOULD for the current version > >>>>>> seems wrong. > >>>>>> 2. Having specific versions required locks us into those versions > >>>>>> (for example, all implementations will have to support TLS 1.0, > >>>>>> even long after it becomes obsolete, unless we rev the spec. > >>>>> The comments I've gotten on this show a clear consensus against the > >>>>> change I suggest, and against any attempt to require a version of > >>>>> TLS other than 1.0. I still, though, am concerned that locking > >>>>> this spec into TLS 1.0 is limiting. So let me propose an > >>>>> alternative wording, which again tries to make the version(s) > >>>>> non-normative, while making it clear which version(s) need to be > >>>>> implemented to get > >>>>> interoperability: > >>>>> > >>>>> NEW > >>>>> -------------------------------------------- > >>>>> The authorization server MUST implement TLS. Which version(s) > >>>>> ought to be implemented will vary over time, and depend on the > >>>>> widespread deployment and known security vulnerabilities at the > >>>>> time of implementation. At the time of this writing, TLS version > >>>>> 1.2 [RFC5246] is the most recent version, but has very limited > >>>>> actual deployment, and might not be readily available in > >>>>> implementation toolkits. TLS version 1.0 [RFC2246] is the most > >>>>> widely deployed version, and will give the broadest > >>>>> interoperability. > >>>>> > >>>>> Servers MAY also implement additional transport-layer mechanisms > >>>>> that meet their security requirements. > >>>>> -------------------------------------------- > >>>>> > >>>>> Comments on this version? > >>>>> > >>>>> Barry > >>>>> > >>>> Text is neutral enough for me as it's not mandating anything that > >>>> isn't readily available. Only comment is whether or not there is a > >>>> need to even talk about the specific versions or if just the > >>>> following is > >>>> enough: > >>>> > >>>> The authorization server MUST implement TLS. Which version(s) ought > >>>> to be implemented will vary over time, and depend on the widespread > >>>> deployment and known security vulnerabilities at the time of > >>>> implementation. > >>>> > >>>> Servers MAY also implement additional transport-layer mechanisms > >>>> that meet their security requirements. > >>> That seems fine to me. > >> FWIW, I think I'd prefer Barry's as Rob's would be more likely to > >> generate discusses and we do know that there are some security > >> advantages to TLS 1.2 vs. 1.0. (BTW, has anyone considered how or if > >> the BEAST attack might affect oauth? Be good to know if someone's done > >> that analysis.) > >> > >> However, as AD, I could live with either, since lots of other specs > >> just say TLS. (But you need to point to the latest RFC as normative or > >> that will I bet generate discusses.) > > Agreed. > > > > Peter > > > > -- > > Peter Saint-Andre > > https://stpeter.im/ > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------050103020804080106070409 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Agreed -- I think that this text addresses the concerns of those who had them without getting in too deep to things that are, quite frankly, ancillary to OAuth. I still contend that the vast majority of implementors reading this will see that line and say "Oh, I need an https there instead of an http" and call it a day, but the proposed text doesn't *hurt* that case, so I'm relatively fine with it.

 -- Justin

On 12/11/2011 12:28 PM, William Mills wrote:
I think it's overkill, but I don't think it causes any problems.

From: Rob Richards <rrichards@cdatazone.org>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Barry Leiba <barryleiba@computer.org>; oauth WG <oauth@ietf.org>
Sent: Saturday, December 10, 2011 11:26 AM
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
I am fine with it

Rob

On 12/9/11 1:30 PM, Mike Jones wrote:
> It looks to me like there is consensus for Barry's text (below).  Agreed?
>
>                 -- Mike
>
> NEW
> --------------------------------------------
> The authorization server MUST implement TLS.  Which version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation.  At the time of this writing, TLS version 1.2 [RFC5246] is the most recent version, but has very limited actual deployment, and might not be readily available in implementation toolkits.  TLS version 1.0 [RFC2246] is the most widely deployed version, and will give the broadest interoperability.
>
> Servers MAY also implement additional transport-layer mechanisms that meet their security requirements.
> --------------------------------------------
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Peter Saint-Andre
> Sent: Thursday, December 01, 2011 12:59 PM
> To: Stephen Farrell
> Cc: Barry Leiba; oauth WG
> Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
>
> On 12/1/11 1:57 PM, Stephen Farrell wrote:
>>
>> On 12/01/2011 08:10 PM, Peter Saint-Andre wrote:
>>> On 12/1/11 1:09 PM, Rob Richards wrote:
>>>> On 11/28/11 10:39 PM, Barry Leiba wrote:
>>>>>> The OAuth base doc refers in two places to TLS versions (with the
>>>>>> same text in both places:
>>>>>>
>>>>>> OLD
>>>>>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
>>>>>> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
>>>>>> support additional transport-layer mechanisms meeting its security
>>>>>> requirements.
>>>>>>
>>>>>> In both the shepherd review and the AD review, this was called
>>>>>> into
>>>>>> question:
>>>>>> 1. MUST for an old version and SHOULD for the current version
>>>>>> seems wrong.
>>>>>> 2. Having specific versions required locks us into those versions
>>>>>> (for example, all implementations will have to support TLS 1.0,
>>>>>> even long after it becomes obsolete, unless we rev the spec.
>>>>> The comments I've gotten on this show a clear consensus against the
>>>>> change I suggest, and against any attempt to require a version of
>>>>> TLS other than 1.0.  I still, though, am concerned that locking
>>>>> this spec into TLS 1.0 is limiting.  So let me propose an
>>>>> alternative wording, which again tries to make the version(s)
>>>>> non-normative, while making it clear which version(s) need to be
>>>>> implemented to get
>>>>> interoperability:
>>>>>
>>>>> NEW
>>>>> --------------------------------------------
>>>>> The authorization server MUST implement TLS.  Which version(s)
>>>>> ought to be implemented will vary over time, and depend on the
>>>>> widespread deployment and known security vulnerabilities at the
>>>>> time of implementation.  At the time of this writing, TLS version
>>>>> 1.2 [RFC5246] is the most recent version, but has very limited
>>>>> actual deployment, and might not be readily available in
>>>>> implementation toolkits.  TLS version 1.0 [RFC2246] is the most
>>>>> widely deployed version, and will give the broadest
>>>>> interoperability.
>>>>>
>>>>> Servers MAY also implement additional transport-layer mechanisms
>>>>> that meet their security requirements.
>>>>> --------------------------------------------
>>>>>
>>>>> Comments on this version?
>>>>>
>>>>> Barry
>>>>>
>>>> Text is neutral enough for me as it's not mandating anything that
>>>> isn't readily available. Only comment is whether or not there is a
>>>> need to even talk about the specific versions or if just the
>>>> following is
>>>> enough:
>>>>
>>>> The authorization server MUST implement TLS. Which version(s) ought
>>>> to be implemented will vary over time, and depend on the widespread
>>>> deployment and known security vulnerabilities at the time of
>>>> implementation.
>>>>
>>>> Servers MAY also implement additional transport-layer mechanisms
>>>> that meet their security requirements.
>>> That seems fine to me.
>> FWIW, I think I'd prefer Barry's as Rob's would be more likely to
>> generate discusses and we do know that there are some security
>> advantages to TLS 1.2 vs. 1.0. (BTW, has anyone considered how or if
>> the BEAST attack might affect oauth? Be good to know if someone's done
>> that analysis.)
>>
>> However, as AD, I could live with either, since lots of other specs
>> just say TLS. (But you need to point to the latest RFC as normative or
>> that will I bet generate discusses.)
> Agreed.
>
> Peter
>
> --
> Peter Saint-Andre
> https://stpeter.im/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------050103020804080106070409-- From Michael.Jones@microsoft.com Mon Dec 12 08:51:16 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C767521F8B26 for ; Mon, 12 Dec 2011 08:51:16 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0 X-Spam-Level: X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7OpRkqjSctec for ; Mon, 12 Dec 2011 08:51:16 -0800 (PST) Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe004.messaging.microsoft.com [216.32.181.184]) by ietfa.amsl.com (Postfix) with ESMTP id 0C37C21F851A for ; Mon, 12 Dec 2011 08:51:15 -0800 (PST) Received: from mail181-ch1-R.bigfish.com (10.43.68.240) by CH1EHSOBE011.bigfish.com (10.43.70.61) with Microsoft SMTP Server id 14.1.225.23; Mon, 12 Dec 2011 16:51:12 +0000 Received: from mail181-ch1 (localhost [127.0.0.1]) by mail181-ch1-R.bigfish.com (Postfix) with ESMTP id 59DA342049D; Mon, 12 Dec 2011 16:51:12 +0000 (UTC) X-SpamScore: -41 X-BigFish: VS-41(zzbb2dI9371Ic89bh1be0L1447M1b0bM542Mc857hzz1202hzz8275ch1033IL8275bh8275dhz2fh793h2a8h668h839h34h) X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI X-FB-SS: 13, Received-SPF: pass (mail181-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC102.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail181-ch1 (localhost.localdomain [127.0.0.1]) by mail181-ch1 (MessageSwitch) id 1323708671137536_29811; Mon, 12 Dec 2011 16:51:11 +0000 (UTC) Received: from CH1EHSMHS014.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.244]) by mail181-ch1.bigfish.com (Postfix) with ESMTP id 161C640047; Mon, 12 Dec 2011 16:51:11 +0000 (UTC) Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS014.bigfish.com (10.43.70.14) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 12 Dec 2011 16:51:08 +0000 Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.220]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.02.0247.005; Mon, 12 Dec 2011 08:51:07 -0800 From: Mike Jones To: Mark Nottingham , Stephen Farrell , "oauth@ietf.org" Thread-Topic: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14 Thread-Index: Acy47iNp13oTBlqgSku13D4DVT123Q== Date: Mon, 12 Dec 2011 16:51:06 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435F75F103@TK5EX14MBXC283.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.37] Content-Type: multipart/mixed; boundary="_007_4E1F6AAD24975D4BA5B16804296739435F75F103TK5EX14MBXC283r_" MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Dec 2011 16:51:17 -0000 --_007_4E1F6AAD24975D4BA5B16804296739435F75F103TK5EX14MBXC283r_ Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435F75F103TK5EX14MBXC283r_" --_000_4E1F6AAD24975D4BA5B16804296739435F75F103TK5EX14MBXC283r_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 VGhhbmtzIGZvciB0aGUgZGV0YWlsZWQgcmV2aWV3LCBNYXJrLg0KDQoNCg0KUHJlbGltaW5hcnkg ZHJhZnQgMTUgb2YgdGhlIE9BdXRoIEJlYXJlciBzcGVjaWZpY2F0aW9uIGlzIGF0dGFjaGVkLiAg SXQgcmVzb2x2ZXMgdGhlIGZvcm0gZW5jb2RpbmcgaXNzdWVzIHJhaXNlZCBieSBKdWxpYW4gUmVz Y2hrZSBpbiB0aGUgbWFubmVyIGRpc2N1c3NlZCBhdCB0aGUgd29ya2luZyBncm91cCBtZWV0aW5n IGluIFRhaXBlaSwgaW5jb3Jwb3JhdGVzIHRoZSBjb25zZW5zdXMgdGV4dCBvbiBUTFMgdmVyc2lv biByZXF1aXJlbWVudHMsIGFuZCBjb250YWlucyBzZXZlcmFsIGltcHJvdmVtZW50cyBzdWdnZXN0 ZWQgYnkgTWFyayBOb3R0aW5naGFtIGR1cmluZyBBUFBTIGFyZWEgcmV2aWV3Lg0KDQoNCg0KTWFy aywgY29tbWVudHMgb24gYWxsIHlvdXIgcHJvcG9zZWQgY2hhbmdlcyBmb2xsb3cgYmVsb3c6DQoN Cg0KDQoqIFNlY3Rpb24gMi4zIFVSSSBRdWVyeSBQYXJhbWV0ZXINCg0KDQoNClRoaXMgc2VjdGlv biBlZmZlY3RpdmVseSByZXNlcnZlcyBhIFVSSSBxdWVyeSBwYXJhbWV0ZXIgZm9yIHRoZSBkcmFm dCdzIHVzZS4gVGhpcyBzaG91bGQgbm90IGJlIGRvbmUgbGlnaHRseSwgc2luY2UgdGhpcyB3b3Vs ZCBiZSBhIHByZWNlZGVudCBmb3IgdGhlIElFVEYgZW5jcm9hY2hpbmcgdXBvbiBhIHNlcnZlcidz IFVSSXMgKGRvbmUgcHJldmlvdXNseSBpbiBSRkM1Nzg1LCBidXQgaW4gYSBtdWNoIG1vcmUgbGlt aXRlZCBmYXNoaW9uLCBhcyBhIHRhY3RpYyB0byBwcmV2ZW50IGZ1cnRoZXIsIHVuY29udHJvbGxl ZCBlbmNyb2FjaG1lbnQpLg0KDQoNCg0KR2l2ZW4gdGhhdCB0aGUgZHJhZnQgYWxyZWFkeSBkaXNj b3VyYWdlcyB0aGUgdXNlIG9mIHRoaXMgbWVjaGFuaXNtLCBJJ2QgcmVjb21tZW5kIGRyb3BwaW5n IGl0IGFsdG9nZXRoZXIuIElmIHRoZSBXb3JraW5nIEdyb3VwIHdpc2hlcyBpdCB0byByZW1haW4s IHRoaXMgaXNzdWVzIHNob3VsZCBiZSB2ZXR0ZWQgYm90aCB0aHJvdWdoIHRoZSBBUFBTIGFyZWEg YW5kIHRoZSBXM0MgbGlhaXNvbi4NCg0KDQoNCihUaGUgc2FtZSBjcml0aWNpc20gY291bGQgYmUg bGV2ZWxlZCBhdCBTZWN0aW9uIDIuMiBGb3JtLUVuY29kZWQgQm9keSBQYXJhbWV0ZXIsIGJ1dCB0 aGF0IGF0IGxlYXN0IGlzbid0IHN1cmZhY2VkIGluIGFuIGlkZW50aWZpZXIpDQoNCg0KDQpUaGVy ZSBhcmUgc29tZSBjb250ZXh0cywgZXNwZWNpYWxseSBsaW1pdGVkIGJyb3dzZXJzIGFuZC9vciBk ZXZlbG9wbWVudCBlbnZpcm9ubWVudHMsIHdoZXJlIHF1ZXJ5IHBhcmFtZXRlcnMgYXJlIHVzYWJs ZSBidXQgdGhlIG90aGVyIG1ldGhvZHMgYXJlIG5vdC4gIFRodXMsIHRoZSBxdWVyeSBwYXJhbWV0 ZXIgbWV0aG9kIG11c3QgYmUgcmV0YWluZWQuICBBbHNvLCBKdXN0aW4gUmljaHRlcuKAmXMgY29t bWVudHMgZGVzY3JpYmluZyB0aGUgdmFsdWUgdG8gaGltIG9mIHRoZSBxdWVyeSBwYXJhbWV0ZXIg bWV0aG9kIGFyZSBwZXJ0aW5lbnQ6ICDigJxBIFVSTCB3aXRoIGFsbCBwYXJhbWV0ZXJzIGluY2x1 ZGluZyBhdXRob3JpemF0aW9uIGlzIGEgcG93ZXJmdWwgYXJ0aWZhY3Qgd2hpY2ggY2FuIGJlIHBh c3NlZCBhcm91bmQgYmV0d2VlbiBzeXN0ZW1zIGFzIGEgdW5pdOKAnS4NCg0KDQoNCkFzIHRvIHVz aW5nIGEgc3RhbmRhcmQgcGFyYW1ldGVyIG5hbWUsIHRoaXMgaXMgZXNzZW50aWFsIGZvciBpbnRl cm9wZXJhYmlsaXR5LiAgSXQgaXMgbm90IOKAnHJlc2VydmVk4oCdIGluIGFueSBjb250ZXh0cyBv dGhlciB0aGFuIHdoZW4gdGhlIEJlYXJlciBzcGVjIGlzIGVtcGxveWVkLCB3aGljaCBpcyBhIHZv bHVudGFyeSBhY3QgYnkgYm90aCBwYXJ0aWVzLiAgVGh1cywgdGhpcyBwb3NlcyBubyB1bmR1ZSBi dXJkZW5zIG9yIG5hbWVzcGFjZSByZXN0cmljdGlvbnMgb24gaW1wbGVtZW50YXRpb25zIGluIHBy YWN0aWNlLg0KDQoNCg0KRmluYWxseSwgeW914oCZbGwgZmluZCB0aGF0IE9BdXRoIDEuMCBbUkZD IDU4NDk8aHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvcmZjNTg0OT5dIHNpbWlsYXJseSBkZWZp bmVkLCBub3Qgb25lLCBidXQgdHdvIHN0YW5kYXJkIHF1ZXJ5IHBhcmFtZXRlciB2YWx1ZXM6ICBv YXV0aF90b2tlbiBhbmQgb2F1dGhfdmVyaWZpZXIuICBBcyB0aGlzIGRpZG7igJl0IGNhdXNlIGFu eSBwcm9ibGVtcyBpbiBwcmFjdGljZSB0aGVuLCBJ4oCZbSBzdXJlIHRoYXQgZGVmaW5pbmcgYW4g YWNjZXNzX3Rva2VuIHBhcmFtZXRlciB3aXRoaW4gdGhlIEJlYXJlciBzcGVjIGZvciBpbnRlcm9w ZXJhYmlsaXR5IHB1cnBvc2VzIHdvbuKAmXQgY2F1c2UgYSBwcm9ibGVtIGVpdGhlci4NCg0KDQoN CiogU2VjdGlvbiAzIFRoZSBXV1ctQXV0aGVudGljYXRlIFJlc3BvbnNlIEhlYWRlciBGaWVsZA0K DQoNCg0KVGhlIGRyYWZ0IHJlZmVyZW5jZXMgdGhlIHF1b3RlZC1zdHJpbmcgQUJORiBmcm9tIEhU VFAsIGJ1dCBjaGFuZ2VzIGl0cyBwcm9jZXNzaW5nIGluIGEgbGF0ZXIgcGFyYWdyYXBoOg0KDQoN Cg0KIiIiSW4gYWxsIHRoZXNlIGNhc2VzLCBubyBjaGFyYWN0ZXIgcXVvdGluZyB3aWxsIG9jY3Vy LCBhcyBzZW5kZXJzIGFyZSBwcm9oaWJpdGVkIGZyb20gdXNpbmcgdGhlICU1QyAoJ1wnKSBjaGFy YWN0ZXIuIiIiDQoNCg0KDQpUaGlzIGlzIGF0IGJlc3Qgc3VycHJpc2luZyAoYXMgbWFueSByZWFk ZXJzIHdpbGwgcmVhc29uYWJseSBzdXJtaXNlIHRoYXQgdXNpbmcgdGhlIHF1b3RlZC1zdHJpbmcg QUJORiBpbXBsaWVzIHRoYXQgdGhlIHNhbWUgY29kZSBjYW4gYmUgdXNlZCkuDQoNClBsZWFzZSBl aXRoZXIgdXNlIHF1b3RlZC1zdHJpbmcgYXMgZGVmaW5lZCAoaS5lLiwgd2l0aCBlc2NhcGluZyku DQoNCg0KDQpUaGlzIHBhcmFtZXRlciBkZWZpbml0aW9uIHdhcyBhIHJlc3VsdCBvZiBzaWduaWZp Y2FudCB3b3JraW5nIGdyb3VwIGRpc2N1c3Npb24gYW5kIHJlZmxlY3RzIGEgc29saWQgY29uc2Vu c3VzIHBvc2l0aW9uLiAgVXNpbmcgdGhlIHF1b3RlZCBzdHJpbmcgQk5GIG1ha2VzIGl0IGNsZWFy LCBwZXIgSnVsaWFuIFJlc2Noa2XigJlzIHN1Z2dlc3Rpb25zLCB0aGF0IGdlbmVyaWMgcGFyYW1l dGVyIHBhcnNpbmcgY29kZSBjYW4gYmUgc2FmZWx5IHVzZWQuICBXaGVyZWFzIHByb2hpYml0aW5n IHRoZSB1c2Ugb2YgYmFja3NsYXNoIHF1b3RpbmcgYnkgc2VuZGVycyBhbHNvIG1ha2VzIGl0IGNs ZWFyIHRoYXQgY3VzdG9tIGltcGxlbWVudGF0aW9ucyBjYW4gZGlyZWN0bHkgdXRpbGl6ZSB0aGUg cGFyYW1ldGVyIHZhbHVlcyBhcyB0cmFuc21pdHRlZCB3aXRob3V0IHBlcmZvcm1pbmcgYW55IHF1 b3RlIHByb2Nlc3NpbmcuDQoNCg0KDQpJbiBzaG9ydCwgdGhlIHNwZWMgZG9lc27igJl0IGNoYW5n ZSB0aGUgcHJvY2Vzc2luZyBvZiBxdW90ZWQgc3RyaW5ncy4gIEl0IHNpbXBseSByZXN0cmljdHMg dGhlIHNldCBvZiBsZWdhbCBpbnB1dCBjaGFyYWN0ZXJzIHdpdGhpbiB0aGUgcXVvdGVkIHN0cmlu Z3MuDQoNCg0KDQoqIFNlY3Rpb24gMTogSW50cm9kdWN0aW9uDQoNCg0KDQpUaGUgaW50cm9kdWN0 aW9uIGV4cGxhaW5zIG9hdXRoLCBidXQgaXQgZG9lc24ndCBmdWxseSBleHBsYWluIHRoZSByZWxh dGlvbnNoaXAgb2YgdGhpcyBzcGVjaWZpY2F0aW9uIHRvIE9BdXRoIDIuMC4gRS5nLiwgY2FuIGl0 IGJlIHVzZWQgaW5kZXBlbmRlbnRseSBmcm9tIHRoZSByZXN0IG9mIE9BdXRoPyBMaWtld2lzZSwg dGhlIG92ZXJ2aWV3IChzZWN0aW9uDQoNCjEuMykgc2VlbXMgbW9yZSBzcGVjaWZpYyB0byB0aGUg T0F1dGggc3BlY2lmaWNhdGlvbiB0aGFuIHRoaXMgZG9jdW1lbnQuDQoNCkFzIEkgcmVhZCBpdCwg dGhpcyBtZWNoYW5pc20gY291bGQgYmUgdXNlZCBmb3IgQU5ZIGJlYXJlciB0b2tlbiwgbm90IGp1 c3Qgb25lIGdlbmVyYXRlZCB0aHJvdWdoIE9BdXRoIGZsb3dzLg0KDQoNCg0KSWYgaXQgaXMgaW5k ZWVkIG1vcmUgZ2VuZXJhbCwgSSdkIHJlY29tbWVuZCBtaW5pbWlzaW5nIHRoZSBkaXNjdXNzaW9u IG9mIE9BdXRoLCBwZXJoYXBzIGV2ZW4gcmVtb3ZpbmcgaXQgZnJvbSB0aGUgZG9jdW1lbnQgdGl0 bGUuDQoNCg0KDQpQZXIgeW91ciBzdWdnZXN0aW9uLCBJ4oCZdmUgbWFkZSBpdCBjbGVhciBpbiB0 aGUgaW50cm9kdWN0aW9uIHRoYXQgYmVhcmVyIHRva2VucyBmcm9tIGFueSBzb3VyY2UgY2FuIGJl IHVzZWQgdG8gYWNjZXNzIGFzc29jaWF0ZWQgcHJvdGVjdGVkIHJlc291cmNlcy4gIFRoZSBuZXcg bGFuZ3VhZ2UgaW4gdGhlIGludHJvZHVjdGlvbiBpczoNCg0KDQoNCuKAnFRoaXMgc3BlY2lmaWNh dGlvbiBkZWZpbmVzIHRoZSB1c2Ugb2YgYmVhcmVyIHRva2VucyBvdmVyIEhUVFAvMS4xIFtJ4oCR RC5pZXRm4oCRaHR0cGJpc+KAkXAx4oCRbWVzc2FnaW5nXSB1c2luZyBUTFMgW1JGQzUyNDZdIHRv IGFjY2VzcyBwcm90ZWN0ZWQgcmVzb3VyY2VzLiDigKYgV2hpbGUgZGVzaWduZWQgZm9yIHVzZSB3 aXRoIGFjY2VzcyB0b2tlbnMgcmVzdWx0aW5nIGZyb20gT0F1dGggMi4wIEF1dGhvcml6YXRpb24g W0nigJFELmlldGbigJFvYXV0aOKAkXYyXSBmbG93cyB0byBhY2Nlc3MgT0F1dGggcHJvdGVjdGVk IHJlc291cmNlcywgdGhpcyBzcGVjaWZpY2F0aW9uIGFjdHVhbGx5IGRlZmluZXMgYSBnZW5lcmFs IEhUVFAgYXV0aG9yaXphdGlvbiBtZXRob2QgdGhhdCBjYW4gYmUgdXNlZCB3aXRoIGJlYXJlciB0 b2tlbnMgZnJvbSBhbnkgc291cmNlIHRvIGFjY2VzcyBhbnkgcmVzb3VyY2VzIHByb3RlY3RlZCBi eSB0aG9zZSBiZWFyZXIgdG9rZW5zLuKAnQ0KDQoNCg0KKiBTZWN0aW9uIDMgVGhlIFdXVy1BdXRo ZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVyIEZpZWxkDQoNCg0KDQpUaGUgZGlmZmVyZW5jZSBiZXR3 ZWVuIGEgcmVhbG0gYW5kIGEgc2NvcGUgaXMgbm90IGV4cGxhaW5lZC4gQXJlIHRoZSBmdW5jdGlv bmFsbHkgZXF1aXZhbGVudCwganVzdCBhIHNpbmdsZSB2YWx1ZSB2cy4gYSBsaXN0Pw0KDQoNCg0K UmVhbG0gaXMgYXMgZGVmaW5lZCBieSBIVFRQYmlzLiAgSXQgc2F5cyB0aGF0IOKAnFRoZSByZWFs bSB2YWx1ZSBpcyBhIHN0cmluZywgZ2VuZXJhbGx5IGFzc2lnbmVkIGJ5IHRoZSBvcmlnaW4gc2Vy dmVyLCB3aGljaCBjYW4gaGF2ZSBhZGRpdGlvbmFsIHNlbWFudGljcyBzcGVjaWZpYyB0byB0aGUg YXV0aGVudGljYXRpb24gc2NoZW1lLuKAnSAgVGhlIEJlYXJlciBzcGVjaWZpY2F0aW9uIGludGVu dGlvbmFsbHkgYWRkcyBubyBleHRyYSBzZW1hbnRpY3MgdG8gdGhlIHJlYWxtIGRlZmluaXRpb24u ICBXaGVyZWFzIHRoZSBzY29wZSBwYXJhbWV0ZXIgaXMgZGVmaW5lZCBhcyBhbiBvcmRlci1pbmRl cGVuZGVudCBzcGFjZS1zZXBhcmF0ZWQgbGlzdCBvZiBzY29wZSB2YWx1ZXMuICBUaGUgY29udGV4 dHVhbCBtZWFuaW5nIG9mIGJvdGggdGhlIHJlYWxtIGFuZCBzY29wZSBwYXJhbWV0ZXJzIGlzIGRl cGxveW1lbnQtZGVwZW5kZW50Lg0KDQoNCg0KRG8geW91IHJlYWxseSBpbnRlbmQgdG8gZGlzYWxs b3cgKmFsbCogZXh0ZW5zaW9uIHBhcmFtZXRlcnMgb24gdGhlIGNoYWxsZW5nZT8NCg0KDQoNClll cy4gIFRoZXJlIHdhcyBhbiBleHBsaWNpdCB3b3JraW5nIGdyb3VwIGNvbnNlbnN1cyBkZWNpc2lv biB0byBkbyBzby4NCg0KDQoNCkFsc28sIHRoZSBzY29wZSwgZXJyb3IsIGVycm9yX2Rlc2NyaXB0 aW9uIGFuZCBlcnJvcl91cmkgcGFyYW1ldGVycyBhbGwgc3BlY2lmeSBvbmx5IGEgcXVvdGVkLXN0 cmluZyBzZXJpYWxpc2F0aW9uLiBIVFRQYmlzIHN0cm9uZ2x5IHN1Z2dlc3RzIHRoYXQgbmV3IHNj aGVtZXMgYWxsb3cgYm90aCBmb3JtcywgYmVjYXVzZSBpbXBsZW1lbnRhdGlvbiBleHBlcmllbmNl IGhhcyBzaG93biB0aGF0IGltcGxlbWVudGF0aW9ucyB3aWxsIGxpa2VseSBzdXBwb3J0IGJvdGgs IG5vIG1hdHRlciBob3cgZGVmaW5lZDsgdGhpcyBpbXByb3ZlcyBpbnRlcm9wZXJhYmlsaXR5IChz ZWUgcDcgMi4zLjEpLg0KDQoNCg0KT25jZSBhZ2FpbiwgdGhlIGN1cnJlbnQgdGV4dCByZWZsZWN0 cyBhIGNvbnNlbnN1cyBkZWNpc2lvbiBvZiB0aGUgd29ya2luZyBncm91cC4gIEl0IHdhcyB2aWV3 ZWQgdGhhdCByZXF1aXJpbmcgc3VwcG9ydCBmb3IgbXVsdGlwbGUgd2F5cyBvZiBkb2luZyB0aGUg c2FtZSB0aGluZyB1bm5lY2Vzc2FyaWx5IGNvbXBsaWNhdGVkIGltcGxlbWVudGF0aW9ucyB3aXRo b3V0IGFueSBjb21wZW5zYXRpbmcgYmVuZWZpdDsgYmV0dGVyIHRvIHN1cHBvcnQgb25lIHN5bnRh eCBmb3IgZWFjaCBzZW1hbnRpYyBvcGVyYXRpb24gYW5kIHJlcXVpcmUgYWxsIGltcGxlbWVudGF0 aW9ucyB0byB1c2UgaXQuDQoNCg0KDQpGaW5hbGx5LCB0aGUgZXJyb3JfZGVzY3JpcHRpb24gcGFy YW1ldGVyIGNhbiBjYXJyeSBvbmx5IEFTQ0lJIGNoYXJhY3RlcnMuIFdoaWxlIEkgdW5kZXJzdGFu ZCBhIHRyYWRlb2ZmIGhhcyBiZWVuIG1hZGUgaGVyZSAoYW5kLCBpbiBteSBqdWRnZW1lbnQsIGFu IGFwcHJvcHJpYXRlIG9uZSksIGl0J3MgYXBwcm9wcmlhdGUgdG8gaGlnaGxpZ2h0IHRoaXMgaW4g cmV2aWV3Lg0KDQoNCg0KTm90ZWQNCg0KDQoNCiogR2VuZXJhbA0KDQoNCg0KVGhlIGRyYWZ0IGN1 cnJlbnRseSBkb2Vzbid0IG1lbnRpb24gd2hldGhlciBCZWFyZXIgaXMgc3VpdGFibGUgZm9yIHVz ZSBhcyBhIHByb3h5IGF1dGhlbnRpY2F0aW9uIHNjaGVtZS4gSSBzdXNwZWN0IGl0ICptYXkqOyBp dCB3b3VsZCBiZSB3b3J0aCBkaXNjdXNzaW5nIHRoaXMgd2l0aCBzb21lIHByb3h5IGltcGxlbWVu dGVycyB0byBnYXVnZSB0aGVpciBpbnRlcmVzdCAoZS5nLiwgU3F1aWQpLg0KDQoNCg0KV2hvIHdv dWxkIHlvdSByZWNvbW1lbmQgcmV2aWV3IHRoZSBkcmFmdCBmcm9tIHRoaXMgcGVyc3BlY3RpdmU/ DQoNCg0KDQpGaW5hbGx5LCBNYXJrLCBJIGFwcGxpZWQgYWxsIHRoZSBlZGl0b3JpYWwgc3VnZ2Vz dGlvbnMgeW91IG1hZGUuICBUaGFua3MgZm9yIHRob3NlLg0KDQoNCg0KTWFyaywgU3RlcGhlbiwg YW5kIGNoYWlycywgcGxlYXNlIGxldCBtZSBrbm93IHdoZXRoZXIgdG8gbm93IHBvc3QgdGhpcyBk cmFmdCBhcyBhbiBhY3R1YWwgc3VibWlzc2lvbi4NCg0KDQoNCiAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFRoYW5rcyBhbGwsDQoNCiAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg IC0tIE1pa2UNCg0KDQoNCi0tLS0tT3JpZ2luYWwgTWVzc2FnZS0tLS0tDQpGcm9tOiBvYXV0aC1i b3VuY2VzQGlldGYub3JnIFttYWlsdG86b2F1dGgtYm91bmNlc0BpZXRmLm9yZ10gT24gQmVoYWxm IE9mIFRzY2hvZmVuaWcsIEhhbm5lcyAoTlNOIC0gRkkvRXNwb28pDQpTZW50OiBXZWRuZXNkYXks IE5vdmVtYmVyIDIzLCAyMDExIDExOjUxIFBNDQpUbzogb2F1dGhAaWV0Zi5vcmcNClN1YmplY3Q6 IFtPQVVUSC1XR10gRlc6IFthcHBzLWRpc2N1c3NdIEFQUFMgQXJlYSByZXZpZXcgb2YgZHJhZnQt aWV0Zi1vYXV0aC12Mi1iZWFyZXItMTQNCg0KDQoNCkZZSQ0KDQoNCg0KLS0tLS1PcmlnaW5hbCBN ZXNzYWdlLS0tLS0NCg0KRnJvbTogYXBwcy1kaXNjdXNzLWJvdW5jZXNAaWV0Zi5vcmc8bWFpbHRv OmFwcHMtZGlzY3Vzcy1ib3VuY2VzQGlldGYub3JnPg0KDQpbbWFpbHRvOmFwcHMtZGlzY3Vzcy1i b3VuY2VzQGlldGYub3JnXTxtYWlsdG86W21haWx0bzphcHBzLWRpc2N1c3MtYm91bmNlc0BpZXRm Lm9yZ10+IE9uIEJlaGFsZiBPZiBleHQgTWFyayBOb3R0aW5naGFtDQoNClNlbnQ6IFRodXJzZGF5 LCBOb3ZlbWJlciAyNCwgMjAxMSA4OjIyIEFNDQoNClRvOiBJRVRGIEFwcHMgRGlzY3VzczsgZHJh ZnQtaWV0Zi1vYXV0aC12Mi1iZWFyZXIuYWxsQGlldGYub3JnPG1haWx0bzpkcmFmdC1pZXRmLW9h dXRoLXYyLWJlYXJlci5hbGxAaWV0Zi5vcmc+DQoNCkNjOiBUaGUgSUVTRw0KDQpTdWJqZWN0OiBb YXBwcy1kaXNjdXNzXSBBUFBTIEFyZWEgcmV2aWV3IG9mDQoNCmRyYWZ0LWlldGYtb2F1dGgtdjIt YmVhcmVyLTE0DQoNCg0KDQpJIGhhdmUgYmVlbiBzZWxlY3RlZCBhcyB0aGUgQXBwbGljYXRpb25z IEFyZWEgUmV2aWV3IFRlYW0gcmV2aWV3ZXIgZm9yIHRoaXMgZHJhZnQgKGZvciBiYWNrZ3JvdW5k IG9uIGFwcHMtcmV2aWV3LCBwbGVhc2Ugc2VlIDxodHRwOi8vd3d3LmFwcHMuaWV0Zi5vcmcvY29u dGVudC9hcHBsaWNhdGlvbnMtYXJlYS1yZXZpZXctdGVhbT4pLg0KDQoNCg0KUGxlYXNlIHJlc29s dmUgdGhlc2UgY29tbWVudHMgYWxvbmcgd2l0aCBhbnkgb3RoZXIgTGFzdCBDYWxsIGNvbW1lbnRz IHlvdSBtYXkgcmVjZWl2ZS4gUGxlYXNlIHdhaXQgZm9yIGRpcmVjdGlvbiBmcm9tIHlvdXIgZG9j dW1lbnQgc2hlcGhlcmQgb3IgQUQgYmVmb3JlIHBvc3RpbmcgYSBuZXcgdmVyc2lvbiBvZiB0aGUg ZHJhZnQuDQoNCg0KDQpEb2N1bWVudDogZHJhZnQtaWV0Zi1vYXV0aC12Mi1iZWFyZXItMTQNCg0K VGl0bGU6IE9BdXRoIDIuMCBCZWFyZXIgVG9rZW5zDQoNClJldmlld2VyOiBNYXJrIE5vdHRpbmdo YW0NCg0KUmV2aWV3IERhdGU6IDI0LzExLzIwMTENCg0KDQoNClN1bW1hcnk6IFRoaXMgZHJhZnQg aXMgYWxtb3N0IHJlYWR5IGZvciBwdWJsaWNhdGlvbiBhcyBhIFByb3Bvc2VkIFN0YW5kYXJkLCBi dXQgaGFzIGEgZmV3IGlzc3VlcyB0aGF0IHNob3VsZCBiZSBmaXhlZC4NCg0KDQoNCk1ham9yIElz c3Vlcw0KDQotLS0tLS0tLS0tLS0NCg0KDQoNCiogU2VjdGlvbiAyLjMgVVJJIFF1ZXJ5IFBhcmFt ZXRlcg0KDQoNCg0KVGhpcyBzZWN0aW9uIGVmZmVjdGl2ZWx5IHJlc2VydmVzIGEgVVJJIHF1ZXJ5 IHBhcmFtZXRlciBmb3IgdGhlIGRyYWZ0J3MgdXNlLiBUaGlzIHNob3VsZCBub3QgYmUgZG9uZSBs aWdodGx5LCBzaW5jZSB0aGlzIHdvdWxkIGJlIGEgcHJlY2VkZW50IGZvciB0aGUgSUVURiBlbmNy b2FjaGluZyB1cG9uIGEgc2VydmVyJ3MgVVJJcyAoZG9uZSBwcmV2aW91c2x5IGluIFJGQzU3ODUs IGJ1dCBpbiBhIG11Y2ggbW9yZSBsaW1pdGVkIGZhc2hpb24sIGFzIGEgdGFjdGljIHRvIHByZXZl bnQgZnVydGhlciwgdW5jb250cm9sbGVkIGVuY3JvYWNobWVudCkuDQoNCg0KDQpHaXZlbiB0aGF0 IHRoZSBkcmFmdCBhbHJlYWR5IGRpc2NvdXJhZ2VzIHRoZSB1c2Ugb2YgdGhpcyBtZWNoYW5pc20s IEknZCByZWNvbW1lbmQgZHJvcHBpbmcgaXQgYWx0b2dldGhlci4gSWYgdGhlIFdvcmtpbmcgR3Jv dXAgd2lzaGVzIGl0IHRvIHJlbWFpbiwgdGhpcyBpc3N1ZXMgc2hvdWxkIGJlIHZldHRlZCBib3Ro IHRocm91Z2ggdGhlIEFQUFMgYXJlYSBhbmQgdGhlIFczQyBsaWFpc29uLg0KDQoNCg0KKFRoZSBz YW1lIGNyaXRpY2lzbSBjb3VsZCBiZSBsZXZlbGVkIGF0IFNlY3Rpb24gMi4yIEZvcm0tRW5jb2Rl ZCBCb2R5IFBhcmFtZXRlciwgYnV0IHRoYXQgYXQgbGVhc3QgaXNuJ3Qgc3VyZmFjZWQgaW4gYW4g aWRlbnRpZmllcikNCg0KDQoNCiogU2VjdGlvbiAzIFRoZSBXV1ctQXV0aGVudGljYXRlIFJlc3Bv bnNlIEhlYWRlciBGaWVsZA0KDQoNCg0KVGhlIGRyYWZ0IHJlZmVyZW5jZXMgdGhlIHF1b3RlZC1z dHJpbmcgQUJORiBmcm9tIEhUVFAsIGJ1dCBjaGFuZ2VzIGl0cyBwcm9jZXNzaW5nIGluIGEgbGF0 ZXIgcGFyYWdyYXBoOg0KDQoNCg0KIiIiSW4gYWxsIHRoZXNlIGNhc2VzLCBubyBjaGFyYWN0ZXIg cXVvdGluZyB3aWxsIG9jY3VyLCBhcyBzZW5kZXJzIGFyZSBwcm9oaWJpdGVkIGZyb20gdXNpbmcg dGhlICU1QyAoJ1wnKSBjaGFyYWN0ZXIuIiIiDQoNCg0KDQpUaGlzIGlzIGF0IGJlc3Qgc3VycHJp c2luZyAoYXMgbWFueSByZWFkZXJzIHdpbGwgcmVhc29uYWJseSBzdXJtaXNlIHRoYXQgdXNpbmcg dGhlIHF1b3RlZC1zdHJpbmcgQUJORiBpbXBsaWVzIHRoYXQgdGhlIHNhbWUgY29kZSBjYW4gYmUg dXNlZCkuDQoNClBsZWFzZSBlaXRoZXIgdXNlIHF1b3RlZC1zdHJpbmcgYXMgZGVmaW5lZCAoaS5l Liwgd2l0aCBlc2NhcGluZykuDQoNCg0KDQoNCg0KTWlub3IgSXNzdWVzDQoNCi0tLS0tLS0tLS0t LQ0KDQoNCg0KKiBTZWN0aW9uIDE6IEludHJvZHVjdGlvbg0KDQoNCg0KVGhlIGludHJvZHVjdGlv biBleHBsYWlucyBvYXV0aCwgYnV0IGl0IGRvZXNuJ3QgZnVsbHkgZXhwbGFpbiB0aGUgcmVsYXRp b25zaGlwIG9mIHRoaXMgc3BlY2lmaWNhdGlvbiB0byBPQXV0aCAyLjAuIEUuZy4sIGNhbiBpdCBi ZSB1c2VkIGluZGVwZW5kZW50bHkgZnJvbSB0aGUgcmVzdCBvZiBPQXV0aD8gTGlrZXdpc2UsIHRo ZSBvdmVydmlldyAoc2VjdGlvbg0KDQoxLjMpIHNlZW1zIG1vcmUgc3BlY2lmaWMgdG8gdGhlIE9B dXRoIHNwZWNpZmljYXRpb24gdGhhbiB0aGlzIGRvY3VtZW50Lg0KDQpBcyBJIHJlYWQgaXQsIHRo aXMgbWVjaGFuaXNtIGNvdWxkIGJlIHVzZWQgZm9yIEFOWSBiZWFyZXIgdG9rZW4sIG5vdCBqdXN0 IG9uZSBnZW5lcmF0ZWQgdGhyb3VnaCBPQXV0aCBmbG93cy4NCg0KDQoNCklmIGl0IGlzIGluZGVl ZCBtb3JlIGdlbmVyYWwsIEknZCByZWNvbW1lbmQgbWluaW1pc2luZyB0aGUgZGlzY3Vzc2lvbiBv ZiBPQXV0aCwgcGVyaGFwcyBldmVuIHJlbW92aW5nIGl0IGZyb20gdGhlIGRvY3VtZW50IHRpdGxl Lg0KDQoNCg0KKiBTZWN0aW9uIDMgVGhlIFdXVy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVy IEZpZWxkDQoNCg0KDQpUaGUgZGlmZmVyZW5jZSBiZXR3ZWVuIGEgcmVhbG0gYW5kIGEgc2NvcGUg aXMgbm90IGV4cGxhaW5lZC4gQXJlIHRoZSBmdW5jdGlvbmFsbHkgZXF1aXZhbGVudCwganVzdCBh IHNpbmdsZSB2YWx1ZSB2cy4gYSBsaXN0Pw0KDQoNCg0KRG8geW91IHJlYWxseSBpbnRlbmQgdG8g ZGlzYWxsb3cgKmFsbCogZXh0ZW5zaW9uIHBhcmFtZXRlcnMgb24gdGhlIGNoYWxsZW5nZT8NCg0K DQoNCkFsc28sIHRoZSBzY29wZSwgZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uIGFuZCBlcnJvcl91 cmkgcGFyYW1ldGVycyBhbGwgc3BlY2lmeSBvbmx5IGEgcXVvdGVkLXN0cmluZyBzZXJpYWxpc2F0 aW9uLiBIVFRQYmlzIHN0cm9uZ2x5IHN1Z2dlc3RzIHRoYXQgbmV3IHNjaGVtZXMgYWxsb3cgYm90 aCBmb3JtcywgYmVjYXVzZSBpbXBsZW1lbnRhdGlvbiBleHBlcmllbmNlIGhhcyBzaG93biB0aGF0 IGltcGxlbWVudGF0aW9ucyB3aWxsIGxpa2VseSBzdXBwb3J0IGJvdGgsIG5vIG1hdHRlciBob3cg ZGVmaW5lZDsgdGhpcyBpbXByb3ZlcyBpbnRlcm9wZXJhYmlsaXR5IChzZWUgcDcgMi4zLjEpLg0K DQoNCg0KRmluYWxseSwgdGhlIGVycm9yX2Rlc2NyaXB0aW9uIHBhcmFtZXRlciBjYW4gY2Fycnkg b25seSBBU0NJSSBjaGFyYWN0ZXJzLiBXaGlsZSBJIHVuZGVyc3RhbmQgYSB0cmFkZW9mZiBoYXMg YmVlbiBtYWRlIGhlcmUgKGFuZCwgaW4gbXkganVkZ2VtZW50LCBhbiBhcHByb3ByaWF0ZSBvbmUp LCBpdCdzIGFwcHJvcHJpYXRlIHRvIGhpZ2hsaWdodCB0aGlzIGluIHJldmlldy4NCg0KDQoNCiog R2VuZXJhbA0KDQoNCg0KVGhlIGRyYWZ0IGN1cnJlbnRseSBkb2Vzbid0IG1lbnRpb24gd2hldGhl ciBCZWFyZXIgaXMgc3VpdGFibGUgZm9yIHVzZSBhcyBhIHByb3h5IGF1dGhlbnRpY2F0aW9uIHNj aGVtZS4gSSBzdXNwZWN0IGl0ICptYXkqOyBpdCB3b3VsZCBiZSB3b3J0aCBkaXNjdXNzaW5nIHRo aXMgd2l0aCBzb21lIHByb3h5IGltcGxlbWVudGVycyB0byBnYXVnZSB0aGVpciBpbnRlcmVzdCAo ZS5nLiwgU3F1aWQpLg0KDQoNCg0KDQoNCk5pdHMNCg0KLS0tLQ0KDQoNCg0KKiBTZWN0aW9uIDIu MSBBdXRob3JpemF0aW9uIFJlcXVlc3QgSGVhZGVyIEZpZWxkDQoNCg0KDQoic2ltcGxpY2l0eSBy ZWFzb25zIiAtLT4gInNpbXBsaWNpdHkiDQoNCg0KDQoiSWYgYWRkaXRpb25hbCBwYXJhbWV0ZXJz IGFyZSBkZXNpcmVkIGluIHRoZSBmdXR1cmUsIGEgZGlmZmVyZW50IHNjaGVtZSBjb3VsZCBiZSBk ZWZpbmVkLiIgLS0+ICJJZiBhZGRpdGlvbmFsIHBhcmFtZXRlcnMgYXJlIG5lZWRlZCBpbiB0aGUg ZnV0dXJlLCBhIGRpZmZlcmVudCBzY2hlbWUgd291bGQgbmVlZCB0byBiZSBkZWZpbmVkLiINCg0K DQoNCiogU2VjdGlvbiAzIFRoZSBXV1ctQXV0aGVudGljYXRlIFJlc3BvbnNlIEhlYWRlciBGaWVs ZA0KDQoNCg0KVGhlIHJlcXVpcmVtZW50IHRoYXQgYSByZXNvdXJjZSBzZXJ2ZXIgTVVTVCBpbmNs dWRlIHRoZSBIVFRQIFdXVy1BdXRoZW50aWNhdGUgcmVzcG9uc2UgaGVhZGVyIGZpZWxkIGlzIG9k ZDsgcmVhbGx5IHRoaXMgaXMgYXQgdGhlIGRpc2NyZXRpb24gb2YgdGhlIHNlcnZlci4gSXMgaXQg cmVhbGx5IG5lY2Vzc2FyeSB0byB1c2UgYSBjb25mb3JtYW5jZSByZXF1aXJlbWVudCBoZXJlPw0K DQoNCg0KVVJJLXJlZmVyZW5jZSAtLT4gVVJJLVJlZmVyZW5jZQ0KDQoNCg0KKiBTZWN0aW9uIDMu MSBFcnJvciBDb2Rlcw0KDQoNCg0KNDA1IGJlbG9uZ3MgaW4gdGhlIGxpc3Qgb2YgdHlwaWNhbGx5 IGFwcHJvcHJpYXRlIHN0YXR1cyBjb2RlcyBhcyB3ZWxsLg0KDQoNCg0KDQoNCktpbmQgcmVnYXJk cywNCg0KDQoNCi0tDQoNCk1hcmsgTm90dGluZ2hhbSAgIGh0dHA6Ly93d3cubW5vdC5uZXQvDQoN Cg0KDQoNCg0KDQoNCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fDQoNCmFwcHMtZGlzY3VzcyBtYWlsaW5nIGxpc3QNCg0KYXBwcy1kaXNjdXNzQGlldGYub3Jn PG1haWx0bzphcHBzLWRpc2N1c3NAaWV0Zi5vcmc+DQoNCmh0dHBzOi8vd3d3LmlldGYub3JnL21h aWxtYW4vbGlzdGluZm8vYXBwcy1kaXNjdXNzDQoNCl9fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fDQoNCk9BdXRoIG1haWxpbmcgbGlzdA0KDQpPQXV0aEBpZXRm Lm9yZzxtYWlsdG86T0F1dGhAaWV0Zi5vcmc+DQoNCmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxt YW4vbGlzdGluZm8vb2F1dGgNCg0KDQo= --_000_4E1F6AAD24975D4BA5B16804296739435F75F103TK5EX14MBXC283r_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 Ik1TIEdvdGhpYyI7DQoJcGFub3NlLTE6MiAxMSA2IDkgNyAyIDUgOCAyIDQ7fQ0KQGZvbnQtZmFj ZQ0KCXtmb250LWZhbWlseToiTVMgR290aGljIjsNCglwYW5vc2UtMToyIDExIDYgOSA3IDIgNSA4 IDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAx NSA1IDIgMiAyIDQgMyAyIDQ7fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWlseTpUYWhvbWE7DQoJ cGFub3NlLTE6MiAxMSA2IDQgMyA1IDQgNCAyIDQ7fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWls eToiXEBNUyBHb3RoaWMiOw0KCXBhbm9zZS0xOjIgMTEgNiA5IDcgMiA1IDggMiA0O30NCi8qIFN0 eWxlIERlZmluaXRpb25zICovDQpwLk1zb05vcm1hbCwgbGkuTXNvTm9ybWFsLCBkaXYuTXNvTm9y bWFsDQoJe21hcmdpbjowaW47DQoJbWFyZ2luLWJvdHRvbTouMDAwMXB0Ow0KCWZvbnQtc2l6ZTox MS4wcHQ7DQoJZm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjt9DQphOmxpbmssIHNw YW4uTXNvSHlwZXJsaW5rDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjpibHVlOw0K CXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KYTp2aXNpdGVkLCBzcGFuLk1zb0h5cGVybGlu a0ZvbGxvd2VkDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjpwdXJwbGU7DQoJdGV4 dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQpwLk1zb1BsYWluVGV4dCwgbGkuTXNvUGxhaW5UZXh0 LCBkaXYuTXNvUGxhaW5UZXh0DQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUt bGluazoiUGxhaW4gVGV4dCBDaGFyIjsNCgltYXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAw MDFwdDsNCglmb250LXNpemU6MTEuMHB0Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1z ZXJpZiI7fQ0KcHJlDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGluazoi SFRNTCBQcmVmb3JtYXR0ZWQgQ2hhciI7DQoJbWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4w MDAxcHQ7DQoJZm9udC1zaXplOjEwLjBwdDsNCglmb250LWZhbWlseToiQ291cmllciBOZXciO30N CnAuTXNvQWNldGF0ZSwgbGkuTXNvQWNldGF0ZSwgZGl2Lk1zb0FjZXRhdGUNCgl7bXNvLXN0eWxl LXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJCYWxsb29uIFRleHQgQ2hhciI7DQoJbWFy Z2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9udC1zaXplOjguMHB0Ow0KCWZv bnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIjt9DQpzcGFuLkhUTUxQcmVmb3JtYXR0ZWRD aGFyDQoJe21zby1zdHlsZS1uYW1lOiJIVE1MIFByZWZvcm1hdHRlZCBDaGFyIjsNCgltc28tc3R5 bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6IkhUTUwgUHJlZm9ybWF0dGVkIjsNCglm b250LWZhbWlseToiQ291cmllciBOZXciO30NCnNwYW4uUGxhaW5UZXh0Q2hhcg0KCXttc28tc3R5 bGUtbmFtZToiUGxhaW4gVGV4dCBDaGFyIjsNCgltc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNv LXN0eWxlLWxpbms6IlBsYWluIFRleHQiOw0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1z ZXJpZiI7fQ0Kc3Bhbi5CYWxsb29uVGV4dENoYXINCgl7bXNvLXN0eWxlLW5hbWU6IkJhbGxvb24g VGV4dCBDaGFyIjsNCgltc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6IkJh bGxvb24gVGV4dCI7DQoJZm9udC1mYW1pbHk6IlRhaG9tYSIsInNhbnMtc2VyaWYiO30NCnNwYW4u RW1haWxTdHlsZTIzDQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsLWNvbXBvc2U7fQ0KLk1zb0No cERlZmF1bHQNCgl7bXNvLXN0eWxlLXR5cGU6ZXhwb3J0LW9ubHk7DQoJZm9udC1zaXplOjEwLjBw dDt9DQpAcGFnZSBXb3JkU2VjdGlvbjENCgl7c2l6ZTo4LjVpbiAxMS4waW47DQoJbWFyZ2luOjEu MGluIDEuMGluIDEuMGluIDEuMGluO30NCmRpdi5Xb3JkU2VjdGlvbjENCgl7cGFnZTpXb3JkU2Vj dGlvbjE7fQ0KLS0+PC9zdHlsZT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlZGVm YXVsdHMgdjpleHQ9ImVkaXQiIHNwaWRtYXg9IjEwMjYiIC8+DQo8L3htbD48IVtlbmRpZl0tLT48 IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlbGF5b3V0IHY6ZXh0PSJlZGl0Ij4NCjxv OmlkbWFwIHY6ZXh0PSJlZGl0IiBkYXRhPSIxIiAvPg0KPC9vOnNoYXBlbGF5b3V0PjwveG1sPjwh W2VuZGlmXS0tPg0KPC9oZWFkPg0KPGJvZHkgbGFuZz0iRU4tVVMiIGxpbms9ImJsdWUiIHZsaW5r PSJwdXJwbGUiPg0KPGRpdiBjbGFzcz0iV29yZFNlY3Rpb24xIj4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPlRoYW5rcyBmb3IgdGhlIGRldGFpbGVkIHJldmlldywgTWFyay48bzpwPjwvbzpwPjwv cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+UHJlbGltaW5hcnkgZHJhZnQgMTUgb2YgdGhlIE9BdXRoIEJlYXJl ciBzcGVjaWZpY2F0aW9uIGlzIGF0dGFjaGVkLiZuYnNwOyBJdCByZXNvbHZlcyB0aGUgZm9ybSBl bmNvZGluZyBpc3N1ZXMgcmFpc2VkIGJ5IEp1bGlhbiBSZXNjaGtlIGluIHRoZSBtYW5uZXIgZGlz Y3Vzc2VkIGF0IHRoZSB3b3JraW5nIGdyb3VwIG1lZXRpbmcgaW4gVGFpcGVpLCBpbmNvcnBvcmF0 ZXMgdGhlIGNvbnNlbnN1cyB0ZXh0IG9uIFRMUw0KIHZlcnNpb24gcmVxdWlyZW1lbnRzLCBhbmQg Y29udGFpbnMgc2V2ZXJhbCBpbXByb3ZlbWVudHMgc3VnZ2VzdGVkIGJ5IE1hcmsgTm90dGluZ2hh bSBkdXJpbmcgQVBQUyBhcmVhIHJldmlldy48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ TWFyaywgY29tbWVudHMgb24gYWxsIHlvdXIgcHJvcG9zZWQgY2hhbmdlcyBmb2xsb3cgYmVsb3c6 PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj4q IFNlY3Rpb24gMi4zIFVSSSBRdWVyeSBQYXJhbWV0ZXI8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj48bzpwPiZuYnNwOzwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj5U aGlzIHNlY3Rpb24gZWZmZWN0aXZlbHkgcmVzZXJ2ZXMgYSBVUkkgcXVlcnkgcGFyYW1ldGVyIGZv ciB0aGUgZHJhZnQncyB1c2UuIFRoaXMgc2hvdWxkIG5vdCBiZSBkb25lIGxpZ2h0bHksIHNpbmNl IHRoaXMgd291bGQgYmUgYSBwcmVjZWRlbnQgZm9yIHRoZSBJRVRGIGVuY3JvYWNoaW5nIHVwb24g YSBzZXJ2ZXIncyBVUklzIChkb25lIHByZXZpb3VzbHkgaW4NCiBSRkM1Nzg1LCBidXQgaW4gYSBt dWNoIG1vcmUgbGltaXRlZCBmYXNoaW9uLCBhcyBhIHRhY3RpYyB0byBwcmV2ZW50IGZ1cnRoZXIs IHVuY29udHJvbGxlZCBlbmNyb2FjaG1lbnQpLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPjxvOnA+Jm5ic3A7PC9vOnA+PC9w Pg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPkdpdmVu IHRoYXQgdGhlIGRyYWZ0IGFscmVhZHkgZGlzY291cmFnZXMgdGhlIHVzZSBvZiB0aGlzIG1lY2hh bmlzbSwgSSdkIHJlY29tbWVuZCBkcm9wcGluZyBpdCBhbHRvZ2V0aGVyLiBJZiB0aGUgV29ya2lu ZyBHcm91cCB3aXNoZXMgaXQgdG8gcmVtYWluLCB0aGlzIGlzc3VlcyBzaG91bGQgYmUgdmV0dGVk IGJvdGggdGhyb3VnaCB0aGUgQVBQUyBhcmVhIGFuZA0KIHRoZSBXM0MgbGlhaXNvbi48bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWlu Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJt YXJnaW4tbGVmdDouNWluIj4oVGhlIHNhbWUgY3JpdGljaXNtIGNvdWxkIGJlIGxldmVsZWQgYXQg U2VjdGlvbiAyLjIgRm9ybS1FbmNvZGVkIEJvZHkgUGFyYW1ldGVyLCBidXQgdGhhdCBhdCBsZWFz dCBpc24ndCBzdXJmYWNlZCBpbiBhbiBpZGVudGlmaWVyKTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij5UaGVyZSBhcmUgc29tZSBjb250ZXh0cywgZXNwZWNpYWxseSBsaW1pdGVkIGJyb3dz ZXJzIGFuZC9vciBkZXZlbG9wbWVudCBlbnZpcm9ubWVudHMsIHdoZXJlIHF1ZXJ5IHBhcmFtZXRl cnMgYXJlIHVzYWJsZSBidXQgdGhlIG90aGVyIG1ldGhvZHMgYXJlIG5vdC4mbmJzcDsgVGh1cywg dGhlIHF1ZXJ5IHBhcmFtZXRlciBtZXRob2QgbXVzdCBiZSByZXRhaW5lZC4mbmJzcDsgQWxzbywg SnVzdGluIFJpY2h0ZXLigJlzIGNvbW1lbnRzDQogZGVzY3JpYmluZyB0aGUgdmFsdWUgdG8gaGlt IG9mIHRoZSBxdWVyeSBwYXJhbWV0ZXIgbWV0aG9kIGFyZSBwZXJ0aW5lbnQ6ICZuYnNwO+KAnEEg VVJMIHdpdGggYWxsIHBhcmFtZXRlcnMgaW5jbHVkaW5nIGF1dGhvcml6YXRpb24gaXMgYSBwb3dl cmZ1bCBhcnRpZmFjdCB3aGljaCBjYW4gYmUgcGFzc2VkIGFyb3VuZCBiZXR3ZWVuIHN5c3RlbXMg YXMgYSB1bml04oCdLg0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48 bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkFzIHRvIHVzaW5n IGEgc3RhbmRhcmQgcGFyYW1ldGVyIG5hbWUsIHRoaXMgaXMgZXNzZW50aWFsIGZvciBpbnRlcm9w ZXJhYmlsaXR5LiZuYnNwOyBJdCBpcyBub3Qg4oCccmVzZXJ2ZWTigJ0gaW4gYW55IGNvbnRleHRz IG90aGVyIHRoYW4gd2hlbiB0aGUgQmVhcmVyIHNwZWMgaXMgZW1wbG95ZWQsIHdoaWNoIGlzIGEg dm9sdW50YXJ5IGFjdCBieSBib3RoIHBhcnRpZXMuJm5ic3A7IFRodXMsIHRoaXMgcG9zZXMgbm8g dW5kdWUgYnVyZGVucw0KIG9yIG5hbWVzcGFjZSByZXN0cmljdGlvbnMgb24gaW1wbGVtZW50YXRp b25zIGluIHByYWN0aWNlLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5GaW5hbGx5LCB5 b3XigJlsbCBmaW5kIHRoYXQgT0F1dGggMS4wIFs8YSBocmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5v cmcvaHRtbC9yZmM1ODQ5Ij5SRkMgNTg0OTwvYT5dIHNpbWlsYXJseSBkZWZpbmVkLCBub3Qgb25l LCBidXQgdHdvIHN0YW5kYXJkIHF1ZXJ5IHBhcmFtZXRlciB2YWx1ZXM6Jm5ic3A7IG9hdXRoX3Rv a2VuIGFuZCBvYXV0aF92ZXJpZmllci4mbmJzcDsgQXMgdGhpcyBkaWRu4oCZdCBjYXVzZSBhbnkg cHJvYmxlbXMNCiBpbiBwcmFjdGljZSB0aGVuLCBJ4oCZbSBzdXJlIHRoYXQgZGVmaW5pbmcgYW4g YWNjZXNzX3Rva2VuIHBhcmFtZXRlciB3aXRoaW4gdGhlIEJlYXJlciBzcGVjIGZvciBpbnRlcm9w ZXJhYmlsaXR5IHB1cnBvc2VzIHdvbuKAmXQgY2F1c2UgYSBwcm9ibGVtIGVpdGhlci48bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiogU2VjdGlv biAzIFRoZSBXV1ctQXV0aGVudGljYXRlIFJlc3BvbnNlIEhlYWRlciBGaWVsZDxvOnA+PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdp bi1sZWZ0Oi41aW4iPlRoZSBkcmFmdCByZWZlcmVuY2VzIHRoZSBxdW90ZWQtc3RyaW5nIEFCTkYg ZnJvbSBIVFRQLCBidXQgY2hhbmdlcyBpdHMgcHJvY2Vzc2luZyBpbiBhIGxhdGVyIHBhcmFncmFw aDo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4t bGVmdDouNWluIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi IHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj4mcXVvdDsmcXVvdDsmcXVvdDtJbiBhbGwgdGhlc2Ug Y2FzZXMsIG5vIGNoYXJhY3RlciBxdW90aW5nIHdpbGwgb2NjdXIsIGFzIHNlbmRlcnMgYXJlIHBy b2hpYml0ZWQgZnJvbSB1c2luZyB0aGUgJTVDICgnXCcpIGNoYXJhY3Rlci4mcXVvdDsmcXVvdDsm cXVvdDs8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJn aW4tbGVmdDouNWluIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl eHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj5UaGlzIGlzIGF0IGJlc3Qgc3VycHJpc2luZyAo YXMgbWFueSByZWFkZXJzIHdpbGwgcmVhc29uYWJseSBzdXJtaXNlIHRoYXQgdXNpbmcgdGhlIHF1 b3RlZC1zdHJpbmcgQUJORiBpbXBsaWVzIHRoYXQgdGhlIHNhbWUgY29kZSBjYW4gYmUgdXNlZCku PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxl ZnQ6LjVpbiI+UGxlYXNlIGVpdGhlciB1c2UgcXVvdGVkLXN0cmluZyBhcyBkZWZpbmVkIChpLmUu LCB3aXRoIGVzY2FwaW5nKS48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi PjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VGhpcyBwYXJh bWV0ZXIgZGVmaW5pdGlvbiB3YXMgYSByZXN1bHQgb2Ygc2lnbmlmaWNhbnQgd29ya2luZyBncm91 cCBkaXNjdXNzaW9uIGFuZCByZWZsZWN0cyBhIHNvbGlkIGNvbnNlbnN1cyBwb3NpdGlvbi4mbmJz cDsgVXNpbmcgdGhlIHF1b3RlZCBzdHJpbmcgQk5GIG1ha2VzIGl0IGNsZWFyLCBwZXIgSnVsaWFu IFJlc2Noa2XigJlzIHN1Z2dlc3Rpb25zLCB0aGF0IGdlbmVyaWMgcGFyYW1ldGVyIHBhcnNpbmcg Y29kZQ0KIGNhbiBiZSBzYWZlbHkgdXNlZC4mbmJzcDsgV2hlcmVhcyBwcm9oaWJpdGluZyB0aGUg dXNlIG9mIGJhY2tzbGFzaCBxdW90aW5nIGJ5IHNlbmRlcnMgYWxzbyBtYWtlcyBpdCBjbGVhciB0 aGF0IGN1c3RvbSBpbXBsZW1lbnRhdGlvbnMgY2FuIGRpcmVjdGx5IHV0aWxpemUgdGhlIHBhcmFt ZXRlciB2YWx1ZXMgYXMgdHJhbnNtaXR0ZWQgd2l0aG91dCBwZXJmb3JtaW5nIGFueSBxdW90ZSBw cm9jZXNzaW5nLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4m bmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5JbiBzaG9ydCwgdGhlIHNw ZWMgZG9lc27igJl0IGNoYW5nZSB0aGUgcHJvY2Vzc2luZyBvZiBxdW90ZWQgc3RyaW5ncy4mbmJz cDsgSXQgc2ltcGx5IHJlc3RyaWN0cyB0aGUgc2V0IG9mIGxlZ2FsIGlucHV0IGNoYXJhY3RlcnMg d2l0aGluIHRoZSBxdW90ZWQgc3RyaW5ncy48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIg c3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiogU2VjdGlvbiAxOiBJbnRyb2R1Y3Rpb248bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWlu Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJt YXJnaW4tbGVmdDouNWluIj5UaGUgaW50cm9kdWN0aW9uIGV4cGxhaW5zIG9hdXRoLCBidXQgaXQg ZG9lc24ndCBmdWxseSBleHBsYWluIHRoZSByZWxhdGlvbnNoaXAgb2YgdGhpcyBzcGVjaWZpY2F0 aW9uIHRvIE9BdXRoIDIuMC4gRS5nLiwgY2FuIGl0IGJlIHVzZWQgaW5kZXBlbmRlbnRseSBmcm9t IHRoZSByZXN0IG9mIE9BdXRoPyBMaWtld2lzZSwgdGhlIG92ZXJ2aWV3IChzZWN0aW9uPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVp biI+MS4zKSBzZWVtcyBtb3JlIHNwZWNpZmljIHRvIHRoZSBPQXV0aCBzcGVjaWZpY2F0aW9uIHRo YW4gdGhpcyBkb2N1bWVudC48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi IHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj5BcyBJIHJlYWQgaXQsIHRoaXMgbWVjaGFuaXNtIGNv dWxkIGJlIHVzZWQgZm9yIEFOWSBiZWFyZXIgdG9rZW4sIG5vdCBqdXN0IG9uZSBnZW5lcmF0ZWQg dGhyb3VnaCBPQXV0aCBmbG93cy4NCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu VGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPklmIGl0IGlzIGlu ZGVlZCBtb3JlIGdlbmVyYWwsIEknZCByZWNvbW1lbmQgbWluaW1pc2luZyB0aGUgZGlzY3Vzc2lv biBvZiBPQXV0aCwgcGVyaGFwcyBldmVuIHJlbW92aW5nIGl0IGZyb20gdGhlIGRvY3VtZW50IHRp dGxlLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5QZXIgeW91ciBzdWdnZXN0aW9uLCBJ 4oCZdmUgbWFkZSBpdCBjbGVhciBpbiB0aGUgaW50cm9kdWN0aW9uIHRoYXQgYmVhcmVyIHRva2Vu cyBmcm9tIGFueSBzb3VyY2UgY2FuIGJlIHVzZWQgdG8gYWNjZXNzIGFzc29jaWF0ZWQgcHJvdGVj dGVkIHJlc291cmNlcy4mbmJzcDsgVGhlIG5ldyBsYW5ndWFnZSBpbiB0aGUgaW50cm9kdWN0aW9u IGlzOjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij7igJxUaGlzIHNwZWNpZmljYXRpb24g ZGVmaW5lcyB0aGUgdXNlIG9mIGJlYXJlciB0b2tlbnMgb3ZlciBIVFRQLzEuMSBbSTxzcGFuIHN0 eWxlPSJmb250LWZhbWlseTomcXVvdDtNUyBHb3RoaWMmcXVvdDsiPuKAkTwvc3Bhbj5ELmlldGY8 c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7TVMgR290aGljJnF1b3Q7Ij7igJE8L3NwYW4+ aHR0cGJpczxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtNUyBHb3RoaWMmcXVvdDsiPuKA kTwvc3Bhbj5wMTxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtNUyBHb3RoaWMmcXVvdDsi PuKAkTwvc3Bhbj5tZXNzYWdpbmddDQogdXNpbmcgVExTIFtSRkM1MjQ2XSB0byBhY2Nlc3MgcHJv dGVjdGVkIHJlc291cmNlcy4g4oCmIFdoaWxlIGRlc2lnbmVkIGZvciB1c2Ugd2l0aCBhY2Nlc3Mg dG9rZW5zIHJlc3VsdGluZyBmcm9tIE9BdXRoIDIuMCBBdXRob3JpemF0aW9uIFtJPHNwYW4gc3R5 bGU9ImZvbnQtZmFtaWx5OiZxdW90O01TIEdvdGhpYyZxdW90OyI+4oCRPC9zcGFuPkQuaWV0Zjxz cGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtNUyBHb3RoaWMmcXVvdDsiPuKAkTwvc3Bhbj5v YXV0aDxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtNUyBHb3RoaWMmcXVvdDsiPuKAkTwv c3Bhbj52Ml0NCiBmbG93cyB0byBhY2Nlc3MgT0F1dGggcHJvdGVjdGVkIHJlc291cmNlcywgdGhp cyBzcGVjaWZpY2F0aW9uIGFjdHVhbGx5IGRlZmluZXMgYSBnZW5lcmFsIEhUVFAgYXV0aG9yaXph dGlvbiBtZXRob2QgdGhhdCBjYW4gYmUgdXNlZCB3aXRoIGJlYXJlciB0b2tlbnMgZnJvbSBhbnkg c291cmNlIHRvIGFjY2VzcyBhbnkgcmVzb3VyY2VzIHByb3RlY3RlZCBieSB0aG9zZSBiZWFyZXIg dG9rZW5zLuKAnTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4m bmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxl ZnQ6LjVpbiI+KiBTZWN0aW9uIDMgVGhlIFdXVy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVy IEZpZWxkPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFy Z2luLWxlZnQ6LjVpbiI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+VGhlIGRpZmZlcmVuY2UgYmV0d2VlbiBhIHJl YWxtIGFuZCBhIHNjb3BlIGlzIG5vdCBleHBsYWluZWQuIEFyZSB0aGUgZnVuY3Rpb25hbGx5IGVx dWl2YWxlbnQsIGp1c3QgYSBzaW5nbGUgdmFsdWUgdnMuIGEgbGlzdD8NCjxvOnA+PC9vOnA+PC9w Pg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij5SZWFsbSBpcyBhcyBkZWZpbmVkIGJ5IEhUVFBiaXMuJm5ic3A7IEl0 IHNheXMgdGhhdCDigJxUaGUgcmVhbG0gdmFsdWUgaXMgYSBzdHJpbmcsIGdlbmVyYWxseSBhc3Np Z25lZCBieSB0aGUgb3JpZ2luIHNlcnZlciwgd2hpY2ggY2FuIGhhdmUgYWRkaXRpb25hbCBzZW1h bnRpY3Mgc3BlY2lmaWMgdG8gdGhlIGF1dGhlbnRpY2F0aW9uIHNjaGVtZS7igJ0mbmJzcDsgVGhl IEJlYXJlciBzcGVjaWZpY2F0aW9uIGludGVudGlvbmFsbHkNCiBhZGRzIG5vIGV4dHJhIHNlbWFu dGljcyB0byB0aGUgcmVhbG0gZGVmaW5pdGlvbi4mbmJzcDsgV2hlcmVhcyB0aGUgc2NvcGUgcGFy YW1ldGVyIGlzIGRlZmluZWQgYXMgYW4gb3JkZXItaW5kZXBlbmRlbnQgc3BhY2Utc2VwYXJhdGVk IGxpc3Qgb2Ygc2NvcGUgdmFsdWVzLiZuYnNwOyBUaGUgY29udGV4dHVhbCBtZWFuaW5nIG9mIGJv dGggdGhlIHJlYWxtIGFuZCBzY29wZSBwYXJhbWV0ZXJzIGlzIGRlcGxveW1lbnQtZGVwZW5kZW50 LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+ RG8geW91IHJlYWxseSBpbnRlbmQgdG8gZGlzYWxsb3cgKmFsbCogZXh0ZW5zaW9uIHBhcmFtZXRl cnMgb24gdGhlIGNoYWxsZW5nZT88bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl eHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+WWVzLiZu YnNwOyBUaGVyZSB3YXMgYW4gZXhwbGljaXQgd29ya2luZyBncm91cCBjb25zZW5zdXMgZGVjaXNp b24gdG8gZG8gc28uPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpw PiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4t bGVmdDouNWluIj5BbHNvLCB0aGUgc2NvcGUsIGVycm9yLCBlcnJvcl9kZXNjcmlwdGlvbiBhbmQg ZXJyb3JfdXJpIHBhcmFtZXRlcnMgYWxsIHNwZWNpZnkgb25seSBhIHF1b3RlZC1zdHJpbmcgc2Vy aWFsaXNhdGlvbi4gSFRUUGJpcyBzdHJvbmdseSBzdWdnZXN0cyB0aGF0IG5ldyBzY2hlbWVzIGFs bG93IGJvdGggZm9ybXMsIGJlY2F1c2UgaW1wbGVtZW50YXRpb24gZXhwZXJpZW5jZQ0KIGhhcyBz aG93biB0aGF0IGltcGxlbWVudGF0aW9ucyB3aWxsIGxpa2VseSBzdXBwb3J0IGJvdGgsIG5vIG1h dHRlciBob3cgZGVmaW5lZDsgdGhpcyBpbXByb3ZlcyBpbnRlcm9wZXJhYmlsaXR5IChzZWUgcDcg Mi4zLjEpLg0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZu YnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPk9uY2UgYWdhaW4sIHRoZSBj dXJyZW50IHRleHQgcmVmbGVjdHMgYSBjb25zZW5zdXMgZGVjaXNpb24gb2YgdGhlIHdvcmtpbmcg Z3JvdXAuJm5ic3A7IEl0IHdhcyB2aWV3ZWQgdGhhdCByZXF1aXJpbmcgc3VwcG9ydCBmb3IgbXVs dGlwbGUgd2F5cyBvZiBkb2luZyB0aGUgc2FtZSB0aGluZyB1bm5lY2Vzc2FyaWx5IGNvbXBsaWNh dGVkIGltcGxlbWVudGF0aW9ucyB3aXRob3V0IGFueSBjb21wZW5zYXRpbmcgYmVuZWZpdDsNCiBi ZXR0ZXIgdG8gc3VwcG9ydCBvbmUgc3ludGF4IGZvciBlYWNoIHNlbWFudGljIG9wZXJhdGlvbiBh bmQgcmVxdWlyZSBhbGwgaW1wbGVtZW50YXRpb25zIHRvIHVzZSBpdC48bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPkZpbmFsbHksIHRoZSBlcnJv cl9kZXNjcmlwdGlvbiBwYXJhbWV0ZXIgY2FuIGNhcnJ5IG9ubHkgQVNDSUkgY2hhcmFjdGVycy4g V2hpbGUgSSB1bmRlcnN0YW5kIGEgdHJhZGVvZmYgaGFzIGJlZW4gbWFkZSBoZXJlIChhbmQsIGlu IG15IGp1ZGdlbWVudCwgYW4gYXBwcm9wcmlhdGUgb25lKSwgaXQncyBhcHByb3ByaWF0ZSB0byBo aWdobGlnaHQgdGhpcyBpbiByZXZpZXcuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPk5v dGVkPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWlu Ij4qIEdlbmVyYWw8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxl PSJtYXJnaW4tbGVmdDouNWluIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj5UaGUgZHJhZnQgY3VycmVudGx5IGRv ZXNuJ3QgbWVudGlvbiB3aGV0aGVyIEJlYXJlciBpcyBzdWl0YWJsZSBmb3IgdXNlIGFzIGEgcHJv eHkgYXV0aGVudGljYXRpb24gc2NoZW1lLiBJIHN1c3BlY3QgaXQgKm1heSo7IGl0IHdvdWxkIGJl IHdvcnRoIGRpc2N1c3NpbmcgdGhpcyB3aXRoIHNvbWUgcHJveHkgaW1wbGVtZW50ZXJzIHRvIGdh dWdlIHRoZWlyIGludGVyZXN0DQogKGUuZy4sIFNxdWlkKS4gPG86cD48L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPldobyB3b3VsZCB5b3UgcmVjb21tZW5kIHJldmlldyB0aGUgZHJhZnQgZnJvbSB0 aGlzIHBlcnNwZWN0aXZlPzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5GaW5hbGx5LCBN YXJrLCBJIGFwcGxpZWQgYWxsIHRoZSBlZGl0b3JpYWwgc3VnZ2VzdGlvbnMgeW91IG1hZGUuJm5i c3A7IFRoYW5rcyBmb3IgdGhvc2UuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPk1hcmss IFN0ZXBoZW4sIGFuZCBjaGFpcnMsIHBsZWFzZSBsZXQgbWUga25vdyB3aGV0aGVyIHRvIG5vdyBw b3N0IHRoaXMgZHJhZnQgYXMgYW4gYWN0dWFsIHN1Ym1pc3Npb24uPG86cD48L286cD48L3A+DQo8 cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBUaGFua3MgYWxsLDxvOnA+PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IC0tIE1pa2U8bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+LS0tLS1PcmlnaW5hbCBNZXNzYWdlLS0tLS08YnI+DQpGcm9tOiBvYXV0 aC1ib3VuY2VzQGlldGYub3JnIFttYWlsdG86b2F1dGgtYm91bmNlc0BpZXRmLm9yZ10gT24gQmVo YWxmIE9mIFRzY2hvZmVuaWcsIEhhbm5lcyAoTlNOIC0gRkkvRXNwb28pPGJyPg0KU2VudDogV2Vk bmVzZGF5LCBOb3ZlbWJlciAyMywgMjAxMSAxMTo1MSBQTTxicj4NClRvOiBvYXV0aEBpZXRmLm9y Zzxicj4NClN1YmplY3Q6IFtPQVVUSC1XR10gRlc6IFthcHBzLWRpc2N1c3NdIEFQUFMgQXJlYSBy ZXZpZXcgb2YgZHJhZnQtaWV0Zi1vYXV0aC12Mi1iZWFyZXItMTQ8bzpwPjwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCI+RllJPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48 bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPi0tLS0tT3JpZ2lu YWwgTWVzc2FnZS0tLS0tPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5G cm9tOiA8YSBocmVmPSJtYWlsdG86YXBwcy1kaXNjdXNzLWJvdW5jZXNAaWV0Zi5vcmciPjxzcGFu IHN0eWxlPSJjb2xvcjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5hcHBzLWRpc2N1 c3MtYm91bmNlc0BpZXRmLm9yZzwvc3Bhbj48L2E+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij48YSBocmVmPSJtYWlsdG86W21haWx0bzphcHBzLWRpc2N1c3MtYm91bmNl c0BpZXRmLm9yZ10iPjxzcGFuIHN0eWxlPSJjb2xvcjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlv bjpub25lIj5bbWFpbHRvOmFwcHMtZGlzY3Vzcy1ib3VuY2VzQGlldGYub3JnXTwvc3Bhbj48L2E+ IE9uIEJlaGFsZiBPZiBleHQgTWFyayBOb3R0aW5naGFtPG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij5TZW50OiBUaHVyc2RheSwgTm92ZW1iZXIgMjQsIDIwMTEgODoyMiBB TTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VG86IElFVEYgQXBwcyBE aXNjdXNzOyA8YSBocmVmPSJtYWlsdG86ZHJhZnQtaWV0Zi1vYXV0aC12Mi1iZWFyZXIuYWxsQGll dGYub3JnIj4NCjxzcGFuIHN0eWxlPSJjb2xvcjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpu b25lIj5kcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci5hbGxAaWV0Zi5vcmc8L3NwYW4+PC9hPjxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Q2M6IFRoZSBJRVNHPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5TdWJqZWN0OiBbYXBwcy1kaXNjdXNz XSBBUFBTIEFyZWEgcmV2aWV3IG9mPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij5kcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci0xNDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij5JIGhhdmUgYmVlbiBzZWxlY3RlZCBhcyB0aGUgQXBwbGljYXRpb25zIEFyZWEgUmV2 aWV3IFRlYW0gcmV2aWV3ZXIgZm9yIHRoaXMgZHJhZnQgKGZvciBiYWNrZ3JvdW5kIG9uIGFwcHMt cmV2aWV3LCBwbGVhc2Ugc2VlICZsdDs8YSBocmVmPSJodHRwOi8vd3d3LmFwcHMuaWV0Zi5vcmcv Y29udGVudC9hcHBsaWNhdGlvbnMtYXJlYS1yZXZpZXctdGVhbSI+PHNwYW4gc3R5bGU9ImNvbG9y OndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPmh0dHA6Ly93d3cuYXBwcy5pZXRmLm9y Zy9jb250ZW50L2FwcGxpY2F0aW9ucy1hcmVhLXJldmlldy10ZWFtPC9zcGFuPjwvYT4mZ3Q7KS48 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+UGxlYXNlIHJlc29sdmUgdGhlc2UgY29tbWVu dHMgYWxvbmcgd2l0aCBhbnkgb3RoZXIgTGFzdCBDYWxsIGNvbW1lbnRzIHlvdSBtYXkgcmVjZWl2 ZS4gUGxlYXNlIHdhaXQgZm9yIGRpcmVjdGlvbiBmcm9tIHlvdXIgZG9jdW1lbnQgc2hlcGhlcmQg b3IgQUQgYmVmb3JlIHBvc3RpbmcgYSBuZXcgdmVyc2lvbiBvZiB0aGUgZHJhZnQuPG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29QbGFpblRleHQiPkRvY3VtZW50OiBkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJl ci0xNDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VGl0bGU6IE9BdXRo IDIuMCBCZWFyZXIgVG9rZW5zPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0 Ij5SZXZpZXdlcjogTWFyayBOb3R0aW5naGFtPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv UGxhaW5UZXh0Ij5SZXZpZXcgRGF0ZTogMjQvMTEvMjAxMTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij5TdW1tYXJ5OiBUaGlzIGRyYWZ0IGlzIGFsbW9zdCByZWFkeSBmb3IgcHVibGljYXRp b24gYXMgYSBQcm9wb3NlZCBTdGFuZGFyZCwgYnV0IGhhcyBhIGZldyBpc3N1ZXMgdGhhdCBzaG91 bGQgYmUgZml4ZWQuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpw PiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPk1ham9yIElzc3Vlczxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+LS0tLS0tLS0tLS0tPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiogU2VjdGlvbiAyLjMgVVJJIFF1ZXJ5IFBhcmFtZXRl cjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5UaGlzIHNlY3Rpb24gZWZmZWN0aXZlbHkg cmVzZXJ2ZXMgYSBVUkkgcXVlcnkgcGFyYW1ldGVyIGZvciB0aGUgZHJhZnQncyB1c2UuIFRoaXMg c2hvdWxkIG5vdCBiZSBkb25lIGxpZ2h0bHksIHNpbmNlIHRoaXMgd291bGQgYmUgYSBwcmVjZWRl bnQgZm9yIHRoZSBJRVRGIGVuY3JvYWNoaW5nIHVwb24gYSBzZXJ2ZXIncyBVUklzIChkb25lIHBy ZXZpb3VzbHkgaW4gUkZDNTc4NSwgYnV0IGluIGEgbXVjaCBtb3JlDQogbGltaXRlZCBmYXNoaW9u LCBhcyBhIHRhY3RpYyB0byBwcmV2ZW50IGZ1cnRoZXIsIHVuY29udHJvbGxlZCBlbmNyb2FjaG1l bnQpLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5HaXZlbiB0aGF0IHRoZSBkcmFmdCBh bHJlYWR5IGRpc2NvdXJhZ2VzIHRoZSB1c2Ugb2YgdGhpcyBtZWNoYW5pc20sIEknZCByZWNvbW1l bmQgZHJvcHBpbmcgaXQgYWx0b2dldGhlci4gSWYgdGhlIFdvcmtpbmcgR3JvdXAgd2lzaGVzIGl0 IHRvIHJlbWFpbiwgdGhpcyBpc3N1ZXMgc2hvdWxkIGJlIHZldHRlZCBib3RoIHRocm91Z2ggdGhl IEFQUFMgYXJlYSBhbmQgdGhlIFczQyBsaWFpc29uLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij4oVGhlIHNhbWUgY3JpdGljaXNtIGNvdWxkIGJlIGxldmVsZWQgYXQgU2VjdGlvbiAyLjIg Rm9ybS1FbmNvZGVkIEJvZHkgUGFyYW1ldGVyLCBidXQgdGhhdCBhdCBsZWFzdCBpc24ndCBzdXJm YWNlZCBpbiBhbiBpZGVudGlmaWVyKTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu VGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4qIFNl Y3Rpb24gMyBUaGUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBIZWFkZXIgRmllbGQ8bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VGhlIGRyYWZ0IHJlZmVyZW5jZXMgdGhlIHF1b3RlZC1z dHJpbmcgQUJORiBmcm9tIEhUVFAsIGJ1dCBjaGFuZ2VzIGl0cyBwcm9jZXNzaW5nIGluIGEgbGF0 ZXIgcGFyYWdyYXBoOjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86 cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mcXVvdDsmcXVvdDsm cXVvdDtJbiBhbGwgdGhlc2UgY2FzZXMsIG5vIGNoYXJhY3RlciBxdW90aW5nIHdpbGwgb2NjdXIs IGFzIHNlbmRlcnMgYXJlIHByb2hpYml0ZWQgZnJvbSB1c2luZyB0aGUgJTVDICgnXCcpIGNoYXJh Y3Rlci4mcXVvdDsmcXVvdDsmcXVvdDs8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VGhp cyBpcyBhdCBiZXN0IHN1cnByaXNpbmcgKGFzIG1hbnkgcmVhZGVycyB3aWxsIHJlYXNvbmFibHkg c3VybWlzZSB0aGF0IHVzaW5nIHRoZSBxdW90ZWQtc3RyaW5nIEFCTkYgaW1wbGllcyB0aGF0IHRo ZSBzYW1lIGNvZGUgY2FuIGJlIHVzZWQpLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+UGxlYXNlIGVpdGhlciB1c2UgcXVvdGVkLXN0cmluZyBhcyBkZWZpbmVkIChpLmUu LCB3aXRoIGVzY2FwaW5nKS48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi PjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJz cDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5NaW5vciBJc3N1ZXM8bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPi0tLS0tLS0tLS0tLTxvOnA+PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0Ij4qIFNlY3Rpb24gMTogSW50cm9kdWN0aW9uPG86cD48L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPlRoZSBpbnRyb2R1Y3Rpb24gZXhwbGFpbnMgb2F1dGgsIGJ1dCBp dCBkb2Vzbid0IGZ1bGx5IGV4cGxhaW4gdGhlIHJlbGF0aW9uc2hpcCBvZiB0aGlzIHNwZWNpZmlj YXRpb24gdG8gT0F1dGggMi4wLiBFLmcuLCBjYW4gaXQgYmUgdXNlZCBpbmRlcGVuZGVudGx5IGZy b20gdGhlIHJlc3Qgb2YgT0F1dGg/IExpa2V3aXNlLCB0aGUgb3ZlcnZpZXcgKHNlY3Rpb248bzpw PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjEuMykgc2VlbXMgbW9yZSBzcGVj aWZpYyB0byB0aGUgT0F1dGggc3BlY2lmaWNhdGlvbiB0aGFuIHRoaXMgZG9jdW1lbnQuPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5BcyBJIHJlYWQgaXQsIHRoaXMgbWVj aGFuaXNtIGNvdWxkIGJlIHVzZWQgZm9yIEFOWSBiZWFyZXIgdG9rZW4sIG5vdCBqdXN0IG9uZSBn ZW5lcmF0ZWQgdGhyb3VnaCBPQXV0aCBmbG93cy4NCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij5JZiBpdCBpcyBpbmRlZWQgbW9yZSBnZW5lcmFsLCBJJ2QgcmVjb21tZW5kIG1pbmltaXNp bmcgdGhlIGRpc2N1c3Npb24gb2YgT0F1dGgsIHBlcmhhcHMgZXZlbiByZW1vdmluZyBpdCBmcm9t IHRoZSBkb2N1bWVudCB0aXRsZS48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl eHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+KiBTZWN0 aW9uIDMgVGhlIFdXVy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVyIEZpZWxkPG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29QbGFpblRleHQiPlRoZSBkaWZmZXJlbmNlIGJldHdlZW4gYSByZWFsbSBhbmQg YSBzY29wZSBpcyBub3QgZXhwbGFpbmVkLiBBcmUgdGhlIGZ1bmN0aW9uYWxseSBlcXVpdmFsZW50 LCBqdXN0IGEgc2luZ2xlIHZhbHVlIHZzLiBhIGxpc3Q/DQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+RG8geW91IHJlYWxseSBpbnRlbmQgdG8gZGlzYWxsb3cgKmFsbCogZXh0ZW5zaW9u IHBhcmFtZXRlcnMgb24gdGhlIGNoYWxsZW5nZT88bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+QWxzbywgdGhlIHNjb3BlLCBlcnJvciwgZXJyb3JfZGVzY3JpcHRpb24gYW5kIGVycm9yX3Vy aSBwYXJhbWV0ZXJzIGFsbCBzcGVjaWZ5IG9ubHkgYSBxdW90ZWQtc3RyaW5nIHNlcmlhbGlzYXRp b24uIEhUVFBiaXMgc3Ryb25nbHkgc3VnZ2VzdHMgdGhhdCBuZXcgc2NoZW1lcyBhbGxvdyBib3Ro IGZvcm1zLCBiZWNhdXNlIGltcGxlbWVudGF0aW9uIGV4cGVyaWVuY2UgaGFzIHNob3duIHRoYXQg aW1wbGVtZW50YXRpb25zDQogd2lsbCBsaWtlbHkgc3VwcG9ydCBib3RoLCBubyBtYXR0ZXIgaG93 IGRlZmluZWQ7IHRoaXMgaW1wcm92ZXMgaW50ZXJvcGVyYWJpbGl0eSAoc2VlIHA3IDIuMy4xKS4N CjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5GaW5hbGx5LCB0aGUgZXJyb3JfZGVzY3Jp cHRpb24gcGFyYW1ldGVyIGNhbiBjYXJyeSBvbmx5IEFTQ0lJIGNoYXJhY3RlcnMuIFdoaWxlIEkg dW5kZXJzdGFuZCBhIHRyYWRlb2ZmIGhhcyBiZWVuIG1hZGUgaGVyZSAoYW5kLCBpbiBteSBqdWRn ZW1lbnQsIGFuIGFwcHJvcHJpYXRlIG9uZSksIGl0J3MgYXBwcm9wcmlhdGUgdG8gaGlnaGxpZ2h0 IHRoaXMgaW4gcmV2aWV3LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4qIEdlbmVyYWw8 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VGhlIGRyYWZ0IGN1cnJlbnRseSBkb2Vzbid0 IG1lbnRpb24gd2hldGhlciBCZWFyZXIgaXMgc3VpdGFibGUgZm9yIHVzZSBhcyBhIHByb3h5IGF1 dGhlbnRpY2F0aW9uIHNjaGVtZS4gSSBzdXNwZWN0IGl0ICptYXkqOyBpdCB3b3VsZCBiZSB3b3J0 aCBkaXNjdXNzaW5nIHRoaXMgd2l0aCBzb21lIHByb3h5IGltcGxlbWVudGVycyB0byBnYXVnZSB0 aGVpciBpbnRlcmVzdCAoZS5nLiwgU3F1aWQpLg0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl eHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Tml0czxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+LS0tLTxvOnA+PC9vOnA+PC9w Pg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij4qIFNlY3Rpb24gMi4xIEF1dGhvcml6YXRpb24gUmVxdWVzdCBIZWFk ZXIgRmllbGQ8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5i c3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+JnF1b3Q7c2ltcGxpY2l0eSBy ZWFzb25zJnF1b3Q7IC0tJmd0OyAmcXVvdDtzaW1wbGljaXR5JnF1b3Q7PG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPiZxdW90O0lmIGFkZGl0aW9uYWwgcGFyYW1ldGVycyBhcmUgZGVzaXJl ZCBpbiB0aGUgZnV0dXJlLCBhIGRpZmZlcmVudCBzY2hlbWUgY291bGQgYmUgZGVmaW5lZC4mcXVv dDsgLS0mZ3Q7ICZxdW90O0lmIGFkZGl0aW9uYWwgcGFyYW1ldGVycyBhcmUgbmVlZGVkIGluIHRo ZSBmdXR1cmUsIGEgZGlmZmVyZW50IHNjaGVtZSB3b3VsZCBuZWVkIHRvIGJlIGRlZmluZWQuJnF1 b3Q7PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiogU2VjdGlvbiAzIFRoZSBXV1ctQXV0 aGVudGljYXRlIFJlc3BvbnNlIEhlYWRlciBGaWVsZDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij5UaGUgcmVxdWlyZW1lbnQgdGhhdCBhIHJlc291cmNlIHNlcnZlciBNVVNUIGluY2x1ZGUg dGhlIEhUVFAgV1dXLUF1dGhlbnRpY2F0ZSByZXNwb25zZSBoZWFkZXIgZmllbGQgaXMgb2RkOyBy ZWFsbHkgdGhpcyBpcyBhdCB0aGUgZGlzY3JldGlvbiBvZiB0aGUgc2VydmVyLiBJcyBpdCByZWFs bHkgbmVjZXNzYXJ5IHRvIHVzZSBhIGNvbmZvcm1hbmNlIHJlcXVpcmVtZW50IGhlcmU/PG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPlVSSS1yZWZlcmVuY2UgLS0mZ3Q7IFVSSS1SZWZlcmVu Y2U8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+KiBTZWN0aW9uIDMuMSBFcnJvciBDb2Rl czxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij40MDUgYmVsb25ncyBpbiB0aGUgbGlzdCBv ZiB0eXBpY2FsbHkgYXBwcm9wcmlhdGUgc3RhdHVzIGNvZGVzIGFzIHdlbGwuPG86cD48L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+S2luZCByZWdhcmRzLDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu VGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4tLTxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+TWFyayBOb3R0aW5naGFtJm5i c3A7Jm5ic3A7IDxhIGhyZWY9Imh0dHA6Ly93d3cubW5vdC5uZXQvIj48c3BhbiBzdHlsZT0iY29s b3I6d2luZG93dGV4dDt0ZXh0LWRlY29yYXRpb246bm9uZSI+aHR0cDovL3d3dy5tbm90Lm5ldC88 L3NwYW4+PC9hPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4m bmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCI+X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX188bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPmFwcHMt ZGlzY3VzcyBtYWlsaW5nIGxpc3Q8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl eHQiPjxhIGhyZWY9Im1haWx0bzphcHBzLWRpc2N1c3NAaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJj b2xvcjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5hcHBzLWRpc2N1c3NAaWV0Zi5v cmc8L3NwYW4+PC9hPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PGEg aHJlZj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9hcHBzLWRpc2N1c3Mi PjxzcGFuIHN0eWxlPSJjb2xvcjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5odHRw czovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2FwcHMtZGlzY3Vzczwvc3Bhbj48L2E+ PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+T0F1dGggbWFpbGluZyBsaXN0PG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij48YSBocmVmPSJtYWlsdG86T0F1dGhAaWV0Zi5vcmciPjxzcGFuIHN0 eWxlPSJjb2xvcjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5PQXV0aEBpZXRmLm9y Zzwvc3Bhbj48L2E+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48YSBo cmVmPSJodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoIj48c3BhbiBz dHlsZT0iY29sb3I6d2luZG93dGV4dDt0ZXh0LWRlY29yYXRpb246bm9uZSI+aHR0cHM6Ly93d3cu aWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aDwvc3Bhbj48L2E+PG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0K PC9ib2R5Pg0KPC9odG1sPg0K --_000_4E1F6AAD24975D4BA5B16804296739435F75F103TK5EX14MBXC283r_-- --_007_4E1F6AAD24975D4BA5B16804296739435F75F103TK5EX14MBXC283r_ Content-Type: text/html; name="draft-ietf-oauth-v2-bearer-15 preliminary.html" Content-Description: draft-ietf-oauth-v2-bearer-15 preliminary.html Content-Disposition: attachment; filename="draft-ietf-oauth-v2-bearer-15 preliminary.html"; size=76941; creation-date="Mon, 12 Dec 2011 16:33:14 GMT"; modification-date="Mon, 12 Dec 2011 16:06:10 GMT" Content-Transfer-Encoding: base64 PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEgVHJhbnNpdGlvbmFs Ly9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL2h0bWw0L2xvb3NlLmR0ZCI+CjxodG1sIGxhbmc9 ImVuIj48aGVhZD48dGl0bGU+VGhlIE9BdXRoIDIuMCBBdXRob3JpemF0aW9uIFByb3RvY29sOiBC ZWFyZXIgVG9rZW5zPC90aXRsZT4KPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250 ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiPgo8bWV0YSBuYW1lPSJkZXNjcmlwdGlvbiIg Y29udGVudD0iVGhlIE9BdXRoIDIuMCBBdXRob3JpemF0aW9uIFByb3RvY29sOiBCZWFyZXIgVG9r ZW5zIj4KPG1ldGEgbmFtZT0iZ2VuZXJhdG9yIiBjb250ZW50PSJ4bWwycmZjIHYxLjM2IChodHRw Oi8veG1sLnJlc291cmNlLm9yZy8pIj4KPHN0eWxlIHR5cGU9J3RleHQvY3NzJz48IS0tCiAgICAg ICAgYm9keSB7CiAgICAgICAgICAgICAgICBmb250LWZhbWlseTogdmVyZGFuYSwgY2hhcmNvYWws IGhlbHZldGljYSwgYXJpYWwsIHNhbnMtc2VyaWY7CiAgICAgICAgICAgICAgICBmb250LXNpemU6 IHNtYWxsOyBjb2xvcjogIzAwMDsgYmFja2dyb3VuZC1jb2xvcjogI0ZGRjsKICAgICAgICAgICAg ICAgIG1hcmdpbjogMmVtOwogICAgICAgIH0KICAgICAgICBoMSwgaDIsIGgzLCBoNCwgaDUsIGg2 IHsKICAgICAgICAgICAgICAgIGZvbnQtZmFtaWx5OiBoZWx2ZXRpY2EsIG1vbmFjbywgIk1TIFNh bnMgU2VyaWYiLCBhcmlhbCwgc2Fucy1zZXJpZjsKICAgICAgICAgICAgICAgIGZvbnQtd2VpZ2h0 OiBib2xkOyBmb250LXN0eWxlOiBub3JtYWw7CiAgICAgICAgfQogICAgICAgIGgxIHsgY29sb3I6 ICM5MDA7IGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFyZW50OyB0ZXh0LWFsaWduOiByaWdodDsg fQogICAgICAgIGgzIHsgY29sb3I6ICMzMzM7IGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFyZW50 OyB9CgogICAgICAgIHRkLlJGQ2J1ZyB7CiAgICAgICAgICAgICAgICBmb250LXNpemU6IHgtc21h bGw7IHRleHQtZGVjb3JhdGlvbjogbm9uZTsKICAgICAgICAgICAgICAgIHdpZHRoOiAzMHB4OyBo ZWlnaHQ6IDMwcHg7IHBhZGRpbmctdG9wOiAycHg7CiAgICAgICAgICAgICAgICB0ZXh0LWFsaWdu OiBqdXN0aWZ5OyB2ZXJ0aWNhbC1hbGlnbjogbWlkZGxlOwogICAgICAgICAgICAgICAgYmFja2dy b3VuZC1jb2xvcjogIzAwMDsKICAgICAgICB9CiAgICAgICAgdGQuUkZDYnVnIHNwYW4uUkZDIHsK ICAgICAgICAgICAgICAgIGZvbnQtZmFtaWx5OiBtb25hY28sIGNoYXJjb2FsLCBnZW5ldmEsICJN UyBTYW5zIFNlcmlmIiwgaGVsdmV0aWNhLCB2ZXJkYW5hLCBzYW5zLXNlcmlmOwogICAgICAgICAg ICAgICAgZm9udC13ZWlnaHQ6IGJvbGQ7IGNvbG9yOiAjNjY2OwogICAgICAgIH0KICAgICAgICB0 ZC5SRkNidWcgc3Bhbi5ob3RUZXh0IHsKICAgICAgICAgICAgICAgIGZvbnQtZmFtaWx5OiBjaGFy Y29hbCwgbW9uYWNvLCBnZW5ldmEsICJNUyBTYW5zIFNlcmlmIiwgaGVsdmV0aWNhLCB2ZXJkYW5h LCBzYW5zLXNlcmlmOwogICAgICAgICAgICAgICAgZm9udC13ZWlnaHQ6IG5vcm1hbDsgdGV4dC1h bGlnbjogY2VudGVyOyBjb2xvcjogI0ZGRjsKICAgICAgICB9CgogICAgICAgIHRhYmxlLlRPQ2J1 ZyB7IHdpZHRoOiAzMHB4OyBoZWlnaHQ6IDE1cHg7IH0KICAgICAgICB0ZC5UT0NidWcgewogICAg ICAgICAgICAgICAgdGV4dC1hbGlnbjogY2VudGVyOyB3aWR0aDogMzBweDsgaGVpZ2h0OiAxNXB4 OwogICAgICAgICAgICAgICAgY29sb3I6ICNGRkY7IGJhY2tncm91bmQtY29sb3I6ICM5MDA7CiAg ICAgICAgfQogICAgICAgIHRkLlRPQ2J1ZyBhIHsKICAgICAgICAgICAgICAgIGZvbnQtZmFtaWx5 OiBtb25hY28sIGNoYXJjb2FsLCBnZW5ldmEsICJNUyBTYW5zIFNlcmlmIiwgaGVsdmV0aWNhLCBz YW5zLXNlcmlmOwogICAgICAgICAgICAgICAgZm9udC13ZWlnaHQ6IGJvbGQ7IGZvbnQtc2l6ZTog eC1zbWFsbDsgdGV4dC1kZWNvcmF0aW9uOiBub25lOwogICAgICAgICAgICAgICAgY29sb3I6ICNG RkY7IGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFyZW50OwogICAgICAgIH0KCiAgICAgICAgdGQu aGVhZGVyIHsKICAgICAgICAgICAgICAgIGZvbnQtZmFtaWx5OiBhcmlhbCwgaGVsdmV0aWNhLCBz YW5zLXNlcmlmOyBmb250LXNpemU6IHgtc21hbGw7CiAgICAgICAgICAgICAgICB2ZXJ0aWNhbC1h bGlnbjogdG9wOyB3aWR0aDogMzMlOwogICAgICAgICAgICAgICAgY29sb3I6ICNGRkY7IGJhY2tn cm91bmQtY29sb3I6ICM2NjY7CiAgICAgICAgfQogICAgICAgIHRkLmF1dGhvciB7IGZvbnQtd2Vp Z2h0OiBib2xkOyBmb250LXNpemU6IHgtc21hbGw7IG1hcmdpbi1sZWZ0OiA0ZW07IH0KICAgICAg ICB0ZC5hdXRob3ItdGV4dCB7IGZvbnQtc2l6ZTogeC1zbWFsbDsgfQoKICAgICAgICAvKiBpbmZv IGNvZGUgZnJvbSBTYW50YUtsYXVzcyBhdCBodHRwOi8vd3d3Lm1hZGFib3V0c3R5bGUuY29tL3Rv b2x0aXAyLmh0bWwgKi8KICAgICAgICBhLmluZm8gewogICAgICAgICAgICAgICAgLyogVGhpcyBp cyB0aGUga2V5LiAqLwogICAgICAgICAgICAgICAgcG9zaXRpb246IHJlbGF0aXZlOwogICAgICAg ICAgICAgICAgei1pbmRleDogMjQ7CiAgICAgICAgICAgICAgICB0ZXh0LWRlY29yYXRpb246IG5v bmU7CiAgICAgICAgfQogICAgICAgIGEuaW5mbzpob3ZlciB7CiAgICAgICAgICAgICAgICB6LWlu ZGV4OiAyNTsKICAgICAgICAgICAgICAgIGNvbG9yOiAjRkZGOyBiYWNrZ3JvdW5kLWNvbG9yOiAj OTAwOwogICAgICAgIH0KICAgICAgICBhLmluZm8gc3BhbiB7IGRpc3BsYXk6IG5vbmU7IH0KICAg ICAgICBhLmluZm86aG92ZXIgc3Bhbi5pbmZvIHsKICAgICAgICAgICAgICAgIC8qIFRoZSBzcGFu IHdpbGwgZGlzcGxheSBqdXN0IG9uIDpob3ZlciBzdGF0ZS4gKi8KICAgICAgICAgICAgICAgIGRp c3BsYXk6IGJsb2NrOwogICAgICAgICAgICAgICAgcG9zaXRpb246IGFic29sdXRlOwogICAgICAg ICAgICAgICAgZm9udC1zaXplOiBzbWFsbGVyOwogICAgICAgICAgICAgICAgdG9wOiAyZW07IGxl ZnQ6IC01ZW07IHdpZHRoOiAxNWVtOwogICAgICAgICAgICAgICAgcGFkZGluZzogMnB4OyBib3Jk ZXI6IDFweCBzb2xpZCAjMzMzOwogICAgICAgICAgICAgICAgY29sb3I6ICM5MDA7IGJhY2tncm91 bmQtY29sb3I6ICNFRUU7CiAgICAgICAgICAgICAgICB0ZXh0LWFsaWduOiBsZWZ0OwogICAgICAg IH0KCiAgICAgICAgYSB7IGZvbnQtd2VpZ2h0OiBib2xkOyB9CiAgICAgICAgYTpsaW5rICAgIHsg Y29sb3I6ICM5MDA7IGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFyZW50OyB9CiAgICAgICAgYTp2 aXNpdGVkIHsgY29sb3I6ICM2MzM7IGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFyZW50OyB9CiAg ICAgICAgYTphY3RpdmUgIHsgY29sb3I6ICM2MzM7IGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFy ZW50OyB9CgogICAgICAgIHAgeyBtYXJnaW4tbGVmdDogMmVtOyBtYXJnaW4tcmlnaHQ6IDJlbTsg fQogICAgICAgIHAuY29weXJpZ2h0IHsgZm9udC1zaXplOiB4LXNtYWxsOyB9CiAgICAgICAgcC50 b2MgeyBmb250LXNpemU6IHNtYWxsOyBmb250LXdlaWdodDogYm9sZDsgbWFyZ2luLWxlZnQ6IDNl bTsgfQogICAgICAgIHRhYmxlLnRvYyB7IG1hcmdpbjogMCAwIDAgM2VtOyBwYWRkaW5nOiAwOyBi b3JkZXI6IDA7IHZlcnRpY2FsLWFsaWduOiB0ZXh0LXRvcDsgfQogICAgICAgIHRkLnRvYyB7IGZv bnQtc2l6ZTogc21hbGw7IGZvbnQtd2VpZ2h0OiBib2xkOyB2ZXJ0aWNhbC1hbGlnbjogdGV4dC10 b3A7IH0KCiAgICAgICAgb2wudGV4dCB7IG1hcmdpbi1sZWZ0OiAyZW07IG1hcmdpbi1yaWdodDog MmVtOyB9CiAgICAgICAgdWwudGV4dCB7IG1hcmdpbi1sZWZ0OiAyZW07IG1hcmdpbi1yaWdodDog MmVtOyB9CiAgICAgICAgbGkgICAgICB7IG1hcmdpbi1sZWZ0OiAzZW07IH0KCiAgICAgICAgLyog UkZDLTI2MjkgPHNwYW54PnMgYW5kIDxhcnR3b3JrPnMuICovCiAgICAgICAgZW0gICAgIHsgZm9u dC1zdHlsZTogaXRhbGljOyB9CiAgICAgICAgc3Ryb25nIHsgZm9udC13ZWlnaHQ6IGJvbGQ7IH0K ICAgICAgICBkZm4gICAgeyBmb250LXdlaWdodDogYm9sZDsgZm9udC1zdHlsZTogbm9ybWFsOyB9 CiAgICAgICAgY2l0ZSAgIHsgZm9udC13ZWlnaHQ6IG5vcm1hbDsgZm9udC1zdHlsZTogbm9ybWFs OyB9CiAgICAgICAgdHQgICAgIHsgY29sb3I6ICMwMzY7IH0KICAgICAgICB0dCwgcHJlLCBwcmUg ZGZuLCBwcmUgZW0sIHByZSBjaXRlLCBwcmUgc3BhbiB7CiAgICAgICAgICAgICAgICBmb250LWZh bWlseTogIkNvdXJpZXIgTmV3IiwgQ291cmllciwgbW9ub3NwYWNlOyBmb250LXNpemU6IHNtYWxs OwogICAgICAgIH0KICAgICAgICBwcmUgewogICAgICAgICAgICAgICAgdGV4dC1hbGlnbjogbGVm dDsgcGFkZGluZzogNHB4OwogICAgICAgICAgICAgICAgY29sb3I6ICMwMDA7IGJhY2tncm91bmQt Y29sb3I6ICNDQ0M7CiAgICAgICAgfQogICAgICAgIHByZSBkZm4gIHsgY29sb3I6ICM5MDA7IH0K ICAgICAgICBwcmUgZW0gICB7IGNvbG9yOiAjNjZGOyBiYWNrZ3JvdW5kLWNvbG9yOiAjRkZDOyBm b250LXdlaWdodDogbm9ybWFsOyB9CiAgICAgICAgcHJlIC5rZXkgeyBjb2xvcjogIzMzQzsgZm9u dC13ZWlnaHQ6IGJvbGQ7IH0KICAgICAgICBwcmUgLmlkICB7IGNvbG9yOiAjOTAwOyB9CiAgICAg ICAgcHJlIC5zdHIgeyBjb2xvcjogIzAwMDsgYmFja2dyb3VuZC1jb2xvcjogI0NGRjsgfQogICAg ICAgIHByZSAudmFsIHsgY29sb3I6ICMwNjY7IH0KICAgICAgICBwcmUgLnJlcCB7IGNvbG9yOiAj OTA5OyB9CiAgICAgICAgcHJlIC5vdGggeyBjb2xvcjogIzAwMDsgYmFja2dyb3VuZC1jb2xvcjog I0ZDRjsgfQogICAgICAgIHByZSAuZXJyIHsgYmFja2dyb3VuZC1jb2xvcjogI0ZDQzsgfQoKICAg ICAgICAvKiBSRkMtMjYyOSA8dGV4dHRhYmxlPnMuICovCiAgICAgICAgdGFibGUuYWxsLCB0YWJs ZS5mdWxsLCB0YWJsZS5oZWFkZXJzLCB0YWJsZS5ub25lIHsKICAgICAgICAgICAgICAgIGZvbnQt c2l6ZTogc21hbGw7IHRleHQtYWxpZ246IGNlbnRlcjsgYm9yZGVyLXdpZHRoOiAycHg7CiAgICAg ICAgICAgICAgICB2ZXJ0aWNhbC1hbGlnbjogdG9wOyBib3JkZXItY29sbGFwc2U6IGNvbGxhcHNl OwogICAgICAgIH0KICAgICAgICB0YWJsZS5hbGwsIHRhYmxlLmZ1bGwgeyBib3JkZXItc3R5bGU6 IHNvbGlkOyBib3JkZXItY29sb3I6IGJsYWNrOyB9CiAgICAgICAgdGFibGUuaGVhZGVycywgdGFi bGUubm9uZSB7IGJvcmRlci1zdHlsZTogbm9uZTsgfQogICAgICAgIHRoIHsKICAgICAgICAgICAg ICAgIGZvbnQtd2VpZ2h0OiBib2xkOyBib3JkZXItY29sb3I6IGJsYWNrOwogICAgICAgICAgICAg ICAgYm9yZGVyLXdpZHRoOiAycHggMnB4IDNweCAycHg7CiAgICAgICAgfQogICAgICAgIHRhYmxl LmFsbCB0aCwgdGFibGUuZnVsbCB0aCB7IGJvcmRlci1zdHlsZTogc29saWQ7IH0KICAgICAgICB0 YWJsZS5oZWFkZXJzIHRoIHsgYm9yZGVyLXN0eWxlOiBub25lIG5vbmUgc29saWQgbm9uZTsgfQog ICAgICAgIHRhYmxlLm5vbmUgdGggeyBib3JkZXItc3R5bGU6IG5vbmU7IH0KICAgICAgICB0YWJs ZS5hbGwgdGQgewogICAgICAgICAgICAgICAgYm9yZGVyLXN0eWxlOiBzb2xpZDsgYm9yZGVyLWNv bG9yOiAjMzMzOwogICAgICAgICAgICAgICAgYm9yZGVyLXdpZHRoOiAxcHggMnB4OwogICAgICAg IH0KICAgICAgICB0YWJsZS5mdWxsIHRkLCB0YWJsZS5oZWFkZXJzIHRkLCB0YWJsZS5ub25lIHRk IHsgYm9yZGVyLXN0eWxlOiBub25lOyB9CgogICAgICAgIGhyIHsgaGVpZ2h0OiAxcHg7IH0KICAg ICAgICBoci5pbnNlcnQgewogICAgICAgICAgICAgICAgd2lkdGg6IDgwJTsgYm9yZGVyLXN0eWxl OiBub25lOyBib3JkZXItd2lkdGg6IDA7CiAgICAgICAgICAgICAgICBjb2xvcjogI0NDQzsgYmFj a2dyb3VuZC1jb2xvcjogI0NDQzsKICAgICAgICB9Ci0tPjwvc3R5bGU+CjwvaGVhZD4KPGJvZHk+ Cjx0YWJsZSBzdW1tYXJ5PSJsYXlvdXQiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMiIg Y2xhc3M9IlRPQ2J1ZyIgYWxpZ249InJpZ2h0Ij48dHI+PHRkIGNsYXNzPSJUT0NidWciPjxhIGhy ZWY9IiN0b2MiPiZuYnNwO1RPQyZuYnNwOzwvYT48L3RkPjwvdHI+PC90YWJsZT4KPHRhYmxlIHN1 bW1hcnk9ImxheW91dCIgd2lkdGg9IjY2JSIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2Vs bHNwYWNpbmc9IjAiPjx0cj48dGQ+PHRhYmxlIHN1bW1hcnk9ImxheW91dCIgd2lkdGg9IjEwMCUi IGJvcmRlcj0iMCIgY2VsbHBhZGRpbmc9IjIiIGNlbGxzcGFjaW5nPSIxIj4KPHRyPjx0ZCBjbGFz cz0iaGVhZGVyIj5OZXR3b3JrIFdvcmtpbmcgR3JvdXA8L3RkPjx0ZCBjbGFzcz0iaGVhZGVyIj5N LiBKb25lczwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iaGVhZGVyIj5JbnRlcm5ldC1EcmFmdDwv dGQ+PHRkIGNsYXNzPSJoZWFkZXIiPk1pY3Jvc29mdDwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0i aGVhZGVyIj5JbnRlbmRlZCBzdGF0dXM6IFN0YW5kYXJkcyBUcmFjazwvdGQ+PHRkIGNsYXNzPSJo ZWFkZXIiPkQuIEhhcmR0PC90ZD48L3RyPgo8dHI+PHRkIGNsYXNzPSJoZWFkZXIiPkV4cGlyZXM6 IEp1bmUgMTQsIDIwMTI8L3RkPjx0ZCBjbGFzcz0iaGVhZGVyIj5pbmRlcGVuZGVudDwvdGQ+PC90 cj4KPHRyPjx0ZCBjbGFzcz0iaGVhZGVyIj4mbmJzcDs8L3RkPjx0ZCBjbGFzcz0iaGVhZGVyIj5E LiBSZWNvcmRvbjwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iaGVhZGVyIj4mbmJzcDs8L3RkPjx0 ZCBjbGFzcz0iaGVhZGVyIj5GYWNlYm9vazwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iaGVhZGVy Ij4mbmJzcDs8L3RkPjx0ZCBjbGFzcz0iaGVhZGVyIj5EZWNlbWJlciAxMiwgMjAxMTwvdGQ+PC90 cj4KPC90YWJsZT48L3RkPjwvdHI+PC90YWJsZT4KPGgxPjxiciAvPlRoZSBPQXV0aCAyLjAgQXV0 aG9yaXphdGlvbiBQcm90b2NvbDogQmVhcmVyIFRva2VuczxiciAvPmRyYWZ0LWlldGYtb2F1dGgt djItYmVhcmVyLTE1PC9oMT4KCjxoMz5BYnN0cmFjdDwvaDM+Cgo8cD4KICAgICAgICBUaGlzIHNw ZWNpZmljYXRpb24gZGVzY3JpYmVzIGhvdyB0byB1c2UgYmVhcmVyIHRva2VucyBpbiBIVFRQCiAg ICAgICAgcmVxdWVzdHMgdG8gYWNjZXNzIE9BdXRoIDIuMCBwcm90ZWN0ZWQgcmVzb3VyY2VzLiAg QW55IHBhcnR5CiAgICAgICAgaW4gcG9zc2Vzc2lvbiBvZiBhIGJlYXJlciB0b2tlbiAoYSAiYmVh cmVyIikgY2FuIHVzZSBpdCB0byBnZXQKICAgICAgICBhY2Nlc3MgdG8gdGhlIGFzc29jaWF0ZWQg cmVzb3VyY2VzICh3aXRob3V0IGRlbW9uc3RyYXRpbmcgcG9zc2Vzc2lvbgogICAgICAgIG9mIGEg Y3J5cHRvZ3JhcGhpYyBrZXkpLiAgVG8gcHJldmVudCBtaXN1c2UsIGJlYXJlciB0b2tlbnMKICAg ICAgICBuZWVkIHRvIGJlIHByb3RlY3RlZCBmcm9tIGRpc2Nsb3N1cmUgaW4gc3RvcmFnZSBhbmQg aW4gdHJhbnNwb3J0LgogICAgICAKPC9wPgo8aDM+U3RhdHVzIG9mIHRoaXMgTWVtbzwvaDM+Cjxw PgpUaGlzIEludGVybmV0LURyYWZ0IGlzIHN1Ym1pdHRlZCAgaW4gZnVsbApjb25mb3JtYW5jZSB3 aXRoIHRoZSBwcm92aXNpb25zIG9mIEJDUCZuYnNwOzc4IGFuZCBCQ1AmbmJzcDs3OS48L3A+Cjxw PgpJbnRlcm5ldC1EcmFmdHMgYXJlIHdvcmtpbmcgZG9jdW1lbnRzIG9mIHRoZSBJbnRlcm5ldCBF bmdpbmVlcmluZwpUYXNrIEZvcmNlIChJRVRGKS4gIE5vdGUgdGhhdCBvdGhlciBncm91cHMgbWF5 IGFsc28gZGlzdHJpYnV0ZQp3b3JraW5nIGRvY3VtZW50cyBhcyBJbnRlcm5ldC1EcmFmdHMuICBU aGUgbGlzdCBvZiBjdXJyZW50CkludGVybmV0LURyYWZ0cyBpcyBhdCBodHRwOi8vZGF0YXRyYWNr ZXIuaWV0Zi5vcmcvZHJhZnRzL2N1cnJlbnQvLjwvcD4KPHA+CkludGVybmV0LURyYWZ0cyBhcmUg ZHJhZnQgZG9jdW1lbnRzIHZhbGlkIGZvciBhIG1heGltdW0gb2Ygc2l4IG1vbnRocwphbmQgbWF5 IGJlIHVwZGF0ZWQsIHJlcGxhY2VkLCBvciBvYnNvbGV0ZWQgYnkgb3RoZXIgZG9jdW1lbnRzIGF0 IGFueSB0aW1lLgpJdCBpcyBpbmFwcHJvcHJpYXRlIHRvIHVzZSBJbnRlcm5ldC1EcmFmdHMgYXMg cmVmZXJlbmNlIG1hdGVyaWFsIG9yIHRvIGNpdGUKdGhlbSBvdGhlciB0aGFuIGFzICZsZHF1bzt3 b3JrIGluIHByb2dyZXNzLiZyZHF1bzs8L3A+CjxwPgpUaGlzIEludGVybmV0LURyYWZ0IHdpbGwg ZXhwaXJlIG9uIEp1bmUgMTQsIDIwMTIuPC9wPgoKPGgzPkNvcHlyaWdodCBOb3RpY2U8L2gzPgo8 cD4KQ29weXJpZ2h0IChjKSAyMDExIElFVEYgVHJ1c3QgYW5kIHRoZSBwZXJzb25zIGlkZW50aWZp ZWQgYXMgdGhlCmRvY3VtZW50IGF1dGhvcnMuICBBbGwgcmlnaHRzIHJlc2VydmVkLjwvcD4KPHA+ ClRoaXMgZG9jdW1lbnQgaXMgc3ViamVjdCB0byBCQ1AgNzggYW5kIHRoZSBJRVRGIFRydXN0J3Mg TGVnYWwKUHJvdmlzaW9ucyBSZWxhdGluZyB0byBJRVRGIERvY3VtZW50cwooaHR0cDovL3RydXN0 ZWUuaWV0Zi5vcmcvbGljZW5zZS1pbmZvKSBpbiBlZmZlY3Qgb24gdGhlIGRhdGUgb2YKcHVibGlj YXRpb24gb2YgdGhpcyBkb2N1bWVudC4gIFBsZWFzZSByZXZpZXcgdGhlc2UgZG9jdW1lbnRzCmNh cmVmdWxseSwgYXMgdGhleSBkZXNjcmliZSB5b3VyIHJpZ2h0cyBhbmQgcmVzdHJpY3Rpb25zIHdp dGggcmVzcGVjdAp0byB0aGlzIGRvY3VtZW50LiBDb2RlIENvbXBvbmVudHMgZXh0cmFjdGVkIGZy b20gdGhpcyBkb2N1bWVudCBtdXN0CmluY2x1ZGUgU2ltcGxpZmllZCBCU0QgTGljZW5zZSB0ZXh0 IGFzIGRlc2NyaWJlZCBpbiBTZWN0aW9uIDQuZSBvZgp0aGUgVHJ1c3QgTGVnYWwgUHJvdmlzaW9u cyBhbmQgYXJlIHByb3ZpZGVkIHdpdGhvdXQgd2FycmFudHkgYXMKZGVzY3JpYmVkIGluIHRoZSBT aW1wbGlmaWVkIEJTRCBMaWNlbnNlLjwvcD4KPGEgbmFtZT0idG9jIj48L2E+PGJyIC8+PGhyIC8+ CjxoMz5UYWJsZSBvZiBDb250ZW50czwvaDM+CjxwIGNsYXNzPSJ0b2MiPgo8YSBocmVmPSIjYW5j aG9yMSI+MS48L2E+Jm5ic3A7CkludHJvZHVjdGlvbjxiciAvPgombmJzcDsmbmJzcDsmbmJzcDsm bmJzcDs8YSBocmVmPSIjYW5jaG9yMiI+MS4xLjwvYT4mbmJzcDsKTm90YXRpb25hbCBDb252ZW50 aW9uczxiciAvPgombmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8YSBocmVmPSIjYW5jaG9yMyI+MS4y LjwvYT4mbmJzcDsKVGVybWlub2xvZ3k8YnIgLz4KJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PGEg aHJlZj0iI2FuY2hvcjQiPjEuMy48L2E+Jm5ic3A7Ck92ZXJ2aWV3PGJyIC8+CjxhIGhyZWY9IiNh bmNob3I1Ij4yLjwvYT4mbmJzcDsKQXV0aGVudGljYXRlZCBSZXF1ZXN0czxiciAvPgombmJzcDsm bmJzcDsmbmJzcDsmbmJzcDs8YSBocmVmPSIjYXV0aHotaGVhZGVyIj4yLjEuPC9hPiZuYnNwOwpB dXRob3JpemF0aW9uIFJlcXVlc3QgSGVhZGVyIEZpZWxkPGJyIC8+CiZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOzxhIGhyZWY9IiNib2R5LXBhcmFtIj4yLjIuPC9hPiZuYnNwOwpGb3JtLUVuY29kZWQg Qm9keSBQYXJhbWV0ZXI8YnIgLz4KJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PGEgaHJlZj0iI3F1 ZXJ5LXBhcmFtIj4yLjMuPC9hPiZuYnNwOwpVUkkgUXVlcnkgUGFyYW1ldGVyPGJyIC8+CjxhIGhy ZWY9IiNhdXRobi1oZWFkZXIiPjMuPC9hPiZuYnNwOwpUaGUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNw b25zZSBIZWFkZXIgRmllbGQ8YnIgLz4KJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PGEgaHJlZj0i I3Jlc291cmNlLWVycm9yLWNvZGVzIj4zLjEuPC9hPiZuYnNwOwpFcnJvciBDb2RlczxiciAvPgo8 YSBocmVmPSIjc2VjLWNvbiI+NC48L2E+Jm5ic3A7ClNlY3VyaXR5IENvbnNpZGVyYXRpb25zPGJy IC8+CiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOzxhIGhyZWY9IiN0aHJlYXRzIj40LjEuPC9hPiZu YnNwOwpTZWN1cml0eSBUaHJlYXRzPGJyIC8+CiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOzxhIGhy ZWY9IiNtaXRpZ2F0aW9uIj40LjIuPC9hPiZuYnNwOwpUaHJlYXQgTWl0aWdhdGlvbjxiciAvPgom bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8YSBocmVmPSIjYW5jaG9yNiI+NC4zLjwvYT4mbmJzcDsK U3VtbWFyeSBvZiBSZWNvbW1lbmRhdGlvbnM8YnIgLz4KPGEgaHJlZj0iI2FuY2hvcjciPjUuPC9h PiZuYnNwOwpJQU5BIENvbnNpZGVyYXRpb25zPGJyIC8+CiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OzxhIGhyZWY9IiNhbmNob3I4Ij41LjEuPC9hPiZuYnNwOwpPQXV0aCBBY2Nlc3MgVG9rZW4gVHlw ZSBSZWdpc3RyYXRpb248YnIgLz4KJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7PGEgaHJlZj0iI2FuY2hvcjkiPjUuMS4xLjwvYT4mbmJzcDsKVGhlICJCZWFy ZXIiIE9BdXRoIEFjY2VzcyBUb2tlbiBUeXBlPGJyIC8+CiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OzxhIGhyZWY9IiNhbmNob3IxMCI+NS4yLjwvYT4mbmJzcDsKQXV0aGVudGljYXRpb24gU2NoZW1l IFJlZ2lzdHJhdGlvbjxiciAvPgombmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDs8YSBocmVmPSIjYW5jaG9yMTEiPjUuMi4xLjwvYT4mbmJzcDsKVGhlICJCZWFy ZXIiIEF1dGhlbnRpY2F0aW9uIFNjaGVtZTxiciAvPgo8YSBocmVmPSIjcmZjLnJlZmVyZW5jZXMx Ij42LjwvYT4mbmJzcDsKUmVmZXJlbmNlczxiciAvPgombmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8 YSBocmVmPSIjcmZjLnJlZmVyZW5jZXMxIj42LjEuPC9hPiZuYnNwOwpOb3JtYXRpdmUgUmVmZXJl bmNlczxiciAvPgombmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8YSBocmVmPSIjcmZjLnJlZmVyZW5j ZXMyIj42LjIuPC9hPiZuYnNwOwpJbmZvcm1hdGl2ZSBSZWZlcmVuY2VzPGJyIC8+CjxhIGhyZWY9 IiNhbmNob3IxNCI+QXBwZW5kaXgmbmJzcDtBLjwvYT4mbmJzcDsKQWNrbm93bGVkZ2VtZW50czxi ciAvPgo8YSBocmVmPSIjYW5jaG9yMTUiPkFwcGVuZGl4Jm5ic3A7Qi48L2E+Jm5ic3A7CkRvY3Vt ZW50IEhpc3Rvcnk8YnIgLz4KPGEgaHJlZj0iI3JmYy5hdXRob3JzIj4mIzE2Nzs8L2E+Jm5ic3A7 CkF1dGhvcnMnIEFkZHJlc3NlczxiciAvPgo8L3A+CjxiciBjbGVhcj0iYWxsIiAvPgoKPGEgbmFt ZT0iYW5jaG9yMSI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5b3V0IiBjZWxs cGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWduPSJyaWdodCI+ PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0MmbmJzcDs8L2E+ PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLjEiPjwvYT48aDM+MS4mbmJz cDsKSW50cm9kdWN0aW9uPC9oMz4KCjxwPgogICAgICAgIE9BdXRoIGVuYWJsZXMgY2xpZW50cyB0 byBhY2Nlc3MgcHJvdGVjdGVkIHJlc291cmNlcyBieQogICAgICAgIG9idGFpbmluZyBhbiBhY2Nl c3MgdG9rZW4sIHdoaWNoIGlzIGRlZmluZWQgaW4KCU9BdXRoIDIuMCBBdXRob3JpemF0aW9uIDxh IGNsYXNzPSdpbmZvJyBocmVmPScjSS1ELmlldGYtb2F1dGgtdjInPltJJiM4MjA5O0QuaWV0ZiYj ODIwOTtvYXV0aCYjODIwOTt2Ml08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+SGFt bWVyLUxhaGF2LCBFLiwgUmVjb3Jkb24sIEQuLCBhbmQgRC4gSGFyZHQsICZsZHF1bztUaGUgT0F1 dGggMi4wIEF1dGhvcml6YXRpb24gUHJvdG9jb2wsJnJkcXVvOyBTZXB0ZW1iZXImbmJzcDsyMDEx Ljwvc3Bhbj48c3Bhbj4pPC9zcGFuPjwvYT4KCWFzICJhIHN0cmluZyByZXByZXNlbnRpbmcgYW4g YWNjZXNzCiAgICAgICAgYXV0aG9yaXphdGlvbiBpc3N1ZWQgdG8gdGhlIGNsaWVudCIsIHJhdGhl ciB0aGFuIHVzaW5nIHRoZQogICAgICAgIHJlc291cmNlIG93bmVyJ3MgY3JlZGVudGlhbHMgZGly ZWN0bHkuCiAgICAgIAo8L3A+CjxwPgogICAgICAgIFRva2VucyBhcmUgaXNzdWVkIHRvIGNsaWVu dHMgYnkgYW4gYXV0aG9yaXphdGlvbiBzZXJ2ZXIgd2l0aCB0aGUgYXBwcm92YWwgb2YKICAgICAg ICB0aGUgcmVzb3VyY2Ugb3duZXIuIFRoZSBjbGllbnQgdXNlcyB0aGUgYWNjZXNzIHRva2VuIHRv IGFjY2VzcyB0aGUgcHJvdGVjdGVkIHJlc291cmNlcwogICAgICAgIGhvc3RlZCBieSB0aGUgcmVz b3VyY2Ugc2VydmVyLiBUaGlzIHNwZWNpZmljYXRpb24gZGVzY3JpYmVzIGhvdyB0byBtYWtlIHBy b3RlY3RlZCByZXNvdXJjZQogICAgICAgIHJlcXVlc3RzIHdoZW4gdGhlIE9BdXRoIGFjY2VzcyB0 b2tlbiBpcyBhIGJlYXJlciB0b2tlbi4KICAgICAgCjwvcD4KPHA+CiAgICAgICAgVGhpcyBzcGVj aWZpY2F0aW9uIGRlZmluZXMgdGhlIHVzZSBvZiBiZWFyZXIgdG9rZW5zIG92ZXIKICAgICAgICBI VFRQLzEuMSA8YSBjbGFzcz0naW5mbycgaHJlZj0nI0ktRC5pZXRmLWh0dHBiaXMtcDEtbWVzc2Fn aW5nJz5bSSYjODIwOTtELmlldGYmIzgyMDk7aHR0cGJpcyYjODIwOTtwMSYjODIwOTttZXNzYWdp bmddPHNwYW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlz LCBKLiwgTW9ndWwsIEouLCBOaWVsc2VuLCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJl cm5lcnMtTGVlLCBULiwgTGFmb24sIFkuLCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4x LCBwYXJ0IDE6IFVSSXMsIENvbm5lY3Rpb25zLCBhbmQgTWVzc2FnZSBQYXJzaW5nLCZyZHF1bzsg T2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPgoJdXNpbmcKCVRMUyA8 YSBjbGFzcz0naW5mbycgaHJlZj0nI1JGQzUyNDYnPltSRkM1MjQ2XTxzcGFuPiAoPC9zcGFuPjxz cGFuIGNsYXNzPSdpbmZvJz5EaWVya3MsIFQuIGFuZCBFLiBSZXNjb3JsYSwgJmxkcXVvO1RoZSBU cmFuc3BvcnQgTGF5ZXIgU2VjdXJpdHkgKFRMUykgUHJvdG9jb2wgVmVyc2lvbiAxLjIsJnJkcXVv OyBBdWd1c3QmbmJzcDsyMDA4Ljwvc3Bhbj48c3Bhbj4pPC9zcGFuPjwvYT4gdG8gYWNjZXNzIHBy b3RlY3RlZCByZXNvdXJjZXMuCglUTFMgaXMgbWFuZGF0b3J5IHRvIGltcGxlbWVudAogICAgICAg IGFuZCB1c2Ugd2l0aCB0aGlzIHNwZWNpZmljYXRpb247IG90aGVyIHNwZWNpZmljYXRpb25zIG1h eQogICAgICAgIGV4dGVuZCB0aGlzIHNwZWNpZmljYXRpb24gZm9yIHVzZSB3aXRoIG90aGVyIHRy YW5zcG9ydAogICAgICAgIHByb3RvY29scy4KCVdoaWxlIGRlc2lnbmVkIGZvciB1c2Ugd2l0aCBh Y2Nlc3MgdG9rZW5zIHJlc3VsdGluZyBmcm9tCglPQXV0aCAyLjAgQXV0aG9yaXphdGlvbiA8YSBj bGFzcz0naW5mbycgaHJlZj0nI0ktRC5pZXRmLW9hdXRoLXYyJz5bSSYjODIwOTtELmlldGYmIzgy MDk7b2F1dGgmIzgyMDk7djJdPHNwYW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkhhbW1l ci1MYWhhdiwgRS4sIFJlY29yZG9uLCBELiwgYW5kIEQuIEhhcmR0LCAmbGRxdW87VGhlIE9BdXRo IDIuMCBBdXRob3JpemF0aW9uIFByb3RvY29sLCZyZHF1bzsgU2VwdGVtYmVyJm5ic3A7MjAxMS48 L3NwYW4+PHNwYW4+KTwvc3Bhbj48L2E+CglmbG93cyB0byBhY2Nlc3MgT0F1dGggcHJvdGVjdGVk IHJlc291cmNlcywgdGhpcwoJc3BlY2lmaWNhdGlvbiBhY3R1YWxseSBkZWZpbmVzIGEgZ2VuZXJh bCBIVFRQIGF1dGhvcml6YXRpb24KCW1ldGhvZCB0aGF0IGNhbiBiZSB1c2VkIHdpdGggYmVhcmVy IHRva2VucyBmcm9tIGFueSBzb3VyY2UKCXRvIGFjY2VzcyBhbnkgcmVzb3VyY2VzIHByb3RlY3Rl ZCBieSB0aG9zZSBiZWFyZXIgdG9rZW5zLgogICAgICAKPC9wPgo8YSBuYW1lPSJhbmNob3IyIj48 L2E+PGJyIC8+PGhyIC8+Cjx0YWJsZSBzdW1tYXJ5PSJsYXlvdXQiIGNlbGxwYWRkaW5nPSIwIiBj ZWxsc3BhY2luZz0iMiIgY2xhc3M9IlRPQ2J1ZyIgYWxpZ249InJpZ2h0Ij48dHI+PHRkIGNsYXNz PSJUT0NidWciPjxhIGhyZWY9IiN0b2MiPiZuYnNwO1RPQyZuYnNwOzwvYT48L3RkPjwvdHI+PC90 YWJsZT4KPGEgbmFtZT0icmZjLnNlY3Rpb24uMS4xIj48L2E+PGgzPjEuMS4mbmJzcDsKTm90YXRp b25hbCBDb252ZW50aW9uczwvaDM+Cgo8cD4KICAgICAgICAgIFRoZSBrZXkgd29yZHMgJ01VU1Qn LCAnTVVTVCBOT1QnLCAnUkVRVUlSRUQnLCAnU0hBTEwnLCAnU0hBTEwgTk9UJywgJ1NIT1VMRCcs ICdTSE9VTEQKICAgICAgICAgIE5PVCcsICdSRUNPTU1FTkRFRCcsICdNQVknLCBhbmQgJ09QVElP TkFMJyBpbiB0aGlzIGRvY3VtZW50IGFyZSB0byBiZSBpbnRlcnByZXRlZCBhcwogICAgICAgICAg ZGVzY3JpYmVkIGluCgkgIEtleSB3b3JkcyBmb3IgdXNlIGluIFJGQ3MgdG8gSW5kaWNhdGUgUmVx dWlyZW1lbnQgTGV2ZWxzIDxhIGNsYXNzPSdpbmZvJyBocmVmPScjUkZDMjExOSc+W1JGQzIxMTld PHNwYW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkJyYWRuZXIsIFMuLCAmbGRxdW87S2V5 IHdvcmRzIGZvciB1c2UgaW4gUkZDcyB0byBJbmRpY2F0ZSBSZXF1aXJlbWVudCBMZXZlbHMsJnJk cXVvOyBNYXJjaCZuYnNwOzE5OTcuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KICAgICAgICAK PC9wPgo8cD4KICAgICAgICAgIFRoaXMgZG9jdW1lbnQgdXNlcyB0aGUgQXVnbWVudGVkIEJhY2t1 cy1OYXVyIEZvcm0gKEFCTkYpCiAgICAgICAgICBub3RhdGlvbiBvZgoJICBIVFRQLzEuMSwgUGFy dCAxIDxhIGNsYXNzPSdpbmZvJyBocmVmPScjSS1ELmlldGYtaHR0cGJpcy1wMS1tZXNzYWdpbmcn PltJJiM4MjA5O0QuaWV0ZiYjODIwOTtodHRwYmlzJiM4MjA5O3AxJiM4MjA5O21lc3NhZ2luZ108 c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+RmllbGRpbmcsIFIuLCBHZXR0eXMsIEou LCBNb2d1bCwgSi4sIE5pZWxzZW4sIEguLCBNYXNpbnRlciwgTC4sIExlYWNoLCBQLiwgQmVybmVy cy1MZWUsIFQuLCBMYWZvbiwgWS4sIGFuZCBKLiBSZXNjaGtlLCAmbGRxdW87SFRUUC8xLjEsIHBh cnQgMTogVVJJcywgQ29ubmVjdGlvbnMsIGFuZCBNZXNzYWdlIFBhcnNpbmcsJnJkcXVvOyBPY3Rv YmVyJm5ic3A7MjAxMS48L3NwYW4+PHNwYW4+KTwvc3Bhbj48L2E+LAogICAgICAgICAgd2hpY2gg aXMgYmFzZWQgdXBvbiB0aGUKCSAgQXVnbWVudGVkIEJhY2t1cy1OYXVyIEZvcm0gKEFCTkYpIDxh IGNsYXNzPSdpbmZvJyBocmVmPScjUkZDNTIzNCc+W1JGQzUyMzRdPHNwYW4+ICg8L3NwYW4+PHNw YW4gY2xhc3M9J2luZm8nPkNyb2NrZXIsIEQuIGFuZCBQLiBPdmVyZWxsLCAmbGRxdW87QXVnbWVu dGVkIEJORiBmb3IgU3ludGF4IFNwZWNpZmljYXRpb25zOiBBQk5GLCZyZHF1bzsgSmFudWFyeSZu YnNwOzIwMDguPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPgoJICBub3RhdGlvbi4gIEFkZGl0aW9u YWxseSwgdGhlIGZvbGxvd2luZyBydWxlcyBhcmUgaW5jbHVkZWQgZnJvbQoJICBIVFRQLzEuMSwg UGFydCA3IDxhIGNsYXNzPSdpbmZvJyBocmVmPScjSS1ELmlldGYtaHR0cGJpcy1wNy1hdXRoJz5b SSYjODIwOTtELmlldGYmIzgyMDk7aHR0cGJpcyYjODIwOTtwNyYjODIwOTthdXRoXTxzcGFuPiAo PC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZvJz5GaWVsZGluZywgUi4sIEdldHR5cywgSi4sIE1vZ3Vs LCBKLiwgTmllbHNlbiwgSC4sIE1hc2ludGVyLCBMLiwgTGVhY2gsIFAuLCBCZXJuZXJzLUxlZSwg VC4sIExhZm9uLCBZLiwgYW5kIEouIFJlc2Noa2UsICZsZHF1bztIVFRQLzEuMSwgcGFydCA3OiBB dXRoZW50aWNhdGlvbiwmcmRxdW87IE9jdG9iZXImbmJzcDsyMDExLjwvc3Bhbj48c3Bhbj4pPC9z cGFuPjwvYT46CgkgIGI2NHRva2VuLCBhdXRoLXBhcmFtLCBhbmQgcmVhbG07IGZyb20KCSAgSFRU UC8xLjEsIFBhcnQgMSA8YSBjbGFzcz0naW5mbycgaHJlZj0nI0ktRC5pZXRmLWh0dHBiaXMtcDEt bWVzc2FnaW5nJz5bSSYjODIwOTtELmlldGYmIzgyMDk7aHR0cGJpcyYjODIwOTtwMSYjODIwOTtt ZXNzYWdpbmddPHNwYW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwg R2V0dHlzLCBKLiwgTW9ndWwsIEouLCBOaWVsc2VuLCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwg UC4sIEJlcm5lcnMtTGVlLCBULiwgTGFmb24sIFkuLCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hU VFAvMS4xLCBwYXJ0IDE6IFVSSXMsIENvbm5lY3Rpb25zLCBhbmQgTWVzc2FnZSBQYXJzaW5nLCZy ZHF1bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPjoKCSAgcXVv dGVkLXN0cmluZzsgYW5kIGZyb20KCSAgVW5pZm9ybSBSZXNvdXJjZSBJZGVudGlmaWVyIChVUkkp IDxhIGNsYXNzPSdpbmZvJyBocmVmPScjUkZDMzk4Nic+W1JGQzM5ODZdPHNwYW4+ICg8L3NwYW4+ PHNwYW4gY2xhc3M9J2luZm8nPkJlcm5lcnMtTGVlLCBULiwgRmllbGRpbmcsIFIuLCBhbmQgTC4g TWFzaW50ZXIsICZsZHF1bztVbmlmb3JtIFJlc291cmNlIElkZW50aWZpZXIgKFVSSSk6IEdlbmVy aWMgU3ludGF4LCZyZHF1bzsgSmFudWFyeSZuYnNwOzIwMDUuPC9zcGFuPjxzcGFuPik8L3NwYW4+ PC9hPjoKCSAgVVJJLVJlZmVyZW5jZS4KICAgICAgICAKPC9wPgo8cD4KICAgICAgICAgIFVubGVz cyBvdGhlcndpc2Ugbm90ZWQsIGFsbCB0aGUgcHJvdG9jb2wgcGFyYW1ldGVyIG5hbWVzIGFuZCB2 YWx1ZXMgYXJlIGNhc2Ugc2Vuc2l0aXZlLgogICAgICAgIAo8L3A+CjxhIG5hbWU9ImFuY2hvcjMi PjwvYT48YnIgLz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRpbmc9IjAi IGNlbGxzcGFjaW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48dGQgY2xh c3M9IlRPQ2J1ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+PC90cj48 L3RhYmxlPgo8YSBuYW1lPSJyZmMuc2VjdGlvbi4xLjIiPjwvYT48aDM+MS4yLiZuYnNwOwpUZXJt aW5vbG9neTwvaDM+Cgo8cD4KICAgICAgICAgIDwvcD4KPGJsb2NrcXVvdGUgY2xhc3M9InRleHQi PjxkbD4KPGR0PkJlYXJlciBUb2tlbjwvZHQ+CjxkZD4KICAgICAgICAgICAgICAKICAgICAgICAg ICAgICBBIHNlY3VyaXR5IHRva2VuIHdpdGggdGhlIHByb3BlcnR5IHRoYXQgYW55IHBhcnR5IGlu CiAgICAgICAgICAgICAgcG9zc2Vzc2lvbiBvZiB0aGUgdG9rZW4gKGEgImJlYXJlciIpIGNhbiB1 c2UgdGhlIHRva2VuCiAgICAgICAgICAgICAgaW4gYW55IHdheSB0aGF0IGFueSBvdGhlciBwYXJ0 eSBpbiBwb3NzZXNzaW9uIG9mIGl0IGNhbi4KICAgICAgICAgICAgICBVc2luZyBhIGJlYXJlciB0 b2tlbiBkb2VzIG5vdCByZXF1aXJlIGEgYmVhcmVyIHRvIHByb3ZlCiAgICAgICAgICAgICAgcG9z c2Vzc2lvbiBvZiBjcnlwdG9ncmFwaGljIGtleSBtYXRlcmlhbAogICAgICAgICAgICAgIChwcm9v Zi1vZi1wb3NzZXNzaW9uKS4KICAgICAgICAgICAgCjwvZGQ+CjwvZGw+PC9ibG9ja3F1b3RlPjxw PgogICAgICAgIAo8L3A+CjxwPgogICAgICAgICAgQWxsIG90aGVyIHRlcm1zIGFyZSBhcyBkZWZp bmVkIGluCgkgIE9BdXRoIDIuMCBBdXRob3JpemF0aW9uIDxhIGNsYXNzPSdpbmZvJyBocmVmPScj SS1ELmlldGYtb2F1dGgtdjInPltJJiM4MjA5O0QuaWV0ZiYjODIwOTtvYXV0aCYjODIwOTt2Ml08 c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+SGFtbWVyLUxhaGF2LCBFLiwgUmVjb3Jk b24sIEQuLCBhbmQgRC4gSGFyZHQsICZsZHF1bztUaGUgT0F1dGggMi4wIEF1dGhvcml6YXRpb24g UHJvdG9jb2wsJnJkcXVvOyBTZXB0ZW1iZXImbmJzcDsyMDExLjwvc3Bhbj48c3Bhbj4pPC9zcGFu PjwvYT4uCiAgICAgICAgCjwvcD4KPGEgbmFtZT0iYW5jaG9yNCI+PC9hPjxiciAvPjxociAvPgo8 dGFibGUgc3VtbWFyeT0ibGF5b3V0IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNs YXNzPSJUT0NidWciIGFsaWduPSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVm PSIjdG9jIj4mbmJzcDtUT0MmbmJzcDs8L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJm Yy5zZWN0aW9uLjEuMyI+PC9hPjxoMz4xLjMuJm5ic3A7Ck92ZXJ2aWV3PC9oMz4KCjxwPgogICAg ICAgICAgT0F1dGggcHJvdmlkZXMgYSBtZXRob2QgZm9yIGNsaWVudHMgdG8gYWNjZXNzIGEgcHJv dGVjdGVkIHJlc291cmNlIG9uIGJlaGFsZiBvZiBhCiAgICAgICAgICByZXNvdXJjZSBvd25lci4g SW4gdGhlIGdlbmVyYWwgY2FzZSwKCSAgYmVmb3JlIGEgY2xpZW50IGNhbiBhY2Nlc3MgYSBwcm90 ZWN0ZWQgcmVzb3VyY2UsIGl0IG11c3QgZmlyc3Qgb2J0YWluCiAgICAgICAgICBhbiBhdXRob3Jp emF0aW9uIGdyYW50IGZyb20gdGhlIHJlc291cmNlIG93bmVyIGFuZCB0aGVuIGV4Y2hhbmdlIHRo ZSBhdXRob3JpemF0aW9uIGdyYW50IGZvcgogICAgICAgICAgYW4gYWNjZXNzIHRva2VuLgoJICBU aGUgYWNjZXNzIHRva2VuIHJlcHJlc2VudHMgdGhlIGdyYW50J3Mgc2NvcGUsIGR1cmF0aW9uLCBh bmQKCSAgb3RoZXIgYXR0cmlidXRlcyBncmFudGVkIGJ5IHRoZSBhdXRob3JpemF0aW9uIGdyYW50 LiBUaGUKCSAgY2xpZW50IGFjY2Vzc2VzIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UgYnkgcHJlc2Vu dGluZyB0aGUKCSAgYWNjZXNzIHRva2VuIHRvIHRoZSByZXNvdXJjZSBzZXJ2ZXIuCgkgIEluIHNv bWUgY2FzZXMsIGEgY2xpZW50IGNhbiBkaXJlY3RseSBwcmVzZW50IGl0cyBvd24KCSAgY3JlZGVu dGlhbHMgdG8gYW4gYXV0aG9yaXphdGlvbiBzZXJ2ZXIgdG8gb2J0YWluIGFuIGFjY2VzcwoJICB0 b2tlbiB3aXRob3V0IGhhdmluZyB0byBmaXJzdCBvYnRhaW4gYW4gYXV0aG9yaXphdGlvbiBncmFu dCBmcm9tIGEKCSAgcmVzb3VyY2Ugb3duZXIuCiAgICAgICAgCjwvcD4KPHA+CiAgICAgICAgICBU aGUgYWNjZXNzIHRva2VuIHByb3ZpZGVzIGFuIGFic3RyYWN0aW9uLCByZXBsYWNpbmcgZGlmZmVy ZW50IGF1dGhvcml6YXRpb24KICAgICAgICAgIGNvbnN0cnVjdHMgKGUuZy4gdXNlcm5hbWUgYW5k IHBhc3N3b3JkLCBhc3NlcnRpb24pIGZvciBhIHNpbmdsZSB0b2tlbiB1bmRlcnN0b29kIGJ5IHRo ZQogICAgICAgICAgcmVzb3VyY2Ugc2VydmVyLiBUaGlzIGFic3RyYWN0aW9uIGVuYWJsZXMgaXNz dWluZyBhY2Nlc3MgdG9rZW5zIHZhbGlkIGZvciBhIHNob3J0IHRpbWUKICAgICAgICAgIHBlcmlv ZCwgYXMgd2VsbCBhcyByZW1vdmluZyB0aGUgcmVzb3VyY2Ugc2VydmVyJ3MgbmVlZCB0byB1bmRl cnN0YW5kIGEgd2lkZSByYW5nZSBvZgogICAgICAgICAgYXV0aGVudGljYXRpb24gc2NoZW1lcy4K ICAgICAgICAKPC9wPjxiciAvPjxociBjbGFzcz0iaW5zZXJ0IiAvPgo8YSBuYW1lPSJGaWd1cmUt MSI+PC9hPgo8ZGl2IHN0eWxlPSdkaXNwbGF5OiB0YWJsZTsgd2lkdGg6IDA7IG1hcmdpbi1sZWZ0 OiAzZW07IG1hcmdpbi1yaWdodDogYXV0byc+PHByZT4KKy0tLS0tLS0tKyAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICArLS0tLS0tLS0tLS0tLS0tKwp8ICAgICAgICB8LS0oQSktIEF1dGhv cml6YXRpb24gUmVxdWVzdCAtJmd0O3wgICBSZXNvdXJjZSAgICB8CnwgICAgICAgIHwgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgfCAgICAgT3duZXIgICAgIHwKfCAgICAgICAgfCZsdDst KEIpLS0gQXV0aG9yaXphdGlvbiBHcmFudCAtLS18ICAgICAgICAgICAgICAgfAp8ICAgICAgICB8 ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICstLS0tLS0tLS0tLS0tLS0rCnwgICAgICAg IHwKfCAgICAgICAgfCAgICAgICAgQXV0aG9yaXphdGlvbiBHcmFudCAmYW1wOyAgKy0tLS0tLS0t LS0tLS0tLSsKfCAgICAgICAgfC0tKEMpLS0tIENsaWVudCBDcmVkZW50aWFscyAtLSZndDt8IEF1 dGhvcml6YXRpb24gfAp8IENsaWVudCB8ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwg ICAgIFNlcnZlciAgICB8CnwgICAgICAgIHwmbHQ7LShEKS0tLS0tIEFjY2VzcyBUb2tlbiAtLS0t LS0tfCAgICAgICAgICAgICAgIHwKfCAgICAgICAgfCAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICArLS0tLS0tLS0tLS0tLS0tKwp8ICAgICAgICB8CnwgICAgICAgIHwgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgKy0tLS0tLS0tLS0tLS0tLSsKfCAgICAgICAgfC0tKEUpLS0tLS0g QWNjZXNzIFRva2VuIC0tLS0tLSZndDt8ICAgIFJlc291cmNlICAgfAp8ICAgICAgICB8ICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIHwgICAgIFNlcnZlciAgICB8CnwgICAgICAgIHwmbHQ7 LShGKS0tLSBQcm90ZWN0ZWQgUmVzb3VyY2UgLS0tfCAgICAgICAgICAgICAgIHwKKy0tLS0tLS0t KyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICArLS0tLS0tLS0tLS0tLS0tKwo8L3ByZT48 L2Rpdj48dGFibGUgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGFs aWduPSJjZW50ZXIiPjx0cj48dGQgYWxpZ249ImNlbnRlciI+PGZvbnQgZmFjZT0ibW9uYWNvLCBN UyBTYW5zIFNlcmlmIiBzaXplPSIxIj48Yj4mbmJzcDtGaWd1cmUmbmJzcDsxOiBBYnN0cmFjdCBQ cm90b2NvbCBGbG93Jm5ic3A7PC9iPjwvZm9udD48YnIgLz48L3RkPjwvdHI+PC90YWJsZT48aHIg Y2xhc3M9Imluc2VydCIgLz4KCjxwPgogICAgICAgICAgVGhlIGFic3RyYWN0IGZsb3cgaWxsdXN0 cmF0ZWQgaW4gPGEgY2xhc3M9J2luZm8nIGhyZWY9JyNGaWd1cmUtMSc+RmlndXJlJm5ic3A7MTxz cGFuPiAoPC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZvJz5BYnN0cmFjdCBQcm90b2NvbCBGbG93PC9z cGFuPjxzcGFuPik8L3NwYW4+PC9hPiBkZXNjcmliZXMgdGhlIG92ZXJhbGwKICAgICAgICAgIE9B dXRoIDIuMCBwcm90b2NvbCBhcmNoaXRlY3R1cmUuIFRoZSBmb2xsb3dpbmcgc3RlcHMgYXJlIHNw ZWNpZmllZCB3aXRoaW4gdGhpcwogICAgICAgICAgZG9jdW1lbnQ6CgogICAgICAgICAgPC9wPgo8 YmxvY2txdW90ZSBjbGFzcz0idGV4dCI+CjxwPgogICAgICAgICAgICAgIEUpIFRoZSBjbGllbnQg bWFrZXMgYSBwcm90ZWN0ZWQgcmVzb3VyY2UgcmVxdWVzdCB0byB0aGUgcmVzb3VyY2Ugc2VydmVy IGJ5IHByZXNlbnRpbmcKICAgICAgICAgICAgICB0aGUgYWNjZXNzIHRva2VuLgogICAgICAgICAg ICAKPC9wPgo8cD4KICAgICAgICAgICAgICBGKSBUaGUgcmVzb3VyY2Ugc2VydmVyIHZhbGlkYXRl cyB0aGUgYWNjZXNzIHRva2VuLCBhbmQgaWYgdmFsaWQsIHNlcnZlcyB0aGUgcmVxdWVzdC4KICAg ICAgICAgICAgCjwvcD4KPC9ibG9ja3F1b3RlPjxwPgogICAgICAgIAo8L3A+CjxhIG5hbWU9ImFu Y2hvcjUiPjwvYT48YnIgLz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRp bmc9IjAiIGNlbGxzcGFjaW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48 dGQgY2xhc3M9IlRPQ2J1ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+ PC90cj48L3RhYmxlPgo8YSBuYW1lPSJyZmMuc2VjdGlvbi4yIj48L2E+PGgzPjIuJm5ic3A7CkF1 dGhlbnRpY2F0ZWQgUmVxdWVzdHM8L2gzPgoKPHA+CglUaGlzIHNlY3Rpb24gZGVmaW5lcyB0aHJl ZQoJbWV0aG9kcyBvZiBzZW5kaW5nIGJlYXJlciBhY2Nlc3MgdG9rZW5zIGluIHJlc291cmNlIHJl cXVlc3RzCgl0byByZXNvdXJjZSBzZXJ2ZXJzLiAgQ2xpZW50cyBNVVNUIE5PVCB1c2UgbW9yZSB0 aGFuIG9uZQoJbWV0aG9kIHRvIHRyYW5zbWl0IHRoZSB0b2tlbiBpbiBlYWNoIHJlcXVlc3QuCiAg ICAgIAo8L3A+CjxhIG5hbWU9ImF1dGh6LWhlYWRlciI+PC9hPjxiciAvPjxociAvPgo8dGFibGUg c3VtbWFyeT0ibGF5b3V0IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJU T0NidWciIGFsaWduPSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9j Ij4mbmJzcDtUT0MmbmJzcDs8L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0 aW9uLjIuMSI+PC9hPjxoMz4yLjEuJm5ic3A7CkF1dGhvcml6YXRpb24gUmVxdWVzdCBIZWFkZXIg RmllbGQ8L2gzPgoKPHA+CgkgIFdoZW4gc2VuZGluZyB0aGUgYWNjZXNzIHRva2VuIGluIHRoZSA8 dHQ+QXV0aG9yaXphdGlvbjwvdHQ+IHJlcXVlc3QgaGVhZGVyIGZpZWxkCgkgIGRlZmluZWQgYnkK CSAgSFRUUC8xLjEsIFBhcnQgNyA8YSBjbGFzcz0naW5mbycgaHJlZj0nI0ktRC5pZXRmLWh0dHBi aXMtcDctYXV0aCc+W0kmIzgyMDk7RC5pZXRmJiM4MjA5O2h0dHBiaXMmIzgyMDk7cDcmIzgyMDk7 YXV0aF08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+RmllbGRpbmcsIFIuLCBHZXR0 eXMsIEouLCBNb2d1bCwgSi4sIE5pZWxzZW4sIEguLCBNYXNpbnRlciwgTC4sIExlYWNoLCBQLiwg QmVybmVycy1MZWUsIFQuLCBMYWZvbiwgWS4sIGFuZCBKLiBSZXNjaGtlLCAmbGRxdW87SFRUUC8x LjEsIHBhcnQgNzogQXV0aGVudGljYXRpb24sJnJkcXVvOyBPY3RvYmVyJm5ic3A7MjAxMS48L3Nw YW4+PHNwYW4+KTwvc3Bhbj48L2E+LAoJICB0aGUKCSAgY2xpZW50IHVzZXMgdGhlIDx0dD5CZWFy ZXI8L3R0PgoJICBhdXRoZW50aWNhdGlvbiBzY2hlbWUgdG8gdHJhbnNtaXQgdGhlIGFjY2VzcyB0 b2tlbi4KICAgICAgICAKPC9wPgo8cD4KICAgICAgICAgICAgRm9yIGV4YW1wbGU6CiAgICAgICAg ICAKPC9wPjxkaXYgc3R5bGU9J2Rpc3BsYXk6IHRhYmxlOyB3aWR0aDogMDsgbWFyZ2luLWxlZnQ6 IDNlbTsgbWFyZ2luLXJpZ2h0OiBhdXRvJz48cHJlPgpHRVQgL3Jlc291cmNlIEhUVFAvMS4xCkhv c3Q6IHNlcnZlci5leGFtcGxlLmNvbQpBdXRob3JpemF0aW9uOiBCZWFyZXIgdkY5ZGZ0NHFtVAo8 L3ByZT48L2Rpdj4KPHA+CiAgICAgICAgICBUaGUgPHR0PkF1dGhvcml6YXRpb248L3R0PiBoZWFk ZXIgZmllbGQgdXNlcyB0aGUgZnJhbWV3b3JrIGRlZmluZWQgYnkKICAgICAgICAgIEhUVFAvMS4x LCBQYXJ0IDcgPGEgY2xhc3M9J2luZm8nIGhyZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgn PltJJiM4MjA5O0QuaWV0ZiYjODIwOTtodHRwYmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNwYW4+ ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwgTW9n dWwsIEouLCBOaWVsc2VuLCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMtTGVl LCBULiwgTGFmb24sIFkuLCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0IDc6 IEF1dGhlbnRpY2F0aW9uLCZyZHF1bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8 L3NwYW4+PC9hPgoJICBhcyBmb2xsb3dzOgogICAgICAgIAo8L3A+PGRpdiBzdHlsZT0nZGlzcGxh eTogdGFibGU7IHdpZHRoOiAwOyBtYXJnaW4tbGVmdDogM2VtOyBtYXJnaW4tcmlnaHQ6IGF1dG8n PjxwcmU+CmNyZWRlbnRpYWxzID0gIkJlYXJlciIgMSpTUCBiNjR0b2tlbgo8L3ByZT48L2Rpdj4K PHA+CgkgIFRoZSBiNjR0b2tlbiBzeW50YXggd2FzIGNob3NlbiBvdmVyIHRoZSBhbHRlcm5hdGl2 ZQoJICAjYXV0aC1wYXJhbSBzeW50YXggYWxzbyBkZWZpbmVkIGJ5CgkgIEhUVFAvMS4xLCBQYXJ0 IDcgPGEgY2xhc3M9J2luZm8nIGhyZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgnPltJJiM4 MjA5O0QuaWV0ZiYjODIwOTtodHRwYmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNwYW4+ICg8L3Nw YW4+PHNwYW4gY2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwgTW9ndWwsIEou LCBOaWVsc2VuLCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMtTGVlLCBULiwg TGFmb24sIFkuLCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0IDc6IEF1dGhl bnRpY2F0aW9uLCZyZHF1bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+ PC9hPgoJICBib3RoIGZvciBzaW1wbGljaXR5CgkgIGFuZCBmb3IgY29tcGF0aWJpbGl0eSB3aXRo IGV4aXN0aW5nIGltcGxlbWVudGF0aW9ucy4KCSAgSWYgYWRkaXRpb25hbCBwYXJhbWV0ZXJzIGFy ZSBuZWVkZWQgaW4gdGhlIGZ1dHVyZSwgYQoJICBkaWZmZXJlbnQgc2NoZW1lIHdvdWxkIG5lZWQg dG8gYmUgZGVmaW5lZC4KCQo8L3A+CjxwPgoJICBDbGllbnRzIFNIT1VMRCBtYWtlIGF1dGhlbnRp Y2F0ZWQgcmVxdWVzdHMgd2l0aCBhIGJlYXJlcgoJICB0b2tlbiB1c2luZyB0aGUgPHR0PkF1dGhv cml6YXRpb248L3R0PgoJICByZXF1ZXN0IGhlYWRlciBmaWVsZCB3aXRoIHRoZSA8dHQ+QmVhcmVy PC90dD4gSFRUUCBhdXRob3JpemF0aW9uIHNjaGVtZS4KCSAgUmVzb3VyY2Ugc2VydmVycyBNVVNU IHN1cHBvcnQgdGhpcyBtZXRob2QuCgkKPC9wPgo8YSBuYW1lPSJib2R5LXBhcmFtIj48L2E+PGJy IC8+PGhyIC8+Cjx0YWJsZSBzdW1tYXJ5PSJsYXlvdXQiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3Bh Y2luZz0iMiIgY2xhc3M9IlRPQ2J1ZyIgYWxpZ249InJpZ2h0Ij48dHI+PHRkIGNsYXNzPSJUT0Ni dWciPjxhIGhyZWY9IiN0b2MiPiZuYnNwO1RPQyZuYnNwOzwvYT48L3RkPjwvdHI+PC90YWJsZT4K PGEgbmFtZT0icmZjLnNlY3Rpb24uMi4yIj48L2E+PGgzPjIuMi4mbmJzcDsKRm9ybS1FbmNvZGVk IEJvZHkgUGFyYW1ldGVyPC9oMz4KCjxwPgogICAgICAgICAgV2hlbiBzZW5kaW5nIHRoZSBhY2Nl c3MgdG9rZW4gaW4gdGhlIEhUVFAgcmVxdWVzdAogICAgICAgICAgZW50aXR5LWJvZHksIHRoZSBj bGllbnQgYWRkcyB0aGUgYWNjZXNzIHRva2VuIHRvIHRoZSByZXF1ZXN0CiAgICAgICAgICBib2R5 IHVzaW5nIHRoZSA8dHQ+YWNjZXNzX3Rva2VuPC90dD4KICAgICAgICAgIHBhcmFtZXRlci4gIFRo ZSBjbGllbnQgTVVTVCBOT1QgdXNlIHRoaXMgbWV0aG9kIHVubGVzcwoJICBhbGwgb2YgdGhlIGZv bGxvd2luZyBjb25kaXRpb25zIGFyZSBtZXQ6CiAgICAgICAgICA8L3A+Cjx1bCBjbGFzcz0idGV4 dCI+CjxsaT4KICAgICAgICAgICAgICBUaGUgSFRUUCByZXF1ZXN0IGVudGl0eS1ib2R5IGlzIHNp bmdsZS1wYXJ0LgogICAgICAgICAgICAKPC9saT4KPGxpPgogICAgICAgICAgICAgIFRoZSBlbnRp dHktYm9keSBmb2xsb3dzIHRoZSBlbmNvZGluZyByZXF1aXJlbWVudHMgb2YgdGhlCiAgICAgICAg ICAgICAgPHR0PmFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDwvdHQ+IGNvbnRlbnQt dHlwZSBhcwogICAgICAgICAgICAgIGRlZmluZWQgYnkKCSAgICAgIEhUTUwgNC4wMSA8YSBjbGFz cz0naW5mbycgaHJlZj0nI1czQy5SRUMtaHRtbDQwMS0xOTk5MTIyNCc+W1czQy5SRUMmIzgyMDk7 aHRtbDQwMSYjODIwOTsxOTk5MTIyNF08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+ SmFjb2JzLCBJLiwgUmFnZ2V0dCwgRC4sIGFuZCBBLiBIb3JzLCAmbGRxdW87SFRNTCA0LjAxIFNw ZWNpZmljYXRpb24sJnJkcXVvOyBEZWNlbWJlciZuYnNwOzE5OTkuPC9zcGFuPjxzcGFuPik8L3Nw YW4+PC9hPi4KICAgICAgICAgICAgCjwvbGk+CjxsaT4KICAgICAgICAgICAgICBUaGUgSFRUUCBy ZXF1ZXN0IGVudGl0eS1oZWFkZXIgaW5jbHVkZXMgdGhlIDx0dD5Db250ZW50LVR5cGU8L3R0Pgog ICAgICAgICAgICAgIGhlYWRlciBmaWVsZCBzZXQgdG8gPHR0PmFwcGxpY2F0aW9uL3gtd3d3LWZv cm0tdXJsZW5jb2RlZDwvdHQ+LgogICAgICAgICAgICAKPC9saT4KPGxpPgogICAgICAgICAgICAg IFRoZSBIVFRQIHJlcXVlc3QgbWV0aG9kIGlzIG9uZSBmb3Igd2hpY2ggdGhlIHJlcXVlc3QKICAg ICAgICAgICAgICBib2R5IGhhcyBkZWZpbmVkIHNlbWFudGljcy4gIEluIHBhcnRpY3VsYXIsCiAg ICAgICAgICAgICAgdGhpcyBtZWFucyB0aGF0IHRoZSA8dHQ+R0VUPC90dD4KICAgICAgICAgICAg ICBtZXRob2QgTVVTVCBOT1QgYmUgdXNlZC4KICAgICAgICAgICAgCjwvbGk+CjxsaT4KCSAgICAg IFRoZSBjb250ZW50IHRvIGJlIGVuY29kZWQgaW4gdGhlIGVudGl0eS1ib2R5IE1VU1QKCSAgICAg IGNvbnNpc3QgZW50aXJlbHkgb2YgQVNDSUkgY2hhcmFjdGVycy4KCSAgICAKPC9saT4KPC91bD48 cD4KICAgICAgICAKPC9wPgo8cD4KICAgICAgICAgIFRoZSBlbnRpdHktYm9keSBNQVkgaW5jbHVk ZSBvdGhlciByZXF1ZXN0LXNwZWNpZmljCiAgICAgICAgICBwYXJhbWV0ZXJzLCBpbiB3aGljaCBj YXNlLCB0aGUgPHR0PmFjY2Vzc190b2tlbjwvdHQ+IHBhcmFtZXRlciBNVVNUIGJlIHByb3Blcmx5 CiAgICAgICAgICBzZXBhcmF0ZWQgZnJvbSB0aGUgcmVxdWVzdC1zcGVjaWZpYyBwYXJhbWV0ZXJz IHVzaW5nIDx0dD4mYW1wOzwvdHQ+IGNoYXJhY3RlcihzKSAoQVNDSUkgY29kZSAzOCkuCiAgICAg ICAgCjwvcD4KPHA+CiAgICAgICAgICAgIEZvciBleGFtcGxlLCB0aGUgY2xpZW50IG1ha2VzIHRo ZSBmb2xsb3dpbmcgSFRUUCByZXF1ZXN0IHVzaW5nIHRyYW5zcG9ydC1sYXllcgogICAgICAgICAg ICBzZWN1cml0eToKICAgICAgICAgIAo8L3A+PGRpdiBzdHlsZT0nZGlzcGxheTogdGFibGU7IHdp ZHRoOiAwOyBtYXJnaW4tbGVmdDogM2VtOyBtYXJnaW4tcmlnaHQ6IGF1dG8nPjxwcmU+ClBPU1Qg L3Jlc291cmNlIEhUVFAvMS4xCkhvc3Q6IHNlcnZlci5leGFtcGxlLmNvbQpDb250ZW50LVR5cGU6 IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAoKYWNjZXNzX3Rva2VuPXZGOWRmdDRx bVQKPC9wcmU+PC9kaXY+CjxwPgoJICBUaGUgPHR0PmFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJs ZW5jb2RlZDwvdHQ+CgkgIG1ldGhvZCBTSE9VTEQgTk9UIGJlIHVzZWQgZXhjZXB0IGluIGFwcGxp Y2F0aW9uIGNvbnRleHRzCgkgIHdoZXJlIHBhcnRpY2lwYXRpbmcgYnJvd3NlcnMgZG8gbm90IGhh dmUgYWNjZXNzIHRvIHRoZQoJICA8dHQ+QXV0aG9yaXphdGlvbjwvdHQ+IHJlcXVlc3QgaGVhZGVy CgkgIGZpZWxkLiAgUmVzb3VyY2Ugc2VydmVycyBNQVkgc3VwcG9ydCB0aGlzIG1ldGhvZC4KCQo8 L3A+CjxhIG5hbWU9InF1ZXJ5LXBhcmFtIj48L2E+PGJyIC8+PGhyIC8+Cjx0YWJsZSBzdW1tYXJ5 PSJsYXlvdXQiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMiIgY2xhc3M9IlRPQ2J1ZyIg YWxpZ249InJpZ2h0Ij48dHI+PHRkIGNsYXNzPSJUT0NidWciPjxhIGhyZWY9IiN0b2MiPiZuYnNw O1RPQyZuYnNwOzwvYT48L3RkPjwvdHI+PC90YWJsZT4KPGEgbmFtZT0icmZjLnNlY3Rpb24uMi4z Ij48L2E+PGgzPjIuMy4mbmJzcDsKVVJJIFF1ZXJ5IFBhcmFtZXRlcjwvaDM+Cgo8cD4KICAgICAg ICAgIFdoZW4gc2VuZGluZyB0aGUgYWNjZXNzIHRva2VuIGluIHRoZSBIVFRQIHJlcXVlc3QgVVJJ LCB0aGUgY2xpZW50IGFkZHMgdGhlIGFjY2VzcwogICAgICAgICAgdG9rZW4gdG8gdGhlIHJlcXVl c3QgVVJJIHF1ZXJ5IGNvbXBvbmVudCBhcyBkZWZpbmVkIGJ5CgkgIFVuaWZvcm0gUmVzb3VyY2Ug SWRlbnRpZmllciAoVVJJKSA8YSBjbGFzcz0naW5mbycgaHJlZj0nI1JGQzM5ODYnPltSRkMzOTg2 XTxzcGFuPiAoPC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZvJz5CZXJuZXJzLUxlZSwgVC4sIEZpZWxk aW5nLCBSLiwgYW5kIEwuIE1hc2ludGVyLCAmbGRxdW87VW5pZm9ybSBSZXNvdXJjZSBJZGVudGlm aWVyIChVUkkpOiBHZW5lcmljIFN5bnRheCwmcmRxdW87IEphbnVhcnkmbmJzcDsyMDA1Ljwvc3Bh bj48c3Bhbj4pPC9zcGFuPjwvYT4KCSAgdXNpbmcKICAgICAgICAgIHRoZSA8dHQ+YWNjZXNzX3Rv a2VuPC90dD4gcGFyYW1ldGVyLgogICAgICAgIAo8L3A+CjxwPgogICAgICAgICAgICBGb3IgZXhh bXBsZSwgdGhlIGNsaWVudCBtYWtlcyB0aGUgZm9sbG93aW5nIEhUVFAgcmVxdWVzdCB1c2luZyB0 cmFuc3BvcnQtbGF5ZXIKICAgICAgICAgICAgc2VjdXJpdHk6CiAgICAgICAgICAKPC9wPjxkaXYg c3R5bGU9J2Rpc3BsYXk6IHRhYmxlOyB3aWR0aDogMDsgbWFyZ2luLWxlZnQ6IDNlbTsgbWFyZ2lu LXJpZ2h0OiBhdXRvJz48cHJlPgpHRVQgL3Jlc291cmNlP2FjY2Vzc190b2tlbj12RjlkZnQ0cW1U IEhUVFAvMS4xCkhvc3Q6IHNlcnZlci5leGFtcGxlLmNvbQo8L3ByZT48L2Rpdj4KPHA+CiAgICAg ICAgICBUaGUgSFRUUCByZXF1ZXN0IFVSSSBxdWVyeSBjYW4gaW5jbHVkZSBvdGhlcgogICAgICAg ICAgcmVxdWVzdC1zcGVjaWZpYyBwYXJhbWV0ZXJzLCBpbiB3aGljaCBjYXNlLCB0aGUgPHR0PmFj Y2Vzc190b2tlbjwvdHQ+IHBhcmFtZXRlciBNVVNUIGJlIHByb3Blcmx5CiAgICAgICAgICBzZXBh cmF0ZWQgZnJvbSB0aGUgcmVxdWVzdC1zcGVjaWZpYyBwYXJhbWV0ZXJzIHVzaW5nIDx0dD4mYW1w OzwvdHQ+IGNoYXJhY3RlcihzKSAoQVNDSUkgY29kZSAzOCkuCiAgICAgICAgCjwvcD4KPHA+CiAg ICAgICAgICAgIEZvciBleGFtcGxlOgogICAgICAgICAgCjwvcD48ZGl2IHN0eWxlPSdkaXNwbGF5 OiB0YWJsZTsgd2lkdGg6IDA7IG1hcmdpbi1sZWZ0OiAzZW07IG1hcmdpbi1yaWdodDogYXV0byc+ PHByZT4KaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20vcmVzb3VyY2U/eD15JmFtcDthY2Nlc3Nf dG9rZW49dkY5ZGZ0NHFtVCZhbXA7cD1xCjwvcHJlPjwvZGl2Pgo8cD4KCSAgQmVjYXVzZSBvZiB0 aGUgc2VjdXJpdHkgd2Vha25lc3NlcyBhc3NvY2lhdGVkIHdpdGggdGhlIFVSSQoJICBtZXRob2Qg KHNlZSA8YSBjbGFzcz0naW5mbycgaHJlZj0nI3NlYy1jb24nPlNlY3Rpb24mbmJzcDs0PHNwYW4+ ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPlNlY3VyaXR5IENvbnNpZGVyYXRpb25zPC9zcGFu PjxzcGFuPik8L3NwYW4+PC9hPiksIGluY2x1ZGluZyB0aGUgaGlnaAoJICBsaWtlbGlob29kIHRo YXQgdGhlIFVSTCBjb250YWluaW5nIHRoZSBhY2Nlc3MgdG9rZW4gd2lsbCBiZQoJICBsb2dnZWQs IGl0IFNIT1VMRCBOT1QgYmUgdXNlZCB1bmxlc3MgaXQgaXMgaW1wb3NzaWJsZSB0bwoJICB0cmFu c3BvcnQgdGhlIGFjY2VzcyB0b2tlbiBpbiB0aGUgPHR0PkF1dGhvcml6YXRpb248L3R0PiByZXF1 ZXN0IGhlYWRlciBmaWVsZCBvcgoJICB0aGUgSFRUUCByZXF1ZXN0IGVudGl0eS1ib2R5LiAgUmVz b3VyY2Ugc2VydmVycyBNQVkgc3VwcG9ydAoJICB0aGlzIG1ldGhvZC4KCQo8L3A+CjxhIG5hbWU9 ImF1dGhuLWhlYWRlciI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5b3V0IiBj ZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWduPSJyaWdo dCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0MmbmJzcDs8 L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLjMiPjwvYT48aDM+My4m bmJzcDsKVGhlIFdXVy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVyIEZpZWxkPC9oMz4KCjxw PgoJSWYgdGhlIHByb3RlY3RlZCByZXNvdXJjZSByZXF1ZXN0IGRvZXMgbm90IGluY2x1ZGUKCWF1 dGhlbnRpY2F0aW9uIGNyZWRlbnRpYWxzIG9yIGRvZXMgbm90IGNvbnRhaW4gYW4gYWNjZXNzCgl0 b2tlbiB0aGF0IGVuYWJsZXMgYWNjZXNzIHRvIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UsCgl0aGUg cmVzb3VyY2Ugc2VydmVyIE1VU1QgaW5jbHVkZSB0aGUgSFRUUCA8dHQ+V1dXLUF1dGhlbnRpY2F0 ZTwvdHQ+IHJlc3BvbnNlIGhlYWRlciBmaWVsZDsKCWl0IE1BWSBpbmNsdWRlIGl0IGluIHJlc3Bv bnNlIHRvIG90aGVyIGNvbmRpdGlvbnMgYXMgd2VsbC4KCVRoZSA8dHQ+V1dXLUF1dGhlbnRpY2F0 ZTwvdHQ+IGhlYWRlcgoJZmllbGQgdXNlcyB0aGUgZnJhbWV3b3JrIGRlZmluZWQgYnkKCUhUVFAv MS4xLCBQYXJ0IDcgPGEgY2xhc3M9J2luZm8nIGhyZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1 dGgnPltJJiM4MjA5O0QuaWV0ZiYjODIwOTtodHRwYmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNw YW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwg TW9ndWwsIEouLCBOaWVsc2VuLCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMt TGVlLCBULiwgTGFmb24sIFkuLCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0 IDc6IEF1dGhlbnRpY2F0aW9uLCZyZHF1bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFu Pik8L3NwYW4+PC9hPgoJYXMgZm9sbG93czoKICAgICAgCjwvcD48ZGl2IHN0eWxlPSdkaXNwbGF5 OiB0YWJsZTsgd2lkdGg6IDA7IG1hcmdpbi1sZWZ0OiAzZW07IG1hcmdpbi1yaWdodDogYXV0byc+ PHByZT4KY2hhbGxlbmdlICAgICAgID0gIkJlYXJlciIgWyAxKlNQIDEjcGFyYW0gXQoKcGFyYW0g ICAgICAgICAgID0gcmVhbG0gLyBzY29wZSAvCiAgICAgICAgICAgICAgICAgIGVycm9yIC8gZXJy b3ItZGVzYyAvIGVycm9yLXVyaSAvCiAgICAgICAgICAgICAgICAgIGF1dGgtcGFyYW0KCnNjb3Bl ICAgICAgICAgICA9ICJzY29wZSIgIj0iIHF1b3RlZC1zdHJpbmcKZXJyb3IgICAgICAgICAgID0g ImVycm9yIiAiPSIgcXVvdGVkLXN0cmluZwplcnJvci1kZXNjICAgICAgPSAiZXJyb3JfZGVzY3Jp cHRpb24iICI9IiBxdW90ZWQtc3RyaW5nCmVycm9yLXVyaSAgICAgICA9ICJlcnJvcl91cmkiICI9 IiBxdW90ZWQtc3RyaW5nCjwvcHJlPjwvZGl2Pgo8cD4KCUEgPHR0PnJlYWxtPC90dD4gYXR0cmli dXRlIE1BWSBiZSBpbmNsdWRlZAoJdG8gaW5kaWNhdGUgdGhlIHNjb3BlIG9mIHByb3RlY3Rpb24g aW4gdGhlIG1hbm5lciBkZXNjcmliZWQgaW4KCUhUVFAvMS4xLCBQYXJ0IDcgPGEgY2xhc3M9J2lu Zm8nIGhyZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgnPltJJiM4MjA5O0QuaWV0ZiYjODIw OTtodHRwYmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNwYW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9 J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwgTW9ndWwsIEouLCBOaWVsc2VuLCBILiwg TWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMtTGVlLCBULiwgTGFmb24sIFkuLCBhbmQg Si4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0IDc6IEF1dGhlbnRpY2F0aW9uLCZyZHF1 bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCVRoZSA8dHQ+ cmVhbG08L3R0PiBhdHRyaWJ1dGUgTVVTVCBOT1QgYXBwZWFyIG1vcmUgdGhhbiBvbmNlLgoJVGhl IDx0dD5yZWFsbTwvdHQ+IHZhbHVlIGlzIGludGVuZGVkIGZvcgoJcHJvZ3JhbW1hdGljIHVzZSBh bmQgaXMgbm90IG1lYW50IHRvIGJlIGRpc3BsYXllZCB0bwoJZW5kIHVzZXJzLgogICAgICAKPC9w Pgo8cD4KCVRoZSA8dHQ+c2NvcGU8L3R0PiBhdHRyaWJ1dGUgaXMgYSBzcGFjZS1kZWxpbWl0ZWQg bGlzdCBvZiBzY29wZSB2YWx1ZXMKCWluZGljYXRpbmcgdGhlIHJlcXVpcmVkIHNjb3BlIG9mIHRo ZSBhY2Nlc3MgdG9rZW4gZm9yIGFjY2Vzc2luZyB0aGUgcmVxdWVzdGVkIHJlc291cmNlLgoJSW4g c29tZSBjYXNlcywgdGhlIDx0dD5zY29wZTwvdHQ+IHZhbHVlCgl3aWxsIGJlIHVzZWQgd2hlbiBy ZXF1ZXN0aW5nIGEgbmV3IGFjY2VzcyB0b2tlbiB3aXRoCglzdWZmaWNpZW50IHNjb3BlIG9mIGFj Y2VzcyB0byB1dGlsaXplIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UuCglUaGUgPHR0PnNjb3BlPC90 dD4gYXR0cmlidXRlIE1VU1QgTk9UIGFwcGVhciBtb3JlIHRoYW4gb25jZS4KCVRoZSA8dHQ+c2Nv cGU8L3R0PiB2YWx1ZSBpcyBpbnRlbmRlZCBmb3IKCXByb2dyYW1tYXRpYyB1c2UgYW5kIGlzIG5v dCBtZWFudCB0byBiZSBkaXNwbGF5ZWQgdG8KCWVuZCB1c2Vycy4KICAgICAgCjwvcD4KPHA+CglJ ZiB0aGUgcHJvdGVjdGVkIHJlc291cmNlIHJlcXVlc3QgaW5jbHVkZWQgYW4gYWNjZXNzIHRva2Vu IGFuZCBmYWlsZWQgYXV0aGVudGljYXRpb24sIHRoZQoJcmVzb3VyY2Ugc2VydmVyIFNIT1VMRCBp bmNsdWRlIHRoZSA8dHQ+ZXJyb3I8L3R0PiBhdHRyaWJ1dGUgdG8gcHJvdmlkZQoJdGhlIGNsaWVu dCB3aXRoIHRoZSByZWFzb24gd2h5IHRoZSBhY2Nlc3MgcmVxdWVzdCB3YXMgZGVjbGluZWQuIFRo ZSBwYXJhbWV0ZXIgdmFsdWUgaXMKCWRlc2NyaWJlZCBpbiA8YSBjbGFzcz0naW5mbycgaHJlZj0n I3Jlc291cmNlLWVycm9yLWNvZGVzJz5TZWN0aW9uJm5ic3A7My4xPHNwYW4+ICg8L3NwYW4+PHNw YW4gY2xhc3M9J2luZm8nPkVycm9yIENvZGVzPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCUlu IGFkZGl0aW9uLCB0aGUgcmVzb3VyY2Ugc2VydmVyIE1BWSBpbmNsdWRlIHRoZSA8dHQ+ZXJyb3Jf ZGVzY3JpcHRpb248L3R0PiBhdHRyaWJ1dGUgdG8gcHJvdmlkZQoJZGV2ZWxvcGVycyBhIGh1bWFu LXJlYWRhYmxlIGV4cGxhbmF0aW9uIHRoYXQgaXMgbm90IG1lYW50Cgl0byBiZSBkaXNwbGF5ZWQg dG8gZW5kIHVzZXJzLgoJSXQgYWxzbyBNQVkgaW5jbHVkZQoJdGhlIDx0dD5lcnJvcl91cmk8L3R0 PiBhdHRyaWJ1dGUgd2l0aAoJYW4gYWJzb2x1dGUgVVJJIGlkZW50aWZ5aW5nIGEgaHVtYW4tcmVh ZGFibGUgd2ViIHBhZ2UgZXhwbGFpbmluZyB0aGUgZXJyb3IuCglUaGUgPHR0PmVycm9yPC90dD4s IDx0dD5lcnJvcl9kZXNjcmlwdGlvbjwvdHQ+LCBhbmQKCTx0dD5lcnJvcl91cmk8L3R0PiBhdHRy aWJ1dGVzIE1VU1QgTk9UIGFwcGVhciBtb3JlIHRoYW4gb25jZS4KICAgICAgCjwvcD4KPHA+CglQ cm9kdWNlcnMgb2YgPHR0PnNjb3BlPC90dD4gc3RyaW5ncyBNVVNUCglOT1QgdXNlIGNoYXJhY3Rl cnMgb3V0c2lkZSB0aGUgc2V0ICV4MjEgLyAleDIzLTVCIC8gJXg1RC03RQoJZm9yIHJlcHJlc2Vu dGluZyB0aGUgc2NvcGUgdmFsdWVzIGFuZCAleDIwIGZvciB0aGUgZGVsaW1pdGVyLgoJUHJvZHVj ZXJzIG9mIDx0dD5lcnJvcjwvdHQ+IGFuZCA8dHQ+ZXJyb3JfZGVzY3JpcHRpb248L3R0PiBzdHJp bmdzIE1VU1QgTk9UIHVzZQoJY2hhcmFjdGVycyBvdXRzaWRlIHRoZSBzZXQgJXgyMC0yMSAvICV4 MjMtNUIgLyAleDVELTdFIGZvcgoJcmVwcmVzZW50aW5nIHRoZXNlIHZhbHVlcy4KCVByb2R1Y2Vy cyBvZiA8dHQ+ZXJyb3ItdXJpPC90dD4gc3RyaW5ncwoJTVVTVCBOT1QgdXNlIGNoYXJhY3RlcnMg b3V0c2lkZSB0aGUgc2V0ICV4MjEgLyAleDIzLTVCIC8KCSV4NUQtN0UgZm9yIHJlcHJlc2VudGlu ZyB0aGVzZSB2YWx1ZXMuICBGdXJ0aGVybW9yZSwKCTx0dD5lcnJvci11cmk8L3R0PiBzdHJpbmdz IE1VU1QgY29uZm9ybQoJdG8gdGhlIFVSSS1SZWZlcmVuY2Ugc3ludGF4LgoJSW4gYWxsIHRoZXNl IGNhc2VzLCBubyBjaGFyYWN0ZXIgcXVvdGluZyB3aWxsIG9jY3VyLCBhcwoJc2VuZGVycyBhcmUg cHJvaGliaXRlZCBmcm9tIHVzaW5nIHRoZSAlNUMgKCdcJykgY2hhcmFjdGVyLgogICAgICAKPC9w Pgo8cD4KCSAgRm9yIGV4YW1wbGUsIGluIHJlc3BvbnNlIHRvIGEgcHJvdGVjdGVkIHJlc291cmNl IHJlcXVlc3Qgd2l0aG91dCBhdXRoZW50aWNhdGlvbjoKCQo8L3A+PGRpdiBzdHlsZT0nZGlzcGxh eTogdGFibGU7IHdpZHRoOiAwOyBtYXJnaW4tbGVmdDogM2VtOyBtYXJnaW4tcmlnaHQ6IGF1dG8n PjxwcmU+CkhUVFAvMS4xIDQwMSBVbmF1dGhvcml6ZWQKV1dXLUF1dGhlbnRpY2F0ZTogQmVhcmVy IHJlYWxtPSJleGFtcGxlIgo8L3ByZT48L2Rpdj4KPHA+CiAgICAgICAgICAgIEFuZCBpbiByZXNw b25zZSB0byBhIHByb3RlY3RlZCByZXNvdXJjZSByZXF1ZXN0IHdpdGggYW4gYXV0aGVudGljYXRp b24gYXR0ZW1wdCB1c2luZyBhbgogICAgICAgICAgICBleHBpcmVkIGFjY2VzcyB0b2tlbjoKICAg ICAgICAgIAo8L3A+PGRpdiBzdHlsZT0nZGlzcGxheTogdGFibGU7IHdpZHRoOiAwOyBtYXJnaW4t bGVmdDogM2VtOyBtYXJnaW4tcmlnaHQ6IGF1dG8nPjxwcmU+CkhUVFAvMS4xIDQwMSBVbmF1dGhv cml6ZWQKV1dXLUF1dGhlbnRpY2F0ZTogQmVhcmVyIHJlYWxtPSJleGFtcGxlIiwKICAgICAgICAg ICAgICAgICAgZXJyb3I9ImludmFsaWRfdG9rZW4iLAogICAgICAgICAgICAgICAgICBlcnJvcl9k ZXNjcmlwdGlvbj0iVGhlIGFjY2VzcyB0b2tlbiBleHBpcmVkIgo8L3ByZT48L2Rpdj4KPGEgbmFt ZT0icmVzb3VyY2UtZXJyb3ItY29kZXMiPjwvYT48YnIgLz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9 ImxheW91dCIgY2VsbHBhZGRpbmc9IjAiIGNlbGxzcGFjaW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBh bGlnbj0icmlnaHQiPjx0cj48dGQgY2xhc3M9IlRPQ2J1ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7 VE9DJm5ic3A7PC9hPjwvdGQ+PC90cj48L3RhYmxlPgo8YSBuYW1lPSJyZmMuc2VjdGlvbi4zLjEi PjwvYT48aDM+My4xLiZuYnNwOwpFcnJvciBDb2RlczwvaDM+Cgo8cD4KCSAgV2hlbiBhIHJlcXVl c3QgZmFpbHMsIHRoZSByZXNvdXJjZSBzZXJ2ZXIgcmVzcG9uZHMgdXNpbmcgdGhlIGFwcHJvcHJp YXRlIEhUVFAgc3RhdHVzCgkgIGNvZGUgKHR5cGljYWxseSwgNDAwLCA0MDEsIDQwMywgb3IgNDA1 KSwKCSAgYW5kIGluY2x1ZGVzIG9uZSBvZiB0aGUgZm9sbG93aW5nIGVycm9yIGNvZGVzIGluCgkg IHRoZSByZXNwb25zZToKCgkgIDwvcD4KPGJsb2NrcXVvdGUgY2xhc3M9InRleHQiPjxkbD4KPGR0 PmludmFsaWRfcmVxdWVzdDwvZHQ+CjxkZD4KCSAgICAgIAoJICAgICAgVGhlIHJlcXVlc3QgaXMg bWlzc2luZyBhIHJlcXVpcmVkIHBhcmFtZXRlciwgaW5jbHVkZXMgYW4gdW5zdXBwb3J0ZWQgcGFy YW1ldGVyIG9yCgkgICAgICBwYXJhbWV0ZXIgdmFsdWUsIHJlcGVhdHMgdGhlIHNhbWUgcGFyYW1l dGVyLCB1c2VzIG1vcmUgdGhhbiBvbmUgbWV0aG9kIGZvcgoJICAgICAgaW5jbHVkaW5nIGFuIGFj Y2VzcyB0b2tlbiwgb3IgaXMgb3RoZXJ3aXNlIG1hbGZvcm1lZC4gVGhlIHJlc291cmNlIHNlcnZl ciBTSE9VTEQKCSAgICAgIHJlc3BvbmQgd2l0aCB0aGUgSFRUUCA0MDAgKEJhZCBSZXF1ZXN0KSBz dGF0dXMgY29kZS4KCSAgICAKPC9kZD4KPGR0PmludmFsaWRfdG9rZW48L2R0Pgo8ZGQ+CgkgICAg ICAKCSAgICAgIFRoZSBhY2Nlc3MgdG9rZW4gcHJvdmlkZWQgaXMgZXhwaXJlZCwgcmV2b2tlZCwg bWFsZm9ybWVkLCBvciBpbnZhbGlkIGZvciBvdGhlcgoJICAgICAgcmVhc29ucy4gVGhlIHJlc291 cmNlIFNIT1VMRCByZXNwb25kIHdpdGggdGhlIEhUVFAgNDAxIChVbmF1dGhvcml6ZWQpIHN0YXR1 cwoJICAgICAgY29kZS4gVGhlIGNsaWVudCBNQVkgcmVxdWVzdCBhIG5ldyBhY2Nlc3MgdG9rZW4g YW5kIHJldHJ5IHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UKCSAgICAgIHJlcXVlc3QuCgkgICAgCjwv ZGQ+CjxkdD5pbnN1ZmZpY2llbnRfc2NvcGU8L2R0Pgo8ZGQ+CgkgICAgICAKCSAgICAgIFRoZSBy ZXF1ZXN0IHJlcXVpcmVzIGhpZ2hlciBwcml2aWxlZ2VzIHRoYW4gcHJvdmlkZWQgYnkgdGhlIGFj Y2VzcyB0b2tlbi4gVGhlCgkgICAgICByZXNvdXJjZSBzZXJ2ZXIgU0hPVUxEIHJlc3BvbmQgd2l0 aCB0aGUgSFRUUCA0MDMgKEZvcmJpZGRlbikgc3RhdHVzIGNvZGUgYW5kIE1BWQoJICAgICAgaW5j bHVkZSB0aGUgPHR0PnNjb3BlPC90dD4gYXR0cmlidXRlIHdpdGggdGhlIHNjb3BlIG5lY2Vzc2Fy eSB0bwoJICAgICAgYWNjZXNzIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UuCgkgICAgCjwvZGQ+Cjwv ZGw+PC9ibG9ja3F1b3RlPjxwPgoJCjwvcD4KPHA+CgkgIElmIHRoZSByZXF1ZXN0IGxhY2tzIGFu eSBhdXRoZW50aWNhdGlvbiBpbmZvcm1hdGlvbiAoaS5lLiB0aGUgY2xpZW50IHdhcyB1bmF3YXJl CgkgIGF1dGhlbnRpY2F0aW9uIGlzIG5lY2Vzc2FyeSBvciBhdHRlbXB0ZWQgdXNpbmcgYW4gdW5z dXBwb3J0ZWQgYXV0aGVudGljYXRpb24gbWV0aG9kKSwKCSAgdGhlIHJlc291cmNlIHNlcnZlciBT SE9VTEQgTk9UIGluY2x1ZGUgYW4gZXJyb3IgY29kZSBvciBvdGhlciBlcnJvciBpbmZvcm1hdGlv bi4KCQo8L3A+CjxwPgoJICAgIEZvciBleGFtcGxlOgoJICAKPC9wPjxkaXYgc3R5bGU9J2Rpc3Bs YXk6IHRhYmxlOyB3aWR0aDogMDsgbWFyZ2luLWxlZnQ6IDNlbTsgbWFyZ2luLXJpZ2h0OiBhdXRv Jz48cHJlPgpIVFRQLzEuMSA0MDEgVW5hdXRob3JpemVkCldXVy1BdXRoZW50aWNhdGU6IEJlYXJl ciByZWFsbT0iZXhhbXBsZSIKPC9wcmU+PC9kaXY+CjxhIG5hbWU9InNlYy1jb24iPjwvYT48YnIg Lz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRpbmc9IjAiIGNlbGxzcGFj aW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48dGQgY2xhc3M9IlRPQ2J1 ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+PC90cj48L3RhYmxlPgo8 YSBuYW1lPSJyZmMuc2VjdGlvbi40Ij48L2E+PGgzPjQuJm5ic3A7ClNlY3VyaXR5IENvbnNpZGVy YXRpb25zPC9oMz4KCjxwPgoJVGhpcyBzZWN0aW9uIGRlc2NyaWJlcyB0aGUgcmVsZXZhbnQgc2Vj dXJpdHkgdGhyZWF0cyByZWdhcmRpbmcKCXRva2VuIGhhbmRsaW5nIHdoZW4gdXNpbmcgYmVhcmVy IHRva2VucyBhbmQgZGVzY3JpYmVzIGhvdyB0bwoJbWl0aWdhdGUgdGhlc2UgdGhyZWF0cy4KICAg ICAgCjwvcD4KPGEgbmFtZT0idGhyZWF0cyI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFy eT0ibGF5b3V0IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWci IGFsaWduPSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJz cDtUT0MmbmJzcDs8L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLjQu MSI+PC9hPjxoMz40LjEuJm5ic3A7ClNlY3VyaXR5IFRocmVhdHM8L2gzPgoKPHA+CgkgIFRoZSBm b2xsb3dpbmcgbGlzdCBwcmVzZW50cyBzZXZlcmFsIGNvbW1vbiB0aHJlYXRzIGFnYWluc3QKCSAg cHJvdG9jb2xzIHV0aWxpemluZyBzb21lIGZvcm0gb2YgdG9rZW5zLiBUaGlzIGxpc3Qgb2YKCSAg dGhyZWF0cyBpcyBiYXNlZCBvbgoJICBOSVNUIFNwZWNpYWwgUHVibGljYXRpb24gODAwLTYzIDxh IGNsYXNzPSdpbmZvJyBocmVmPScjTklTVDgwMC02Myc+W05JU1Q4MDAmIzgyMDk7NjNdPHNwYW4+ ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkJ1cnIsIFcuLCBEb2Rzb24sIEQuLCBQZXJsbmVy LCBSLiwgUG9saywgVC4sIEd1cHRhLCBTLiwgYW5kIEUuIE5hYmJ1cywgJmxkcXVvO05JU1QgU3Bl Y2lhbCBQdWJsaWNhdGlvbiA4MDAtNjMtMSwgSU5GT1JNQVRJT04gU0VDVVJJVFksJnJkcXVvOyBE ZWNlbWJlciZuYnNwOzIwMDguPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCSAgU2luY2UgdGhp cyBkb2N1bWVudCBidWlsZHMgb24gdGhlCgkgIE9BdXRoIDIuMCBzcGVjaWZpY2F0aW9uLCB3ZSBl eGNsdWRlIGEgZGlzY3Vzc2lvbiBvZiB0aHJlYXRzCgkgIHRoYXQgYXJlIGRlc2NyaWJlZCB0aGVy ZSBvciBpbiByZWxhdGVkIGRvY3VtZW50cy4KCQo8L3A+CjxwPgoJICA8L3A+CjxibG9ja3F1b3Rl IGNsYXNzPSJ0ZXh0Ij48ZGw+CjxkdD5Ub2tlbiBtYW51ZmFjdHVyZS9tb2RpZmljYXRpb246PC9k dD4KPGRkPgoJICAgICAgQW4gYXR0YWNrZXIgbWF5IGdlbmVyYXRlIGEgYm9ndXMgdG9rZW4gb3Ig bW9kaWZ5IHRoZQoJICAgICAgdG9rZW4gY29udGVudHMgKHN1Y2ggYXMgdGhlIGF1dGhlbnRpY2F0 aW9uIG9yIGF0dHJpYnV0ZQoJICAgICAgc3RhdGVtZW50cykgb2YgYW4gZXhpc3RpbmcgdG9rZW4s IGNhdXNpbmcgdGhlIHJlc291cmNlCgkgICAgICBzZXJ2ZXIgdG8gZ3JhbnQgaW5hcHByb3ByaWF0 ZSBhY2Nlc3MgdG8gdGhlIGNsaWVudC4KCSAgICAgIEZvciBleGFtcGxlLCBhbiBhdHRhY2tlciBt YXkgbW9kaWZ5IHRoZSB0b2tlbiB0byBleHRlbmQKCSAgICAgIHRoZSB2YWxpZGl0eSBwZXJpb2Q7 IGEgbWFsaWNpb3VzIGNsaWVudCBtYXkgbW9kaWZ5IHRoZQoJICAgICAgYXNzZXJ0aW9uIHRvIGdh aW4gYWNjZXNzIHRvIGluZm9ybWF0aW9uIHRoYXQgdGhleQoJICAgICAgc2hvdWxkIG5vdCBiZSBh YmxlIHRvIHZpZXcuCgkgICAgCjwvZGQ+CjxkdD5Ub2tlbiBkaXNjbG9zdXJlOjwvZHQ+CjxkZD4K CSAgICAgIFRva2VucyBtYXkgY29udGFpbiBhdXRoZW50aWNhdGlvbiBhbmQgYXR0cmlidXRlCgkg ICAgICBzdGF0ZW1lbnRzIHRoYXQgaW5jbHVkZSBzZW5zaXRpdmUgaW5mb3JtYXRpb24uCgkgICAg CjwvZGQ+CjxkdD5Ub2tlbiByZWRpcmVjdDo8L2R0Pgo8ZGQ+CgkgICAgICBBbiBhdHRhY2tlciB1 c2VzIGEgdG9rZW4gZ2VuZXJhdGVkIGZvciBjb25zdW1wdGlvbiBieSAKCSAgICAgIG9uZSByZXNv dXJjZSBzZXJ2ZXIgdG8gZ2FpbiBhY2Nlc3MgdG8gYSBkaWZmZXJlbnQKCSAgICAgIHJlc291cmNl IHNlcnZlciB0aGF0IG1pc3Rha2VubHkgYmVsaWV2ZXMgdGhlIHRva2VuIHRvIGJlCgkgICAgICBm b3IgaXQuCgkgICAgCjwvZGQ+CjxkdD5Ub2tlbiByZXBsYXk6PC9kdD4KPGRkPgoJICAgICAgQW4g YXR0YWNrZXIgYXR0ZW1wdHMgdG8gdXNlIGEgdG9rZW4gdGhhdCBoYXMgYWxyZWFkeQoJICAgICAg YmVlbiB1c2VkIHdpdGggdGhhdCByZXNvdXJjZSBzZXJ2ZXIgaW4gdGhlIHBhc3QuCgkgICAgCjwv ZGQ+CjwvZGw+PC9ibG9ja3F1b3RlPjxwPiAKCQo8L3A+CjxhIG5hbWU9Im1pdGlnYXRpb24iPjwv YT48YnIgLz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRpbmc9IjAiIGNl bGxzcGFjaW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48dGQgY2xhc3M9 IlRPQ2J1ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+PC90cj48L3Rh YmxlPgo8YSBuYW1lPSJyZmMuc2VjdGlvbi40LjIiPjwvYT48aDM+NC4yLiZuYnNwOwpUaHJlYXQg TWl0aWdhdGlvbjwvaDM+Cgo8cD4KCSAgQSBsYXJnZSByYW5nZSBvZiB0aHJlYXRzIGNhbiBiZSBt aXRpZ2F0ZWQgYnkgcHJvdGVjdGluZyB0aGUKCSAgY29udGVudHMgb2YgdGhlIHRva2VuIGJ5IHVz aW5nIGEgZGlnaXRhbCBzaWduYXR1cmUgb3IgYQoJICBNZXNzYWdlIEF1dGhlbnRpY2F0aW9uIENv ZGUgKE1BQykuCgkgIEFsdGVybmF0aXZlbHksIGEgYmVhcmVyIHRva2VuIGNhbiBjb250YWluIGEg cmVmZXJlbmNlIHRvCgkgIGF1dGhvcml6YXRpb24gaW5mb3JtYXRpb24sIHJhdGhlciB0aGFuIGVu Y29kaW5nIHRoZQoJICBpbmZvcm1hdGlvbiBkaXJlY3RseS4gU3VjaCByZWZlcmVuY2VzIE1VU1Qg YmUgaW5mZWFzaWJsZSBmb3IKCSAgYW4gYXR0YWNrZXIgdG8gZ3Vlc3M7IHVzaW5nIGEgcmVmZXJl bmNlIG1heSByZXF1aXJlIGFuIGV4dHJhCgkgIGludGVyYWN0aW9uIGJldHdlZW4gYSBzZXJ2ZXIg YW5kIHRoZSB0b2tlbiBpc3N1ZXIgdG8gcmVzb2x2ZQoJICB0aGUgcmVmZXJlbmNlIHRvIHRoZSBh dXRob3JpemF0aW9uIGluZm9ybWF0aW9uLgoJICBUaGUgbWVjaGFuaWNzIG9mIHN1Y2ggYW4gaW50 ZXJhY3Rpb24gYXJlIG5vdCBkZWZpbmVkIGJ5IHRoaXMKCSAgc3BlY2lmaWNhdGlvbi4KCQo8L3A+ CjxwPgoJICBUaGlzIGRvY3VtZW50IGRvZXMgbm90IHNwZWNpZnkgdGhlIGVuY29kaW5nIG9yIHRo ZSBjb250ZW50cwoJICBvZiB0aGUgdG9rZW47IGhlbmNlIGRldGFpbGVkIHJlY29tbWVuZGF0aW9u cyBhYm91dCB0aGUgbWVhbnMKCSAgb2YgZ3VhcmFudGVlaW5nIHRva2VuIGludGVncml0eSBwcm90 ZWN0aW9uIGFyZSBvdXRzaWRlIHRoZQoJICBzY29wZSBvZiB0aGlzIGRvY3VtZW50LiAgVGhlIHRv a2VuIGludGVncml0eSBwcm90ZWN0aW9uIE1VU1QKCSAgYmUgc3VmZmljaWVudCB0byBwcmV2ZW50 IHRoZSB0b2tlbiBmcm9tIGJlaW5nIG1vZGlmaWVkLgoJCjwvcD4KPHA+CgkgIFRvIGRlYWwgd2l0 aCB0b2tlbiByZWRpcmVjdCwgaXQgaXMgaW1wb3J0YW50IGZvciB0aGUKCSAgYXV0aG9yaXphdGlv biBzZXJ2ZXIgdG8gaW5jbHVkZSB0aGUgaWRlbnRpdHkgb2YgdGhlIGludGVuZGVkCgkgIHJlY2lw aWVudHMgKHRoZSBhdWRpZW5jZSksIHR5cGljYWxseSBhIHNpbmdsZSByZXNvdXJjZQoJICBzZXJ2 ZXIgKG9yIGEgbGlzdCBvZiByZXNvdXJjZSBzZXJ2ZXJzKSwgaW4gdGhlIHRva2VuLgoJICBSZXN0 cmljdGluZyB0aGUgdXNlIG9mIHRoZSB0b2tlbiB0byBhIHNwZWNpZmljIHNjb3BlIGlzIGFsc28K CSAgUkVDT01NRU5ERUQuCgkKPC9wPgo8cD4KCSAgVGhlIGF1dGhvcml6YXRpb24gc2VydmVyIE1V U1QgaW1wbGVtZW50IFRMUy4KCSAgV2hpY2ggdmVyc2lvbihzKSBvdWdodCB0byBiZSBpbXBsZW1l bnRlZCB3aWxsIHZhcnkgb3ZlcgoJICB0aW1lLCBhbmQgZGVwZW5kIG9uIHRoZSB3aWRlc3ByZWFk IGRlcGxveW1lbnQgYW5kIGtub3duCgkgIHNlY3VyaXR5IHZ1bG5lcmFiaWxpdGllcyBhdCB0aGUg dGltZSBvZiBpbXBsZW1lbnRhdGlvbi4KCSAgQXQgdGhlIHRpbWUgb2YgdGhpcyB3cml0aW5nLAoJ ICBUTFMgdmVyc2lvbiAxLjIgPGEgY2xhc3M9J2luZm8nIGhyZWY9JyNSRkM1MjQ2Jz5bUkZDNTI0 Nl08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+RGllcmtzLCBULiBhbmQgRS4gUmVz Y29ybGEsICZsZHF1bztUaGUgVHJhbnNwb3J0IExheWVyIFNlY3VyaXR5IChUTFMpIFByb3RvY29s IFZlcnNpb24gMS4yLCZyZHF1bzsgQXVndXN0Jm5ic3A7MjAwOC48L3NwYW4+PHNwYW4+KTwvc3Bh bj48L2E+CgkgIGlzIHRoZSBtb3N0IHJlY2VudCB2ZXJzaW9uLCBidXQgaGFzIHZlcnkgbGltaXRl ZCBhY3R1YWwKCSAgZGVwbG95bWVudCwgYW5kIG1pZ2h0IG5vdCBiZSByZWFkaWx5IGF2YWlsYWJs ZSBpbgoJICBpbXBsZW1lbnRhdGlvbiB0b29sa2l0cy4KCSAgVExTIHZlcnNpb24gMS4wIDxhIGNs YXNzPSdpbmZvJyBocmVmPScjUkZDMjI0Nic+W1JGQzIyNDZdPHNwYW4+ICg8L3NwYW4+PHNwYW4g Y2xhc3M9J2luZm8nPkRpZXJrcywgVC4gYW5kIEMuIEFsbGVuLCAmbGRxdW87VGhlIFRMUyBQcm90 b2NvbCBWZXJzaW9uIDEuMCwmcmRxdW87IEphbnVhcnkmbmJzcDsxOTk5Ljwvc3Bhbj48c3Bhbj4p PC9zcGFuPjwvYT4KCSAgaXMgdGhlIG1vc3Qgd2lkZWx5IGRlcGxveWVkIHZlcnNpb24sIGFuZCB3 aWxsIGdpdmUgdGhlCgkgIGJyb2FkZXN0IGludGVyb3BlcmFiaWxpdHkuCgkKPC9wPgo8cD4KCSAg VG8gcHJvdGVjdCBhZ2FpbnN0IHRva2VuIGRpc2Nsb3N1cmUsIGNvbmZpZGVudGlhbGl0eQoJICBw cm90ZWN0aW9uIE1VU1QgYmUgYXBwbGllZCB1c2luZwoJICBUTFMgPGEgY2xhc3M9J2luZm8nIGhy ZWY9JyNSRkM1MjQ2Jz5bUkZDNTI0Nl08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+ RGllcmtzLCBULiBhbmQgRS4gUmVzY29ybGEsICZsZHF1bztUaGUgVHJhbnNwb3J0IExheWVyIFNl Y3VyaXR5IChUTFMpIFByb3RvY29sIFZlcnNpb24gMS4yLCZyZHF1bzsgQXVndXN0Jm5ic3A7MjAw OC48L3NwYW4+PHNwYW4+KTwvc3Bhbj48L2E+CgkgIHdpdGggYSBjaXBoZXJzdWl0ZSB0aGF0IHBy b3ZpZGVzIGNvbmZpZGVudGlhbGl0eSBhbmQKCSAgaW50ZWdyaXR5IHByb3RlY3Rpb24uICBUaGlz CgkgIHJlcXVpcmVzIHRoYXQgdGhlIGNvbW11bmljYXRpb24gaW50ZXJhY3Rpb24gYmV0d2VlbiB0 aGUKCSAgY2xpZW50IGFuZCB0aGUgYXV0aG9yaXphdGlvbiBzZXJ2ZXIsIGFzIHdlbGwgYXMgdGhl CgkgIGludGVyYWN0aW9uIGJldHdlZW4gdGhlIGNsaWVudCBhbmQgdGhlIHJlc291cmNlIHNlcnZl ciwKCSAgdXRpbGl6ZSBjb25maWRlbnRpYWxpdHkgYW5kIGludGVncml0eSBwcm90ZWN0aW9uLgoJ ICBTaW5jZSBUTFMgaXMgbWFuZGF0b3J5IHRvCgkgIGltcGxlbWVudCBhbmQgdG8gdXNlIHdpdGgg dGhpcyBzcGVjaWZpY2F0aW9uLCBpdCBpcyB0aGUKCSAgcHJlZmVycmVkIGFwcHJvYWNoIGZvciBw cmV2ZW50aW5nIHRva2VuIGRpc2Nsb3N1cmUgdmlhIHRoZQoJICBjb21tdW5pY2F0aW9uIGNoYW5u ZWwuIEZvciB0aG9zZSBjYXNlcyB3aGVyZSB0aGUgY2xpZW50CgkgIGlzIHByZXZlbnRlZCBmcm9t IG9ic2VydmluZyB0aGUgY29udGVudHMgb2YgdGhlIHRva2VuLCB0b2tlbgoJICBlbmNyeXB0aW9u IE1VU1QgYmUgYXBwbGllZCBpbiBhZGRpdGlvbiB0byB0aGUgdXNhZ2Ugb2YgVExTCgkgIHByb3Rl Y3Rpb24uCgkgIEFzIGEgZnVydGhlciBkZWZlbnNlIGFnYWluc3QgdG9rZW4gZGlzY2xvc3VyZSwg dGhlIGNsaWVudAoJICBNVVNUIHZhbGlkYXRlIHRoZSBUTFMgY2VydGlmaWNhdGUgY2hhaW4gd2hl biBtYWtpbmcgcmVxdWVzdHMKCSAgdG8gcHJvdGVjdGVkIHJlc291cmNlcy4KCQo8L3A+CjxwPgoJ ICBDb29raWVzIGFyZSB0eXBpY2FsbHkgdHJhbnNtaXR0ZWQgaW4gdGhlIGNsZWFyLiAgVGh1cywg YW55CgkgIGluZm9ybWF0aW9uIGNvbnRhaW5lZCBpbiB0aGVtIGlzIGF0IHJpc2sgb2YgZGlzY2xv c3VyZS4KCSAgVGhlcmVmb3JlLCBiZWFyZXIgdG9rZW5zIE1VU1QgTk9UIGJlIHN0b3JlZCBpbiBj b29raWVzIHRoYXQKCSAgY2FuIGJlIHNlbnQgaW4gdGhlIGNsZWFyLgoJCjwvcD4KPHA+CgkgIElu IHNvbWUgZGVwbG95bWVudHMsIGluY2x1ZGluZyB0aG9zZSB1dGlsaXppbmcgbG9hZAoJICBiYWxh bmNlcnMsIHRoZSBUTFMgY29ubmVjdGlvbiB0byB0aGUgcmVzb3VyY2Ugc2VydmVyCgkgIHRlcm1p bmF0ZXMgcHJpb3IgdG8gdGhlIGFjdHVhbCBzZXJ2ZXIgdGhhdCBwcm92aWRlcyB0aGUKCSAgcmVz b3VyY2UuICBUaGlzIGNvdWxkIGxlYXZlIHRoZSB0b2tlbiB1bnByb3RlY3RlZCBiZXR3ZWVuCgkg IHRoZSBmcm9udCBlbmQgc2VydmVyIHdoZXJlIHRoZSBUTFMgY29ubmVjdGlvbiB0ZXJtaW5hdGVz IGFuZAoJICB0aGUgYmFjayBlbmQgc2VydmVyIHRoYXQgcHJvdmlkZXMgdGhlIHJlc291cmNlLiAg SW4gc3VjaAoJICBkZXBsb3ltZW50cywgc3VmZmljaWVudCBtZWFzdXJlcyBNVVNUIGJlIGVtcGxv eWVkIHRvIGVuc3VyZQoJICBjb25maWRlbnRpYWxpdHkgb2YgdGhlIHRva2VuIGJldHdlZW4gdGhl IGZyb250IGVuZCBhbmQKCSAgYmFjayBlbmQgc2VydmVyczsgZW5jcnlwdGlvbiBvZiB0aGUgdG9r ZW4gaXMgb25lIHBvc3NpYmxlCgkgIHN1Y2ggbWVhc3VyZS4KCQo8L3A+CjxwPgoJICBUbyBkZWFs IHdpdGggdG9rZW4gY2FwdHVyZSBhbmQgcmVwbGF5LAoJICB0aGUgZm9sbG93aW5nIHJlY29tbWVu ZGF0aW9ucyBhcmUKCSAgbWFkZTogRmlyc3QsIHRoZSBsaWZldGltZSBvZiB0aGUgdG9rZW4gTVVT VCBiZSBsaW1pdGVkOwoJICBvbmUgbWVhbnMgb2YgYWNoaWV2aW5nIHRoaXMgaXMgYnkKCSAgcHV0 dGluZyBhIHZhbGlkaXR5IHRpbWUgZmllbGQgaW5zaWRlIHRoZSBwcm90ZWN0ZWQgcGFydCBvZgoJ ICB0aGUgdG9rZW4uICBOb3RlIHRoYXQgdXNpbmcgc2hvcnQtbGl2ZWQgKG9uZSBob3VyIG9yIGxl c3MpCgkgIHRva2VucyByZWR1Y2VzIHRoZSBpbXBhY3Qgb2YgdGhlbSBiZWluZwoJICBsZWFrZWQu ICBTZWNvbmQsIGNvbmZpZGVudGlhbGl0eSBwcm90ZWN0aW9uIG9mIHRoZSBleGNoYW5nZXMKCSAg YmV0d2VlbiB0aGUgY2xpZW50IGFuZCB0aGUgYXV0aG9yaXphdGlvbiBzZXJ2ZXIgYW5kIGJldHdl ZW4KCSAgdGhlIGNsaWVudCBhbmQgdGhlIHJlc291cmNlIHNlcnZlciBNVVNUIGJlIGFwcGxpZWQu CgkgIEFzIGEKCSAgY29uc2VxdWVuY2UsIG5vIGVhdmVzZHJvcHBlciBhbG9uZyB0aGUgY29tbXVu aWNhdGlvbiBwYXRoIGlzCgkgIGFibGUgdG8gb2JzZXJ2ZSB0aGUgdG9rZW4gZXhjaGFuZ2UuIENv bnNlcXVlbnRseSwgc3VjaCBhbgoJICBvbi1wYXRoIGFkdmVyc2FyeSBjYW5ub3QgcmVwbGF5IHRo ZSB0b2tlbi4KCSAgRnVydGhlcm1vcmUsIHdoZW4KCSAgcHJlc2VudGluZyB0aGUgdG9rZW4gdG8g YSByZXNvdXJjZSBzZXJ2ZXIsIHRoZSBjbGllbnQgTVVTVAoJICB2ZXJpZnkgdGhlIGlkZW50aXR5 IG9mIHRoYXQgcmVzb3VyY2Ugc2VydmVyLCBhcyBwZXIKCSAgUmVwcmVzZW50YXRpb24gYW5kIFZl cmlmaWNhdGlvbiBvZiBEb21haW4tQmFzZWQgQXBwbGljYXRpb24gU2VydmljZQoJICBJZGVudGl0 eSB3aXRoaW4gSW50ZXJuZXQgUHVibGljIEtleSBJbmZyYXN0cnVjdHVyZSBVc2luZyBYLjUwOSAo UEtJWCkKCSAgQ2VydGlmaWNhdGVzIGluIHRoZSBDb250ZXh0IG9mIFRyYW5zcG9ydCBMYXllciBT ZWN1cml0eSAoVExTKQoJICA8YSBjbGFzcz0naW5mbycgaHJlZj0nI1JGQzYxMjUnPltSRkM2MTI1 XTxzcGFuPiAoPC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZvJz5TYWludC1BbmRyZSwgUC4gYW5kIEou IEhvZGdlcywgJmxkcXVvO1JlcHJlc2VudGF0aW9uIGFuZCBWZXJpZmljYXRpb24gb2YgRG9tYWlu LUJhc2VkIEFwcGxpY2F0aW9uIFNlcnZpY2UgSWRlbnRpdHkgd2l0aGluIEludGVybmV0IFB1Ymxp YyBLZXkgSW5mcmFzdHJ1Y3R1cmUgVXNpbmcgWC41MDkgKFBLSVgpIENlcnRpZmljYXRlcyBpbiB0 aGUgQ29udGV4dCBvZiBUcmFuc3BvcnQgTGF5ZXIgU2VjdXJpdHkgKFRMUyksJnJkcXVvOyBNYXJj aCZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCSAgTm90ZSB0aGF0IHRoZQoJ ICBjbGllbnQgTVVTVCB2YWxpZGF0ZSB0aGUgVExTIGNlcnRpZmljYXRlIGNoYWluIHdoZW4gbWFr aW5nCgkgIHRoZXNlIHJlcXVlc3RzIHRvIHByb3RlY3RlZCByZXNvdXJjZXMuICBQcmVzZW50aW5n IHRoZSB0b2tlbgoJICB0byBhbiB1bmF1dGhlbnRpY2F0ZWQgYW5kIHVuYXV0aG9yaXplZCByZXNv dXJjZSBzZXJ2ZXIgb3IKCSAgZmFpbGluZyB0byB2YWxpZGF0ZSB0aGUgY2VydGlmaWNhdGUgY2hh aW4gd2lsbCBhbGxvdwoJICBhZHZlcnNhcmllcyB0byBzdGVhbCB0aGUgdG9rZW4gYW5kIGdhaW4g dW5hdXRob3JpemVkIGFjY2VzcwoJICB0byBwcm90ZWN0ZWQgcmVzb3VyY2VzLgoJCjwvcD4KPGEg bmFtZT0iYW5jaG9yNiI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5b3V0IiBj ZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWduPSJyaWdo dCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0MmbmJzcDs8 L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLjQuMyI+PC9hPjxoMz40 LjMuJm5ic3A7ClN1bW1hcnkgb2YgUmVjb21tZW5kYXRpb25zPC9oMz4KCjxwPgoJICA8L3A+Cjxi bG9ja3F1b3RlIGNsYXNzPSJ0ZXh0Ij48ZGw+CjxkdD5TYWZlZ3VhcmQgYmVhcmVyIHRva2Vuczo8 L2R0Pgo8ZGQ+CgkgICAgICBDbGllbnQgaW1wbGVtZW50YXRpb25zIE1VU1QgZW5zdXJlIHRoYXQg YmVhcmVyIHRva2VucwoJICAgICAgYXJlIG5vdCBsZWFrZWQgdG8gdW5pbnRlbmRlZCBwYXJ0aWVz LCBhcyB0aGV5IHdpbGwgYmUKCSAgICAgIGFibGUgdG8gdXNlIHRoZW0gdG8gZ2FpbiBhY2Nlc3Mg dG8gcHJvdGVjdGVkIHJlc291cmNlcy4KCSAgICAgIFRoaXMgaXMgdGhlIHByaW1hcnkgc2VjdXJp dHkgY29uc2lkZXJhdGlvbiB3aGVuIHVzaW5nCgkgICAgICBiZWFyZXIgdG9rZW5zIGFuZCB1bmRl cmxpZXMgYWxsIHRoZSBtb3JlCgkgICAgICBzcGVjaWZpYyByZWNvbW1lbmRhdGlvbnMgdGhhdCBm b2xsb3cuCgkgICAgCjwvZGQ+CjxkdD5WYWxpZGF0ZSBTU0wgY2VydGlmaWNhdGUgY2hhaW5zOjwv ZHQ+CjxkZD4KCSAgICAgIFRoZSBjbGllbnQgTVVTVCB2YWxpZGF0ZSB0aGUgVExTIGNlcnRpZmlj YXRlIGNoYWluIHdoZW4KCSAgICAgIG1ha2luZyByZXF1ZXN0cyB0byBwcm90ZWN0ZWQgcmVzb3Vy Y2VzLiAgRmFpbGluZyB0byBkbwoJICAgICAgc28gbWF5IGVuYWJsZSBETlMgaGlqYWNraW5nIGF0 dGFja3MgdG8gc3RlYWwgdGhlIHRva2VuCgkgICAgICBhbmQgZ2FpbiB1bmludGVuZGVkIGFjY2Vz cy4KCSAgICAKPC9kZD4KPGR0PkFsd2F5cyB1c2UgVExTIChodHRwcyk6PC9kdD4KPGRkPgoJICAg ICAgQ2xpZW50cyBNVVNUIGFsd2F5cyB1c2UKCSAgICAgIFRMUyA8YSBjbGFzcz0naW5mbycgaHJl Zj0nI1JGQzUyNDYnPltSRkM1MjQ2XTxzcGFuPiAoPC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZvJz5E aWVya3MsIFQuIGFuZCBFLiBSZXNjb3JsYSwgJmxkcXVvO1RoZSBUcmFuc3BvcnQgTGF5ZXIgU2Vj dXJpdHkgKFRMUykgUHJvdG9jb2wgVmVyc2lvbiAxLjIsJnJkcXVvOyBBdWd1c3QmbmJzcDsyMDA4 Ljwvc3Bhbj48c3Bhbj4pPC9zcGFuPjwvYT4KCSAgICAgIChodHRwcykgb3IgZXF1aXZhbGVudCB0 cmFuc3BvcnQgc2VjdXJpdHkgd2hlbiBtYWtpbmcgcmVxdWVzdHMKCSAgICAgIHdpdGggYmVhcmVy IHRva2Vucy4gIEZhaWxpbmcgdG8gZG8gc28gZXhwb3NlcyB0aGUgdG9rZW4KCSAgICAgIHRvIG51 bWVyb3VzIGF0dGFja3MgdGhhdCBjb3VsZCBnaXZlIGF0dGFja2VycyB1bmludGVuZGVkCgkgICAg ICBhY2Nlc3MuCgkgICAgCjwvZGQ+CjxkdD5Eb24ndCBzdG9yZSBiZWFyZXIgdG9rZW5zIGluIGNv b2tpZXM6PC9kdD4KPGRkPgoJICAgICAgSW1wbGVtZW50YXRpb25zIE1VU1QgTk9UIHN0b3JlIGJl YXJlciB0b2tlbnMgd2l0aGluCgkgICAgICBjb29raWVzIHRoYXQgY2FuIGJlIHNlbnQgaW4gdGhl IGNsZWFyICh3aGljaCBpcyB0aGUKCSAgICAgIGRlZmF1bHQgdHJhbnNtaXNzaW9uIG1vZGUgZm9y IGNvb2tpZXMpLgoJICAgICAgSW1wbGVtZW50YXRpb25zIHRoYXQgZG8gc3RvcmUgYmVhcmVyIHRv a2VucyBpbiBjb29raWVzCgkgICAgICBNVVNUIHRha2UgcHJlY2F1dGlvbnMgYWdhaW5zdCBjcm9z cyBzaXRlIHJlcXVlc3QgZm9yZ2VyeS4KCSAgICAKPC9kZD4KPGR0Pklzc3VlIHNob3J0LWxpdmVk IGJlYXJlciB0b2tlbnM6PC9kdD4KPGRkPgoJICAgICAgVG9rZW4gc2VydmVycyBTSE9VTEQgaXNz dWUgc2hvcnQtbGl2ZWQgKG9uZSBob3VyIG9yCgkgICAgICBsZXNzKSBiZWFyZXIgdG9rZW5zLCBw YXJ0aWN1bGFybHkgd2hlbiBpc3N1aW5nIHRva2VucyB0bwoJICAgICAgY2xpZW50cyB0aGF0IHJ1 biB3aXRoaW4gYSB3ZWIgYnJvd3NlciBvciBvdGhlcgoJICAgICAgZW52aXJvbm1lbnRzIHdoZXJl IGluZm9ybWF0aW9uIGxlYWthZ2UgbWF5IG9jY3VyLiAgVXNpbmcKCSAgICAgIHNob3J0LWxpdmVk IGJlYXJlciB0b2tlbnMgY2FuIHJlZHVjZSB0aGUgaW1wYWN0IG9mIHRoZW0KCSAgICAgIGJlaW5n IGxlYWtlZC4KCSAgICAKPC9kZD4KPGR0Pklzc3VlIHNjb3BlZCBiZWFyZXIgdG9rZW5zOjwvZHQ+ CjxkZD4KCSAgICAgIFRva2VuIHNlcnZlcnMgU0hPVUxEIGlzc3VlIGJlYXJlciB0b2tlbnMgdGhh dCBjb250YWluIGFuIGF1ZGllbmNlCgkgICAgICByZXN0cmljdGlvbiwgc2NvcGluZyB0aGVpciB1 c2UgdG8gdGhlIGludGVuZGVkIHJlbHlpbmcKCSAgICAgIHBhcnR5IG9yIHNldCBvZiByZWx5aW5n IHBhcnRpZXMuCgkgICAgCjwvZGQ+CjxkdD5Eb24ndCBwYXNzIGJlYXJlciB0b2tlbnMgaW4gcGFn ZSBVUkxzOjwvZHQ+CjxkZD4KCSAgICAgIEJlYXJlciB0b2tlbnMgU0hPVUxEIE5PVCBiZSBwYXNz ZWQgaW4gcGFnZSBVUkxzIChmb3IKCSAgICAgIGV4YW1wbGUgYXMgcXVlcnkgc3RyaW5nIHBhcmFt ZXRlcnMpLiBJbnN0ZWFkLCBiZWFyZXIKCSAgICAgIHRva2VucyBTSE9VTEQgYmUgcGFzc2VkIGlu IEhUVFAgbWVzc2FnZSBoZWFkZXJzIG9yCgkgICAgICBtZXNzYWdlIGJvZGllcyBmb3Igd2hpY2gg Y29uZmlkZW50aWFsaXR5IG1lYXN1cmVzIGFyZQoJICAgICAgdGFrZW4uIEJyb3dzZXJzLCB3ZWIg c2VydmVycywgYW5kIG90aGVyIHNvZnR3YXJlIG1heSBub3QKCSAgICAgIGFkZXF1YXRlbHkgc2Vj dXJlIFVSTHMgaW4gdGhlIGJyb3dzZXIgaGlzdG9yeSwgd2ViCgkgICAgICBzZXJ2ZXIgbG9ncywg YW5kIG90aGVyIGRhdGEgc3RydWN0dXJlcy4gSWYgYmVhcmVyIHRva2VucwoJICAgICAgYXJlIHBh c3NlZCBpbiBwYWdlIFVSTHMsIGF0dGFja2VycyBtaWdodCBiZSBhYmxlIHRvCgkgICAgICBzdGVh bCB0aGVtIGZyb20gdGhlIGhpc3RvcnkgZGF0YSwgbG9ncywgb3Igb3RoZXIKCSAgICAgIHVuc2Vj dXJlZCBsb2NhdGlvbnMuCgkgICAgCjwvZGQ+CjwvZGw+PC9ibG9ja3F1b3RlPjxwPgoJCjwvcD4K PGEgbmFtZT0iYW5jaG9yNyI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5b3V0 IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWduPSJy aWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0MmbmJz cDs8L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLjUiPjwvYT48aDM+ NS4mbmJzcDsKSUFOQSBDb25zaWRlcmF0aW9uczwvaDM+Cgo8YSBuYW1lPSJhbmNob3I4Ij48L2E+ PGJyIC8+PGhyIC8+Cjx0YWJsZSBzdW1tYXJ5PSJsYXlvdXQiIGNlbGxwYWRkaW5nPSIwIiBjZWxs c3BhY2luZz0iMiIgY2xhc3M9IlRPQ2J1ZyIgYWxpZ249InJpZ2h0Ij48dHI+PHRkIGNsYXNzPSJU T0NidWciPjxhIGhyZWY9IiN0b2MiPiZuYnNwO1RPQyZuYnNwOzwvYT48L3RkPjwvdHI+PC90YWJs ZT4KPGEgbmFtZT0icmZjLnNlY3Rpb24uNS4xIj48L2E+PGgzPjUuMS4mbmJzcDsKT0F1dGggQWNj ZXNzIFRva2VuIFR5cGUgUmVnaXN0cmF0aW9uPC9oMz4KCjxwPgogICAgICAgICAgVGhpcyBzcGVj aWZpY2F0aW9uIHJlZ2lzdGVycyB0aGUgZm9sbG93aW5nIGFjY2VzcyB0b2tlbiB0eXBlIGluIHRo ZSBPQXV0aCBBY2Nlc3MgVG9rZW4KICAgICAgICAgIFR5cGUgUmVnaXN0cnkuCiAgICAgICAgCjwv cD4KPGEgbmFtZT0iYW5jaG9yOSI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5 b3V0IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWdu PSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0Mm bmJzcDs8L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLjUuMS4xIj48 L2E+PGgzPjUuMS4xLiZuYnNwOwpUaGUgIkJlYXJlciIgT0F1dGggQWNjZXNzIFRva2VuIFR5cGU8 L2gzPgoKPHA+CiAgICAgICAgICAgIDwvcD4KPGJsb2NrcXVvdGUgY2xhc3M9InRleHQiPjxkbD4K PGR0PlR5cGUgbmFtZTo8L2R0Pgo8ZGQ+CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAg IEJlYXJlcgogICAgICAgICAgICAgIAo8L2RkPgo8ZHQ+QWRkaXRpb25hbCBUb2tlbiBFbmRwb2lu dCBSZXNwb25zZSBQYXJhbWV0ZXJzOjwvZHQ+CjxkZD4KICAgICAgICAgICAgICAgIAogICAgICAg ICAgICAgICAgKG5vbmUpCiAgICAgICAgICAgICAgCjwvZGQ+CjxkdD5IVFRQIEF1dGhlbnRpY2F0 aW9uIFNjaGVtZShzKTo8L2R0Pgo8ZGQ+CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAg IEJlYXJlcgogICAgICAgICAgICAgIAo8L2RkPgo8ZHQ+Q2hhbmdlIGNvbnRyb2xsZXI6PC9kdD4K PGRkPgogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICBJRVRGCiAgICAgICAgICAgICAg CjwvZGQ+CjxkdD5TcGVjaWZpY2F0aW9uIGRvY3VtZW50KHMpOjwvZHQ+CjxkZD4KICAgICAgICAg ICAgICAgIAogICAgICAgICAgICAgICAgW1sgdGhpcyBkb2N1bWVudCBdXQogICAgICAgICAgICAg IAo8L2RkPgo8L2RsPjwvYmxvY2txdW90ZT48cD4KICAgICAgICAgIAo8L3A+CjxhIG5hbWU9ImFu Y2hvcjEwIj48L2E+PGJyIC8+PGhyIC8+Cjx0YWJsZSBzdW1tYXJ5PSJsYXlvdXQiIGNlbGxwYWRk aW5nPSIwIiBjZWxsc3BhY2luZz0iMiIgY2xhc3M9IlRPQ2J1ZyIgYWxpZ249InJpZ2h0Ij48dHI+ PHRkIGNsYXNzPSJUT0NidWciPjxhIGhyZWY9IiN0b2MiPiZuYnNwO1RPQyZuYnNwOzwvYT48L3Rk PjwvdHI+PC90YWJsZT4KPGEgbmFtZT0icmZjLnNlY3Rpb24uNS4yIj48L2E+PGgzPjUuMi4mbmJz cDsKQXV0aGVudGljYXRpb24gU2NoZW1lIFJlZ2lzdHJhdGlvbjwvaDM+Cgo8cD4KICAgICAgICAg IFRoaXMgc3BlY2lmaWNhdGlvbiByZWdpc3RlcnMgdGhlIGZvbGxvd2luZyBhdXRoZW50aWNhdGlv bgogICAgICAgICAgc2NoZW1lIGluIHRoZSBBdXRoZW50aWNhdGlvbiBTY2hlbWUgUmVnaXN0cnkg ZGVmaW5lZCBpbgogICAgICAgICAgSFRUUC8xLjEsIFBhcnQgNyA8YSBjbGFzcz0naW5mbycgaHJl Zj0nI0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aCc+W0kmIzgyMDk7RC5pZXRmJiM4MjA5O2h0dHBi aXMmIzgyMDk7cDcmIzgyMDk7YXV0aF08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+ RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIE5pZWxzZW4sIEguLCBNYXNpbnRl ciwgTC4sIExlYWNoLCBQLiwgQmVybmVycy1MZWUsIFQuLCBMYWZvbiwgWS4sIGFuZCBKLiBSZXNj aGtlLCAmbGRxdW87SFRUUC8xLjEsIHBhcnQgNzogQXV0aGVudGljYXRpb24sJnJkcXVvOyBPY3Rv YmVyJm5ic3A7MjAxMS48L3NwYW4+PHNwYW4+KTwvc3Bhbj48L2E+LgogICAgICAgIAo8L3A+Cjxh IG5hbWU9ImFuY2hvcjExIj48L2E+PGJyIC8+PGhyIC8+Cjx0YWJsZSBzdW1tYXJ5PSJsYXlvdXQi IGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMiIgY2xhc3M9IlRPQ2J1ZyIgYWxpZ249InJp Z2h0Ij48dHI+PHRkIGNsYXNzPSJUT0NidWciPjxhIGhyZWY9IiN0b2MiPiZuYnNwO1RPQyZuYnNw OzwvYT48L3RkPjwvdHI+PC90YWJsZT4KPGEgbmFtZT0icmZjLnNlY3Rpb24uNS4yLjEiPjwvYT48 aDM+NS4yLjEuJm5ic3A7ClRoZSAiQmVhcmVyIiBBdXRoZW50aWNhdGlvbiBTY2hlbWU8L2gzPgoK PHA+CiAgICAgICAgICAgIDwvcD4KPGJsb2NrcXVvdGUgY2xhc3M9InRleHQiPjxkbD4KPGR0PkF1 dGhlbnRpY2F0aW9uIFNjaGVtZSBOYW1lOjwvZHQ+CjxkZD4KICAgICAgICAgICAgICAgIAogICAg ICAgICAgICAgICAgQmVhcmVyCiAgICAgICAgICAgICAgCjwvZGQ+CjxkdD5Qb2ludGVyIHRvIHNw ZWNpZmljYXRpb24gdGV4dDo8L2R0Pgo8ZGQ+CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAg ICAgIFtbIHRoaXMgZG9jdW1lbnQgXV0KICAgICAgICAgICAgICAKPC9kZD4KPGR0Pk5vdGVzIChv cHRpb25hbCk6PC9kdD4KPGRkPgogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAobm9u ZSkKICAgICAgICAgICAgICAKPC9kZD4KPC9kbD48L2Jsb2NrcXVvdGU+PHA+CiAgICAgICAgICAK PC9wPgo8YSBuYW1lPSJyZmMucmVmZXJlbmNlcyI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3Vt bWFyeT0ibGF5b3V0IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0Ni dWciIGFsaWduPSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4m bmJzcDtUT0MmbmJzcDs8L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9u LjYiPjwvYT48aDM+Ni4mbmJzcDsKUmVmZXJlbmNlczwvaDM+Cgo8YSBuYW1lPSJyZmMucmVmZXJl bmNlczEiPjwvYT48YnIgLz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRp bmc9IjAiIGNlbGxzcGFjaW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48 dGQgY2xhc3M9IlRPQ2J1ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+ PC90cj48L3RhYmxlPgo8aDM+Ni4xLiZuYnNwO05vcm1hdGl2ZSBSZWZlcmVuY2VzPC9oMz4KPHRh YmxlIHdpZHRoPSI5OSUiIGJvcmRlcj0iMCI+Cjx0cj48dGQgY2xhc3M9ImF1dGhvci10ZXh0IiB2 YWxpZ249InRvcCI+PGEgbmFtZT0iSS1ELmlldGYtaHR0cGJpcy1wMS1tZXNzYWdpbmciPltJLUQu aWV0Zi1odHRwYmlzLXAxLW1lc3NhZ2luZ108L2E+PC90ZD4KPHRkIGNsYXNzPSJhdXRob3ItdGV4 dCI+RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIE5pZWxzZW4sIEguLCBNYXNp bnRlciwgTC4sIExlYWNoLCBQLiwgQmVybmVycy1MZWUsIFQuLCBMYWZvbiwgWS4sIGFuZCBKLiBS ZXNjaGtlLCAmbGRxdW87PGEgaHJlZj0iaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQt aWV0Zi1odHRwYmlzLXAxLW1lc3NhZ2luZy0xNyI+SFRUUC8xLjEsIHBhcnQgMTogVVJJcywgQ29u bmVjdGlvbnMsIGFuZCBNZXNzYWdlIFBhcnNpbmc8L2E+LCZyZHF1bzsgZHJhZnQtaWV0Zi1odHRw YmlzLXAxLW1lc3NhZ2luZy0xNyAod29yayBpbiBwcm9ncmVzcyksIE9jdG9iZXImbmJzcDsyMDEx ICg8YSBocmVmPSJodHRwOi8vd3d3LmlldGYub3JnL2ludGVybmV0LWRyYWZ0cy9kcmFmdC1pZXRm LWh0dHBiaXMtcDEtbWVzc2FnaW5nLTE3LnR4dCI+VFhUPC9hPikuPC90ZD48L3RyPgo8dHI+PHRk IGNsYXNzPSJhdXRob3ItdGV4dCIgdmFsaWduPSJ0b3AiPjxhIG5hbWU9IkktRC5pZXRmLWh0dHBi aXMtcDctYXV0aCI+W0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aF08L2E+PC90ZD4KPHRkIGNsYXNz PSJhdXRob3ItdGV4dCI+RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIE5pZWxz ZW4sIEguLCBNYXNpbnRlciwgTC4sIExlYWNoLCBQLiwgQmVybmVycy1MZWUsIFQuLCBMYWZvbiwg WS4sIGFuZCBKLiBSZXNjaGtlLCAmbGRxdW87PGEgaHJlZj0iaHR0cDovL3Rvb2xzLmlldGYub3Jn L2h0bWwvZHJhZnQtaWV0Zi1odHRwYmlzLXA3LWF1dGgtMTciPkhUVFAvMS4xLCBwYXJ0IDc6IEF1 dGhlbnRpY2F0aW9uPC9hPiwmcmRxdW87IGRyYWZ0LWlldGYtaHR0cGJpcy1wNy1hdXRoLTE3ICh3 b3JrIGluIHByb2dyZXNzKSwgT2N0b2JlciZuYnNwOzIwMTEgKDxhIGhyZWY9Imh0dHA6Ly93d3cu aWV0Zi5vcmcvaW50ZXJuZXQtZHJhZnRzL2RyYWZ0LWlldGYtaHR0cGJpcy1wNy1hdXRoLTE3LnR4 dCI+VFhUPC9hPikuPC90ZD48L3RyPgo8dHI+PHRkIGNsYXNzPSJhdXRob3ItdGV4dCIgdmFsaWdu PSJ0b3AiPjxhIG5hbWU9IkktRC5pZXRmLW9hdXRoLXYyIj5bSS1ELmlldGYtb2F1dGgtdjJdPC9h PjwvdGQ+Cjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiPkhhbW1lci1MYWhhdiwgRS4sIFJlY29yZG9u LCBELiwgYW5kIEQuIEhhcmR0LCAmbGRxdW87PGEgaHJlZj0iaHR0cDovL3Rvb2xzLmlldGYub3Jn L2h0bWwvZHJhZnQtaWV0Zi1vYXV0aC12Mi0yMiI+VGhlIE9BdXRoIDIuMCBBdXRob3JpemF0aW9u IFByb3RvY29sPC9hPiwmcmRxdW87IGRyYWZ0LWlldGYtb2F1dGgtdjItMjIgKHdvcmsgaW4gcHJv Z3Jlc3MpLCBTZXB0ZW1iZXImbmJzcDsyMDExICg8YSBocmVmPSJodHRwOi8vd3d3LmlldGYub3Jn L2ludGVybmV0LWRyYWZ0cy9kcmFmdC1pZXRmLW9hdXRoLXYyLTIyLnR4dCI+VFhUPC9hPiwgPGEg aHJlZj0iaHR0cDovL3d3dy5pZXRmLm9yZy9pbnRlcm5ldC1kcmFmdHMvZHJhZnQtaWV0Zi1vYXV0 aC12Mi0yMi5wZGYiPlBERjwvYT4pLjwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yLXRl eHQiIHZhbGlnbj0idG9wIj48YSBuYW1lPSJSRkMyMTE5Ij5bUkZDMjExOV08L2E+PC90ZD4KPHRk IGNsYXNzPSJhdXRob3ItdGV4dCI+PGEgaHJlZj0ibWFpbHRvOnNvYkBoYXJ2YXJkLmVkdSI+QnJh ZG5lciwgUy48L2E+LCAmbGRxdW87PGEgaHJlZj0iaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwv cmZjMjExOSI+S2V5IHdvcmRzIGZvciB1c2UgaW4gUkZDcyB0byBJbmRpY2F0ZSBSZXF1aXJlbWVu dCBMZXZlbHM8L2E+LCZyZHF1bzsgQkNQJm5ic3A7MTQsIFJGQyZuYnNwOzIxMTksIE1hcmNoJm5i c3A7MTk5NyAoPGEgaHJlZj0iaHR0cDovL3d3dy5yZmMtZWRpdG9yLm9yZy9yZmMvcmZjMjExOS50 eHQiPlRYVDwvYT4sIDxhIGhyZWY9Imh0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMv aHRtbC9yZmMyMTE5Lmh0bWwiPkhUTUw8L2E+LCA8YSBocmVmPSJodHRwOi8veG1sLnJlc291cmNl Lm9yZy9wdWJsaWMvcmZjL3htbC9yZmMyMTE5LnhtbCI+WE1MPC9hPikuPC90ZD48L3RyPgo8dHI+ PHRkIGNsYXNzPSJhdXRob3ItdGV4dCIgdmFsaWduPSJ0b3AiPjxhIG5hbWU9IlJGQzIyNDYiPltS RkMyMjQ2XTwvYT48L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij48YSBocmVmPSJtYWlsdG86 dGRpZXJrc0BjZXJ0aWNvbS5jb20iPkRpZXJrcywgVC48L2E+IGFuZCA8YSBocmVmPSJtYWlsdG86 Y2FsbGVuQGNlcnRpY29tLmNvbSI+Qy4gQWxsZW48L2E+LCAmbGRxdW87PGEgaHJlZj0iaHR0cDov L3Rvb2xzLmlldGYub3JnL2h0bWwvcmZjMjI0NiI+VGhlIFRMUyBQcm90b2NvbCBWZXJzaW9uIDEu MDwvYT4sJnJkcXVvOyBSRkMmbmJzcDsyMjQ2LCBKYW51YXJ5Jm5ic3A7MTk5OSAoPGEgaHJlZj0i aHR0cDovL3d3dy5yZmMtZWRpdG9yLm9yZy9yZmMvcmZjMjI0Ni50eHQiPlRYVDwvYT4pLjwvdGQ+ PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiIHZhbGlnbj0idG9wIj48YSBuYW1lPSJS RkMzOTg2Ij5bUkZDMzk4Nl08L2E+PC90ZD4KPHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+PGEgaHJl Zj0ibWFpbHRvOnRpbWJsQHczLm9yZyI+QmVybmVycy1MZWUsIFQuPC9hPiwgPGEgaHJlZj0ibWFp bHRvOmZpZWxkaW5nQGdiaXYuY29tIj5GaWVsZGluZywgUi48L2E+LCBhbmQgPGEgaHJlZj0ibWFp bHRvOkxNTUBhY20ub3JnIj5MLiBNYXNpbnRlcjwvYT4sICZsZHF1bzs8YSBocmVmPSJodHRwOi8v dG9vbHMuaWV0Zi5vcmcvaHRtbC9yZmMzOTg2Ij5Vbmlmb3JtIFJlc291cmNlIElkZW50aWZpZXIg KFVSSSk6IEdlbmVyaWMgU3ludGF4PC9hPiwmcmRxdW87IFNURCZuYnNwOzY2LCBSRkMmbmJzcDsz OTg2LCBKYW51YXJ5Jm5ic3A7MjAwNSAoPGEgaHJlZj0iaHR0cDovL3d3dy5yZmMtZWRpdG9yLm9y Zy9yZmMvcmZjMzk4Ni50eHQiPlRYVDwvYT4sIDxhIGhyZWY9Imh0dHA6Ly94bWwucmVzb3VyY2Uu b3JnL3B1YmxpYy9yZmMvaHRtbC9yZmMzOTg2Lmh0bWwiPkhUTUw8L2E+LCA8YSBocmVmPSJodHRw Oi8veG1sLnJlc291cmNlLm9yZy9wdWJsaWMvcmZjL3htbC9yZmMzOTg2LnhtbCI+WE1MPC9hPiku PC90ZD48L3RyPgo8dHI+PHRkIGNsYXNzPSJhdXRob3ItdGV4dCIgdmFsaWduPSJ0b3AiPjxhIG5h bWU9IlJGQzUyMzQiPltSRkM1MjM0XTwvYT48L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij5D cm9ja2VyLCBELiBhbmQgUC4gT3ZlcmVsbCwgJmxkcXVvOzxhIGhyZWY9Imh0dHA6Ly90b29scy5p ZXRmLm9yZy9odG1sL3JmYzUyMzQiPkF1Z21lbnRlZCBCTkYgZm9yIFN5bnRheCBTcGVjaWZpY2F0 aW9uczogQUJORjwvYT4sJnJkcXVvOyBTVEQmbmJzcDs2OCwgUkZDJm5ic3A7NTIzNCwgSmFudWFy eSZuYnNwOzIwMDggKDxhIGhyZWY9Imh0dHA6Ly93d3cucmZjLWVkaXRvci5vcmcvcmZjL3JmYzUy MzQudHh0Ij5UWFQ8L2E+KS48L3RkPjwvdHI+Cjx0cj48dGQgY2xhc3M9ImF1dGhvci10ZXh0IiB2 YWxpZ249InRvcCI+PGEgbmFtZT0iUkZDNTI0NiI+W1JGQzUyNDZdPC9hPjwvdGQ+Cjx0ZCBjbGFz cz0iYXV0aG9yLXRleHQiPkRpZXJrcywgVC4gYW5kIEUuIFJlc2NvcmxhLCAmbGRxdW87PGEgaHJl Zj0iaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvcmZjNTI0NiI+VGhlIFRyYW5zcG9ydCBMYXll ciBTZWN1cml0eSAoVExTKSBQcm90b2NvbCBWZXJzaW9uIDEuMjwvYT4sJnJkcXVvOyBSRkMmbmJz cDs1MjQ2LCBBdWd1c3QmbmJzcDsyMDA4ICg8YSBocmVmPSJodHRwOi8vd3d3LnJmYy1lZGl0b3Iu b3JnL3JmYy9yZmM1MjQ2LnR4dCI+VFhUPC9hPikuPC90ZD48L3RyPgo8dHI+PHRkIGNsYXNzPSJh dXRob3ItdGV4dCIgdmFsaWduPSJ0b3AiPjxhIG5hbWU9IlJGQzYxMjUiPltSRkM2MTI1XTwvYT48 L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij5TYWludC1BbmRyZSwgUC4gYW5kIEouIEhvZGdl cywgJmxkcXVvOzxhIGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzYxMjUiPlJl cHJlc2VudGF0aW9uIGFuZCBWZXJpZmljYXRpb24gb2YgRG9tYWluLUJhc2VkIEFwcGxpY2F0aW9u IFNlcnZpY2UgSWRlbnRpdHkgd2l0aGluIEludGVybmV0IFB1YmxpYyBLZXkgSW5mcmFzdHJ1Y3R1 cmUgVXNpbmcgWC41MDkgKFBLSVgpIENlcnRpZmljYXRlcyBpbiB0aGUgQ29udGV4dCBvZiBUcmFu c3BvcnQgTGF5ZXIgU2VjdXJpdHkgKFRMUyk8L2E+LCZyZHF1bzsgUkZDJm5ic3A7NjEyNSwgTWFy Y2gmbmJzcDsyMDExICg8YSBocmVmPSJodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmM2 MTI1LnR4dCI+VFhUPC9hPikuPC90ZD48L3RyPgo8dHI+PHRkIGNsYXNzPSJhdXRob3ItdGV4dCIg dmFsaWduPSJ0b3AiPjxhIG5hbWU9IlczQy5SRUMtaHRtbDQwMS0xOTk5MTIyNCI+W1czQy5SRUMt aHRtbDQwMS0xOTk5MTIyNF08L2E+PC90ZD4KPHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+SmFjb2Jz LCBJLiwgUmFnZ2V0dCwgRC4sIGFuZCBBLiBIb3JzLCAmbGRxdW87PGEgaHJlZj0iaHR0cDovL3d3 dy53My5vcmcvVFIvMTk5OS9SRUMtaHRtbDQwMS0xOTk5MTIyNCI+SFRNTCA0LjAxIFNwZWNpZmlj YXRpb248L2E+LCZyZHF1bzsgV29ybGQgV2lkZSBXZWIgQ29uc29ydGl1bSBSZWNvbW1lbmRhdGlv biZuYnNwO1JFQy1odG1sNDAxLTE5OTkxMjI0LCBEZWNlbWJlciZuYnNwOzE5OTkgKDxhIGhyZWY9 Imh0dHA6Ly93d3cudzMub3JnL1RSLzE5OTkvUkVDLWh0bWw0MDEtMTk5OTEyMjQiPkhUTUw8L2E+ KS48L3RkPjwvdHI+CjwvdGFibGU+Cgo8YSBuYW1lPSJyZmMucmVmZXJlbmNlczIiPjwvYT48YnIg Lz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRpbmc9IjAiIGNlbGxzcGFj aW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48dGQgY2xhc3M9IlRPQ2J1 ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+PC90cj48L3RhYmxlPgo8 aDM+Ni4yLiZuYnNwO0luZm9ybWF0aXZlIFJlZmVyZW5jZXM8L2gzPgo8dGFibGUgd2lkdGg9Ijk5 JSIgYm9yZGVyPSIwIj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiIHZhbGlnbj0idG9wIj48 YSBuYW1lPSJOSVNUODAwLTYzIj5bTklTVDgwMC02M108L2E+PC90ZD4KPHRkIGNsYXNzPSJhdXRo b3ItdGV4dCI+QnVyciwgVy4sIERvZHNvbiwgRC4sIFBlcmxuZXIsIFIuLCBQb2xrLCBULiwgR3Vw dGEsIFMuLCBhbmQgRS4gTmFiYnVzLCAmbGRxdW87PGEgaHJlZj0iaHR0cDovL2NzcmMubmlzdC5n b3YvcHVibGljYXRpb25zL1B1YnNEcmFmdHMuaHRtbCNTUC04MDAtNjMtUmV2LiUyMDEiPk5JU1Qg U3BlY2lhbCBQdWJsaWNhdGlvbiA4MDAtNjMtMSwgSU5GT1JNQVRJT04gU0VDVVJJVFk8L2E+LCZy ZHF1bzsgRGVjZW1iZXImbmJzcDsyMDA4LjwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9y LXRleHQiIHZhbGlnbj0idG9wIj48YSBuYW1lPSJSRkMyNjE2Ij5bUkZDMjYxNl08L2E+PC90ZD4K PHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+PGEgaHJlZj0ibWFpbHRvOmZpZWxkaW5nQGljcy51Y2ku ZWR1Ij5GaWVsZGluZywgUi48L2E+LCA8YSBocmVmPSJtYWlsdG86amdAdzMub3JnIj5HZXR0eXMs IEouPC9hPiwgPGEgaHJlZj0ibWFpbHRvOm1vZ3VsQHdybC5kZWMuY29tIj5Nb2d1bCwgSi48L2E+ LCA8YSBocmVmPSJtYWlsdG86ZnJ5c3R5a0B3My5vcmciPkZyeXN0eWssIEguPC9hPiwgPGEgaHJl Zj0ibWFpbHRvOm1hc2ludGVyQHBhcmMueGVyb3guY29tIj5NYXNpbnRlciwgTC48L2E+LCA8YSBo cmVmPSJtYWlsdG86cGF1bGxlQG1pY3Jvc29mdC5jb20iPkxlYWNoLCBQLjwvYT4sIGFuZCA8YSBo cmVmPSJtYWlsdG86dGltYmxAdzMub3JnIj5ULiBCZXJuZXJzLUxlZTwvYT4sICZsZHF1bzs8YSBo cmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9yZmMyNjE2Ij5IeXBlcnRleHQgVHJhbnNm ZXIgUHJvdG9jb2wgLS0gSFRUUC8xLjE8L2E+LCZyZHF1bzsgUkZDJm5ic3A7MjYxNiwgSnVuZSZu YnNwOzE5OTkgKDxhIGhyZWY9Imh0dHA6Ly93d3cucmZjLWVkaXRvci5vcmcvcmZjL3JmYzI2MTYu dHh0Ij5UWFQ8L2E+LCA8YSBocmVmPSJodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmMy NjE2LnBzIj5QUzwvYT4sIDxhIGhyZWY9Imh0dHA6Ly93d3cucmZjLWVkaXRvci5vcmcvcmZjL3Jm YzI2MTYucGRmIj5QREY8L2E+LCA8YSBocmVmPSJodHRwOi8veG1sLnJlc291cmNlLm9yZy9wdWJs aWMvcmZjL2h0bWwvcmZjMjYxNi5odG1sIj5IVE1MPC9hPiwgPGEgaHJlZj0iaHR0cDovL3htbC5y ZXNvdXJjZS5vcmcvcHVibGljL3JmYy94bWwvcmZjMjYxNi54bWwiPlhNTDwvYT4pLjwvdGQ+PC90 cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiIHZhbGlnbj0idG9wIj48YSBuYW1lPSJSRkMy NjE3Ij5bUkZDMjYxN108L2E+PC90ZD4KPHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+PGEgaHJlZj0i bWFpbHRvOmpvaG5AbWF0aC5ud3UuZWR1Ij5GcmFua3MsIEouPC9hPiwgPGEgaHJlZj0ibWFpbHRv OnBiYWtlckB2ZXJpc2lnbi5jb20iPkhhbGxhbS1CYWtlciwgUC48L2E+LCA8YSBocmVmPSJtYWls dG86amVmZkBBYmlTb3VyY2UuY29tIj5Ib3N0ZXRsZXIsIEouPC9hPiwgPGEgaHJlZj0ibWFpbHRv Omxhd3JlbmNlQGFncmFuYXQuY29tIj5MYXdyZW5jZSwgUy48L2E+LCA8YSBocmVmPSJtYWlsdG86 cGF1bGxlQG1pY3Jvc29mdC5jb20iPkxlYWNoLCBQLjwvYT4sIEx1b3RvbmVuLCBBLiwgYW5kIDxh IGhyZWY9Im1haWx0bzpzdGV3YXJ0QE9wZW5NYXJrZXQuY29tIj5MLiBTdGV3YXJ0PC9hPiwgJmxk cXVvOzxhIGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzI2MTciPkhUVFAgQXV0 aGVudGljYXRpb246IEJhc2ljIGFuZCBEaWdlc3QgQWNjZXNzIEF1dGhlbnRpY2F0aW9uPC9hPiwm cmRxdW87IFJGQyZuYnNwOzI2MTcsIEp1bmUmbmJzcDsxOTk5ICg8YSBocmVmPSJodHRwOi8vd3d3 LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmMyNjE3LnR4dCI+VFhUPC9hPiwgPGEgaHJlZj0iaHR0cDov L3htbC5yZXNvdXJjZS5vcmcvcHVibGljL3JmYy9odG1sL3JmYzI2MTcuaHRtbCI+SFRNTDwvYT4s IDxhIGhyZWY9Imh0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMveG1sL3JmYzI2MTcu eG1sIj5YTUw8L2E+KS48L3RkPjwvdHI+CjwvdGFibGU+Cgo8YSBuYW1lPSJhbmNob3IxNCI+PC9h PjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5b3V0IiBjZWxscGFkZGluZz0iMCIgY2Vs bHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWduPSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0i VE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0MmbmJzcDs8L2E+PC90ZD48L3RyPjwvdGFi bGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLkEiPjwvYT48aDM+QXBwZW5kaXggQS4mbmJzcDsKQWNr bm93bGVkZ2VtZW50czwvaDM+Cgo8cD4KICAgICAgICBUaGUgZm9sbG93aW5nIHBlb3BsZSBjb250 cmlidXRlZCB0byBwcmVsaW1pbmFyeSB2ZXJzaW9ucyBvZiB0aGlzIGRvY3VtZW50OgogICAgICAg IEJsYWluZSBDb29rIChCVCksIEJyaWFuIEVhdG9uIChHb29nbGUpLCBZYXJvbiBZLiBHb2xhbmQg KE1pY3Jvc29mdCksIEJyZW50IEdvbGRtYW4gKEZhY2Vib29rKSwKICAgICAgICBSYWZmaSBLcmlr b3JpYW4gKFR3aXR0ZXIpLCBMdWtlIFNoZXBhcmQgKEZhY2Vib29rKSwgYW5kIEFsbGVuIFRvbSAo WWFob28hKS4gVGhlIGNvbnRlbnQgYW5kCiAgICAgICAgY29uY2VwdHMgd2l0aGluIGFyZSBhIHBy b2R1Y3Qgb2YgdGhlIE9BdXRoIGNvbW11bml0eSwgdGhlIFdSQVAgY29tbXVuaXR5LCBhbmQgdGhl IE9BdXRoIFdvcmtpbmcKICAgICAgICBHcm91cC4KICAgICAgCjwvcD4KPHA+CiAgICAgICAgVGhl IE9BdXRoIFdvcmtpbmcgR3JvdXAgaGFzIGRvemVucyBvZiB2ZXJ5IGFjdGl2ZSBjb250cmlidXRv cnMgd2hvIHByb3Bvc2VkIGlkZWFzIGFuZAogICAgICAgIHdvcmRpbmcgZm9yIHRoaXMgZG9jdW1l bnQsIGluY2x1ZGluZzoKCU1pY2hhZWwgQWRhbXMsIEFtYW5kYSBBbmdhbmVzLCBBbmRyZXcgQXJu b3R0LCBEaXJrIEJhbGZhbnosCglKb2huIEJyYWRsZXksIEJyaWFuIENhbXBiZWxsLCBMZWFoIEN1 bHZlciwgQmlsbCBkZSBow5NyYSwKCUJyaWFuIEVsbGluLCBJZ29yIEZheW5iZXJnLCBTdGVwaGVu IEZhcnJlbGwsIEdlb3JnZSBGbGV0Y2hlciwKCVRpbSBGcmVlbWFuLCBFdmFuIEdpbGJlcnQsIFlh cm9uIFkuIEdvbGFuZCwgVGhvbWFzIEhhcmRqb25vLAoJSnVzdGluIEhhcnQsIFBoaWwgSHVudCwg Sm9obiBLZW1wLCBFcmFuIEhhbW1lci1MYWhhdiwKCUNoYXNlbiBMZSBIYXJhLCBCYXJyeSBMZWli YSwgTWljaGFlbCBCLiBKb25lcywKCVRvcnN0ZW4gTG9kZGVyc3RlZHQsIEV2ZSBNYWxlciwgSmFt ZXMgTWFuZ2VyLCBMYXVyZW5jZSBNaWFvLAoJV2lsbGlhbSBKLiBNaWxscywgQ2h1Y2sgTW9ydGlt b3JlLCBBbnRob255IE5hZGFsaW4sCglKdWxpYW4gUmVzY2hrZSwgSnVzdGluIFJpY2hlciwgUGV0 ZXIgU2FpbnQtQW5kcmUsIE5hdCBTYWtpbXVyYSwKCVJvYiBTYXlyZSwgTWFyaXVzIFNjdXJ0ZXNj dSwgTmFpdGlrIFNoYWgsIEp1c3RpbiBTbWl0aCwKCUplcmVteSBTdXJpZWwsIENocmlzdGlhbiBT dMO8Ym5lciwgUGF1bCBUYXJqYW4sCglIYW5uZXMgVHNjaG9mZW5pZywgRnJhbmtsaW4gVHNlLCBh bmQgU2hhbmUgV2VlZGVuLgogICAgICAKPC9wPgo8YSBuYW1lPSJhbmNob3IxNSI+PC9hPjxiciAv PjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5b3V0IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNp bmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWduPSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVn Ij48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0MmbmJzcDs8L2E+PC90ZD48L3RyPjwvdGFibGU+Cjxh IG5hbWU9InJmYy5zZWN0aW9uLkIiPjwvYT48aDM+QXBwZW5kaXggQi4mbmJzcDsKRG9jdW1lbnQg SGlzdG9yeTwvaDM+Cgo8cD4KICAgICAgICBbWyB0byBiZSByZW1vdmVkIGJ5IHRoZSBSRkMgZWRp dG9yIGJlZm9yZSBwdWJsaWNhdGlvbiBhcyBhbiBSRkMgXV0KICAgICAgCjwvcD4KPHA+CiAgICAg ICAgLTE1CiAgICAgICAgPC9wPgo8dWwgY2xhc3M9InRleHQiPgo8bGk+CgkgICAgQ2xhcmlmaWVk IHRoYXQgZm9ybS1lbmNvZGVkIGNvbnRlbnQgbXVzdCBjb25zaXN0IGVudGlyZWx5CgkgICAgb2Yg QVNDSUkgY2hhcmFjdGVycy4KCSAgCjwvbGk+CjxsaT4KCSAgICBBZGRlZCBUTFMgdmVyc2lvbiBy ZXF1aXJlbWVudHMuCgkgIAo8L2xpPgo8bGk+CgkgICAgQXBwbGllZCBlZGl0b3JpYWwgaW1wcm92 ZW1lbnRzIHN1Z2dlc3RlZCBieSBNYXJrCgkgICAgTm90dGluZ2hhbSBkdXJpbmcgdGhlIEFQUFMg YXJlYSByZXZpZXcuCgkgIAo8L2xpPgo8L3VsPjxwPgogICAgICAKPC9wPgo8cD4KICAgICAgICAt MTQKICAgICAgICA8L3A+Cjx1bCBjbGFzcz0idGV4dCI+CjxsaT4KCSAgICBDaGFuZ2VzIG1hZGUg aW4gcmVzcG9uc2UgdG8gcmV2aWV3IGNvbW1lbnRzIGJ5IFNlY3VyaXR5CgkgICAgQXJlYSBEaXJl Y3RvciBTdGVwaGVuIEZhcnJlbGwuICBTcGVjaWZpY2FsbHk6CgkgIAo8L2xpPgo8bGk+CgkgICAg U3RyZW5ndGhlbmVkIHdhcm5pbmdzIGFib3V0IHBhc3NpbmcgYW4gYWNjZXNzIHRva2VuIGFzIGEK CSAgICBxdWVyeSBwYXJhbWV0ZXIgYW5kIG1vcmUgcHJlY2lzZWx5IGRlc2NyaWJlZCB0aGUKCSAg ICBsaW1pdGF0aW9ucyBwbGFjZWQgdXBvbiB0aGUgdXNlIG9mIHRoaXMgbWV0aG9kLgoJICAKPC9s aT4KPGxpPgoJICAgIENsYXJpZmllZCB0aGF0IHRoZSA8dHQ+cmVhbG08L3R0PgoJICAgIGF0dHJp YnV0ZSBNQVkgaW5jbHVkZWQgdG8gaW5kaWNhdGUgdGhlIHNjb3BlIG9mIHByb3RlY3Rpb24KCSAg ICBpbiB0aGUgbWFubmVyIGRlc2NyaWJlZCBpbgoJICAgIEhUVFAvMS4xLCBQYXJ0IDcgPGEgY2xh c3M9J2luZm8nIGhyZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgnPltJJiM4MjA5O0QuaWV0 ZiYjODIwOTtodHRwYmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNwYW4+ICg8L3NwYW4+PHNwYW4g Y2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwgTW9ndWwsIEouLCBOaWVsc2Vu LCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMtTGVlLCBULiwgTGFmb24sIFku LCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0IDc6IEF1dGhlbnRpY2F0aW9u LCZyZHF1bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCSAg CjwvbGk+CjxsaT4KCSAgICBOb3JtYXRpdmVseSBzdGF0ZWQgdGhhdCAidGhlIHRva2VuIGludGVn cml0eSBwcm90ZWN0aW9uCgkgICAgTVVTVCBiZSBzdWZmaWNpZW50IHRvIHByZXZlbnQgdGhlIHRv a2VuIGZyb20gYmVpbmcKCSAgICBtb2RpZmllZCIuCgkgIAo8L2xpPgo8bGk+CgkgICAgQWRkZWQg c3RhdGVtZW50IHRoYXQgIlRMUyBpcyBtYW5kYXRvcnkgdG8gaW1wbGVtZW50IGFuZAoJICAgIHVz ZSB3aXRoIHRoaXMgc3BlY2lmaWNhdGlvbiIgdG8gdGhlIGludHJvZHVjdGlvbi4KCSAgCjwvbGk+ CjxsaT4KCSAgICBTdGF0ZWQgdGhhdCBUTFMgTVVTVCBiZSB1c2VkIHdpdGggImEgY2lwaGVyc3Vp dGUgdGhhdAoJICAgIHByb3ZpZGVzIGNvbmZpZGVudGlhbGl0eSBhbmQgaW50ZWdyaXR5IHByb3Rl Y3Rpb24iLgoJICAKPC9saT4KPGxpPgoJICAgIEFkZGVkICJBcyBhIGZ1cnRoZXIgZGVmZW5zZSBh Z2FpbnN0IHRva2VuIGRpc2Nsb3N1cmUsIHRoZQoJICAgIGNsaWVudCBNVVNUIHZhbGlkYXRlIHRo ZSBUTFMgY2VydGlmaWNhdGUgY2hhaW4gd2hlbiBtYWtpbmcKCSAgICByZXF1ZXN0cyB0byBwcm90 ZWN0ZWQgcmVzb3VyY2VzIiB0byB0aGUgVGhyZWF0IE1pdGlnYXRpb24KCSAgICBzZWN0aW9uLgoJ ICAKPC9saT4KPGxpPgoJICAgIENsYXJpZmllZCB0aGF0IHB1dHRpbmcgYSB2YWxpZGl0eSB0aW1l IGZpZWxkIGluc2lkZSB0aGUKCSAgICBwcm90ZWN0ZWQgcGFydCBvZiB0aGUgdG9rZW4gaXMgb25l IG1lYW5zLCBidXQgbm90IHRoZSBvbmx5CgkgICAgbWVhbnMsIG9mIGxpbWl0aW5nIHRoZSBsaWZl dGltZSBvZiB0aGUgdG9rZW4uCgkgIAo8L2xpPgo8bGk+CgkgICAgRHJvcHBlZCB0aGUgY29uZnVz aW5nIHBocmFzZSAiZm9yIGluc3RhbmNlLCB0aHJvdWdoIHRoZQoJICAgIHVzZSBvZiBUTFMiIGZy b20gdGhlIHNlbnRlbmNlIGFib3V0IGNvbmZpZGVudGlhbGl0eQoJICAgIHByb3RlY3Rpb24gb2Yg dGhlIGV4Y2hhbmdlcy4KCSAgCjwvbGk+CjxsaT4KCSAgICBSZWZlcmVuY2UgUkZDIDYxMjUgZm9y IGlkZW50aXR5IHZlcmlmaWNhdGlvbiwgcmF0aGVyIHRoYW4KCSAgICBSRkMgMjgxOC4KCSAgCjwv bGk+CjxsaT4KCSAgICBTdGF0ZWQgdGhhdCB0aGUgdG9rZW4gTVVTVCBiZSBwcm90ZWN0ZWQgYmV0 d2VlbiBmcm9udCBlbmQKCSAgICBhbmQgYmFjayBlbmQgc2VydmVycyB3aGVuIHRoZSBUTFMgY29u bmVjdGlvbiB0ZXJtaW5hdGVzIGF0CgkgICAgYSBmcm9udCBlbmQgc2VydmVyIHRoYXQgaXMgZGlz dGluY3QgZnJvbSB0aGUgYWN0dWFsIHNlcnZlcgoJICAgIHRoYXQgcHJvdmlkZXMgdGhlIHJlc291 cmNlLgoJICAKPC9saT4KPGxpPgoJICAgIFN0YXRlZCB0aGF0IGJlYXJlciB0b2tlbnMgTVVTVCBu b3QgYmUgc3RvcmVkIGluIGNvb2tpZXMKCSAgICB0aGF0IGNhbiBiZSBzZW50IGluIHRoZSBjbGVh ciBpbiB0aGUgVGhyZWF0IE1pdGlnYXRpb24KCSAgICBzZWN0aW9uLgoJICAKPC9saT4KPGxpPgoJ ICAgIFJlcGxhY2VkIHNvbGUgcmVtYWluaW5nIHJlZmVyZW5jZSB0byA8YSBjbGFzcz0naW5mbycg aHJlZj0nI1JGQzI2MTYnPltSRkMyNjE2XTxzcGFuPiAoPC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZv Jz5GaWVsZGluZywgUi4sIEdldHR5cywgSi4sIE1vZ3VsLCBKLiwgRnJ5c3R5aywgSC4sIE1hc2lu dGVyLCBMLiwgTGVhY2gsIFAuLCBhbmQgVC4gQmVybmVycy1MZWUsICZsZHF1bztIeXBlcnRleHQg VHJhbnNmZXIgUHJvdG9jb2wgLS0gSFRUUC8xLjEsJnJkcXVvOyBKdW5lJm5ic3A7MTk5OS48L3Nw YW4+PHNwYW4+KTwvc3Bhbj48L2E+IHdpdGgKCSAgICBIVFRQYmlzIDxhIGNsYXNzPSdpbmZvJyBo cmVmPScjSS1ELmlldGYtaHR0cGJpcy1wMS1tZXNzYWdpbmcnPltJJiM4MjA5O0QuaWV0ZiYjODIw OTtodHRwYmlzJiM4MjA5O3AxJiM4MjA5O21lc3NhZ2luZ108c3Bhbj4gKDwvc3Bhbj48c3BhbiBj bGFzcz0naW5mbyc+RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIE5pZWxzZW4s IEguLCBNYXNpbnRlciwgTC4sIExlYWNoLCBQLiwgQmVybmVycy1MZWUsIFQuLCBMYWZvbiwgWS4s IGFuZCBKLiBSZXNjaGtlLCAmbGRxdW87SFRUUC8xLjEsIHBhcnQgMTogVVJJcywgQ29ubmVjdGlv bnMsIGFuZCBNZXNzYWdlIFBhcnNpbmcsJnJkcXVvOyBPY3RvYmVyJm5ic3A7MjAxMS48L3NwYW4+ PHNwYW4+KTwvc3Bhbj48L2E+CgkgICAgcmVmZXJlbmNlLgoJICAKPC9saT4KPGxpPgoJICAgIFJl cGxhY2VkIGFsbCByZWZlcmVuY2VzIHdoZXJlIHRoZSByZWZlcmVuY2UgaXMgdXNlZCBhcyBpZgoJ ICAgIGl0IHdlcmUgcGFydCBvZiB0aGUgc2VudGVuY2UgKHN1Y2ggYXMgImRlZmluZWQgYnkKCSAg ICBbSS1ELndoYXRldmVyXSIpIHdpdGggb25lcyB3aGVyZSB0aGUgc3BlY2lmaWNhdGlvbiBuYW1l IGlzCgkgICAgdXNlZCwgZm9sbG93ZWQgYnkgdGhlIHJlZmVyZW5jZSAoc3VjaCBhcyAiZGVmaW5l ZCBieQoJICAgIFdoYXRldmVyIFtJLUQud2hhdGV2ZXJdIikuCgkgIAo8L2xpPgo8bGk+CgkgICAg T3RoZXIgb24tbm9ybWF0aXZlIGVkaXRvcmlhbCBpbXByb3ZlbWVudHMuCgkgIAo8L2xpPgo8L3Vs PjxwPgogICAgICAKPC9wPgo8cD4KICAgICAgICAtMTMKICAgICAgICA8L3A+Cjx1bCBjbGFzcz0i dGV4dCI+CjxsaT4KCSAgICBBdCB0aGUgcmVxdWVzdCBvZiBIYW5uZXMgVHNjaG9mZW5pZywgbWFk ZSBBQk5GIGNoYW5nZXMgdG8KCSAgICBtYWtlIGl0IGNsZWFyIHRoYXQgbm8gc3BlY2lhbCBXV1ct QXV0aGVudGljYXRlIHJlc3BvbnNlCgkgICAgaGVhZGVyIGZpZWxkIHBhcnNlcnMgYXJlIG5lZWRl ZC4gIFRoZSA8dHQ+c2NvcGU8L3R0PiwgPHR0PmVycm9yLWRlc2NyaXB0aW9uPC90dD4sIGFuZCA8 dHQ+ZXJyb3ItdXJpPC90dD4gcGFyYW1ldGVycyBhcmUgYWxsIG5vdwoJICAgIGRlZmluZWQgYXMg cXVvdGVkLXN0cmluZyBpbiB0aGUgQUJORiAoYXMgPHR0PmVycm9yPC90dD4gYWxyZWFkeSB3YXMp LiAgUmVzdHJpY3Rpb25zIG9uCgkgICAgdGhlc2UgdmFsdWVzIHRoYXQgd2VyZSBmb3JtZXJseSBk ZXNjcmliZWQgaW4gdGhlIEFCTkZzIGFyZQoJICAgIG5vdyBkZXNjcmliZWQgaW4gbm9ybWF0aXZl IHRleHQgaW5zdGVhZC4KCSAgCjwvbGk+CjwvdWw+PHA+CiAgICAgIAo8L3A+CjxwPgogICAgICAg IC0xMgogICAgICAgIDwvcD4KPHVsIGNsYXNzPSJ0ZXh0Ij4KPGxpPgoJICAgIE1hZGUgbm9uLW5v cm1hdGl2ZSBlZGl0b3JpYWwgY2hhbmdlcyB0aGF0IEhhbm5lcwoJICAgIFRzY2hvZmVuaWcgcmVx dWVzdGVkIGJlIGFwcGxpZWQgcHJpb3IgdG8gZm9yd2FyZGluZyB0aGUKCSAgICBzcGVjaWZpY2F0 aW9uIHRvIHRoZSBJRVNHLgoJICAKPC9saT4KPGxpPgoJICAgIEFkZGVkIHJhdGlvbmFsZSBmb3Ig dGhlIGNob2ljZSBvZiB0aGUgYjY0dG9rZW4gc3ludGF4LgoJICAKPC9saT4KPGxpPgoJICAgIEFk ZGVkIHJhdGlvbmFsZSBzdGF0aW5nIHRoYXQgcmVjZWl2ZXJzIGFyZSBmcmVlIHRvIHBhcnNlCgkg ICAgdGhlIDx0dD5zY29wZTwvdHQ+IGF0dHJpYnV0ZSB1c2luZyBhCgkgICAgc3RhbmRhcmQgcXVv dGVkLXN0cmluZyBwYXJzZXIsIHNpbmNlIGl0IHdpbGwgY29ycmVjdGx5CgkgICAgcHJvY2VzcyBh bGwgbGVnYWwgPHR0PnNjb3BlPC90dD4KCSAgICB2YWx1ZXMuCgkgIAo8L2xpPgo8bGk+CgkgICAg QWRkZWQgYWRkaXRpb25hbCBhY3RpdmUgd29ya2luZyBncm91cCBjb250cmlidXRvcnMgdG8gdGhl CgkgICAgQWNrbm93bGVkZ2VtZW50cyBzZWN0aW9uLgoJICAKPC9saT4KPC91bD48cD4KICAgICAg CjwvcD4KPHA+CiAgICAgICAgLTExCiAgICAgICAgPC9wPgo8dWwgY2xhc3M9InRleHQiPgo8bGk+ CgkgICAgUmVwbGFjZWQgdXNlcyBvZiAmbHQ7IiZndDsgd2l0aCBEUVVPVEUgdG8gcGFzcyBBQk5G IHN5bnRheCBjaGVjay4KCSAgCjwvbGk+CjwvdWw+PHA+CiAgICAgIAo8L3A+CjxwPgogICAgICAg IC0xMAogICAgICAgIDwvcD4KPHVsIGNsYXNzPSJ0ZXh0Ij4KPGxpPgoJICAgIFJlbW92ZWQgdGhl ICNhdXRoLXBhcmFtIG9wdGlvbiBmcm9tIEF1dGhvcml6YXRpb24gaGVhZGVyCgkgICAgc3ludGF4 IChsZWF2aW5nIG9ubHkgdGhlIGI2NHRva2VuIHN5bnRheCkuCgkgIAo8L2xpPgo8bGk+CgkgICAg UmVzdHJpY3RlZCB0aGUgPHR0PnNjb3BlPC90dD4gdmFsdWUKCSAgICBjaGFyYWN0ZXIgc2V0IHRv ICV4MjEgLyAleDIzLTVCIC8gJXg1RC03RSAocHJpbnRhYmxlIEFTQ0lJCgkgICAgY2hhcmFjdGVy cyBleGNsdWRpbmcgZG91YmxlLXF1b3RlIGFuZCBiYWNrc2xhc2gpLgoJICAgIEluZGljYXRlZCB0 aGF0IHNjb3BlIGlzIGludGVuZGVkIGZvciBwcm9ncmFtbWF0aWMgdXNlIGFuZAoJICAgIGlzIG5v dCBtZWFudCB0byBiZSBkaXNwbGF5ZWQgdG8gZW5kIHVzZXJzLgoJICAKPC9saT4KPGxpPgoJICAg IFJlc3RyaWN0ZWQgdGhlIGNoYXJhY3RlciBzZXQgZm9yIDx0dD5lcnJvcl9kZXNjcmlwdGlvbjwv dHQ+IHN0cmluZ3MgdG8gU1AgLwoJICAgIFZDSEFSIGFuZCBpbmRpY2F0ZWQgdGhhdCB0aGV5IGFy ZSBub3QgbWVhbnQgdG8gYmUKCSAgICBkaXNwbGF5ZWQgdG8gZW5kIHVzZXJzLgoJICAKPC9saT4K PGxpPgoJICAgIEluY2x1ZGVkIG1vcmUgZGVzY3JpcHRpb24gaW4gdGhlIEFic3RyYWN0LCBzaW5j ZSBIYW5uZXMKCSAgICBUc2Nob2ZlbmlnIGluZGljYXRlZCB0aGF0IHRoZSBSRkMgZWRpdG9yIHdv dWxkIHJlcXVpcmUKCSAgICB0aGlzLgoJICAKPC9saT4KPGxpPgogICAgICAgICAgICBDaGFuZ2Vk ICJBY2Nlc3MgR3JhbnQiIHRvICJBdXRob3JpemF0aW9uIEdyYW50IiwgYXMgd2FzCiAgICAgICAg ICAgIGRvbmUgaW4gdGhlIGNvcmUgc3BlYy4KCSAgCjwvbGk+CjxsaT4KCSAgICBTaW1wbGlmaWVk IHRoZSBpbnRyb2R1Y3Rpb24gdG8gdGhlIEF1dGhlbnRpY2F0ZWQgUmVxdWVzdHMKCSAgICBzZWN0 aW9uLgoJICAKPC9saT4KPC91bD48cD4KICAgICAgCjwvcD4KPHA+CiAgICAgICAgLTA5CiAgICAg ICAgPC9wPgo8dWwgY2xhc3M9InRleHQiPgo8bGk+CiAgICAgICAgICAgIEluY29ycG9yYXRlZCB3 b3JraW5nIGdyb3VwIGxhc3QgY2FsbCBjb21tZW50cy4gIFNwZWNpZmljIGNoYW5nZXMgd2VyZToK CSAgCjwvbGk+CjxsaT4KCSAgICBVc2UgZGVmaW5pdGlvbnMgZnJvbSA8YSBjbGFzcz0naW5mbycg aHJlZj0nI0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aCc+W0kmIzgyMDk7RC5pZXRmJiM4MjA5O2h0 dHBiaXMmIzgyMDk7cDcmIzgyMDk7YXV0aF08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5m byc+RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIE5pZWxzZW4sIEguLCBNYXNp bnRlciwgTC4sIExlYWNoLCBQLiwgQmVybmVycy1MZWUsIFQuLCBMYWZvbiwgWS4sIGFuZCBKLiBS ZXNjaGtlLCAmbGRxdW87SFRUUC8xLjEsIHBhcnQgNzogQXV0aGVudGljYXRpb24sJnJkcXVvOyBP Y3RvYmVyJm5ic3A7MjAxMS48L3NwYW4+PHNwYW4+KTwvc3Bhbj48L2E+IHJhdGhlciB0aGFuIDxh IGNsYXNzPSdpbmZvJyBocmVmPScjUkZDMjYxNyc+W1JGQzI2MTddPHNwYW4+ICg8L3NwYW4+PHNw YW4gY2xhc3M9J2luZm8nPkZyYW5rcywgSi4sIEhhbGxhbS1CYWtlciwgUC4sIEhvc3RldGxlciwg Si4sIExhd3JlbmNlLCBTLiwgTGVhY2gsIFAuLCBMdW90b25lbiwgQS4sIGFuZCBMLiBTdGV3YXJ0 LCAmbGRxdW87SFRUUCBBdXRoZW50aWNhdGlvbjogQmFzaWMgYW5kIERpZ2VzdCBBY2Nlc3MgQXV0 aGVudGljYXRpb24sJnJkcXVvOyBKdW5lJm5ic3A7MTk5OS48L3NwYW4+PHNwYW4+KTwvc3Bhbj48 L2E+LgoJICAKPC9saT4KPGxpPgoJICAgIFVwZGF0ZSBjcmVkZW50aWFscyBkZWZpbml0aW9uIHRv IGNvbmZvcm0gdG8gPGEgY2xhc3M9J2luZm8nIGhyZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1 dGgnPltJJiM4MjA5O0QuaWV0ZiYjODIwOTtodHRwYmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNw YW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwg TW9ndWwsIEouLCBOaWVsc2VuLCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMt TGVlLCBULiwgTGFmb24sIFkuLCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0 IDc6IEF1dGhlbnRpY2F0aW9uLCZyZHF1bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFu Pik8L3NwYW4+PC9hPi4KCSAgCjwvbGk+CjxsaT4KCSAgICBGdXJ0aGVyIGNsYXJpZmllZCB0aGF0 IHF1ZXJ5IHBhcmFtZXRlcnMgbWF5IG9jY3VyIGluIGFueSBvcmRlci4KCSAgCjwvbGk+CjxsaT4K CSAgICBTcGVjaWZ5IHRoYXQgZXJyb3JfZGVzY3JpcHRpb24gaXMgVVRGLTggZW5jb2RlZAoJICAg IChtYXRjaGluZyB0aGUgY29yZSBzcGVjaWZpY2F0aW9uKS4KCSAgCjwvbGk+CjxsaT4KCSAgICBS ZWdpc3RlcmVkICJCZWFyZXIiIEF1dGhlbnRpY2F0aW9uIFNjaGVtZSBpbgoJICAgIEF1dGhlbnRp Y2F0aW9uIFNjaGVtZSBSZWdpc3RyeSBkZWZpbmVkIGJ5CgkgICAgPGEgY2xhc3M9J2luZm8nIGhy ZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgnPltJJiM4MjA5O0QuaWV0ZiYjODIwOTtodHRw YmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNwYW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8n PkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwgTW9ndWwsIEouLCBOaWVsc2VuLCBILiwgTWFzaW50 ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMtTGVlLCBULiwgTGFmb24sIFkuLCBhbmQgSi4gUmVz Y2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0IDc6IEF1dGhlbnRpY2F0aW9uLCZyZHF1bzsgT2N0 b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCSAgCjwvbGk+CjxsaT4K ICAgICAgICAgICAgVXBkYXRlZCByZWZlcmVuY2VzIHRvIG9hdXRoLXYyLCBodHRwYmlzLXAxLW1l c3NhZ2luZywgYW5kCiAgICAgICAgICAgIGh0dHBiaXMtcDctYXV0aCBkcmFmdHMuCgkgIAo8L2xp Pgo8bGk+CgkgICAgT3RoZXIgd29yZGluZyBpbXByb3ZlbWVudHMgbm90IGludHJvZHVjaW5nIG5v cm1hdGl2ZSBjaGFuZ2VzLgoJICAKPC9saT4KPC91bD48cD4KICAgICAgCjwvcD4KPHA+CiAgICAg ICAgLTA4CiAgICAgICAgPC9wPgo8dWwgY2xhc3M9InRleHQiPgo8bGk+CiAgICAgICAgICAgIFVw ZGF0ZWQgcmVmZXJlbmNlcyB0byBvYXV0aC12MiBhbmQgSFRUUGJpcyBkcmFmdHMuCgkgIAo8L2xp Pgo8L3VsPjxwPgogICAgICAKPC9wPgo8cD4KICAgICAgICAtMDcKICAgICAgICA8L3A+Cjx1bCBj bGFzcz0idGV4dCI+CjxsaT4KICAgICAgICAgICAgQWRkZWQgbWlzc2luZyBjb21tYSBpbiBlcnJv ciByZXNwb25zZSBleGFtcGxlLgoJICAKPC9saT4KPC91bD48cD4KICAgICAgCjwvcD4KPHA+CiAg ICAgICAgLTA2CiAgICAgICAgPC9wPgo8dWwgY2xhc3M9InRleHQiPgo8bGk+CiAgICAgICAgICAg IENoYW5nZWQgcGFyYW1ldGVyIG5hbWUgPHR0PmJlYXJlcl90b2tlbjwvdHQ+IHRvIDx0dD5hY2Nl c3NfdG9rZW48L3R0PiwgcGVyIHdvcmtpbmcgZ3JvdXAKICAgICAgICAgICAgY29uc2Vuc3VzLgoJ ICAKPC9saT4KPGxpPgoJICAgIENoYW5nZWQgSFRUUCBzdGF0dXMgY29kZSBmb3IgPHR0PmludmFs aWRfcmVxdWVzdDwvdHQ+IGVycm9yIGNvZGUgZnJvbSBIVFRQCgkgICAgNDAxIChVbmF1dGhvcml6 ZWQpIGJhY2sgdG8gSFRUUCA0MDAgKEJhZCBSZXF1ZXN0KSwgcGVyCgkgICAgaW5wdXQgZnJvbSBI VFRQIHdvcmtpbmcgZ3JvdXAgZXhwZXJ0cy4KCSAgCjwvbGk+CjwvdWw+PHA+CiAgICAgIAo8L3A+ CjxwPgogICAgICAgIC0wNQogICAgICAgIDwvcD4KPHVsIGNsYXNzPSJ0ZXh0Ij4KPGxpPgoJICAg IFJlbW92ZWQgT0F1dGggRXJyb3JzIFJlZ2lzdHJ5LCBwZXIgZGVzaWduIHRlYW0gaW5wdXQuCgkg IAo8L2xpPgo8bGk+CgkgICAgQ2hhbmdlZCBIVFRQIHN0YXR1cyBjb2RlIGZvciA8dHQ+aW52YWxp ZF9yZXF1ZXN0PC90dD4gZXJyb3IgY29kZSBmcm9tIEhUVFAKCSAgICA0MDAgKEJhZCBSZXF1ZXN0 KSB0byBIVFRQIDQwMSAoVW5hdXRob3JpemVkKSB0byBtYXRjaCBIVFRQCgkgICAgdXNhZ2UgW1sg Y2hhbmdlIHBlbmRpbmcgd29ya2luZyBncm91cCBjb25zZW5zdXMgXV0uCgkgIAo8L2xpPgo8bGk+ CgkgICAgQWRkZWQgbWlzc2luZyBxdW90YXRpb24gbWFya3MgaW4gZXJyb3ItdXJpIGRlZmluaXRp b24uCgkgIAo8L2xpPgo8bGk+CgkgICAgQWRkZWQgbm90ZSB0byBhZGQgbGFuZ3VhZ2UgYW5kIGVu Y29kaW5nIGluZm9ybWF0aW9uIHRvCgkgICAgZXJyb3JfZGVzY3JpcHRpb24gaWYgdGhlIGNvcmUg c3BlY2lmaWNhdGlvbiBkb2VzLgoJICAKPC9saT4KPGxpPgoJICAgIEV4cGxpY2l0bHkgcmVmZXJl bmNlIHRoZSBBdWdtZW50ZWQgQmFja3VzLU5hdXIgRm9ybSAoQUJORikKCSAgICBkZWZpbmVkIGlu IDxhIGNsYXNzPSdpbmZvJyBocmVmPScjUkZDNTIzNCc+W1JGQzUyMzRdPHNwYW4+ICg8L3NwYW4+ PHNwYW4gY2xhc3M9J2luZm8nPkNyb2NrZXIsIEQuIGFuZCBQLiBPdmVyZWxsLCAmbGRxdW87QXVn bWVudGVkIEJORiBmb3IgU3ludGF4IFNwZWNpZmljYXRpb25zOiBBQk5GLCZyZHF1bzsgSmFudWFy eSZuYnNwOzIwMDguPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCSAgCjwvbGk+CjxsaT4KCSAg ICBVc2UgYXV0aC1wYXJhbSBpbnN0ZWFkIG9mIHJlcGVhdGluZyBpdHMgZGVmaW5pdGlvbiwgd2hp Y2gKCSAgICBpcyAoIHRva2VuICI9IiAoIHRva2VuIC8gcXVvdGVkLXN0cmluZyApICkuCgkgIAo8 L2xpPgo8bGk+CgkgICAgQ2xhcmlmeSBzZWN1cml0eSBjb25zaWRlcmF0aW9ucyBhYm91dCBpbmNs dWRpbmcgYW4KCSAgICBhdWRpZW5jZSByZXN0cmljdGlvbiBpbiB0aGUgdG9rZW4gYW5kIGluY2x1 ZGUgYQoJICAgIHJlY29tbWVuZGF0aW9uIHRvIGlzc3VlIHNjb3BlZCBiZWFyZXIgdG9rZW5zIGlu IHRoZQoJICAgIHN1bW1hcnkgb2YgcmVjb21tZW5kYXRpb25zLgoJICAKPC9saT4KPC91bD48cD4K ICAgICAgCjwvcD4KPHA+CiAgICAgICAgLTA0CiAgICAgICAgPC9wPgo8dWwgY2xhc3M9InRleHQi Pgo8bGk+CgkgICAgRWRpdHMgcmVzcG9uZGluZyB0byB3b3JraW5nIGdyb3VwIGxhc3QgY2FsbCBm ZWVkYmFjayBvbgoJICAgIC0wMy4gIFNwZWNpZmljIGVkaXRzIGVudW1lcmF0ZWQgYmVsb3cuCgkg IAo8L2xpPgo8bGk+CgkgICAgQWRkZWQgQmVhcmVyIFRva2VuIGRlZmluaXRpb24gaW4gVGVybWlu b2xvZ3kgc2VjdGlvbi4KCSAgCjwvbGk+CjxsaT4KICAgICAgICAgICAgQ2hhbmdlZCBwYXJhbWV0 ZXIgbmFtZSA8dHQ+b2F1dGhfdG9rZW48L3R0PiB0byA8dHQ+YmVhcmVyX3Rva2VuPC90dD4uCgkg IAo8L2xpPgo8bGk+CgkgICAgQWRkZWQgcmVhbG0gcGFyYW1ldGVyIHRvIDx0dD5XV1ctQXV0aGVu dGljYXRlPC90dD4gcmVzcG9uc2UgdG8gY29tcGx5CgkgICAgd2l0aCA8YSBjbGFzcz0naW5mbycg aHJlZj0nI1JGQzI2MTcnPltSRkMyNjE3XTxzcGFuPiAoPC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZv Jz5GcmFua3MsIEouLCBIYWxsYW0tQmFrZXIsIFAuLCBIb3N0ZXRsZXIsIEouLCBMYXdyZW5jZSwg Uy4sIExlYWNoLCBQLiwgTHVvdG9uZW4sIEEuLCBhbmQgTC4gU3Rld2FydCwgJmxkcXVvO0hUVFAg QXV0aGVudGljYXRpb246IEJhc2ljIGFuZCBEaWdlc3QgQWNjZXNzIEF1dGhlbnRpY2F0aW9uLCZy ZHF1bzsgSnVuZSZuYnNwOzE5OTkuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCSAgCjwvbGk+ CjxsaT4KCSAgICBSZW1vdmVkICJbIFJXUyAxI2F1dGgtcGFyYW0gXSIgZnJvbSA8dHQ+Y3JlZGVu dGlhbHM8L3R0PiBkZWZpbml0aW9uIHNpbmNlIGl0IGRpZAoJICAgIG5vdCBjb21wbHkgd2l0aCB0 aGUgQUJORiBpbiA8YSBjbGFzcz0naW5mbycgaHJlZj0nI0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0 aCc+W0kmIzgyMDk7RC5pZXRmJiM4MjA5O2h0dHBiaXMmIzgyMDk7cDcmIzgyMDk7YXV0aF08c3Bh bj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBN b2d1bCwgSi4sIE5pZWxzZW4sIEguLCBNYXNpbnRlciwgTC4sIExlYWNoLCBQLiwgQmVybmVycy1M ZWUsIFQuLCBMYWZvbiwgWS4sIGFuZCBKLiBSZXNjaGtlLCAmbGRxdW87SFRUUC8xLjEsIHBhcnQg NzogQXV0aGVudGljYXRpb24sJnJkcXVvOyBPY3RvYmVyJm5ic3A7MjAxMS48L3NwYW4+PHNwYW4+ KTwvc3Bhbj48L2E+LgoJICAKPC9saT4KPGxpPgoJICAgIFJlbW92ZWQgcmVzdHJpY3Rpb24gdGhh dCB0aGUgPHR0PmJlYXJlcl90b2tlbjwvdHQ+IChmb3JtZXJseSA8dHQ+b2F1dGhfdG9rZW48L3R0 PikgcGFyYW1ldGVyIGJlIHRoZSBsYXN0CgkgICAgcGFyYW1ldGVyIGluIHRoZSBlbnRpdHktYm9k eSBhbmQgdGhlIEhUVFAgcmVxdWVzdCBVUkkKCSAgICBxdWVyeS4KCSAgCjwvbGk+CjxsaT4KCSAg ICBEbyBub3QgcmVxdWlyZSBXV1ctQXV0aGVudGljYXRlIFJlc3BvbnNlIGluIGEgcmVwbHkgdG8g YQoJICAgIG1hbGZvcm1lZCByZXF1ZXN0LCBhcyBhbiBIVFRQIDQwMCBCYWQgUmVxdWVzdCByZXNw b25zZQoJICAgIHdpdGhvdXQgYSBXV1ctQXV0aGVudGljYXRlIGhlYWRlciBpcyBsaWtlbHkgdGhl IHJpZ2h0CgkgICAgcmVzcG9uc2UgaW4gc29tZSBjYXNlcyBvZiBtYWxmb3JtZWQgcmVxdWVzdHMu CgkgIAo8L2xpPgo8bGk+CgkgICAgUmVtb3ZlZCBPQXV0aCBQYXJhbWV0ZXJzIHJlZ2lzdHJ5IGV4 dGVuc2lvbi4KCSAgCjwvbGk+CjxsaT4KCSAgICBOdW1lcm91cyBlZGl0b3JpYWwgaW1wcm92ZW1l bnRzIHN1Z2dlc3RlZCBieSB3b3JraW5nIGdyb3VwCgkgICAgbWVtYmVycy4KCSAgCjwvbGk+Cjwv dWw+PHA+CiAgICAgIAo8L3A+CjxwPgogICAgICAgIC0wMwogICAgICAgIDwvcD4KPHVsIGNsYXNz PSJ0ZXh0Ij4KPGxpPgoJICAgIFJlc3RvcmVkIHRoZSBXV1ctQXV0aGVudGljYXRlIHJlc3BvbnNl IGhlYWRlcgoJICAgIGZ1bmN0aW9uYWxpdHkgZGVsZXRlZCBmcm9tIHRoZSBmcmFtZXdvcmsgc3Bl Y2lmaWNhdGlvbiBpbgoJICAgIGRyYWZ0IDEyIGJhc2VkIHVwb24gdGhlIHNwZWNpZmljYXRpb24g dGV4dCBmcm9tIGRyYWZ0IDExLgoJICAKPC9saT4KPGxpPgoJICAgIEF1Z21lbnRlZCB0aGUgT0F1 dGggUGFyYW1ldGVycyByZWdpc3RyeSBieSBhZGRpbmcgdHdvCgkgICAgYWRkaXRpb25hbCBwYXJh bWV0ZXIgdXNhZ2UgbG9jYXRpb25zOiAicmVzb3VyY2UgcmVxdWVzdCIKCSAgICBhbmQgInJlc291 cmNlIHJlc3BvbnNlIi4KCSAgCjwvbGk+CjxsaT4KICAgICAgICAgICAgUmVnaXN0ZXJlZCB0aGUg Im9hdXRoX3Rva2VuIiBPQXV0aCBwYXJhbWV0ZXIgd2l0aCB1c2FnZQogICAgICAgICAgICBsb2Nh dGlvbiAicmVzb3VyY2UgcmVxdWVzdCIuCiAgICAgICAgICAKPC9saT4KPGxpPgogICAgICAgICAg ICBSZWdpc3RlcmVkIHRoZSAiZXJyb3IiIE9BdXRoIHBhcmFtZXRlci4KICAgICAgICAgIAo8L2xp Pgo8bGk+CgkgICAgQ3JlYXRlZCB0aGUgT0F1dGggRXJyb3IgcmVnaXN0cnkgYW5kIHJlZ2lzdGVy ZWQgZXJyb3JzLgoJICAKPC9saT4KPGxpPgoJICAgIENoYW5nZWQgdGhlICJPQXV0aDIiIE9BdXRo IGFjY2VzcyB0b2tlbiB0eXBlIG5hbWUgdG8KCSAgICAiQmVhcmVyIi4KCSAgCjwvbGk+CjwvdWw+ PHA+CiAgICAgIAo8L3A+CjxwPgogICAgICAgIC0wMgogICAgICAgIDwvcD4KPHVsIGNsYXNzPSJ0 ZXh0Ij4KPGxpPgogICAgICAgICAgICBJbmNvcnBvcmF0ZWQgZmVlZGJhY2sgcmVjZWl2ZWQgb24g ZHJhZnQgMDEuICBNb3N0IGNoYW5nZXMKICAgICAgICAgICAgd2VyZSB0byB0aGUgc2VjdXJpdHkg Y29uc2lkZXJhdGlvbnMgc2VjdGlvbi4gIE5vIG5vcm1hdGl2ZQogICAgICAgICAgICBjaGFuZ2Vz IHdlcmUgbWFkZS4gIFNwZWNpZmljIGNoYW5nZXMgaW5jbHVkZWQ6CiAgICAgICAgICAKPC9saT4K PGxpPgoJICAgIENoYW5nZWQgdGVybWlub2xvZ3kgZnJvbSAidG9rZW4gcmV1c2UiIHRvICJ0b2tl biBjYXB0dXJlCgkgICAgYW5kIHJlcGxheSIuCgkgIAo8L2xpPgo8bGk+CgkgICAgUmVtb3ZlZCBz ZW50ZW5jZSAiRW5jcnlwdGluZyB0aGUgdG9rZW4gY29udGVudHMgaXMgYW5vdGhlcgoJICAgIGFs dGVybmF0aXZlIiBmcm9tIHRoZSBzZWN1cml0eSBjb25zaWRlcmF0aW9ucyBzaW5jZSBpdCB3YXMK CSAgICByZWR1bmRhbnQgYW5kIHBvdGVudGlhbGx5IGNvbmZ1c2luZy4KCSAgCjwvbGk+CjxsaT4K CSAgICBDb3JyZWN0ZWQgc29tZSByZWZlcmVuY2VzIHRvICJyZXNvdXJjZSBzZXJ2ZXIiIHRvIGJl CgkgICAgImF1dGhvcml6YXRpb24gc2VydmVyIiBpbiB0aGUgc2VjdXJpdHkgY29uc2lkZXJhdGlv bnMuCgkgIAo8L2xpPgo8bGk+CgkgICAgR2VuZXJhbGl6ZWQgc2VjdXJpdHkgY29uc2lkZXJhdGlv bnMgbGFuZ3VhZ2UgYWJvdXQKCSAgICBvYnRhaW5pbmcgY29uc2VudCBvZiB0aGUgcmVzb3VyY2Ug b3duZXIuCgkgIAo8L2xpPgo8bGk+CgkgICAgQnJvYWRlbmVkIHNjb3BlIG9mIHNlY3VyaXR5IGNv bnNpZGVyYXRpb25zIGRlc2NyaXB0aW9uIGZvcgoJICAgIHJlY29tbWVuZGF0aW9uICJEb24ndCBw YXNzIGJlYXJlciB0b2tlbnMgaW4gcGFnZSBVUkxzIi4KCSAgCjwvbGk+CjxsaT4KCSAgICBSZW1v dmVkIHVudXNlZCByZWZlcmVuY2UgdG8gT0F1dGggMS4wLgoJICAKPC9saT4KPGxpPgoJICAgIFVw ZGF0ZWQgcmVmZXJlbmNlIHRvIGZyYW1ld29yayBzcGVjaWZpY2F0aW9uIGFuZCB1cGRhdGVkCgkg ICAgRGF2aWQgUmVjb3Jkb24ncyBlLW1haWwgYWRkcmVzcy4KCSAgCjwvbGk+CjxsaT4KCSAgICBS ZW1vdmVkIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25zIHRleHQgb24gYXV0aGVudGljYXRpbmcKCSAg ICBjbGllbnRzLgoJICAKPC9saT4KPGxpPgoJICAgIFJlZ2lzdGVyZWQgdGhlICJPQXV0aDIiIE9B dXRoIGFjY2VzcyB0b2tlbiB0eXBlIGFuZAoJICAgICJvYXV0aF90b2tlbiIgcGFyYW1ldGVyLgoJ ICAKPC9saT4KPC91bD48cD4KICAgICAgCjwvcD4KPHA+CiAgICAgICAgLTAxCiAgICAgICAgPC9w Pgo8dWwgY2xhc3M9InRleHQiPgo8bGk+CiAgICAgICAgICAgIEZpcnN0IHB1YmxpYyBkcmFmdCwg d2hpY2ggaW5jb3Jwb3JhdGVzIGZlZWRiYWNrIHJlY2VpdmVkCiAgICAgICAgICAgIG9uIC0wMCBp bmNsdWRpbmcgZW5oYW5jZWQgU2VjdXJpdHkgQ29uc2lkZXJhdGlvbnMgY29udGVudC4KICAgICAg ICAgICAgVGhpcyB2ZXJzaW9uIGlzIGludGVuZGVkIHRvIGFjY29tcGFueSBPQXV0aCAyLjAgZHJh ZnQgMTEuCiAgICAgICAgICAKPC9saT4KPC91bD48cD4KICAgICAgCjwvcD4KPHA+CiAgICAgICAg LTAwCiAgICAgICAgPC9wPgo8dWwgY2xhc3M9InRleHQiPgo8bGk+CiAgICAgICAgICAgIEluaXRp YWwgZHJhZnQgYmFzZWQgb24gcHJlbGltaW5hcnkgdmVyc2lvbiBvZiBPQXV0aCAyLjAgZHJhZnQg MTEuCiAgICAgICAgICAKPC9saT4KPC91bD48cD4KICAgICAgCjwvcD4KPGEgbmFtZT0icmZjLmF1 dGhvcnMiPjwvYT48YnIgLz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRp bmc9IjAiIGNlbGxzcGFjaW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48 dGQgY2xhc3M9IlRPQ2J1ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+ PC90cj48L3RhYmxlPgo8aDM+QXV0aG9ycycgQWRkcmVzc2VzPC9oMz4KPHRhYmxlIHdpZHRoPSI5 OSUiIGJvcmRlcj0iMCIgY2VsbHBhZGRpbmc9IjAiIGNlbGxzcGFjaW5nPSIwIj4KPHRyPjx0ZCBj bGFzcz0iYXV0aG9yLXRleHQiPiZuYnNwOzwvdGQ+Cjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiPk1p Y2hhZWwgQi4gSm9uZXM8L3RkPjwvdHI+Cjx0cj48dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij4mbmJz cDs8L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij5NaWNyb3NvZnQ8L3RkPjwvdHI+Cjx0cj48 dGQgY2xhc3M9ImF1dGhvciIgYWxpZ249InJpZ2h0Ij5FbWFpbDombmJzcDs8L3RkPgo8dGQgY2xh c3M9ImF1dGhvci10ZXh0Ij48YSBocmVmPSJtYWlsdG86bWJqQG1pY3Jvc29mdC5jb20iPm1iakBt aWNyb3NvZnQuY29tPC9hPjwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yIiBhbGlnbj0i cmlnaHQiPlVSSTombmJzcDs8L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij48YSBocmVmPSJo dHRwOi8vc2VsZi1pc3N1ZWQuaW5mby8iPmh0dHA6Ly9zZWxmLWlzc3VlZC5pbmZvLzwvYT48L3Rk PjwvdHI+Cjx0ciBjZWxscGFkZGluZz0iMyI+PHRkPiZuYnNwOzwvdGQ+PHRkPiZuYnNwOzwvdGQ+ PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiPiZuYnNwOzwvdGQ+Cjx0ZCBjbGFzcz0i YXV0aG9yLXRleHQiPkRpY2sgSGFyZHQ8L3RkPjwvdHI+Cjx0cj48dGQgY2xhc3M9ImF1dGhvci10 ZXh0Ij4mbmJzcDs8L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij5pbmRlcGVuZGVudDwvdGQ+ PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yIiBhbGlnbj0icmlnaHQiPkVtYWlsOiZuYnNwOzwv dGQ+Cjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiPjxhIGhyZWY9Im1haWx0bzpkaWNrLmhhcmR0QGdt YWlsLmNvbSI+ZGljay5oYXJkdEBnbWFpbC5jb208L2E+PC90ZD48L3RyPgo8dHI+PHRkIGNsYXNz PSJhdXRob3IiIGFsaWduPSJyaWdodCI+VVJJOiZuYnNwOzwvdGQ+Cjx0ZCBjbGFzcz0iYXV0aG9y LXRleHQiPjxhIGhyZWY9Imh0dHA6Ly9kaWNraGFyZHQub3JnLyI+aHR0cDovL2RpY2toYXJkdC5v cmcvPC9hPjwvdGQ+PC90cj4KPHRyIGNlbGxwYWRkaW5nPSIzIj48dGQ+Jm5ic3A7PC90ZD48dGQ+ Jm5ic3A7PC90ZD48L3RyPgo8dHI+PHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+Jm5ic3A7PC90ZD4K PHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+RGF2aWQgUmVjb3Jkb248L3RkPjwvdHI+Cjx0cj48dGQg Y2xhc3M9ImF1dGhvci10ZXh0Ij4mbmJzcDs8L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij5G YWNlYm9vazwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yIiBhbGlnbj0icmlnaHQiPkVt YWlsOiZuYnNwOzwvdGQ+Cjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiPjxhIGhyZWY9Im1haWx0bzpk ckBmYi5jb20iPmRyQGZiLmNvbTwvYT48L3RkPjwvdHI+Cjx0cj48dGQgY2xhc3M9ImF1dGhvciIg YWxpZ249InJpZ2h0Ij5VUkk6Jm5ic3A7PC90ZD4KPHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+PGEg aHJlZj0iaHR0cDovL3d3dy5kYXZpZHJlY29yZG9uLmNvbS8iPmh0dHA6Ly93d3cuZGF2aWRyZWNv cmRvbi5jb20vPC9hPjwvdGQ+PC90cj4KPC90YWJsZT4KPC9ib2R5PjwvaHRtbD4K --_007_4E1F6AAD24975D4BA5B16804296739435F75F103TK5EX14MBXC283r_ Content-Type: text/plain; name="draft-ietf-oauth-v2-bearer-15 preliminary.txt" Content-Description: draft-ietf-oauth-v2-bearer-15 preliminary.txt Content-Disposition: attachment; filename="draft-ietf-oauth-v2-bearer-15 preliminary.txt"; size=45441; creation-date="Mon, 12 Dec 2011 16:33:14 GMT"; modification-date="Mon, 12 Dec 2011 16:05:55 GMT" Content-Transfer-Encoding: base64 CgoKTmV0d29yayBXb3JraW5nIEdyb3VwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIE0uIEpvbmVzCkludGVybmV0LURyYWZ0ICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIE1pY3Jvc29mdApJbnRlbmRlZCBzdGF0dXM6IFN0YW5k YXJkcyBUcmFjayAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRC4gSGFyZHQKRXhwaXJl czogSnVuZSAxNCwgMjAxMiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlu ZGVwZW5kZW50CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICBELiBSZWNvcmRvbgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRmFjZWJvb2sKICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERlY2VtYmVyIDEyLCAyMDEx CgoKICAgICAgICAgIFRoZSBPQXV0aCAyLjAgQXV0aG9yaXphdGlvbiBQcm90b2NvbDogQmVhcmVy IFRva2VucwogICAgICAgICAgICAgICAgICAgICBkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci0x NQoKQWJzdHJhY3QKCiAgIFRoaXMgc3BlY2lmaWNhdGlvbiBkZXNjcmliZXMgaG93IHRvIHVzZSBi ZWFyZXIgdG9rZW5zIGluIEhUVFAKICAgcmVxdWVzdHMgdG8gYWNjZXNzIE9BdXRoIDIuMCBwcm90 ZWN0ZWQgcmVzb3VyY2VzLiAgQW55IHBhcnR5IGluCiAgIHBvc3Nlc3Npb24gb2YgYSBiZWFyZXIg dG9rZW4gKGEgImJlYXJlciIpIGNhbiB1c2UgaXQgdG8gZ2V0IGFjY2VzcyB0bwogICB0aGUgYXNz b2NpYXRlZCByZXNvdXJjZXMgKHdpdGhvdXQgZGVtb25zdHJhdGluZyBwb3NzZXNzaW9uIG9mIGEK ICAgY3J5cHRvZ3JhcGhpYyBrZXkpLiAgVG8gcHJldmVudCBtaXN1c2UsIGJlYXJlciB0b2tlbnMg bmVlZCB0byBiZQogICBwcm90ZWN0ZWQgZnJvbSBkaXNjbG9zdXJlIGluIHN0b3JhZ2UgYW5kIGlu IHRyYW5zcG9ydC4KClN0YXR1cyBvZiB0aGlzIE1lbW8KCiAgIFRoaXMgSW50ZXJuZXQtRHJhZnQg aXMgc3VibWl0dGVkIGluIGZ1bGwgY29uZm9ybWFuY2Ugd2l0aCB0aGUKICAgcHJvdmlzaW9ucyBv ZiBCQ1AgNzggYW5kIEJDUCA3OS4KCiAgIEludGVybmV0LURyYWZ0cyBhcmUgd29ya2luZyBkb2N1 bWVudHMgb2YgdGhlIEludGVybmV0IEVuZ2luZWVyaW5nCiAgIFRhc2sgRm9yY2UgKElFVEYpLiAg Tm90ZSB0aGF0IG90aGVyIGdyb3VwcyBtYXkgYWxzbyBkaXN0cmlidXRlCiAgIHdvcmtpbmcgZG9j dW1lbnRzIGFzIEludGVybmV0LURyYWZ0cy4gIFRoZSBsaXN0IG9mIGN1cnJlbnQgSW50ZXJuZXQt CiAgIERyYWZ0cyBpcyBhdCBodHRwOi8vZGF0YXRyYWNrZXIuaWV0Zi5vcmcvZHJhZnRzL2N1cnJl bnQvLgoKICAgSW50ZXJuZXQtRHJhZnRzIGFyZSBkcmFmdCBkb2N1bWVudHMgdmFsaWQgZm9yIGEg bWF4aW11bSBvZiBzaXggbW9udGhzCiAgIGFuZCBtYXkgYmUgdXBkYXRlZCwgcmVwbGFjZWQsIG9y IG9ic29sZXRlZCBieSBvdGhlciBkb2N1bWVudHMgYXQgYW55CiAgIHRpbWUuICBJdCBpcyBpbmFw cHJvcHJpYXRlIHRvIHVzZSBJbnRlcm5ldC1EcmFmdHMgYXMgcmVmZXJlbmNlCiAgIG1hdGVyaWFs IG9yIHRvIGNpdGUgdGhlbSBvdGhlciB0aGFuIGFzICJ3b3JrIGluIHByb2dyZXNzLiIKCiAgIFRo aXMgSW50ZXJuZXQtRHJhZnQgd2lsbCBleHBpcmUgb24gSnVuZSAxNCwgMjAxMi4KCkNvcHlyaWdo dCBOb3RpY2UKCiAgIENvcHlyaWdodCAoYykgMjAxMSBJRVRGIFRydXN0IGFuZCB0aGUgcGVyc29u cyBpZGVudGlmaWVkIGFzIHRoZQogICBkb2N1bWVudCBhdXRob3JzLiAgQWxsIHJpZ2h0cyByZXNl cnZlZC4KCiAgIFRoaXMgZG9jdW1lbnQgaXMgc3ViamVjdCB0byBCQ1AgNzggYW5kIHRoZSBJRVRG IFRydXN0J3MgTGVnYWwKICAgUHJvdmlzaW9ucyBSZWxhdGluZyB0byBJRVRGIERvY3VtZW50cwog ICAoaHR0cDovL3RydXN0ZWUuaWV0Zi5vcmcvbGljZW5zZS1pbmZvKSBpbiBlZmZlY3Qgb24gdGhl IGRhdGUgb2YKICAgcHVibGljYXRpb24gb2YgdGhpcyBkb2N1bWVudC4gIFBsZWFzZSByZXZpZXcg dGhlc2UgZG9jdW1lbnRzCiAgIGNhcmVmdWxseSwgYXMgdGhleSBkZXNjcmliZSB5b3VyIHJpZ2h0 cyBhbmQgcmVzdHJpY3Rpb25zIHdpdGggcmVzcGVjdAoKCgpKb25lcywgZXQgYWwuICAgICAgICAg ICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAgICAgICAgW1BhZ2UgMV0KDApJbnRl cm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJlciBUb2tlbnMgICAgICAgICAgIERl Y2VtYmVyIDIwMTEKCgogICB0byB0aGlzIGRvY3VtZW50LiAgQ29kZSBDb21wb25lbnRzIGV4dHJh Y3RlZCBmcm9tIHRoaXMgZG9jdW1lbnQgbXVzdAogICBpbmNsdWRlIFNpbXBsaWZpZWQgQlNEIExp Y2Vuc2UgdGV4dCBhcyBkZXNjcmliZWQgaW4gU2VjdGlvbiA0LmUgb2YKICAgdGhlIFRydXN0IExl Z2FsIFByb3Zpc2lvbnMgYW5kIGFyZSBwcm92aWRlZCB3aXRob3V0IHdhcnJhbnR5IGFzCiAgIGRl c2NyaWJlZCBpbiB0aGUgU2ltcGxpZmllZCBCU0QgTGljZW5zZS4KCgpUYWJsZSBvZiBDb250ZW50 cwoKICAgMS4gIEludHJvZHVjdGlvbiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuICAzCiAgICAgMS4xLiAgTm90YXRpb25hbCBDb252ZW50aW9ucyAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMwogICAgIDEuMi4gIFRlcm1pbm9sb2d5 ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDMKICAgICAx LjMuICBPdmVydmlldyAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuICA0CiAgIDIuICBBdXRoZW50aWNhdGVkIFJlcXVlc3RzIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgNQogICAgIDIuMS4gIEF1dGhvcml6YXRpb24gUmVxdWVz dCBIZWFkZXIgRmllbGQgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDUKICAgICAyLjIuICBGb3Jt LUVuY29kZWQgQm9keSBQYXJhbWV0ZXIgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA2 CiAgICAgMi4zLiAgVVJJIFF1ZXJ5IFBhcmFtZXRlciAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAgNwogICAzLiAgVGhlIFdXVy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgSGVh ZGVyIEZpZWxkIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDcKICAgICAzLjEuICBFcnJvciBDb2RlcyAg LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA5CiAgIDQuICBT ZWN1cml0eSBDb25zaWRlcmF0aW9ucyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAxMAogICAgIDQuMS4gIFNlY3VyaXR5IFRocmVhdHMgLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gMTAKICAgICA0LjIuICBUaHJlYXQgTWl0aWdhdGlvbiAgLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDEwCiAgICAgNC4zLiAgU3VtbWFy eSBvZiBSZWNvbW1lbmRhdGlvbnMgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxMgog ICA1LiAgSUFOQSBDb25zaWRlcmF0aW9ucyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gMTMKICAgICA1LjEuICBPQXV0aCBBY2Nlc3MgVG9rZW4gVHlwZSBSZWdpc3Ry YXRpb24gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDEzCiAgICAgICA1LjEuMS4gIFRoZSAiQmVhcmVy IiBPQXV0aCBBY2Nlc3MgVG9rZW4gVHlwZSAuIC4gLiAuIC4gLiAuIC4gLiAxMwogICAgIDUuMi4g IEF1dGhlbnRpY2F0aW9uIFNjaGVtZSBSZWdpc3RyYXRpb24gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gMTQKICAgICAgIDUuMi4xLiAgVGhlICJCZWFyZXIiIEF1dGhlbnRpY2F0aW9uIFNjaGVtZSAu IC4gLiAuIC4gLiAuIC4gLiAuIDE0CiAgIDYuICBSZWZlcmVuY2VzIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxNAogICAgIDYuMS4gIE5vcm1hdGl2 ZSBSZWZlcmVuY2VzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gMTQKICAg ICA2LjIuICBJbmZvcm1hdGl2ZSBSZWZlcmVuY2VzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIDE1CiAgIEFwcGVuZGl4IEEuICBBY2tub3dsZWRnZW1lbnRzICAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxNQogICBBcHBlbmRpeCBCLiAgRG9jdW1lbnQgSGlz dG9yeSAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gMTYKICAgQXV0aG9ycycg QWRkcmVzc2VzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IDIyCgoKCgoKCgoKCgoKCgoKCgoKCkpvbmVzLCBldCBhbC4gICAgICAgICAgICAgRXhwaXJlcyBK dW5lIDE0LCAyMDEyICAgICAgICAgICAgICAgICBbUGFnZSAyXQoMCkludGVybmV0LURyYWZ0ICAg ICAgICAgICBPQXV0aCAyLjAgQmVhcmVyIFRva2VucyAgICAgICAgICAgRGVjZW1iZXIgMjAxMQoK CjEuICBJbnRyb2R1Y3Rpb24KCiAgIE9BdXRoIGVuYWJsZXMgY2xpZW50cyB0byBhY2Nlc3MgcHJv dGVjdGVkIHJlc291cmNlcyBieSBvYnRhaW5pbmcgYW4KICAgYWNjZXNzIHRva2VuLCB3aGljaCBp cyBkZWZpbmVkIGluIE9BdXRoIDIuMCBBdXRob3JpemF0aW9uCiAgIFtJLUQuaWV0Zi1vYXV0aC12 Ml0gYXMgImEgc3RyaW5nIHJlcHJlc2VudGluZyBhbiBhY2Nlc3MgYXV0aG9yaXphdGlvbgogICBp c3N1ZWQgdG8gdGhlIGNsaWVudCIsIHJhdGhlciB0aGFuIHVzaW5nIHRoZSByZXNvdXJjZSBvd25l cidzCiAgIGNyZWRlbnRpYWxzIGRpcmVjdGx5LgoKICAgVG9rZW5zIGFyZSBpc3N1ZWQgdG8gY2xp ZW50cyBieSBhbiBhdXRob3JpemF0aW9uIHNlcnZlciB3aXRoIHRoZQogICBhcHByb3ZhbCBvZiB0 aGUgcmVzb3VyY2Ugb3duZXIuICBUaGUgY2xpZW50IHVzZXMgdGhlIGFjY2VzcyB0b2tlbiB0bwog ICBhY2Nlc3MgdGhlIHByb3RlY3RlZCByZXNvdXJjZXMgaG9zdGVkIGJ5IHRoZSByZXNvdXJjZSBz ZXJ2ZXIuICBUaGlzCiAgIHNwZWNpZmljYXRpb24gZGVzY3JpYmVzIGhvdyB0byBtYWtlIHByb3Rl Y3RlZCByZXNvdXJjZSByZXF1ZXN0cyB3aGVuCiAgIHRoZSBPQXV0aCBhY2Nlc3MgdG9rZW4gaXMg YSBiZWFyZXIgdG9rZW4uCgogICBUaGlzIHNwZWNpZmljYXRpb24gZGVmaW5lcyB0aGUgdXNlIG9m IGJlYXJlciB0b2tlbnMgb3ZlciBIVFRQLzEuMQogICBbSS1ELmlldGYtaHR0cGJpcy1wMS1tZXNz YWdpbmddIHVzaW5nIFRMUyBbUkZDNTI0Nl0gdG8gYWNjZXNzCiAgIHByb3RlY3RlZCByZXNvdXJj ZXMuICBUTFMgaXMgbWFuZGF0b3J5IHRvIGltcGxlbWVudCBhbmQgdXNlIHdpdGggdGhpcwogICBz cGVjaWZpY2F0aW9uOyBvdGhlciBzcGVjaWZpY2F0aW9ucyBtYXkgZXh0ZW5kIHRoaXMgc3BlY2lm aWNhdGlvbiBmb3IKICAgdXNlIHdpdGggb3RoZXIgdHJhbnNwb3J0IHByb3RvY29scy4gIFdoaWxl IGRlc2lnbmVkIGZvciB1c2Ugd2l0aAogICBhY2Nlc3MgdG9rZW5zIHJlc3VsdGluZyBmcm9tIE9B dXRoIDIuMCBBdXRob3JpemF0aW9uCiAgIFtJLUQuaWV0Zi1vYXV0aC12Ml0gZmxvd3MgdG8gYWNj ZXNzIE9BdXRoIHByb3RlY3RlZCByZXNvdXJjZXMsIHRoaXMKICAgc3BlY2lmaWNhdGlvbiBhY3R1 YWxseSBkZWZpbmVzIGEgZ2VuZXJhbCBIVFRQIGF1dGhvcml6YXRpb24gbWV0aG9kCiAgIHRoYXQg Y2FuIGJlIHVzZWQgd2l0aCBiZWFyZXIgdG9rZW5zIGZyb20gYW55IHNvdXJjZSB0byBhY2Nlc3Mg YW55CiAgIHJlc291cmNlcyBwcm90ZWN0ZWQgYnkgdGhvc2UgYmVhcmVyIHRva2Vucy4KCjEuMS4g IE5vdGF0aW9uYWwgQ29udmVudGlvbnMKCiAgIFRoZSBrZXkgd29yZHMgJ01VU1QnLCAnTVVTVCBO T1QnLCAnUkVRVUlSRUQnLCAnU0hBTEwnLCAnU0hBTEwgTk9UJywKICAgJ1NIT1VMRCcsICdTSE9V TEQgTk9UJywgJ1JFQ09NTUVOREVEJywgJ01BWScsIGFuZCAnT1BUSU9OQUwnIGluIHRoaXMKICAg ZG9jdW1lbnQgYXJlIHRvIGJlIGludGVycHJldGVkIGFzIGRlc2NyaWJlZCBpbiBLZXkgd29yZHMg Zm9yIHVzZSBpbgogICBSRkNzIHRvIEluZGljYXRlIFJlcXVpcmVtZW50IExldmVscyBbUkZDMjEx OV0uCgogICBUaGlzIGRvY3VtZW50IHVzZXMgdGhlIEF1Z21lbnRlZCBCYWNrdXMtTmF1ciBGb3Jt IChBQk5GKSBub3RhdGlvbiBvZgogICBIVFRQLzEuMSwgUGFydCAxIFtJLUQuaWV0Zi1odHRwYmlz LXAxLW1lc3NhZ2luZ10sIHdoaWNoIGlzIGJhc2VkIHVwb24KICAgdGhlIEF1Z21lbnRlZCBCYWNr dXMtTmF1ciBGb3JtIChBQk5GKSBbUkZDNTIzNF0gbm90YXRpb24uCiAgIEFkZGl0aW9uYWxseSwg dGhlIGZvbGxvd2luZyBydWxlcyBhcmUgaW5jbHVkZWQgZnJvbSBIVFRQLzEuMSwgUGFydCA3CiAg IFtJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGhdOiBiNjR0b2tlbiwgYXV0aC1wYXJhbSwgYW5kIHJl YWxtOyBmcm9tCiAgIEhUVFAvMS4xLCBQYXJ0IDEgW0ktRC5pZXRmLWh0dHBiaXMtcDEtbWVzc2Fn aW5nXTogcXVvdGVkLXN0cmluZzsgYW5kCiAgIGZyb20gVW5pZm9ybSBSZXNvdXJjZSBJZGVudGlm aWVyIChVUkkpIFtSRkMzOTg2XTogVVJJLVJlZmVyZW5jZS4KCiAgIFVubGVzcyBvdGhlcndpc2Ug bm90ZWQsIGFsbCB0aGUgcHJvdG9jb2wgcGFyYW1ldGVyIG5hbWVzIGFuZCB2YWx1ZXMKICAgYXJl IGNhc2Ugc2Vuc2l0aXZlLgoKMS4yLiAgVGVybWlub2xvZ3kKCgoKCgoKCkpvbmVzLCBldCBhbC4g ICAgICAgICAgICAgRXhwaXJlcyBKdW5lIDE0LCAyMDEyICAgICAgICAgICAgICAgICBbUGFnZSAz XQoMCkludGVybmV0LURyYWZ0ICAgICAgICAgICBPQXV0aCAyLjAgQmVhcmVyIFRva2VucyAgICAg ICAgICAgRGVjZW1iZXIgMjAxMQoKCiAgIEJlYXJlciBUb2tlbgogICAgICBBIHNlY3VyaXR5IHRv a2VuIHdpdGggdGhlIHByb3BlcnR5IHRoYXQgYW55IHBhcnR5IGluIHBvc3Nlc3Npb24gb2YKICAg ICAgdGhlIHRva2VuIChhICJiZWFyZXIiKSBjYW4gdXNlIHRoZSB0b2tlbiBpbiBhbnkgd2F5IHRo YXQgYW55IG90aGVyCiAgICAgIHBhcnR5IGluIHBvc3Nlc3Npb24gb2YgaXQgY2FuLiAgVXNpbmcg YSBiZWFyZXIgdG9rZW4gZG9lcyBub3QKICAgICAgcmVxdWlyZSBhIGJlYXJlciB0byBwcm92ZSBw b3NzZXNzaW9uIG9mIGNyeXB0b2dyYXBoaWMga2V5IG1hdGVyaWFsCiAgICAgIChwcm9vZi1vZi1w b3NzZXNzaW9uKS4KCiAgIEFsbCBvdGhlciB0ZXJtcyBhcmUgYXMgZGVmaW5lZCBpbiBPQXV0aCAy LjAgQXV0aG9yaXphdGlvbgogICBbSS1ELmlldGYtb2F1dGgtdjJdLgoKMS4zLiAgT3ZlcnZpZXcK CiAgIE9BdXRoIHByb3ZpZGVzIGEgbWV0aG9kIGZvciBjbGllbnRzIHRvIGFjY2VzcyBhIHByb3Rl Y3RlZCByZXNvdXJjZSBvbgogICBiZWhhbGYgb2YgYSByZXNvdXJjZSBvd25lci4gIEluIHRoZSBn ZW5lcmFsIGNhc2UsIGJlZm9yZSBhIGNsaWVudCBjYW4KICAgYWNjZXNzIGEgcHJvdGVjdGVkIHJl c291cmNlLCBpdCBtdXN0IGZpcnN0IG9idGFpbiBhbiBhdXRob3JpemF0aW9uCiAgIGdyYW50IGZy b20gdGhlIHJlc291cmNlIG93bmVyIGFuZCB0aGVuIGV4Y2hhbmdlIHRoZSBhdXRob3JpemF0aW9u CiAgIGdyYW50IGZvciBhbiBhY2Nlc3MgdG9rZW4uICBUaGUgYWNjZXNzIHRva2VuIHJlcHJlc2Vu dHMgdGhlIGdyYW50J3MKICAgc2NvcGUsIGR1cmF0aW9uLCBhbmQgb3RoZXIgYXR0cmlidXRlcyBn cmFudGVkIGJ5IHRoZSBhdXRob3JpemF0aW9uCiAgIGdyYW50LiAgVGhlIGNsaWVudCBhY2Nlc3Nl cyB0aGUgcHJvdGVjdGVkIHJlc291cmNlIGJ5IHByZXNlbnRpbmcgdGhlCiAgIGFjY2VzcyB0b2tl biB0byB0aGUgcmVzb3VyY2Ugc2VydmVyLiAgSW4gc29tZSBjYXNlcywgYSBjbGllbnQgY2FuCiAg IGRpcmVjdGx5IHByZXNlbnQgaXRzIG93biBjcmVkZW50aWFscyB0byBhbiBhdXRob3JpemF0aW9u IHNlcnZlciB0bwogICBvYnRhaW4gYW4gYWNjZXNzIHRva2VuIHdpdGhvdXQgaGF2aW5nIHRvIGZp cnN0IG9idGFpbiBhbgogICBhdXRob3JpemF0aW9uIGdyYW50IGZyb20gYSByZXNvdXJjZSBvd25l ci4KCiAgIFRoZSBhY2Nlc3MgdG9rZW4gcHJvdmlkZXMgYW4gYWJzdHJhY3Rpb24sIHJlcGxhY2lu ZyBkaWZmZXJlbnQKICAgYXV0aG9yaXphdGlvbiBjb25zdHJ1Y3RzIChlLmcuIHVzZXJuYW1lIGFu ZCBwYXNzd29yZCwgYXNzZXJ0aW9uKSBmb3IKICAgYSBzaW5nbGUgdG9rZW4gdW5kZXJzdG9vZCBi eSB0aGUgcmVzb3VyY2Ugc2VydmVyLiAgVGhpcyBhYnN0cmFjdGlvbgogICBlbmFibGVzIGlzc3Vp bmcgYWNjZXNzIHRva2VucyB2YWxpZCBmb3IgYSBzaG9ydCB0aW1lIHBlcmlvZCwgYXMgd2VsbAog ICBhcyByZW1vdmluZyB0aGUgcmVzb3VyY2Ugc2VydmVyJ3MgbmVlZCB0byB1bmRlcnN0YW5kIGEg d2lkZSByYW5nZSBvZgogICBhdXRoZW50aWNhdGlvbiBzY2hlbWVzLgoKCgoKCgoKCgoKCgoKCgoK CgoKCgpKb25lcywgZXQgYWwuICAgICAgICAgICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAg ICAgICAgICAgICAgW1BhZ2UgNF0KDApJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4w IEJlYXJlciBUb2tlbnMgICAgICAgICAgIERlY2VtYmVyIDIwMTEKCgogICArLS0tLS0tLS0rICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICstLS0tLS0tLS0tLS0tLS0rCiAgIHwgICAgICAg IHwtLShBKS0gQXV0aG9yaXphdGlvbiBSZXF1ZXN0IC0+fCAgIFJlc291cmNlICAgIHwKICAgfCAg ICAgICAgfCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8ICAgICBPd25lciAgICAgfAog ICB8ICAgICAgICB8PC0oQiktLSBBdXRob3JpemF0aW9uIEdyYW50IC0tLXwgICAgICAgICAgICAg ICB8CiAgIHwgICAgICAgIHwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKy0tLS0tLS0t LS0tLS0tLSsKICAgfCAgICAgICAgfAogICB8ICAgICAgICB8ICAgICAgICBBdXRob3JpemF0aW9u IEdyYW50ICYgICstLS0tLS0tLS0tLS0tLS0rCiAgIHwgICAgICAgIHwtLShDKS0tLSBDbGllbnQg Q3JlZGVudGlhbHMgLS0+fCBBdXRob3JpemF0aW9uIHwKICAgfCBDbGllbnQgfCAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICB8ICAgICBTZXJ2ZXIgICAgfAogICB8ICAgICAgICB8PC0oRCkt LS0tLSBBY2Nlc3MgVG9rZW4gLS0tLS0tLXwgICAgICAgICAgICAgICB8CiAgIHwgICAgICAgIHwg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKy0tLS0tLS0tLS0tLS0tLSsKICAgfCAgICAg ICAgfAogICB8ICAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICstLS0tLS0t LS0tLS0tLS0rCiAgIHwgICAgICAgIHwtLShFKS0tLS0tIEFjY2VzcyBUb2tlbiAtLS0tLS0+fCAg ICBSZXNvdXJjZSAgIHwKICAgfCAgICAgICAgfCAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICB8ICAgICBTZXJ2ZXIgICAgfAogICB8ICAgICAgICB8PC0oRiktLS0gUHJvdGVjdGVkIFJlc291 cmNlIC0tLXwgICAgICAgICAgICAgICB8CiAgICstLS0tLS0tLSsgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgKy0tLS0tLS0tLS0tLS0tLSsKCiAgICAgICAgICAgICAgICAgICAgIEZpZ3Vy ZSAxOiBBYnN0cmFjdCBQcm90b2NvbCBGbG93CgogICBUaGUgYWJzdHJhY3QgZmxvdyBpbGx1c3Ry YXRlZCBpbiBGaWd1cmUgMSBkZXNjcmliZXMgdGhlIG92ZXJhbGwgT0F1dGgKICAgMi4wIHByb3Rv Y29sIGFyY2hpdGVjdHVyZS4gIFRoZSBmb2xsb3dpbmcgc3RlcHMgYXJlIHNwZWNpZmllZCB3aXRo aW4KICAgdGhpcyBkb2N1bWVudDoKCiAgICAgIEUpIFRoZSBjbGllbnQgbWFrZXMgYSBwcm90ZWN0 ZWQgcmVzb3VyY2UgcmVxdWVzdCB0byB0aGUgcmVzb3VyY2UKICAgICAgc2VydmVyIGJ5IHByZXNl bnRpbmcgdGhlIGFjY2VzcyB0b2tlbi4KCiAgICAgIEYpIFRoZSByZXNvdXJjZSBzZXJ2ZXIgdmFs aWRhdGVzIHRoZSBhY2Nlc3MgdG9rZW4sIGFuZCBpZiB2YWxpZCwKICAgICAgc2VydmVzIHRoZSBy ZXF1ZXN0LgoKCjIuICBBdXRoZW50aWNhdGVkIFJlcXVlc3RzCgogICBUaGlzIHNlY3Rpb24gZGVm aW5lcyB0aHJlZSBtZXRob2RzIG9mIHNlbmRpbmcgYmVhcmVyIGFjY2VzcyB0b2tlbnMgaW4KICAg cmVzb3VyY2UgcmVxdWVzdHMgdG8gcmVzb3VyY2Ugc2VydmVycy4gIENsaWVudHMgTVVTVCBOT1Qg dXNlIG1vcmUKICAgdGhhbiBvbmUgbWV0aG9kIHRvIHRyYW5zbWl0IHRoZSB0b2tlbiBpbiBlYWNo IHJlcXVlc3QuCgoyLjEuICBBdXRob3JpemF0aW9uIFJlcXVlc3QgSGVhZGVyIEZpZWxkCgogICBX aGVuIHNlbmRpbmcgdGhlIGFjY2VzcyB0b2tlbiBpbiB0aGUgIkF1dGhvcml6YXRpb24iIHJlcXVl c3QgaGVhZGVyCiAgIGZpZWxkIGRlZmluZWQgYnkgSFRUUC8xLjEsIFBhcnQgNyBbSS1ELmlldGYt aHR0cGJpcy1wNy1hdXRoXSwgdGhlCiAgIGNsaWVudCB1c2VzIHRoZSAiQmVhcmVyIiBhdXRoZW50 aWNhdGlvbiBzY2hlbWUgdG8gdHJhbnNtaXQgdGhlIGFjY2VzcwogICB0b2tlbi4KCgoKCgoKCgpK b25lcywgZXQgYWwuICAgICAgICAgICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAg ICAgICAgW1BhZ2UgNV0KDApJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJl ciBUb2tlbnMgICAgICAgICAgIERlY2VtYmVyIDIwMTEKCgogICBGb3IgZXhhbXBsZToKCiAgIEdF VCAvcmVzb3VyY2UgSFRUUC8xLjEKICAgSG9zdDogc2VydmVyLmV4YW1wbGUuY29tCiAgIEF1dGhv cml6YXRpb246IEJlYXJlciB2RjlkZnQ0cW1UCgogICBUaGUgIkF1dGhvcml6YXRpb24iIGhlYWRl ciBmaWVsZCB1c2VzIHRoZSBmcmFtZXdvcmsgZGVmaW5lZCBieQogICBIVFRQLzEuMSwgUGFydCA3 IFtJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGhdIGFzIGZvbGxvd3M6CgogICBjcmVkZW50aWFscyA9 ICJCZWFyZXIiIDEqU1AgYjY0dG9rZW4KCiAgIFRoZSBiNjR0b2tlbiBzeW50YXggd2FzIGNob3Nl biBvdmVyIHRoZSBhbHRlcm5hdGl2ZSAjYXV0aC1wYXJhbQogICBzeW50YXggYWxzbyBkZWZpbmVk IGJ5IEhUVFAvMS4xLCBQYXJ0IDcgW0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aF0KICAgYm90aCBm b3Igc2ltcGxpY2l0eSBhbmQgZm9yIGNvbXBhdGliaWxpdHkgd2l0aCBleGlzdGluZwogICBpbXBs ZW1lbnRhdGlvbnMuICBJZiBhZGRpdGlvbmFsIHBhcmFtZXRlcnMgYXJlIG5lZWRlZCBpbiB0aGUg ZnV0dXJlLAogICBhIGRpZmZlcmVudCBzY2hlbWUgd291bGQgbmVlZCB0byBiZSBkZWZpbmVkLgoK ICAgQ2xpZW50cyBTSE9VTEQgbWFrZSBhdXRoZW50aWNhdGVkIHJlcXVlc3RzIHdpdGggYSBiZWFy ZXIgdG9rZW4gdXNpbmcKICAgdGhlICJBdXRob3JpemF0aW9uIiByZXF1ZXN0IGhlYWRlciBmaWVs ZCB3aXRoIHRoZSAiQmVhcmVyIiBIVFRQCiAgIGF1dGhvcml6YXRpb24gc2NoZW1lLiAgUmVzb3Vy Y2Ugc2VydmVycyBNVVNUIHN1cHBvcnQgdGhpcyBtZXRob2QuCgoyLjIuICBGb3JtLUVuY29kZWQg Qm9keSBQYXJhbWV0ZXIKCiAgIFdoZW4gc2VuZGluZyB0aGUgYWNjZXNzIHRva2VuIGluIHRoZSBI VFRQIHJlcXVlc3QgZW50aXR5LWJvZHksIHRoZQogICBjbGllbnQgYWRkcyB0aGUgYWNjZXNzIHRv a2VuIHRvIHRoZSByZXF1ZXN0IGJvZHkgdXNpbmcgdGhlCiAgICJhY2Nlc3NfdG9rZW4iIHBhcmFt ZXRlci4gIFRoZSBjbGllbnQgTVVTVCBOT1QgdXNlIHRoaXMgbWV0aG9kIHVubGVzcwogICBhbGwg b2YgdGhlIGZvbGxvd2luZyBjb25kaXRpb25zIGFyZSBtZXQ6CgogICBvICBUaGUgSFRUUCByZXF1 ZXN0IGVudGl0eS1ib2R5IGlzIHNpbmdsZS1wYXJ0LgoKICAgbyAgVGhlIGVudGl0eS1ib2R5IGZv bGxvd3MgdGhlIGVuY29kaW5nIHJlcXVpcmVtZW50cyBvZiB0aGUKICAgICAgImFwcGxpY2F0aW9u L3gtd3d3LWZvcm0tdXJsZW5jb2RlZCIgY29udGVudC10eXBlIGFzIGRlZmluZWQgYnkKICAgICAg SFRNTCA0LjAxIFtXM0MuUkVDLWh0bWw0MDEtMTk5OTEyMjRdLgoKICAgbyAgVGhlIEhUVFAgcmVx dWVzdCBlbnRpdHktaGVhZGVyIGluY2x1ZGVzIHRoZSAiQ29udGVudC1UeXBlIiBoZWFkZXIKICAg ICAgZmllbGQgc2V0IHRvICJhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiLgoKICAg byAgVGhlIEhUVFAgcmVxdWVzdCBtZXRob2QgaXMgb25lIGZvciB3aGljaCB0aGUgcmVxdWVzdCBi b2R5IGhhcwogICAgICBkZWZpbmVkIHNlbWFudGljcy4gIEluIHBhcnRpY3VsYXIsIHRoaXMgbWVh bnMgdGhhdCB0aGUgIkdFVCIKICAgICAgbWV0aG9kIE1VU1QgTk9UIGJlIHVzZWQuCgogICBvICBU aGUgY29udGVudCB0byBiZSBlbmNvZGVkIGluIHRoZSBlbnRpdHktYm9keSBNVVNUIGNvbnNpc3Qg ZW50aXJlbHkKICAgICAgb2YgQVNDSUkgY2hhcmFjdGVycy4KCiAgIFRoZSBlbnRpdHktYm9keSBN QVkgaW5jbHVkZSBvdGhlciByZXF1ZXN0LXNwZWNpZmljIHBhcmFtZXRlcnMsIGluCiAgIHdoaWNo IGNhc2UsIHRoZSAiYWNjZXNzX3Rva2VuIiBwYXJhbWV0ZXIgTVVTVCBiZSBwcm9wZXJseSBzZXBh cmF0ZWQKICAgZnJvbSB0aGUgcmVxdWVzdC1zcGVjaWZpYyBwYXJhbWV0ZXJzIHVzaW5nICImIiBj aGFyYWN0ZXIocykgKEFTQ0lJCiAgIGNvZGUgMzgpLgoKCgpKb25lcywgZXQgYWwuICAgICAgICAg ICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAgICAgICAgW1BhZ2UgNl0KDApJbnRl cm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJlciBUb2tlbnMgICAgICAgICAgIERl Y2VtYmVyIDIwMTEKCgogICBGb3IgZXhhbXBsZSwgdGhlIGNsaWVudCBtYWtlcyB0aGUgZm9sbG93 aW5nIEhUVFAgcmVxdWVzdCB1c2luZwogICB0cmFuc3BvcnQtbGF5ZXIgc2VjdXJpdHk6CgogICBQ T1NUIC9yZXNvdXJjZSBIVFRQLzEuMQogICBIb3N0OiBzZXJ2ZXIuZXhhbXBsZS5jb20KICAgQ29u dGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQKCiAgIGFjY2Vzc190 b2tlbj12RjlkZnQ0cW1UCgogICBUaGUgImFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2Rl ZCIgbWV0aG9kIFNIT1VMRCBOT1QgYmUgdXNlZAogICBleGNlcHQgaW4gYXBwbGljYXRpb24gY29u dGV4dHMgd2hlcmUgcGFydGljaXBhdGluZyBicm93c2VycyBkbyBub3QKICAgaGF2ZSBhY2Nlc3Mg dG8gdGhlICJBdXRob3JpemF0aW9uIiByZXF1ZXN0IGhlYWRlciBmaWVsZC4gIFJlc291cmNlCiAg IHNlcnZlcnMgTUFZIHN1cHBvcnQgdGhpcyBtZXRob2QuCgoyLjMuICBVUkkgUXVlcnkgUGFyYW1l dGVyCgogICBXaGVuIHNlbmRpbmcgdGhlIGFjY2VzcyB0b2tlbiBpbiB0aGUgSFRUUCByZXF1ZXN0 IFVSSSwgdGhlIGNsaWVudAogICBhZGRzIHRoZSBhY2Nlc3MgdG9rZW4gdG8gdGhlIHJlcXVlc3Qg VVJJIHF1ZXJ5IGNvbXBvbmVudCBhcyBkZWZpbmVkCiAgIGJ5IFVuaWZvcm0gUmVzb3VyY2UgSWRl bnRpZmllciAoVVJJKSBbUkZDMzk4Nl0gdXNpbmcgdGhlCiAgICJhY2Nlc3NfdG9rZW4iIHBhcmFt ZXRlci4KCiAgIEZvciBleGFtcGxlLCB0aGUgY2xpZW50IG1ha2VzIHRoZSBmb2xsb3dpbmcgSFRU UCByZXF1ZXN0IHVzaW5nCiAgIHRyYW5zcG9ydC1sYXllciBzZWN1cml0eToKCiAgIEdFVCAvcmVz b3VyY2U/YWNjZXNzX3Rva2VuPXZGOWRmdDRxbVQgSFRUUC8xLjEKICAgSG9zdDogc2VydmVyLmV4 YW1wbGUuY29tCgogICBUaGUgSFRUUCByZXF1ZXN0IFVSSSBxdWVyeSBjYW4gaW5jbHVkZSBvdGhl ciByZXF1ZXN0LXNwZWNpZmljCiAgIHBhcmFtZXRlcnMsIGluIHdoaWNoIGNhc2UsIHRoZSAiYWNj ZXNzX3Rva2VuIiBwYXJhbWV0ZXIgTVVTVCBiZQogICBwcm9wZXJseSBzZXBhcmF0ZWQgZnJvbSB0 aGUgcmVxdWVzdC1zcGVjaWZpYyBwYXJhbWV0ZXJzIHVzaW5nICImIgogICBjaGFyYWN0ZXIocykg KEFTQ0lJIGNvZGUgMzgpLgoKICAgRm9yIGV4YW1wbGU6CgogICBodHRwczovL3NlcnZlci5leGFt cGxlLmNvbS9yZXNvdXJjZT94PXkmYWNjZXNzX3Rva2VuPXZGOWRmdDRxbVQmcD1xCgogICBCZWNh dXNlIG9mIHRoZSBzZWN1cml0eSB3ZWFrbmVzc2VzIGFzc29jaWF0ZWQgd2l0aCB0aGUgVVJJIG1l dGhvZAogICAoc2VlIFNlY3Rpb24gNCksIGluY2x1ZGluZyB0aGUgaGlnaCBsaWtlbGlob29kIHRo YXQgdGhlIFVSTAogICBjb250YWluaW5nIHRoZSBhY2Nlc3MgdG9rZW4gd2lsbCBiZSBsb2dnZWQs IGl0IFNIT1VMRCBOT1QgYmUgdXNlZAogICB1bmxlc3MgaXQgaXMgaW1wb3NzaWJsZSB0byB0cmFu c3BvcnQgdGhlIGFjY2VzcyB0b2tlbiBpbiB0aGUKICAgIkF1dGhvcml6YXRpb24iIHJlcXVlc3Qg aGVhZGVyIGZpZWxkIG9yIHRoZSBIVFRQIHJlcXVlc3QgZW50aXR5LWJvZHkuCiAgIFJlc291cmNl IHNlcnZlcnMgTUFZIHN1cHBvcnQgdGhpcyBtZXRob2QuCgoKMy4gIFRoZSBXV1ctQXV0aGVudGlj YXRlIFJlc3BvbnNlIEhlYWRlciBGaWVsZAoKICAgSWYgdGhlIHByb3RlY3RlZCByZXNvdXJjZSBy ZXF1ZXN0IGRvZXMgbm90IGluY2x1ZGUgYXV0aGVudGljYXRpb24KICAgY3JlZGVudGlhbHMgb3Ig ZG9lcyBub3QgY29udGFpbiBhbiBhY2Nlc3MgdG9rZW4gdGhhdCBlbmFibGVzIGFjY2VzcwoKCgpK b25lcywgZXQgYWwuICAgICAgICAgICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAg ICAgICAgW1BhZ2UgN10KDApJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJl ciBUb2tlbnMgICAgICAgICAgIERlY2VtYmVyIDIwMTEKCgogICB0byB0aGUgcHJvdGVjdGVkIHJl c291cmNlLCB0aGUgcmVzb3VyY2Ugc2VydmVyIE1VU1QgaW5jbHVkZSB0aGUgSFRUUAogICAiV1dX LUF1dGhlbnRpY2F0ZSIgcmVzcG9uc2UgaGVhZGVyIGZpZWxkOyBpdCBNQVkgaW5jbHVkZSBpdCBp bgogICByZXNwb25zZSB0byBvdGhlciBjb25kaXRpb25zIGFzIHdlbGwuICBUaGUgIldXVy1BdXRo ZW50aWNhdGUiIGhlYWRlcgogICBmaWVsZCB1c2VzIHRoZSBmcmFtZXdvcmsgZGVmaW5lZCBieSBI VFRQLzEuMSwgUGFydCA3CiAgIFtJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGhdIGFzIGZvbGxvd3M6 CgogICBjaGFsbGVuZ2UgICAgICAgPSAiQmVhcmVyIiBbIDEqU1AgMSNwYXJhbSBdCgogICBwYXJh bSAgICAgICAgICAgPSByZWFsbSAvIHNjb3BlIC8KICAgICAgICAgICAgICAgICAgICAgZXJyb3Ig LyBlcnJvci1kZXNjIC8gZXJyb3ItdXJpIC8KICAgICAgICAgICAgICAgICAgICAgYXV0aC1wYXJh bQoKICAgc2NvcGUgICAgICAgICAgID0gInNjb3BlIiAiPSIgcXVvdGVkLXN0cmluZwogICBlcnJv ciAgICAgICAgICAgPSAiZXJyb3IiICI9IiBxdW90ZWQtc3RyaW5nCiAgIGVycm9yLWRlc2MgICAg ICA9ICJlcnJvcl9kZXNjcmlwdGlvbiIgIj0iIHF1b3RlZC1zdHJpbmcKICAgZXJyb3ItdXJpICAg ICAgID0gImVycm9yX3VyaSIgIj0iIHF1b3RlZC1zdHJpbmcKCiAgIEEgInJlYWxtIiBhdHRyaWJ1 dGUgTUFZIGJlIGluY2x1ZGVkIHRvIGluZGljYXRlIHRoZSBzY29wZSBvZgogICBwcm90ZWN0aW9u IGluIHRoZSBtYW5uZXIgZGVzY3JpYmVkIGluIEhUVFAvMS4xLCBQYXJ0IDcKICAgW0ktRC5pZXRm LWh0dHBiaXMtcDctYXV0aF0uICBUaGUgInJlYWxtIiBhdHRyaWJ1dGUgTVVTVCBOT1QgYXBwZWFy CiAgIG1vcmUgdGhhbiBvbmNlLiAgVGhlICJyZWFsbSIgdmFsdWUgaXMgaW50ZW5kZWQgZm9yIHBy b2dyYW1tYXRpYyB1c2UKICAgYW5kIGlzIG5vdCBtZWFudCB0byBiZSBkaXNwbGF5ZWQgdG8gZW5k IHVzZXJzLgoKICAgVGhlICJzY29wZSIgYXR0cmlidXRlIGlzIGEgc3BhY2UtZGVsaW1pdGVkIGxp c3Qgb2Ygc2NvcGUgdmFsdWVzCiAgIGluZGljYXRpbmcgdGhlIHJlcXVpcmVkIHNjb3BlIG9mIHRo ZSBhY2Nlc3MgdG9rZW4gZm9yIGFjY2Vzc2luZyB0aGUKICAgcmVxdWVzdGVkIHJlc291cmNlLiAg SW4gc29tZSBjYXNlcywgdGhlICJzY29wZSIgdmFsdWUgd2lsbCBiZSB1c2VkCiAgIHdoZW4gcmVx dWVzdGluZyBhIG5ldyBhY2Nlc3MgdG9rZW4gd2l0aCBzdWZmaWNpZW50IHNjb3BlIG9mIGFjY2Vz cyB0bwogICB1dGlsaXplIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UuICBUaGUgInNjb3BlIiBhdHRy aWJ1dGUgTVVTVCBOT1QKICAgYXBwZWFyIG1vcmUgdGhhbiBvbmNlLiAgVGhlICJzY29wZSIgdmFs dWUgaXMgaW50ZW5kZWQgZm9yCiAgIHByb2dyYW1tYXRpYyB1c2UgYW5kIGlzIG5vdCBtZWFudCB0 byBiZSBkaXNwbGF5ZWQgdG8gZW5kIHVzZXJzLgoKICAgSWYgdGhlIHByb3RlY3RlZCByZXNvdXJj ZSByZXF1ZXN0IGluY2x1ZGVkIGFuIGFjY2VzcyB0b2tlbiBhbmQgZmFpbGVkCiAgIGF1dGhlbnRp Y2F0aW9uLCB0aGUgcmVzb3VyY2Ugc2VydmVyIFNIT1VMRCBpbmNsdWRlIHRoZSAiZXJyb3IiCiAg IGF0dHJpYnV0ZSB0byBwcm92aWRlIHRoZSBjbGllbnQgd2l0aCB0aGUgcmVhc29uIHdoeSB0aGUg YWNjZXNzCiAgIHJlcXVlc3Qgd2FzIGRlY2xpbmVkLiAgVGhlIHBhcmFtZXRlciB2YWx1ZSBpcyBk ZXNjcmliZWQgaW4KICAgU2VjdGlvbiAzLjEuICBJbiBhZGRpdGlvbiwgdGhlIHJlc291cmNlIHNl cnZlciBNQVkgaW5jbHVkZSB0aGUKICAgImVycm9yX2Rlc2NyaXB0aW9uIiBhdHRyaWJ1dGUgdG8g cHJvdmlkZSBkZXZlbG9wZXJzIGEgaHVtYW4tcmVhZGFibGUKICAgZXhwbGFuYXRpb24gdGhhdCBp cyBub3QgbWVhbnQgdG8gYmUgZGlzcGxheWVkIHRvIGVuZCB1c2Vycy4gIEl0IGFsc28KICAgTUFZ IGluY2x1ZGUgdGhlICJlcnJvcl91cmkiIGF0dHJpYnV0ZSB3aXRoIGFuIGFic29sdXRlIFVSSQog ICBpZGVudGlmeWluZyBhIGh1bWFuLXJlYWRhYmxlIHdlYiBwYWdlIGV4cGxhaW5pbmcgdGhlIGVy cm9yLiAgVGhlCiAgICJlcnJvciIsICJlcnJvcl9kZXNjcmlwdGlvbiIsIGFuZCAiZXJyb3JfdXJp IiBhdHRyaWJ1dGVzIE1VU1QgTk9UCiAgIGFwcGVhciBtb3JlIHRoYW4gb25jZS4KCiAgIFByb2R1 Y2VycyBvZiAic2NvcGUiIHN0cmluZ3MgTVVTVCBOT1QgdXNlIGNoYXJhY3RlcnMgb3V0c2lkZSB0 aGUgc2V0CiAgICV4MjEgLyAleDIzLTVCIC8gJXg1RC03RSBmb3IgcmVwcmVzZW50aW5nIHRoZSBz Y29wZSB2YWx1ZXMgYW5kICV4MjAKICAgZm9yIHRoZSBkZWxpbWl0ZXIuICBQcm9kdWNlcnMgb2Yg ImVycm9yIiBhbmQgImVycm9yX2Rlc2NyaXB0aW9uIgogICBzdHJpbmdzIE1VU1QgTk9UIHVzZSBj aGFyYWN0ZXJzIG91dHNpZGUgdGhlIHNldCAleDIwLTIxIC8gJXgyMy01QiAvCiAgICV4NUQtN0Ug Zm9yIHJlcHJlc2VudGluZyB0aGVzZSB2YWx1ZXMuICBQcm9kdWNlcnMgb2YgImVycm9yLXVyaSIK CgoKSm9uZXMsIGV0IGFsLiAgICAgICAgICAgICBFeHBpcmVzIEp1bmUgMTQsIDIwMTIgICAgICAg ICAgICAgICAgIFtQYWdlIDhdCgwKSW50ZXJuZXQtRHJhZnQgICAgICAgICAgIE9BdXRoIDIuMCBC ZWFyZXIgVG9rZW5zICAgICAgICAgICBEZWNlbWJlciAyMDExCgoKICAgc3RyaW5ncyBNVVNUIE5P VCB1c2UgY2hhcmFjdGVycyBvdXRzaWRlIHRoZSBzZXQgJXgyMSAvICV4MjMtNUIgLwogICAleDVE LTdFIGZvciByZXByZXNlbnRpbmcgdGhlc2UgdmFsdWVzLiAgRnVydGhlcm1vcmUsICJlcnJvci11 cmkiCiAgIHN0cmluZ3MgTVVTVCBjb25mb3JtIHRvIHRoZSBVUkktUmVmZXJlbmNlIHN5bnRheC4g IEluIGFsbCB0aGVzZQogICBjYXNlcywgbm8gY2hhcmFjdGVyIHF1b3Rpbmcgd2lsbCBvY2N1ciwg YXMgc2VuZGVycyBhcmUgcHJvaGliaXRlZAogICBmcm9tIHVzaW5nIHRoZSAlNUMgKCdcJykgY2hh cmFjdGVyLgoKICAgRm9yIGV4YW1wbGUsIGluIHJlc3BvbnNlIHRvIGEgcHJvdGVjdGVkIHJlc291 cmNlIHJlcXVlc3Qgd2l0aG91dAogICBhdXRoZW50aWNhdGlvbjoKCiAgIEhUVFAvMS4xIDQwMSBV bmF1dGhvcml6ZWQKICAgV1dXLUF1dGhlbnRpY2F0ZTogQmVhcmVyIHJlYWxtPSJleGFtcGxlIgoK ICAgQW5kIGluIHJlc3BvbnNlIHRvIGEgcHJvdGVjdGVkIHJlc291cmNlIHJlcXVlc3Qgd2l0aCBh bgogICBhdXRoZW50aWNhdGlvbiBhdHRlbXB0IHVzaW5nIGFuIGV4cGlyZWQgYWNjZXNzIHRva2Vu OgoKICAgSFRUUC8xLjEgNDAxIFVuYXV0aG9yaXplZAogICBXV1ctQXV0aGVudGljYXRlOiBCZWFy ZXIgcmVhbG09ImV4YW1wbGUiLAogICAgICAgICAgICAgICAgICAgICBlcnJvcj0iaW52YWxpZF90 b2tlbiIsCiAgICAgICAgICAgICAgICAgICAgIGVycm9yX2Rlc2NyaXB0aW9uPSJUaGUgYWNjZXNz IHRva2VuIGV4cGlyZWQiCgozLjEuICBFcnJvciBDb2RlcwoKICAgV2hlbiBhIHJlcXVlc3QgZmFp bHMsIHRoZSByZXNvdXJjZSBzZXJ2ZXIgcmVzcG9uZHMgdXNpbmcgdGhlCiAgIGFwcHJvcHJpYXRl IEhUVFAgc3RhdHVzIGNvZGUgKHR5cGljYWxseSwgNDAwLCA0MDEsIDQwMywgb3IgNDA1KSwgYW5k CiAgIGluY2x1ZGVzIG9uZSBvZiB0aGUgZm9sbG93aW5nIGVycm9yIGNvZGVzIGluIHRoZSByZXNw b25zZToKCiAgIGludmFsaWRfcmVxdWVzdAogICAgICAgICBUaGUgcmVxdWVzdCBpcyBtaXNzaW5n IGEgcmVxdWlyZWQgcGFyYW1ldGVyLCBpbmNsdWRlcyBhbgogICAgICAgICB1bnN1cHBvcnRlZCBw YXJhbWV0ZXIgb3IgcGFyYW1ldGVyIHZhbHVlLCByZXBlYXRzIHRoZSBzYW1lCiAgICAgICAgIHBh cmFtZXRlciwgdXNlcyBtb3JlIHRoYW4gb25lIG1ldGhvZCBmb3IgaW5jbHVkaW5nIGFuIGFjY2Vz cwogICAgICAgICB0b2tlbiwgb3IgaXMgb3RoZXJ3aXNlIG1hbGZvcm1lZC4gIFRoZSByZXNvdXJj ZSBzZXJ2ZXIgU0hPVUxECiAgICAgICAgIHJlc3BvbmQgd2l0aCB0aGUgSFRUUCA0MDAgKEJhZCBS ZXF1ZXN0KSBzdGF0dXMgY29kZS4KCiAgIGludmFsaWRfdG9rZW4KICAgICAgICAgVGhlIGFjY2Vz cyB0b2tlbiBwcm92aWRlZCBpcyBleHBpcmVkLCByZXZva2VkLCBtYWxmb3JtZWQsIG9yCiAgICAg ICAgIGludmFsaWQgZm9yIG90aGVyIHJlYXNvbnMuICBUaGUgcmVzb3VyY2UgU0hPVUxEIHJlc3Bv bmQgd2l0aAogICAgICAgICB0aGUgSFRUUCA0MDEgKFVuYXV0aG9yaXplZCkgc3RhdHVzIGNvZGUu ICBUaGUgY2xpZW50IE1BWQogICAgICAgICByZXF1ZXN0IGEgbmV3IGFjY2VzcyB0b2tlbiBhbmQg cmV0cnkgdGhlIHByb3RlY3RlZCByZXNvdXJjZQogICAgICAgICByZXF1ZXN0LgoKICAgaW5zdWZm aWNpZW50X3Njb3BlCiAgICAgICAgIFRoZSByZXF1ZXN0IHJlcXVpcmVzIGhpZ2hlciBwcml2aWxl Z2VzIHRoYW4gcHJvdmlkZWQgYnkgdGhlCiAgICAgICAgIGFjY2VzcyB0b2tlbi4gIFRoZSByZXNv dXJjZSBzZXJ2ZXIgU0hPVUxEIHJlc3BvbmQgd2l0aCB0aGUgSFRUUAogICAgICAgICA0MDMgKEZv cmJpZGRlbikgc3RhdHVzIGNvZGUgYW5kIE1BWSBpbmNsdWRlIHRoZSAic2NvcGUiCiAgICAgICAg IGF0dHJpYnV0ZSB3aXRoIHRoZSBzY29wZSBuZWNlc3NhcnkgdG8gYWNjZXNzIHRoZSBwcm90ZWN0 ZWQKICAgICAgICAgcmVzb3VyY2UuCgogICBJZiB0aGUgcmVxdWVzdCBsYWNrcyBhbnkgYXV0aGVu dGljYXRpb24gaW5mb3JtYXRpb24gKGkuZS4gdGhlIGNsaWVudAoKCgpKb25lcywgZXQgYWwuICAg ICAgICAgICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAgICAgICAgW1BhZ2UgOV0K DApJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJlciBUb2tlbnMgICAgICAg ICAgIERlY2VtYmVyIDIwMTEKCgogICB3YXMgdW5hd2FyZSBhdXRoZW50aWNhdGlvbiBpcyBuZWNl c3Nhcnkgb3IgYXR0ZW1wdGVkIHVzaW5nIGFuCiAgIHVuc3VwcG9ydGVkIGF1dGhlbnRpY2F0aW9u IG1ldGhvZCksIHRoZSByZXNvdXJjZSBzZXJ2ZXIgU0hPVUxEIE5PVAogICBpbmNsdWRlIGFuIGVy cm9yIGNvZGUgb3Igb3RoZXIgZXJyb3IgaW5mb3JtYXRpb24uCgogICBGb3IgZXhhbXBsZToKCiAg IEhUVFAvMS4xIDQwMSBVbmF1dGhvcml6ZWQKICAgV1dXLUF1dGhlbnRpY2F0ZTogQmVhcmVyIHJl YWxtPSJleGFtcGxlIgoKCjQuICBTZWN1cml0eSBDb25zaWRlcmF0aW9ucwoKICAgVGhpcyBzZWN0 aW9uIGRlc2NyaWJlcyB0aGUgcmVsZXZhbnQgc2VjdXJpdHkgdGhyZWF0cyByZWdhcmRpbmcgdG9r ZW4KICAgaGFuZGxpbmcgd2hlbiB1c2luZyBiZWFyZXIgdG9rZW5zIGFuZCBkZXNjcmliZXMgaG93 IHRvIG1pdGlnYXRlIHRoZXNlCiAgIHRocmVhdHMuCgo0LjEuICBTZWN1cml0eSBUaHJlYXRzCgog ICBUaGUgZm9sbG93aW5nIGxpc3QgcHJlc2VudHMgc2V2ZXJhbCBjb21tb24gdGhyZWF0cyBhZ2Fp bnN0IHByb3RvY29scwogICB1dGlsaXppbmcgc29tZSBmb3JtIG9mIHRva2Vucy4gIFRoaXMgbGlz dCBvZiB0aHJlYXRzIGlzIGJhc2VkIG9uIE5JU1QKICAgU3BlY2lhbCBQdWJsaWNhdGlvbiA4MDAt NjMgW05JU1Q4MDAtNjNdLiAgU2luY2UgdGhpcyBkb2N1bWVudCBidWlsZHMKICAgb24gdGhlIE9B dXRoIDIuMCBzcGVjaWZpY2F0aW9uLCB3ZSBleGNsdWRlIGEgZGlzY3Vzc2lvbiBvZiB0aHJlYXRz CiAgIHRoYXQgYXJlIGRlc2NyaWJlZCB0aGVyZSBvciBpbiByZWxhdGVkIGRvY3VtZW50cy4KCiAg IFRva2VuIG1hbnVmYWN0dXJlL21vZGlmaWNhdGlvbjogIEFuIGF0dGFja2VyIG1heSBnZW5lcmF0 ZSBhIGJvZ3VzCiAgICAgIHRva2VuIG9yIG1vZGlmeSB0aGUgdG9rZW4gY29udGVudHMgKHN1Y2gg YXMgdGhlIGF1dGhlbnRpY2F0aW9uIG9yCiAgICAgIGF0dHJpYnV0ZSBzdGF0ZW1lbnRzKSBvZiBh biBleGlzdGluZyB0b2tlbiwgY2F1c2luZyB0aGUgcmVzb3VyY2UKICAgICAgc2VydmVyIHRvIGdy YW50IGluYXBwcm9wcmlhdGUgYWNjZXNzIHRvIHRoZSBjbGllbnQuICBGb3IgZXhhbXBsZSwKICAg ICAgYW4gYXR0YWNrZXIgbWF5IG1vZGlmeSB0aGUgdG9rZW4gdG8gZXh0ZW5kIHRoZSB2YWxpZGl0 eSBwZXJpb2Q7IGEKICAgICAgbWFsaWNpb3VzIGNsaWVudCBtYXkgbW9kaWZ5IHRoZSBhc3NlcnRp b24gdG8gZ2FpbiBhY2Nlc3MgdG8KICAgICAgaW5mb3JtYXRpb24gdGhhdCB0aGV5IHNob3VsZCBu b3QgYmUgYWJsZSB0byB2aWV3LgoKICAgVG9rZW4gZGlzY2xvc3VyZTogIFRva2VucyBtYXkgY29u dGFpbiBhdXRoZW50aWNhdGlvbiBhbmQgYXR0cmlidXRlCiAgICAgIHN0YXRlbWVudHMgdGhhdCBp bmNsdWRlIHNlbnNpdGl2ZSBpbmZvcm1hdGlvbi4KCiAgIFRva2VuIHJlZGlyZWN0OiAgQW4gYXR0 YWNrZXIgdXNlcyBhIHRva2VuIGdlbmVyYXRlZCBmb3IgY29uc3VtcHRpb24KICAgICAgYnkgb25l IHJlc291cmNlIHNlcnZlciB0byBnYWluIGFjY2VzcyB0byBhIGRpZmZlcmVudCByZXNvdXJjZQog ICAgICBzZXJ2ZXIgdGhhdCBtaXN0YWtlbmx5IGJlbGlldmVzIHRoZSB0b2tlbiB0byBiZSBmb3Ig aXQuCgogICBUb2tlbiByZXBsYXk6ICBBbiBhdHRhY2tlciBhdHRlbXB0cyB0byB1c2UgYSB0b2tl biB0aGF0IGhhcyBhbHJlYWR5CiAgICAgIGJlZW4gdXNlZCB3aXRoIHRoYXQgcmVzb3VyY2Ugc2Vy dmVyIGluIHRoZSBwYXN0LgoKNC4yLiAgVGhyZWF0IE1pdGlnYXRpb24KCiAgIEEgbGFyZ2UgcmFu Z2Ugb2YgdGhyZWF0cyBjYW4gYmUgbWl0aWdhdGVkIGJ5IHByb3RlY3RpbmcgdGhlIGNvbnRlbnRz CiAgIG9mIHRoZSB0b2tlbiBieSB1c2luZyBhIGRpZ2l0YWwgc2lnbmF0dXJlIG9yIGEgTWVzc2Fn ZSBBdXRoZW50aWNhdGlvbgogICBDb2RlIChNQUMpLiAgQWx0ZXJuYXRpdmVseSwgYSBiZWFyZXIg dG9rZW4gY2FuIGNvbnRhaW4gYSByZWZlcmVuY2UgdG8KICAgYXV0aG9yaXphdGlvbiBpbmZvcm1h dGlvbiwgcmF0aGVyIHRoYW4gZW5jb2RpbmcgdGhlIGluZm9ybWF0aW9uCgoKCkpvbmVzLCBldCBh bC4gICAgICAgICAgICAgRXhwaXJlcyBKdW5lIDE0LCAyMDEyICAgICAgICAgICAgICAgIFtQYWdl IDEwXQoMCkludGVybmV0LURyYWZ0ICAgICAgICAgICBPQXV0aCAyLjAgQmVhcmVyIFRva2VucyAg ICAgICAgICAgRGVjZW1iZXIgMjAxMQoKCiAgIGRpcmVjdGx5LiAgU3VjaCByZWZlcmVuY2VzIE1V U1QgYmUgaW5mZWFzaWJsZSBmb3IgYW4gYXR0YWNrZXIgdG8KICAgZ3Vlc3M7IHVzaW5nIGEgcmVm ZXJlbmNlIG1heSByZXF1aXJlIGFuIGV4dHJhIGludGVyYWN0aW9uIGJldHdlZW4gYQogICBzZXJ2 ZXIgYW5kIHRoZSB0b2tlbiBpc3N1ZXIgdG8gcmVzb2x2ZSB0aGUgcmVmZXJlbmNlIHRvIHRoZQog ICBhdXRob3JpemF0aW9uIGluZm9ybWF0aW9uLiAgVGhlIG1lY2hhbmljcyBvZiBzdWNoIGFuIGlu dGVyYWN0aW9uIGFyZQogICBub3QgZGVmaW5lZCBieSB0aGlzIHNwZWNpZmljYXRpb24uCgogICBU aGlzIGRvY3VtZW50IGRvZXMgbm90IHNwZWNpZnkgdGhlIGVuY29kaW5nIG9yIHRoZSBjb250ZW50 cyBvZiB0aGUKICAgdG9rZW47IGhlbmNlIGRldGFpbGVkIHJlY29tbWVuZGF0aW9ucyBhYm91dCB0 aGUgbWVhbnMgb2YgZ3VhcmFudGVlaW5nCiAgIHRva2VuIGludGVncml0eSBwcm90ZWN0aW9uIGFy ZSBvdXRzaWRlIHRoZSBzY29wZSBvZiB0aGlzIGRvY3VtZW50LgogICBUaGUgdG9rZW4gaW50ZWdy aXR5IHByb3RlY3Rpb24gTVVTVCBiZSBzdWZmaWNpZW50IHRvIHByZXZlbnQgdGhlCiAgIHRva2Vu IGZyb20gYmVpbmcgbW9kaWZpZWQuCgogICBUbyBkZWFsIHdpdGggdG9rZW4gcmVkaXJlY3QsIGl0 IGlzIGltcG9ydGFudCBmb3IgdGhlIGF1dGhvcml6YXRpb24KICAgc2VydmVyIHRvIGluY2x1ZGUg dGhlIGlkZW50aXR5IG9mIHRoZSBpbnRlbmRlZCByZWNpcGllbnRzICh0aGUKICAgYXVkaWVuY2Up LCB0eXBpY2FsbHkgYSBzaW5nbGUgcmVzb3VyY2Ugc2VydmVyIChvciBhIGxpc3Qgb2YgcmVzb3Vy Y2UKICAgc2VydmVycyksIGluIHRoZSB0b2tlbi4gIFJlc3RyaWN0aW5nIHRoZSB1c2Ugb2YgdGhl IHRva2VuIHRvIGEKICAgc3BlY2lmaWMgc2NvcGUgaXMgYWxzbyBSRUNPTU1FTkRFRC4KCiAgIFRo ZSBhdXRob3JpemF0aW9uIHNlcnZlciBNVVNUIGltcGxlbWVudCBUTFMuICBXaGljaCB2ZXJzaW9u KHMpIG91Z2h0CiAgIHRvIGJlIGltcGxlbWVudGVkIHdpbGwgdmFyeSBvdmVyIHRpbWUsIGFuZCBk ZXBlbmQgb24gdGhlIHdpZGVzcHJlYWQKICAgZGVwbG95bWVudCBhbmQga25vd24gc2VjdXJpdHkg dnVsbmVyYWJpbGl0aWVzIGF0IHRoZSB0aW1lIG9mCiAgIGltcGxlbWVudGF0aW9uLiAgQXQgdGhl IHRpbWUgb2YgdGhpcyB3cml0aW5nLCBUTFMgdmVyc2lvbiAxLjIKICAgW1JGQzUyNDZdIGlzIHRo ZSBtb3N0IHJlY2VudCB2ZXJzaW9uLCBidXQgaGFzIHZlcnkgbGltaXRlZCBhY3R1YWwKICAgZGVw bG95bWVudCwgYW5kIG1pZ2h0IG5vdCBiZSByZWFkaWx5IGF2YWlsYWJsZSBpbiBpbXBsZW1lbnRh dGlvbgogICB0b29sa2l0cy4gIFRMUyB2ZXJzaW9uIDEuMCBbUkZDMjI0Nl0gaXMgdGhlIG1vc3Qg d2lkZWx5IGRlcGxveWVkCiAgIHZlcnNpb24sIGFuZCB3aWxsIGdpdmUgdGhlIGJyb2FkZXN0IGlu dGVyb3BlcmFiaWxpdHkuCgogICBUbyBwcm90ZWN0IGFnYWluc3QgdG9rZW4gZGlzY2xvc3VyZSwg Y29uZmlkZW50aWFsaXR5IHByb3RlY3Rpb24gTVVTVAogICBiZSBhcHBsaWVkIHVzaW5nIFRMUyBb UkZDNTI0Nl0gd2l0aCBhIGNpcGhlcnN1aXRlIHRoYXQgcHJvdmlkZXMKICAgY29uZmlkZW50aWFs aXR5IGFuZCBpbnRlZ3JpdHkgcHJvdGVjdGlvbi4gIFRoaXMgcmVxdWlyZXMgdGhhdCB0aGUKICAg Y29tbXVuaWNhdGlvbiBpbnRlcmFjdGlvbiBiZXR3ZWVuIHRoZSBjbGllbnQgYW5kIHRoZSBhdXRo b3JpemF0aW9uCiAgIHNlcnZlciwgYXMgd2VsbCBhcyB0aGUgaW50ZXJhY3Rpb24gYmV0d2VlbiB0 aGUgY2xpZW50IGFuZCB0aGUKICAgcmVzb3VyY2Ugc2VydmVyLCB1dGlsaXplIGNvbmZpZGVudGlh bGl0eSBhbmQgaW50ZWdyaXR5IHByb3RlY3Rpb24uCiAgIFNpbmNlIFRMUyBpcyBtYW5kYXRvcnkg dG8gaW1wbGVtZW50IGFuZCB0byB1c2Ugd2l0aCB0aGlzCiAgIHNwZWNpZmljYXRpb24sIGl0IGlz IHRoZSBwcmVmZXJyZWQgYXBwcm9hY2ggZm9yIHByZXZlbnRpbmcgdG9rZW4KICAgZGlzY2xvc3Vy ZSB2aWEgdGhlIGNvbW11bmljYXRpb24gY2hhbm5lbC4gIEZvciB0aG9zZSBjYXNlcyB3aGVyZSB0 aGUKICAgY2xpZW50IGlzIHByZXZlbnRlZCBmcm9tIG9ic2VydmluZyB0aGUgY29udGVudHMgb2Yg dGhlIHRva2VuLCB0b2tlbgogICBlbmNyeXB0aW9uIE1VU1QgYmUgYXBwbGllZCBpbiBhZGRpdGlv biB0byB0aGUgdXNhZ2Ugb2YgVExTCiAgIHByb3RlY3Rpb24uICBBcyBhIGZ1cnRoZXIgZGVmZW5z ZSBhZ2FpbnN0IHRva2VuIGRpc2Nsb3N1cmUsIHRoZQogICBjbGllbnQgTVVTVCB2YWxpZGF0ZSB0 aGUgVExTIGNlcnRpZmljYXRlIGNoYWluIHdoZW4gbWFraW5nIHJlcXVlc3RzCiAgIHRvIHByb3Rl Y3RlZCByZXNvdXJjZXMuCgogICBDb29raWVzIGFyZSB0eXBpY2FsbHkgdHJhbnNtaXR0ZWQgaW4g dGhlIGNsZWFyLiAgVGh1cywgYW55CiAgIGluZm9ybWF0aW9uIGNvbnRhaW5lZCBpbiB0aGVtIGlz IGF0IHJpc2sgb2YgZGlzY2xvc3VyZS4gIFRoZXJlZm9yZSwKICAgYmVhcmVyIHRva2VucyBNVVNU IE5PVCBiZSBzdG9yZWQgaW4gY29va2llcyB0aGF0IGNhbiBiZSBzZW50IGluIHRoZQogICBjbGVh ci4KCiAgIEluIHNvbWUgZGVwbG95bWVudHMsIGluY2x1ZGluZyB0aG9zZSB1dGlsaXppbmcgbG9h ZCBiYWxhbmNlcnMsIHRoZQoKCgpKb25lcywgZXQgYWwuICAgICAgICAgICAgIEV4cGlyZXMgSnVu ZSAxNCwgMjAxMiAgICAgICAgICAgICAgICBbUGFnZSAxMV0KDApJbnRlcm5ldC1EcmFmdCAgICAg ICAgICAgT0F1dGggMi4wIEJlYXJlciBUb2tlbnMgICAgICAgICAgIERlY2VtYmVyIDIwMTEKCgog ICBUTFMgY29ubmVjdGlvbiB0byB0aGUgcmVzb3VyY2Ugc2VydmVyIHRlcm1pbmF0ZXMgcHJpb3Ig dG8gdGhlIGFjdHVhbAogICBzZXJ2ZXIgdGhhdCBwcm92aWRlcyB0aGUgcmVzb3VyY2UuICBUaGlz IGNvdWxkIGxlYXZlIHRoZSB0b2tlbgogICB1bnByb3RlY3RlZCBiZXR3ZWVuIHRoZSBmcm9udCBl bmQgc2VydmVyIHdoZXJlIHRoZSBUTFMgY29ubmVjdGlvbgogICB0ZXJtaW5hdGVzIGFuZCB0aGUg YmFjayBlbmQgc2VydmVyIHRoYXQgcHJvdmlkZXMgdGhlIHJlc291cmNlLiAgSW4KICAgc3VjaCBk ZXBsb3ltZW50cywgc3VmZmljaWVudCBtZWFzdXJlcyBNVVNUIGJlIGVtcGxveWVkIHRvIGVuc3Vy ZQogICBjb25maWRlbnRpYWxpdHkgb2YgdGhlIHRva2VuIGJldHdlZW4gdGhlIGZyb250IGVuZCBh bmQgYmFjayBlbmQKICAgc2VydmVyczsgZW5jcnlwdGlvbiBvZiB0aGUgdG9rZW4gaXMgb25lIHBv c3NpYmxlIHN1Y2ggbWVhc3VyZS4KCiAgIFRvIGRlYWwgd2l0aCB0b2tlbiBjYXB0dXJlIGFuZCBy ZXBsYXksIHRoZSBmb2xsb3dpbmcgcmVjb21tZW5kYXRpb25zCiAgIGFyZSBtYWRlOiBGaXJzdCwg dGhlIGxpZmV0aW1lIG9mIHRoZSB0b2tlbiBNVVNUIGJlIGxpbWl0ZWQ7IG9uZSBtZWFucwogICBv ZiBhY2hpZXZpbmcgdGhpcyBpcyBieSBwdXR0aW5nIGEgdmFsaWRpdHkgdGltZSBmaWVsZCBpbnNp ZGUgdGhlCiAgIHByb3RlY3RlZCBwYXJ0IG9mIHRoZSB0b2tlbi4gIE5vdGUgdGhhdCB1c2luZyBz aG9ydC1saXZlZCAob25lIGhvdXIKICAgb3IgbGVzcykgdG9rZW5zIHJlZHVjZXMgdGhlIGltcGFj dCBvZiB0aGVtIGJlaW5nIGxlYWtlZC4gIFNlY29uZCwKICAgY29uZmlkZW50aWFsaXR5IHByb3Rl Y3Rpb24gb2YgdGhlIGV4Y2hhbmdlcyBiZXR3ZWVuIHRoZSBjbGllbnQgYW5kCiAgIHRoZSBhdXRo b3JpemF0aW9uIHNlcnZlciBhbmQgYmV0d2VlbiB0aGUgY2xpZW50IGFuZCB0aGUgcmVzb3VyY2UK ICAgc2VydmVyIE1VU1QgYmUgYXBwbGllZC4gIEFzIGEgY29uc2VxdWVuY2UsIG5vIGVhdmVzZHJv cHBlciBhbG9uZyB0aGUKICAgY29tbXVuaWNhdGlvbiBwYXRoIGlzIGFibGUgdG8gb2JzZXJ2ZSB0 aGUgdG9rZW4gZXhjaGFuZ2UuCiAgIENvbnNlcXVlbnRseSwgc3VjaCBhbiBvbi1wYXRoIGFkdmVy c2FyeSBjYW5ub3QgcmVwbGF5IHRoZSB0b2tlbi4KICAgRnVydGhlcm1vcmUsIHdoZW4gcHJlc2Vu dGluZyB0aGUgdG9rZW4gdG8gYSByZXNvdXJjZSBzZXJ2ZXIsIHRoZQogICBjbGllbnQgTVVTVCB2 ZXJpZnkgdGhlIGlkZW50aXR5IG9mIHRoYXQgcmVzb3VyY2Ugc2VydmVyLCBhcyBwZXIKICAgUmVw cmVzZW50YXRpb24gYW5kIFZlcmlmaWNhdGlvbiBvZiBEb21haW4tQmFzZWQgQXBwbGljYXRpb24g U2VydmljZQogICBJZGVudGl0eSB3aXRoaW4gSW50ZXJuZXQgUHVibGljIEtleSBJbmZyYXN0cnVj dHVyZSBVc2luZyBYLjUwOSAoUEtJWCkKICAgQ2VydGlmaWNhdGVzIGluIHRoZSBDb250ZXh0IG9m IFRyYW5zcG9ydCBMYXllciBTZWN1cml0eSAoVExTKQogICBbUkZDNjEyNV0uICBOb3RlIHRoYXQg dGhlIGNsaWVudCBNVVNUIHZhbGlkYXRlIHRoZSBUTFMgY2VydGlmaWNhdGUKICAgY2hhaW4gd2hl biBtYWtpbmcgdGhlc2UgcmVxdWVzdHMgdG8gcHJvdGVjdGVkIHJlc291cmNlcy4gIFByZXNlbnRp bmcKICAgdGhlIHRva2VuIHRvIGFuIHVuYXV0aGVudGljYXRlZCBhbmQgdW5hdXRob3JpemVkIHJl c291cmNlIHNlcnZlciBvcgogICBmYWlsaW5nIHRvIHZhbGlkYXRlIHRoZSBjZXJ0aWZpY2F0ZSBj aGFpbiB3aWxsIGFsbG93IGFkdmVyc2FyaWVzIHRvCiAgIHN0ZWFsIHRoZSB0b2tlbiBhbmQgZ2Fp biB1bmF1dGhvcml6ZWQgYWNjZXNzIHRvIHByb3RlY3RlZCByZXNvdXJjZXMuCgo0LjMuICBTdW1t YXJ5IG9mIFJlY29tbWVuZGF0aW9ucwoKICAgU2FmZWd1YXJkIGJlYXJlciB0b2tlbnM6ICBDbGll bnQgaW1wbGVtZW50YXRpb25zIE1VU1QgZW5zdXJlIHRoYXQKICAgICAgYmVhcmVyIHRva2VucyBh cmUgbm90IGxlYWtlZCB0byB1bmludGVuZGVkIHBhcnRpZXMsIGFzIHRoZXkgd2lsbAogICAgICBi ZSBhYmxlIHRvIHVzZSB0aGVtIHRvIGdhaW4gYWNjZXNzIHRvIHByb3RlY3RlZCByZXNvdXJjZXMu ICBUaGlzCiAgICAgIGlzIHRoZSBwcmltYXJ5IHNlY3VyaXR5IGNvbnNpZGVyYXRpb24gd2hlbiB1 c2luZyBiZWFyZXIgdG9rZW5zIGFuZAogICAgICB1bmRlcmxpZXMgYWxsIHRoZSBtb3JlIHNwZWNp ZmljIHJlY29tbWVuZGF0aW9ucyB0aGF0IGZvbGxvdy4KCiAgIFZhbGlkYXRlIFNTTCBjZXJ0aWZp Y2F0ZSBjaGFpbnM6ICBUaGUgY2xpZW50IE1VU1QgdmFsaWRhdGUgdGhlIFRMUwogICAgICBjZXJ0 aWZpY2F0ZSBjaGFpbiB3aGVuIG1ha2luZyByZXF1ZXN0cyB0byBwcm90ZWN0ZWQgcmVzb3VyY2Vz LgogICAgICBGYWlsaW5nIHRvIGRvIHNvIG1heSBlbmFibGUgRE5TIGhpamFja2luZyBhdHRhY2tz IHRvIHN0ZWFsIHRoZQogICAgICB0b2tlbiBhbmQgZ2FpbiB1bmludGVuZGVkIGFjY2Vzcy4KCiAg IEFsd2F5cyB1c2UgVExTIChodHRwcyk6ICBDbGllbnRzIE1VU1QgYWx3YXlzIHVzZSBUTFMgW1JG QzUyNDZdCiAgICAgIChodHRwcykgb3IgZXF1aXZhbGVudCB0cmFuc3BvcnQgc2VjdXJpdHkgd2hl biBtYWtpbmcgcmVxdWVzdHMgd2l0aAogICAgICBiZWFyZXIgdG9rZW5zLiAgRmFpbGluZyB0byBk byBzbyBleHBvc2VzIHRoZSB0b2tlbiB0byBudW1lcm91cwogICAgICBhdHRhY2tzIHRoYXQgY291 bGQgZ2l2ZSBhdHRhY2tlcnMgdW5pbnRlbmRlZCBhY2Nlc3MuCgoKCgoKSm9uZXMsIGV0IGFsLiAg ICAgICAgICAgICBFeHBpcmVzIEp1bmUgMTQsIDIwMTIgICAgICAgICAgICAgICAgW1BhZ2UgMTJd CgwKSW50ZXJuZXQtRHJhZnQgICAgICAgICAgIE9BdXRoIDIuMCBCZWFyZXIgVG9rZW5zICAgICAg ICAgICBEZWNlbWJlciAyMDExCgoKICAgRG9uJ3Qgc3RvcmUgYmVhcmVyIHRva2VucyBpbiBjb29r aWVzOiAgSW1wbGVtZW50YXRpb25zIE1VU1QgTk9UIHN0b3JlCiAgICAgIGJlYXJlciB0b2tlbnMg d2l0aGluIGNvb2tpZXMgdGhhdCBjYW4gYmUgc2VudCBpbiB0aGUgY2xlYXIgKHdoaWNoCiAgICAg IGlzIHRoZSBkZWZhdWx0IHRyYW5zbWlzc2lvbiBtb2RlIGZvciBjb29raWVzKS4gIEltcGxlbWVu dGF0aW9ucwogICAgICB0aGF0IGRvIHN0b3JlIGJlYXJlciB0b2tlbnMgaW4gY29va2llcyBNVVNU IHRha2UgcHJlY2F1dGlvbnMKICAgICAgYWdhaW5zdCBjcm9zcyBzaXRlIHJlcXVlc3QgZm9yZ2Vy eS4KCiAgIElzc3VlIHNob3J0LWxpdmVkIGJlYXJlciB0b2tlbnM6ICBUb2tlbiBzZXJ2ZXJzIFNI T1VMRCBpc3N1ZSBzaG9ydC0KICAgICAgbGl2ZWQgKG9uZSBob3VyIG9yIGxlc3MpIGJlYXJlciB0 b2tlbnMsIHBhcnRpY3VsYXJseSB3aGVuIGlzc3VpbmcKICAgICAgdG9rZW5zIHRvIGNsaWVudHMg dGhhdCBydW4gd2l0aGluIGEgd2ViIGJyb3dzZXIgb3Igb3RoZXIKICAgICAgZW52aXJvbm1lbnRz IHdoZXJlIGluZm9ybWF0aW9uIGxlYWthZ2UgbWF5IG9jY3VyLiAgVXNpbmcgc2hvcnQtCiAgICAg IGxpdmVkIGJlYXJlciB0b2tlbnMgY2FuIHJlZHVjZSB0aGUgaW1wYWN0IG9mIHRoZW0gYmVpbmcg bGVha2VkLgoKICAgSXNzdWUgc2NvcGVkIGJlYXJlciB0b2tlbnM6ICBUb2tlbiBzZXJ2ZXJzIFNI T1VMRCBpc3N1ZSBiZWFyZXIgdG9rZW5zCiAgICAgIHRoYXQgY29udGFpbiBhbiBhdWRpZW5jZSBy ZXN0cmljdGlvbiwgc2NvcGluZyB0aGVpciB1c2UgdG8gdGhlCiAgICAgIGludGVuZGVkIHJlbHlp bmcgcGFydHkgb3Igc2V0IG9mIHJlbHlpbmcgcGFydGllcy4KCiAgIERvbid0IHBhc3MgYmVhcmVy IHRva2VucyBpbiBwYWdlIFVSTHM6ICBCZWFyZXIgdG9rZW5zIFNIT1VMRCBOT1QgYmUKICAgICAg cGFzc2VkIGluIHBhZ2UgVVJMcyAoZm9yIGV4YW1wbGUgYXMgcXVlcnkgc3RyaW5nIHBhcmFtZXRl cnMpLgogICAgICBJbnN0ZWFkLCBiZWFyZXIgdG9rZW5zIFNIT1VMRCBiZSBwYXNzZWQgaW4gSFRU UCBtZXNzYWdlIGhlYWRlcnMgb3IKICAgICAgbWVzc2FnZSBib2RpZXMgZm9yIHdoaWNoIGNvbmZp ZGVudGlhbGl0eSBtZWFzdXJlcyBhcmUgdGFrZW4uCiAgICAgIEJyb3dzZXJzLCB3ZWIgc2VydmVy cywgYW5kIG90aGVyIHNvZnR3YXJlIG1heSBub3QgYWRlcXVhdGVseQogICAgICBzZWN1cmUgVVJM cyBpbiB0aGUgYnJvd3NlciBoaXN0b3J5LCB3ZWIgc2VydmVyIGxvZ3MsIGFuZCBvdGhlcgogICAg ICBkYXRhIHN0cnVjdHVyZXMuICBJZiBiZWFyZXIgdG9rZW5zIGFyZSBwYXNzZWQgaW4gcGFnZSBV UkxzLAogICAgICBhdHRhY2tlcnMgbWlnaHQgYmUgYWJsZSB0byBzdGVhbCB0aGVtIGZyb20gdGhl IGhpc3RvcnkgZGF0YSwgbG9ncywKICAgICAgb3Igb3RoZXIgdW5zZWN1cmVkIGxvY2F0aW9ucy4K Cgo1LiAgSUFOQSBDb25zaWRlcmF0aW9ucwoKNS4xLiAgT0F1dGggQWNjZXNzIFRva2VuIFR5cGUg UmVnaXN0cmF0aW9uCgogICBUaGlzIHNwZWNpZmljYXRpb24gcmVnaXN0ZXJzIHRoZSBmb2xsb3dp bmcgYWNjZXNzIHRva2VuIHR5cGUgaW4gdGhlCiAgIE9BdXRoIEFjY2VzcyBUb2tlbiBUeXBlIFJl Z2lzdHJ5LgoKNS4xLjEuICBUaGUgIkJlYXJlciIgT0F1dGggQWNjZXNzIFRva2VuIFR5cGUKCiAg IFR5cGUgbmFtZToKICAgICAgQmVhcmVyCgogICBBZGRpdGlvbmFsIFRva2VuIEVuZHBvaW50IFJl c3BvbnNlIFBhcmFtZXRlcnM6CiAgICAgIChub25lKQoKICAgSFRUUCBBdXRoZW50aWNhdGlvbiBT Y2hlbWUocyk6CiAgICAgIEJlYXJlcgoKCgoKCgoKSm9uZXMsIGV0IGFsLiAgICAgICAgICAgICBF eHBpcmVzIEp1bmUgMTQsIDIwMTIgICAgICAgICAgICAgICAgW1BhZ2UgMTNdCgwKSW50ZXJuZXQt RHJhZnQgICAgICAgICAgIE9BdXRoIDIuMCBCZWFyZXIgVG9rZW5zICAgICAgICAgICBEZWNlbWJl ciAyMDExCgoKICAgQ2hhbmdlIGNvbnRyb2xsZXI6CiAgICAgIElFVEYKCiAgIFNwZWNpZmljYXRp b24gZG9jdW1lbnQocyk6CiAgICAgIFtbIHRoaXMgZG9jdW1lbnQgXV0KCjUuMi4gIEF1dGhlbnRp Y2F0aW9uIFNjaGVtZSBSZWdpc3RyYXRpb24KCiAgIFRoaXMgc3BlY2lmaWNhdGlvbiByZWdpc3Rl cnMgdGhlIGZvbGxvd2luZyBhdXRoZW50aWNhdGlvbiBzY2hlbWUgaW4KICAgdGhlIEF1dGhlbnRp Y2F0aW9uIFNjaGVtZSBSZWdpc3RyeSBkZWZpbmVkIGluIEhUVFAvMS4xLCBQYXJ0IDcKICAgW0kt RC5pZXRmLWh0dHBiaXMtcDctYXV0aF0uCgo1LjIuMS4gIFRoZSAiQmVhcmVyIiBBdXRoZW50aWNh dGlvbiBTY2hlbWUKCiAgIEF1dGhlbnRpY2F0aW9uIFNjaGVtZSBOYW1lOgogICAgICBCZWFyZXIK CiAgIFBvaW50ZXIgdG8gc3BlY2lmaWNhdGlvbiB0ZXh0OgogICAgICBbWyB0aGlzIGRvY3VtZW50 IF1dCgogICBOb3RlcyAob3B0aW9uYWwpOgogICAgICAobm9uZSkKCgo2LiAgUmVmZXJlbmNlcwoK Ni4xLiAgTm9ybWF0aXZlIFJlZmVyZW5jZXMKCiAgIFtJLUQuaWV0Zi1odHRwYmlzLXAxLW1lc3Nh Z2luZ10KICAgICAgICAgICAgICBGaWVsZGluZywgUi4sIEdldHR5cywgSi4sIE1vZ3VsLCBKLiwg TmllbHNlbiwgSC4sCiAgICAgICAgICAgICAgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5l cnMtTGVlLCBULiwgTGFmb24sIFkuLCBhbmQKICAgICAgICAgICAgICBKLiBSZXNjaGtlLCAiSFRU UC8xLjEsIHBhcnQgMTogVVJJcywgQ29ubmVjdGlvbnMsIGFuZAogICAgICAgICAgICAgIE1lc3Nh Z2UgUGFyc2luZyIsIGRyYWZ0LWlldGYtaHR0cGJpcy1wMS1tZXNzYWdpbmctMTcgKHdvcmsKICAg ICAgICAgICAgICBpbiBwcm9ncmVzcyksIE9jdG9iZXIgMjAxMS4KCiAgIFtJLUQuaWV0Zi1odHRw YmlzLXA3LWF1dGhdCiAgICAgICAgICAgICAgRmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1 bCwgSi4sIE5pZWxzZW4sIEguLAogICAgICAgICAgICAgIE1hc2ludGVyLCBMLiwgTGVhY2gsIFAu LCBCZXJuZXJzLUxlZSwgVC4sIExhZm9uLCBZLiwgYW5kCiAgICAgICAgICAgICAgSi4gUmVzY2hr ZSwgIkhUVFAvMS4xLCBwYXJ0IDc6IEF1dGhlbnRpY2F0aW9uIiwKICAgICAgICAgICAgICBkcmFm dC1pZXRmLWh0dHBiaXMtcDctYXV0aC0xNyAod29yayBpbiBwcm9ncmVzcyksCiAgICAgICAgICAg ICAgT2N0b2JlciAyMDExLgoKICAgW0ktRC5pZXRmLW9hdXRoLXYyXQogICAgICAgICAgICAgIEhh bW1lci1MYWhhdiwgRS4sIFJlY29yZG9uLCBELiwgYW5kIEQuIEhhcmR0LCAiVGhlIE9BdXRoCiAg ICAgICAgICAgICAgMi4wIEF1dGhvcml6YXRpb24gUHJvdG9jb2wiLCBkcmFmdC1pZXRmLW9hdXRo LXYyLTIyICh3b3JrCiAgICAgICAgICAgICAgaW4gcHJvZ3Jlc3MpLCBTZXB0ZW1iZXIgMjAxMS4K CiAgIFtSRkMyMTE5XSAgQnJhZG5lciwgUy4sICJLZXkgd29yZHMgZm9yIHVzZSBpbiBSRkNzIHRv IEluZGljYXRlCgoKCkpvbmVzLCBldCBhbC4gICAgICAgICAgICAgRXhwaXJlcyBKdW5lIDE0LCAy MDEyICAgICAgICAgICAgICAgIFtQYWdlIDE0XQoMCkludGVybmV0LURyYWZ0ICAgICAgICAgICBP QXV0aCAyLjAgQmVhcmVyIFRva2VucyAgICAgICAgICAgRGVjZW1iZXIgMjAxMQoKCiAgICAgICAg ICAgICAgUmVxdWlyZW1lbnQgTGV2ZWxzIiwgQkNQIDE0LCBSRkMgMjExOSwgTWFyY2ggMTk5Ny4K CiAgIFtSRkMyMjQ2XSAgRGllcmtzLCBULiBhbmQgQy4gQWxsZW4sICJUaGUgVExTIFByb3RvY29s IFZlcnNpb24gMS4wIiwKICAgICAgICAgICAgICBSRkMgMjI0NiwgSmFudWFyeSAxOTk5LgoKICAg W1JGQzM5ODZdICBCZXJuZXJzLUxlZSwgVC4sIEZpZWxkaW5nLCBSLiwgYW5kIEwuIE1hc2ludGVy LCAiVW5pZm9ybQogICAgICAgICAgICAgIFJlc291cmNlIElkZW50aWZpZXIgKFVSSSk6IEdlbmVy aWMgU3ludGF4IiwgU1REIDY2LAogICAgICAgICAgICAgIFJGQyAzOTg2LCBKYW51YXJ5IDIwMDUu CgogICBbUkZDNTIzNF0gIENyb2NrZXIsIEQuIGFuZCBQLiBPdmVyZWxsLCAiQXVnbWVudGVkIEJO RiBmb3IgU3ludGF4CiAgICAgICAgICAgICAgU3BlY2lmaWNhdGlvbnM6IEFCTkYiLCBTVEQgNjgs IFJGQyA1MjM0LCBKYW51YXJ5IDIwMDguCgogICBbUkZDNTI0Nl0gIERpZXJrcywgVC4gYW5kIEUu IFJlc2NvcmxhLCAiVGhlIFRyYW5zcG9ydCBMYXllciBTZWN1cml0eQogICAgICAgICAgICAgIChU TFMpIFByb3RvY29sIFZlcnNpb24gMS4yIiwgUkZDIDUyNDYsIEF1Z3VzdCAyMDA4LgoKICAgW1JG QzYxMjVdICBTYWludC1BbmRyZSwgUC4gYW5kIEouIEhvZGdlcywgIlJlcHJlc2VudGF0aW9uIGFu ZAogICAgICAgICAgICAgIFZlcmlmaWNhdGlvbiBvZiBEb21haW4tQmFzZWQgQXBwbGljYXRpb24g U2VydmljZSBJZGVudGl0eQogICAgICAgICAgICAgIHdpdGhpbiBJbnRlcm5ldCBQdWJsaWMgS2V5 IEluZnJhc3RydWN0dXJlIFVzaW5nIFguNTA5CiAgICAgICAgICAgICAgKFBLSVgpIENlcnRpZmlj YXRlcyBpbiB0aGUgQ29udGV4dCBvZiBUcmFuc3BvcnQgTGF5ZXIKICAgICAgICAgICAgICBTZWN1 cml0eSAoVExTKSIsIFJGQyA2MTI1LCBNYXJjaCAyMDExLgoKICAgW1czQy5SRUMtaHRtbDQwMS0x OTk5MTIyNF0KICAgICAgICAgICAgICBKYWNvYnMsIEkuLCBSYWdnZXR0LCBELiwgYW5kIEEuIEhv cnMsICJIVE1MIDQuMDEKICAgICAgICAgICAgICBTcGVjaWZpY2F0aW9uIiwgV29ybGQgV2lkZSBX ZWIgQ29uc29ydGl1bQogICAgICAgICAgICAgIFJlY29tbWVuZGF0aW9uIFJFQy1odG1sNDAxLTE5 OTkxMjI0LCBEZWNlbWJlciAxOTk5LAogICAgICAgICAgICAgIDxodHRwOi8vd3d3LnczLm9yZy9U Ui8xOTk5L1JFQy1odG1sNDAxLTE5OTkxMjI0Pi4KCjYuMi4gIEluZm9ybWF0aXZlIFJlZmVyZW5j ZXMKCiAgIFtOSVNUODAwLTYzXQogICAgICAgICAgICAgIEJ1cnIsIFcuLCBEb2Rzb24sIEQuLCBQ ZXJsbmVyLCBSLiwgUG9saywgVC4sIEd1cHRhLCBTLiwKICAgICAgICAgICAgICBhbmQgRS4gTmFi YnVzLCAiTklTVCBTcGVjaWFsIFB1YmxpY2F0aW9uIDgwMC02My0xLAogICAgICAgICAgICAgIElO Rk9STUFUSU9OIFNFQ1VSSVRZIiwgRGVjZW1iZXIgMjAwOC4KCiAgIFtSRkMyNjE2XSAgRmllbGRp bmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIEZyeXN0eWssIEguLAogICAgICAgICAgICAg IE1hc2ludGVyLCBMLiwgTGVhY2gsIFAuLCBhbmQgVC4gQmVybmVycy1MZWUsICJIeXBlcnRleHQK ICAgICAgICAgICAgICBUcmFuc2ZlciBQcm90b2NvbCAtLSBIVFRQLzEuMSIsIFJGQyAyNjE2LCBK dW5lIDE5OTkuCgogICBbUkZDMjYxN10gIEZyYW5rcywgSi4sIEhhbGxhbS1CYWtlciwgUC4sIEhv c3RldGxlciwgSi4sIExhd3JlbmNlLCBTLiwKICAgICAgICAgICAgICBMZWFjaCwgUC4sIEx1b3Rv bmVuLCBBLiwgYW5kIEwuIFN0ZXdhcnQsICJIVFRQCiAgICAgICAgICAgICAgQXV0aGVudGljYXRp b246IEJhc2ljIGFuZCBEaWdlc3QgQWNjZXNzIEF1dGhlbnRpY2F0aW9uIiwKICAgICAgICAgICAg ICBSRkMgMjYxNywgSnVuZSAxOTk5LgoKCkFwcGVuZGl4IEEuICBBY2tub3dsZWRnZW1lbnRzCgog ICBUaGUgZm9sbG93aW5nIHBlb3BsZSBjb250cmlidXRlZCB0byBwcmVsaW1pbmFyeSB2ZXJzaW9u cyBvZiB0aGlzCiAgIGRvY3VtZW50OiBCbGFpbmUgQ29vayAoQlQpLCBCcmlhbiBFYXRvbiAoR29v Z2xlKSwgWWFyb24gWS4gR29sYW5kCgoKCkpvbmVzLCBldCBhbC4gICAgICAgICAgICAgRXhwaXJl cyBKdW5lIDE0LCAyMDEyICAgICAgICAgICAgICAgIFtQYWdlIDE1XQoMCkludGVybmV0LURyYWZ0 ICAgICAgICAgICBPQXV0aCAyLjAgQmVhcmVyIFRva2VucyAgICAgICAgICAgRGVjZW1iZXIgMjAx MQoKCiAgIChNaWNyb3NvZnQpLCBCcmVudCBHb2xkbWFuIChGYWNlYm9vayksIFJhZmZpIEtyaWtv cmlhbiAoVHdpdHRlciksCiAgIEx1a2UgU2hlcGFyZCAoRmFjZWJvb2spLCBhbmQgQWxsZW4gVG9t IChZYWhvbyEpLiAgVGhlIGNvbnRlbnQgYW5kCiAgIGNvbmNlcHRzIHdpdGhpbiBhcmUgYSBwcm9k dWN0IG9mIHRoZSBPQXV0aCBjb21tdW5pdHksIHRoZSBXUkFQCiAgIGNvbW11bml0eSwgYW5kIHRo ZSBPQXV0aCBXb3JraW5nIEdyb3VwLgoKICAgVGhlIE9BdXRoIFdvcmtpbmcgR3JvdXAgaGFzIGRv emVucyBvZiB2ZXJ5IGFjdGl2ZSBjb250cmlidXRvcnMgd2hvCiAgIHByb3Bvc2VkIGlkZWFzIGFu ZCB3b3JkaW5nIGZvciB0aGlzIGRvY3VtZW50LCBpbmNsdWRpbmc6IE1pY2hhZWwKICAgQWRhbXMs IEFtYW5kYSBBbmdhbmVzLCBBbmRyZXcgQXJub3R0LCBEaXJrIEJhbGZhbnosIEpvaG4gQnJhZGxl eSwKICAgQnJpYW4gQ2FtcGJlbGwsIExlYWggQ3VsdmVyLCBCaWxsIGRlIGhPcmEsIEJyaWFuIEVs bGluLCBJZ29yCiAgIEZheW5iZXJnLCBTdGVwaGVuIEZhcnJlbGwsIEdlb3JnZSBGbGV0Y2hlciwg VGltIEZyZWVtYW4sIEV2YW4KICAgR2lsYmVydCwgWWFyb24gWS4gR29sYW5kLCBUaG9tYXMgSGFy ZGpvbm8sIEp1c3RpbiBIYXJ0LCBQaGlsIEh1bnQsCiAgIEpvaG4gS2VtcCwgRXJhbiBIYW1tZXIt TGFoYXYsIENoYXNlbiBMZSBIYXJhLCBCYXJyeSBMZWliYSwgTWljaGFlbCBCLgogICBKb25lcywg VG9yc3RlbiBMb2RkZXJzdGVkdCwgRXZlIE1hbGVyLCBKYW1lcyBNYW5nZXIsIExhdXJlbmNlIE1p YW8sCiAgIFdpbGxpYW0gSi4gTWlsbHMsIENodWNrIE1vcnRpbW9yZSwgQW50aG9ueSBOYWRhbGlu LCBKdWxpYW4gUmVzY2hrZSwKICAgSnVzdGluIFJpY2hlciwgUGV0ZXIgU2FpbnQtQW5kcmUsIE5h dCBTYWtpbXVyYSwgUm9iIFNheXJlLCBNYXJpdXMKICAgU2N1cnRlc2N1LCBOYWl0aWsgU2hhaCwg SnVzdGluIFNtaXRoLCBKZXJlbXkgU3VyaWVsLCBDaHJpc3RpYW4KICAgU3R1ZWJuZXIsIFBhdWwg VGFyamFuLCBIYW5uZXMgVHNjaG9mZW5pZywgRnJhbmtsaW4gVHNlLCBhbmQgU2hhbmUKICAgV2Vl ZGVuLgoKCkFwcGVuZGl4IEIuICBEb2N1bWVudCBIaXN0b3J5CgogICBbWyB0byBiZSByZW1vdmVk IGJ5IHRoZSBSRkMgZWRpdG9yIGJlZm9yZSBwdWJsaWNhdGlvbiBhcyBhbiBSRkMgXV0KCiAgIC0x NQoKICAgbyAgQ2xhcmlmaWVkIHRoYXQgZm9ybS1lbmNvZGVkIGNvbnRlbnQgbXVzdCBjb25zaXN0 IGVudGlyZWx5IG9mIEFTQ0lJCiAgICAgIGNoYXJhY3RlcnMuCgogICBvICBBZGRlZCBUTFMgdmVy c2lvbiByZXF1aXJlbWVudHMuCgogICBvICBBcHBsaWVkIGVkaXRvcmlhbCBpbXByb3ZlbWVudHMg c3VnZ2VzdGVkIGJ5IE1hcmsgTm90dGluZ2hhbSBkdXJpbmcKICAgICAgdGhlIEFQUFMgYXJlYSBy ZXZpZXcuCgogICAtMTQKCiAgIG8gIENoYW5nZXMgbWFkZSBpbiByZXNwb25zZSB0byByZXZpZXcg Y29tbWVudHMgYnkgU2VjdXJpdHkgQXJlYQogICAgICBEaXJlY3RvciBTdGVwaGVuIEZhcnJlbGwu ICBTcGVjaWZpY2FsbHk6CgogICBvICBTdHJlbmd0aGVuZWQgd2FybmluZ3MgYWJvdXQgcGFzc2lu ZyBhbiBhY2Nlc3MgdG9rZW4gYXMgYSBxdWVyeQogICAgICBwYXJhbWV0ZXIgYW5kIG1vcmUgcHJl Y2lzZWx5IGRlc2NyaWJlZCB0aGUgbGltaXRhdGlvbnMgcGxhY2VkIHVwb24KICAgICAgdGhlIHVz ZSBvZiB0aGlzIG1ldGhvZC4KCiAgIG8gIENsYXJpZmllZCB0aGF0IHRoZSAicmVhbG0iIGF0dHJp YnV0ZSBNQVkgaW5jbHVkZWQgdG8gaW5kaWNhdGUgdGhlCiAgICAgIHNjb3BlIG9mIHByb3RlY3Rp b24gaW4gdGhlIG1hbm5lciBkZXNjcmliZWQgaW4gSFRUUC8xLjEsIFBhcnQgNwogICAgICBbSS1E LmlldGYtaHR0cGJpcy1wNy1hdXRoXS4KCgoKCgpKb25lcywgZXQgYWwuICAgICAgICAgICAgIEV4 cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAgICAgICBbUGFnZSAxNl0KDApJbnRlcm5ldC1E cmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJlciBUb2tlbnMgICAgICAgICAgIERlY2VtYmVy IDIwMTEKCgogICBvICBOb3JtYXRpdmVseSBzdGF0ZWQgdGhhdCAidGhlIHRva2VuIGludGVncml0 eSBwcm90ZWN0aW9uIE1VU1QgYmUKICAgICAgc3VmZmljaWVudCB0byBwcmV2ZW50IHRoZSB0b2tl biBmcm9tIGJlaW5nIG1vZGlmaWVkIi4KCiAgIG8gIEFkZGVkIHN0YXRlbWVudCB0aGF0ICJUTFMg aXMgbWFuZGF0b3J5IHRvIGltcGxlbWVudCBhbmQgdXNlIHdpdGgKICAgICAgdGhpcyBzcGVjaWZp Y2F0aW9uIiB0byB0aGUgaW50cm9kdWN0aW9uLgoKICAgbyAgU3RhdGVkIHRoYXQgVExTIE1VU1Qg YmUgdXNlZCB3aXRoICJhIGNpcGhlcnN1aXRlIHRoYXQgcHJvdmlkZXMKICAgICAgY29uZmlkZW50 aWFsaXR5IGFuZCBpbnRlZ3JpdHkgcHJvdGVjdGlvbiIuCgogICBvICBBZGRlZCAiQXMgYSBmdXJ0 aGVyIGRlZmVuc2UgYWdhaW5zdCB0b2tlbiBkaXNjbG9zdXJlLCB0aGUgY2xpZW50CiAgICAgIE1V U1QgdmFsaWRhdGUgdGhlIFRMUyBjZXJ0aWZpY2F0ZSBjaGFpbiB3aGVuIG1ha2luZyByZXF1ZXN0 cyB0bwogICAgICBwcm90ZWN0ZWQgcmVzb3VyY2VzIiB0byB0aGUgVGhyZWF0IE1pdGlnYXRpb24g c2VjdGlvbi4KCiAgIG8gIENsYXJpZmllZCB0aGF0IHB1dHRpbmcgYSB2YWxpZGl0eSB0aW1lIGZp ZWxkIGluc2lkZSB0aGUgcHJvdGVjdGVkCiAgICAgIHBhcnQgb2YgdGhlIHRva2VuIGlzIG9uZSBt ZWFucywgYnV0IG5vdCB0aGUgb25seSBtZWFucywgb2YKICAgICAgbGltaXRpbmcgdGhlIGxpZmV0 aW1lIG9mIHRoZSB0b2tlbi4KCiAgIG8gIERyb3BwZWQgdGhlIGNvbmZ1c2luZyBwaHJhc2UgImZv ciBpbnN0YW5jZSwgdGhyb3VnaCB0aGUgdXNlIG9mCiAgICAgIFRMUyIgZnJvbSB0aGUgc2VudGVu Y2UgYWJvdXQgY29uZmlkZW50aWFsaXR5IHByb3RlY3Rpb24gb2YgdGhlCiAgICAgIGV4Y2hhbmdl cy4KCiAgIG8gIFJlZmVyZW5jZSBSRkMgNjEyNSBmb3IgaWRlbnRpdHkgdmVyaWZpY2F0aW9uLCBy YXRoZXIgdGhhbiBSRkMKICAgICAgMjgxOC4KCiAgIG8gIFN0YXRlZCB0aGF0IHRoZSB0b2tlbiBN VVNUIGJlIHByb3RlY3RlZCBiZXR3ZWVuIGZyb250IGVuZCBhbmQgYmFjawogICAgICBlbmQgc2Vy dmVycyB3aGVuIHRoZSBUTFMgY29ubmVjdGlvbiB0ZXJtaW5hdGVzIGF0IGEgZnJvbnQgZW5kCiAg ICAgIHNlcnZlciB0aGF0IGlzIGRpc3RpbmN0IGZyb20gdGhlIGFjdHVhbCBzZXJ2ZXIgdGhhdCBw cm92aWRlcyB0aGUKICAgICAgcmVzb3VyY2UuCgogICBvICBTdGF0ZWQgdGhhdCBiZWFyZXIgdG9r ZW5zIE1VU1Qgbm90IGJlIHN0b3JlZCBpbiBjb29raWVzIHRoYXQgY2FuCiAgICAgIGJlIHNlbnQg aW4gdGhlIGNsZWFyIGluIHRoZSBUaHJlYXQgTWl0aWdhdGlvbiBzZWN0aW9uLgoKICAgbyAgUmVw bGFjZWQgc29sZSByZW1haW5pbmcgcmVmZXJlbmNlIHRvIFtSRkMyNjE2XSB3aXRoIEhUVFBiaXMK ICAgICAgW0ktRC5pZXRmLWh0dHBiaXMtcDEtbWVzc2FnaW5nXSByZWZlcmVuY2UuCgogICBvICBS ZXBsYWNlZCBhbGwgcmVmZXJlbmNlcyB3aGVyZSB0aGUgcmVmZXJlbmNlIGlzIHVzZWQgYXMgaWYg aXQgd2VyZQogICAgICBwYXJ0IG9mIHRoZSBzZW50ZW5jZSAoc3VjaCBhcyAiZGVmaW5lZCBieSBb SS1ELndoYXRldmVyXSIpIHdpdGgKICAgICAgb25lcyB3aGVyZSB0aGUgc3BlY2lmaWNhdGlvbiBu YW1lIGlzIHVzZWQsIGZvbGxvd2VkIGJ5IHRoZQogICAgICByZWZlcmVuY2UgKHN1Y2ggYXMgImRl ZmluZWQgYnkgV2hhdGV2ZXIgW0ktRC53aGF0ZXZlcl0iKS4KCiAgIG8gIE90aGVyIG9uLW5vcm1h dGl2ZSBlZGl0b3JpYWwgaW1wcm92ZW1lbnRzLgoKICAgLTEzCgogICBvICBBdCB0aGUgcmVxdWVz dCBvZiBIYW5uZXMgVHNjaG9mZW5pZywgbWFkZSBBQk5GIGNoYW5nZXMgdG8gbWFrZSBpdAogICAg ICBjbGVhciB0aGF0IG5vIHNwZWNpYWwgV1dXLUF1dGhlbnRpY2F0ZSByZXNwb25zZSBoZWFkZXIg ZmllbGQKICAgICAgcGFyc2VycyBhcmUgbmVlZGVkLiAgVGhlICJzY29wZSIsICJlcnJvci1kZXNj cmlwdGlvbiIsIGFuZAogICAgICAiZXJyb3ItdXJpIiBwYXJhbWV0ZXJzIGFyZSBhbGwgbm93IGRl ZmluZWQgYXMgcXVvdGVkLXN0cmluZyBpbiB0aGUKCgoKSm9uZXMsIGV0IGFsLiAgICAgICAgICAg ICBFeHBpcmVzIEp1bmUgMTQsIDIwMTIgICAgICAgICAgICAgICAgW1BhZ2UgMTddCgwKSW50ZXJu ZXQtRHJhZnQgICAgICAgICAgIE9BdXRoIDIuMCBCZWFyZXIgVG9rZW5zICAgICAgICAgICBEZWNl bWJlciAyMDExCgoKICAgICAgQUJORiAoYXMgImVycm9yIiBhbHJlYWR5IHdhcykuICBSZXN0cmlj dGlvbnMgb24gdGhlc2UgdmFsdWVzIHRoYXQKICAgICAgd2VyZSBmb3JtZXJseSBkZXNjcmliZWQg aW4gdGhlIEFCTkZzIGFyZSBub3cgZGVzY3JpYmVkIGluCiAgICAgIG5vcm1hdGl2ZSB0ZXh0IGlu c3RlYWQuCgogICAtMTIKCiAgIG8gIE1hZGUgbm9uLW5vcm1hdGl2ZSBlZGl0b3JpYWwgY2hhbmdl cyB0aGF0IEhhbm5lcyBUc2Nob2ZlbmlnCiAgICAgIHJlcXVlc3RlZCBiZSBhcHBsaWVkIHByaW9y IHRvIGZvcndhcmRpbmcgdGhlIHNwZWNpZmljYXRpb24gdG8gdGhlCiAgICAgIElFU0cuCgogICBv ICBBZGRlZCByYXRpb25hbGUgZm9yIHRoZSBjaG9pY2Ugb2YgdGhlIGI2NHRva2VuIHN5bnRheC4K CiAgIG8gIEFkZGVkIHJhdGlvbmFsZSBzdGF0aW5nIHRoYXQgcmVjZWl2ZXJzIGFyZSBmcmVlIHRv IHBhcnNlIHRoZQogICAgICAic2NvcGUiIGF0dHJpYnV0ZSB1c2luZyBhIHN0YW5kYXJkIHF1b3Rl ZC1zdHJpbmcgcGFyc2VyLCBzaW5jZSBpdAogICAgICB3aWxsIGNvcnJlY3RseSBwcm9jZXNzIGFs bCBsZWdhbCAic2NvcGUiIHZhbHVlcy4KCiAgIG8gIEFkZGVkIGFkZGl0aW9uYWwgYWN0aXZlIHdv cmtpbmcgZ3JvdXAgY29udHJpYnV0b3JzIHRvIHRoZQogICAgICBBY2tub3dsZWRnZW1lbnRzIHNl Y3Rpb24uCgogICAtMTEKCiAgIG8gIFJlcGxhY2VkIHVzZXMgb2YgPCI+IHdpdGggRFFVT1RFIHRv IHBhc3MgQUJORiBzeW50YXggY2hlY2suCgogICAtMTAKCiAgIG8gIFJlbW92ZWQgdGhlICNhdXRo LXBhcmFtIG9wdGlvbiBmcm9tIEF1dGhvcml6YXRpb24gaGVhZGVyIHN5bnRheAogICAgICAobGVh dmluZyBvbmx5IHRoZSBiNjR0b2tlbiBzeW50YXgpLgoKICAgbyAgUmVzdHJpY3RlZCB0aGUgInNj b3BlIiB2YWx1ZSBjaGFyYWN0ZXIgc2V0IHRvICV4MjEgLyAleDIzLTVCIC8KICAgICAgJXg1RC03 RSAocHJpbnRhYmxlIEFTQ0lJIGNoYXJhY3RlcnMgZXhjbHVkaW5nIGRvdWJsZS1xdW90ZSBhbmQK ICAgICAgYmFja3NsYXNoKS4gIEluZGljYXRlZCB0aGF0IHNjb3BlIGlzIGludGVuZGVkIGZvciBw cm9ncmFtbWF0aWMgdXNlCiAgICAgIGFuZCBpcyBub3QgbWVhbnQgdG8gYmUgZGlzcGxheWVkIHRv IGVuZCB1c2Vycy4KCiAgIG8gIFJlc3RyaWN0ZWQgdGhlIGNoYXJhY3RlciBzZXQgZm9yICJlcnJv cl9kZXNjcmlwdGlvbiIgc3RyaW5ncyB0byBTUAogICAgICAvIFZDSEFSIGFuZCBpbmRpY2F0ZWQg dGhhdCB0aGV5IGFyZSBub3QgbWVhbnQgdG8gYmUgZGlzcGxheWVkIHRvCiAgICAgIGVuZCB1c2Vy cy4KCiAgIG8gIEluY2x1ZGVkIG1vcmUgZGVzY3JpcHRpb24gaW4gdGhlIEFic3RyYWN0LCBzaW5j ZSBIYW5uZXMgVHNjaG9mZW5pZwogICAgICBpbmRpY2F0ZWQgdGhhdCB0aGUgUkZDIGVkaXRvciB3 b3VsZCByZXF1aXJlIHRoaXMuCgogICBvICBDaGFuZ2VkICJBY2Nlc3MgR3JhbnQiIHRvICJBdXRo b3JpemF0aW9uIEdyYW50IiwgYXMgd2FzIGRvbmUgaW4KICAgICAgdGhlIGNvcmUgc3BlYy4KCiAg IG8gIFNpbXBsaWZpZWQgdGhlIGludHJvZHVjdGlvbiB0byB0aGUgQXV0aGVudGljYXRlZCBSZXF1 ZXN0cyBzZWN0aW9uLgoKICAgLTA5CgoKCgoKSm9uZXMsIGV0IGFsLiAgICAgICAgICAgICBFeHBp cmVzIEp1bmUgMTQsIDIwMTIgICAgICAgICAgICAgICAgW1BhZ2UgMThdCgwKSW50ZXJuZXQtRHJh ZnQgICAgICAgICAgIE9BdXRoIDIuMCBCZWFyZXIgVG9rZW5zICAgICAgICAgICBEZWNlbWJlciAy MDExCgoKICAgbyAgSW5jb3Jwb3JhdGVkIHdvcmtpbmcgZ3JvdXAgbGFzdCBjYWxsIGNvbW1lbnRz LiAgU3BlY2lmaWMgY2hhbmdlcwogICAgICB3ZXJlOgoKICAgbyAgVXNlIGRlZmluaXRpb25zIGZy b20gW0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aF0gcmF0aGVyIHRoYW4KICAgICAgW1JGQzI2MTdd LgoKICAgbyAgVXBkYXRlIGNyZWRlbnRpYWxzIGRlZmluaXRpb24gdG8gY29uZm9ybSB0bwogICAg ICBbSS1ELmlldGYtaHR0cGJpcy1wNy1hdXRoXS4KCiAgIG8gIEZ1cnRoZXIgY2xhcmlmaWVkIHRo YXQgcXVlcnkgcGFyYW1ldGVycyBtYXkgb2NjdXIgaW4gYW55IG9yZGVyLgoKICAgbyAgU3BlY2lm eSB0aGF0IGVycm9yX2Rlc2NyaXB0aW9uIGlzIFVURi04IGVuY29kZWQgKG1hdGNoaW5nIHRoZSBj b3JlCiAgICAgIHNwZWNpZmljYXRpb24pLgoKICAgbyAgUmVnaXN0ZXJlZCAiQmVhcmVyIiBBdXRo ZW50aWNhdGlvbiBTY2hlbWUgaW4gQXV0aGVudGljYXRpb24gU2NoZW1lCiAgICAgIFJlZ2lzdHJ5 IGRlZmluZWQgYnkgW0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aF0uCgogICBvICBVcGRhdGVkIHJl ZmVyZW5jZXMgdG8gb2F1dGgtdjIsIGh0dHBiaXMtcDEtbWVzc2FnaW5nLCBhbmQgaHR0cGJpcy0K ICAgICAgcDctYXV0aCBkcmFmdHMuCgogICBvICBPdGhlciB3b3JkaW5nIGltcHJvdmVtZW50cyBu b3QgaW50cm9kdWNpbmcgbm9ybWF0aXZlIGNoYW5nZXMuCgogICAtMDgKCiAgIG8gIFVwZGF0ZWQg cmVmZXJlbmNlcyB0byBvYXV0aC12MiBhbmQgSFRUUGJpcyBkcmFmdHMuCgogICAtMDcKCiAgIG8g IEFkZGVkIG1pc3NpbmcgY29tbWEgaW4gZXJyb3IgcmVzcG9uc2UgZXhhbXBsZS4KCiAgIC0wNgoK ICAgbyAgQ2hhbmdlZCBwYXJhbWV0ZXIgbmFtZSAiYmVhcmVyX3Rva2VuIiB0byAiYWNjZXNzX3Rv a2VuIiwgcGVyCiAgICAgIHdvcmtpbmcgZ3JvdXAgY29uc2Vuc3VzLgoKICAgbyAgQ2hhbmdlZCBI VFRQIHN0YXR1cyBjb2RlIGZvciAiaW52YWxpZF9yZXF1ZXN0IiBlcnJvciBjb2RlIGZyb20KICAg ICAgSFRUUCA0MDEgKFVuYXV0aG9yaXplZCkgYmFjayB0byBIVFRQIDQwMCAoQmFkIFJlcXVlc3Qp LCBwZXIgaW5wdXQKICAgICAgZnJvbSBIVFRQIHdvcmtpbmcgZ3JvdXAgZXhwZXJ0cy4KCiAgIC0w NQoKICAgbyAgUmVtb3ZlZCBPQXV0aCBFcnJvcnMgUmVnaXN0cnksIHBlciBkZXNpZ24gdGVhbSBp bnB1dC4KCiAgIG8gIENoYW5nZWQgSFRUUCBzdGF0dXMgY29kZSBmb3IgImludmFsaWRfcmVxdWVz dCIgZXJyb3IgY29kZSBmcm9tCiAgICAgIEhUVFAgNDAwIChCYWQgUmVxdWVzdCkgdG8gSFRUUCA0 MDEgKFVuYXV0aG9yaXplZCkgdG8gbWF0Y2ggSFRUUAogICAgICB1c2FnZSBbWyBjaGFuZ2UgcGVu ZGluZyB3b3JraW5nIGdyb3VwIGNvbnNlbnN1cyBdXS4KCgoKCgpKb25lcywgZXQgYWwuICAgICAg ICAgICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAgICAgICBbUGFnZSAxOV0KDApJ bnRlcm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJlciBUb2tlbnMgICAgICAgICAg IERlY2VtYmVyIDIwMTEKCgogICBvICBBZGRlZCBtaXNzaW5nIHF1b3RhdGlvbiBtYXJrcyBpbiBl cnJvci11cmkgZGVmaW5pdGlvbi4KCiAgIG8gIEFkZGVkIG5vdGUgdG8gYWRkIGxhbmd1YWdlIGFu ZCBlbmNvZGluZyBpbmZvcm1hdGlvbiB0bwogICAgICBlcnJvcl9kZXNjcmlwdGlvbiBpZiB0aGUg Y29yZSBzcGVjaWZpY2F0aW9uIGRvZXMuCgogICBvICBFeHBsaWNpdGx5IHJlZmVyZW5jZSB0aGUg QXVnbWVudGVkIEJhY2t1cy1OYXVyIEZvcm0gKEFCTkYpIGRlZmluZWQKICAgICAgaW4gW1JGQzUy MzRdLgoKICAgbyAgVXNlIGF1dGgtcGFyYW0gaW5zdGVhZCBvZiByZXBlYXRpbmcgaXRzIGRlZmlu aXRpb24sIHdoaWNoIGlzICgKICAgICAgdG9rZW4gIj0iICggdG9rZW4gLyBxdW90ZWQtc3RyaW5n ICkgKS4KCiAgIG8gIENsYXJpZnkgc2VjdXJpdHkgY29uc2lkZXJhdGlvbnMgYWJvdXQgaW5jbHVk aW5nIGFuIGF1ZGllbmNlCiAgICAgIHJlc3RyaWN0aW9uIGluIHRoZSB0b2tlbiBhbmQgaW5jbHVk ZSBhIHJlY29tbWVuZGF0aW9uIHRvIGlzc3VlCiAgICAgIHNjb3BlZCBiZWFyZXIgdG9rZW5zIGlu IHRoZSBzdW1tYXJ5IG9mIHJlY29tbWVuZGF0aW9ucy4KCiAgIC0wNAoKICAgbyAgRWRpdHMgcmVz cG9uZGluZyB0byB3b3JraW5nIGdyb3VwIGxhc3QgY2FsbCBmZWVkYmFjayBvbiAtMDMuCiAgICAg IFNwZWNpZmljIGVkaXRzIGVudW1lcmF0ZWQgYmVsb3cuCgogICBvICBBZGRlZCBCZWFyZXIgVG9r ZW4gZGVmaW5pdGlvbiBpbiBUZXJtaW5vbG9neSBzZWN0aW9uLgoKICAgbyAgQ2hhbmdlZCBwYXJh bWV0ZXIgbmFtZSAib2F1dGhfdG9rZW4iIHRvICJiZWFyZXJfdG9rZW4iLgoKICAgbyAgQWRkZWQg cmVhbG0gcGFyYW1ldGVyIHRvICJXV1ctQXV0aGVudGljYXRlIiByZXNwb25zZSB0byBjb21wbHkK ICAgICAgd2l0aCBbUkZDMjYxN10uCgogICBvICBSZW1vdmVkICJbIFJXUyAxI2F1dGgtcGFyYW0g XSIgZnJvbSAiY3JlZGVudGlhbHMiIGRlZmluaXRpb24gc2luY2UKICAgICAgaXQgZGlkIG5vdCBj b21wbHkgd2l0aCB0aGUgQUJORiBpbiBbSS1ELmlldGYtaHR0cGJpcy1wNy1hdXRoXS4KCiAgIG8g IFJlbW92ZWQgcmVzdHJpY3Rpb24gdGhhdCB0aGUgImJlYXJlcl90b2tlbiIgKGZvcm1lcmx5CiAg ICAgICJvYXV0aF90b2tlbiIpIHBhcmFtZXRlciBiZSB0aGUgbGFzdCBwYXJhbWV0ZXIgaW4gdGhl IGVudGl0eS1ib2R5CiAgICAgIGFuZCB0aGUgSFRUUCByZXF1ZXN0IFVSSSBxdWVyeS4KCiAgIG8g IERvIG5vdCByZXF1aXJlIFdXVy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgaW4gYSByZXBseSB0byBh IG1hbGZvcm1lZAogICAgICByZXF1ZXN0LCBhcyBhbiBIVFRQIDQwMCBCYWQgUmVxdWVzdCByZXNw b25zZSB3aXRob3V0IGEgV1dXLQogICAgICBBdXRoZW50aWNhdGUgaGVhZGVyIGlzIGxpa2VseSB0 aGUgcmlnaHQgcmVzcG9uc2UgaW4gc29tZSBjYXNlcyBvZgogICAgICBtYWxmb3JtZWQgcmVxdWVz dHMuCgogICBvICBSZW1vdmVkIE9BdXRoIFBhcmFtZXRlcnMgcmVnaXN0cnkgZXh0ZW5zaW9uLgoK ICAgbyAgTnVtZXJvdXMgZWRpdG9yaWFsIGltcHJvdmVtZW50cyBzdWdnZXN0ZWQgYnkgd29ya2lu ZyBncm91cAogICAgICBtZW1iZXJzLgoKICAgLTAzCgogICBvICBSZXN0b3JlZCB0aGUgV1dXLUF1 dGhlbnRpY2F0ZSByZXNwb25zZSBoZWFkZXIgZnVuY3Rpb25hbGl0eQogICAgICBkZWxldGVkIGZy b20gdGhlIGZyYW1ld29yayBzcGVjaWZpY2F0aW9uIGluIGRyYWZ0IDEyIGJhc2VkIHVwb24KCgoK Sm9uZXMsIGV0IGFsLiAgICAgICAgICAgICBFeHBpcmVzIEp1bmUgMTQsIDIwMTIgICAgICAgICAg ICAgICAgW1BhZ2UgMjBdCgwKSW50ZXJuZXQtRHJhZnQgICAgICAgICAgIE9BdXRoIDIuMCBCZWFy ZXIgVG9rZW5zICAgICAgICAgICBEZWNlbWJlciAyMDExCgoKICAgICAgdGhlIHNwZWNpZmljYXRp b24gdGV4dCBmcm9tIGRyYWZ0IDExLgoKICAgbyAgQXVnbWVudGVkIHRoZSBPQXV0aCBQYXJhbWV0 ZXJzIHJlZ2lzdHJ5IGJ5IGFkZGluZyB0d28gYWRkaXRpb25hbAogICAgICBwYXJhbWV0ZXIgdXNh Z2UgbG9jYXRpb25zOiAicmVzb3VyY2UgcmVxdWVzdCIgYW5kICJyZXNvdXJjZQogICAgICByZXNw b25zZSIuCgogICBvICBSZWdpc3RlcmVkIHRoZSAib2F1dGhfdG9rZW4iIE9BdXRoIHBhcmFtZXRl ciB3aXRoIHVzYWdlIGxvY2F0aW9uCiAgICAgICJyZXNvdXJjZSByZXF1ZXN0Ii4KCiAgIG8gIFJl Z2lzdGVyZWQgdGhlICJlcnJvciIgT0F1dGggcGFyYW1ldGVyLgoKICAgbyAgQ3JlYXRlZCB0aGUg T0F1dGggRXJyb3IgcmVnaXN0cnkgYW5kIHJlZ2lzdGVyZWQgZXJyb3JzLgoKICAgbyAgQ2hhbmdl ZCB0aGUgIk9BdXRoMiIgT0F1dGggYWNjZXNzIHRva2VuIHR5cGUgbmFtZSB0byAiQmVhcmVyIi4K CiAgIC0wMgoKICAgbyAgSW5jb3Jwb3JhdGVkIGZlZWRiYWNrIHJlY2VpdmVkIG9uIGRyYWZ0IDAx LiAgTW9zdCBjaGFuZ2VzIHdlcmUgdG8KICAgICAgdGhlIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25z IHNlY3Rpb24uICBObyBub3JtYXRpdmUgY2hhbmdlcyB3ZXJlCiAgICAgIG1hZGUuICBTcGVjaWZp YyBjaGFuZ2VzIGluY2x1ZGVkOgoKICAgbyAgQ2hhbmdlZCB0ZXJtaW5vbG9neSBmcm9tICJ0b2tl biByZXVzZSIgdG8gInRva2VuIGNhcHR1cmUgYW5kCiAgICAgIHJlcGxheSIuCgogICBvICBSZW1v dmVkIHNlbnRlbmNlICJFbmNyeXB0aW5nIHRoZSB0b2tlbiBjb250ZW50cyBpcyBhbm90aGVyCiAg ICAgIGFsdGVybmF0aXZlIiBmcm9tIHRoZSBzZWN1cml0eSBjb25zaWRlcmF0aW9ucyBzaW5jZSBp dCB3YXMKICAgICAgcmVkdW5kYW50IGFuZCBwb3RlbnRpYWxseSBjb25mdXNpbmcuCgogICBvICBD b3JyZWN0ZWQgc29tZSByZWZlcmVuY2VzIHRvICJyZXNvdXJjZSBzZXJ2ZXIiIHRvIGJlCiAgICAg ICJhdXRob3JpemF0aW9uIHNlcnZlciIgaW4gdGhlIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25zLgoK ICAgbyAgR2VuZXJhbGl6ZWQgc2VjdXJpdHkgY29uc2lkZXJhdGlvbnMgbGFuZ3VhZ2UgYWJvdXQg b2J0YWluaW5nCiAgICAgIGNvbnNlbnQgb2YgdGhlIHJlc291cmNlIG93bmVyLgoKICAgbyAgQnJv YWRlbmVkIHNjb3BlIG9mIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25zIGRlc2NyaXB0aW9uIGZvcgog ICAgICByZWNvbW1lbmRhdGlvbiAiRG9uJ3QgcGFzcyBiZWFyZXIgdG9rZW5zIGluIHBhZ2UgVVJM cyIuCgogICBvICBSZW1vdmVkIHVudXNlZCByZWZlcmVuY2UgdG8gT0F1dGggMS4wLgoKICAgbyAg VXBkYXRlZCByZWZlcmVuY2UgdG8gZnJhbWV3b3JrIHNwZWNpZmljYXRpb24gYW5kIHVwZGF0ZWQg RGF2aWQKICAgICAgUmVjb3Jkb24ncyBlLW1haWwgYWRkcmVzcy4KCiAgIG8gIFJlbW92ZWQgc2Vj dXJpdHkgY29uc2lkZXJhdGlvbnMgdGV4dCBvbiBhdXRoZW50aWNhdGluZyBjbGllbnRzLgoKICAg byAgUmVnaXN0ZXJlZCB0aGUgIk9BdXRoMiIgT0F1dGggYWNjZXNzIHRva2VuIHR5cGUgYW5kICJv YXV0aF90b2tlbiIKICAgICAgcGFyYW1ldGVyLgoKICAgLTAxCgoKCkpvbmVzLCBldCBhbC4gICAg ICAgICAgICAgRXhwaXJlcyBKdW5lIDE0LCAyMDEyICAgICAgICAgICAgICAgIFtQYWdlIDIxXQoM CkludGVybmV0LURyYWZ0ICAgICAgICAgICBPQXV0aCAyLjAgQmVhcmVyIFRva2VucyAgICAgICAg ICAgRGVjZW1iZXIgMjAxMQoKCiAgIG8gIEZpcnN0IHB1YmxpYyBkcmFmdCwgd2hpY2ggaW5jb3Jw b3JhdGVzIGZlZWRiYWNrIHJlY2VpdmVkIG9uIC0wMAogICAgICBpbmNsdWRpbmcgZW5oYW5jZWQg U2VjdXJpdHkgQ29uc2lkZXJhdGlvbnMgY29udGVudC4gIFRoaXMgdmVyc2lvbgogICAgICBpcyBp bnRlbmRlZCB0byBhY2NvbXBhbnkgT0F1dGggMi4wIGRyYWZ0IDExLgoKICAgLTAwCgogICBvICBJ bml0aWFsIGRyYWZ0IGJhc2VkIG9uIHByZWxpbWluYXJ5IHZlcnNpb24gb2YgT0F1dGggMi4wIGRy YWZ0IDExLgoKCkF1dGhvcnMnIEFkZHJlc3NlcwoKICAgTWljaGFlbCBCLiBKb25lcwogICBNaWNy b3NvZnQKCiAgIEVtYWlsOiBtYmpAbWljcm9zb2Z0LmNvbQogICBVUkk6ICAgaHR0cDovL3NlbGYt aXNzdWVkLmluZm8vCgoKICAgRGljayBIYXJkdAogICBpbmRlcGVuZGVudAoKICAgRW1haWw6IGRp Y2suaGFyZHRAZ21haWwuY29tCiAgIFVSSTogICBodHRwOi8vZGlja2hhcmR0Lm9yZy8KCgogICBE YXZpZCBSZWNvcmRvbgogICBGYWNlYm9vawoKICAgRW1haWw6IGRyQGZiLmNvbQogICBVUkk6ICAg aHR0cDovL3d3dy5kYXZpZHJlY29yZG9uLmNvbS8KCgoKCgoKCgoKCgoKCgoKCgoKCgoKSm9uZXMs IGV0IGFsLiAgICAgICAgICAgICBFeHBpcmVzIEp1bmUgMTQsIDIwMTIgICAgICAgICAgICAgICAg W1BhZ2UgMjJdCgwK --_007_4E1F6AAD24975D4BA5B16804296739435F75F103TK5EX14MBXC283r_ Content-Type: application/pdf; name="draft-ietf-oauth-v2-bearer-15 preliminary.pdf" Content-Description: draft-ietf-oauth-v2-bearer-15 preliminary.pdf Content-Disposition: attachment; filename="draft-ietf-oauth-v2-bearer-15 preliminary.pdf"; size=169692; creation-date="Mon, 12 Dec 2011 16:33:14 GMT"; modification-date="Mon, 12 Dec 2011 16:06:35 GMT" Content-Transfer-Encoding: base64 JVBERi0xLjQKMSAwIG9iago8PAovVGl0bGUgKP7/AFQAaABlACAATwBBAHUAdABoACAAMgAuADAA IABBAHUAdABoAG8AcgBpAHoAYQB0AGkAbwBuACAAUAByAG8AdABvAGMAbwBsADoAIABCAGUAYQBy AGUAcgAgAFQAbwBrAGUAbgBzKQovQ3JlYXRvciAo/v8pCi9Qcm9kdWNlciAo/v8AdwBrAGgAdABt AGwAdABvAHAAZABmKQovQ3JlYXRpb25EYXRlIChEOjIwMTExMjEyMTcwNjI0KzAxJzAwJykKPj4K ZW5kb2JqCjMgMCBvYmoKPDwKL1R5cGUgL0V4dEdTdGF0ZQovU0EgdHJ1ZQovU00gMC4wMgovY2Eg MS4wCi9DQSAxLjAKL0FJUyBmYWxzZQovU01hc2sgL05vbmU+PgplbmRvYmoKNCAwIG9iagpbL1Bh dHRlcm4gL0RldmljZVJHQl0KZW5kb2JqCjEwIDAgb2JqClswIC9YWVogNDcuNTE5OTk5OSAgCjY4 OC44Nzk5OTkgIDBdCmVuZG9iagoxMSAwIG9iagpbMCAvWFlaIDQ3LjUxOTk5OTkgIAo1NzQuNjM5 OTk5ICAwXQplbmRvYmoKMTIgMCBvYmoKWzAgL1hZWiA0Ny41MTk5OTk5ICAKNDc5LjU5OTk5OSAg MF0KZW5kb2JqCjEzIDAgb2JqClswIC9YWVogNDcuNTE5OTk5OSAgCjE1MS4yNzk5OTkgIDBdCmVu ZG9iagoxNCAwIG9iagpbMCAvWFlaIDQ3LjUxOTk5OTkgIAozMTkuMjc5OTk5ICAwXQplbmRvYmoK MTUgMCBvYmoKWzAgL1hZWiA0Ny41MTk5OTk5ICAKMTgxLjAzOTk5OSAgMF0KZW5kb2JqCjE2IDAg b2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNTIyLjcyMDAwMCAgNzgy Ljk1OTk5OSAgNTQzLjg0MDAwMCAgNzkwLjYzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAv ZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGll dGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3RvYwo+PgplbmRvYmoKMTcgMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs3OC4yMzk5OTk5ICAxMTQu Nzk5OTk5ICA4OC43OTk5OTk5ICAxMjUuMzU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9m aWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0 ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yMQo+PgplbmRvYmoKMTgg MCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5OTk5ICAx MDMuMjc5OTk5ICAxMTQuNzE5OTk5ICAxMTMuODM5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0 IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJk aWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yMgo+PgplbmRvYmoK MTkgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5OTk5 ICA5MS43NTk5OTk5ICAxMTQuNzE5OTk5ICAxMDIuMzE5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yMwo+PgplbmRv YmoKMjAgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5 OTk5ICA4MC4yMzk5OTk5ICAxMTQuNzE5OTk5ICA5MC43OTk5OTk5IF0KL0JvcmRlciBbMCAwIDBd Ci9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRy YWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yNAo+Pgpl bmRvYmoKMjEgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs3OC4y Mzk5OTk5ICA2OC43MTk5OTk5ICA4OC43OTk5OTk5ICA3OS4yNzk5OTk5IF0KL0JvcmRlciBbMCAw IDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMy ZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yNQo+ PgplbmRvYmoKMjIgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5 My41OTk5OTk5ICA1Ny4xOTk5OTk5ICAxMTQuNzE5OTk5ICA2Ny43NTk5OTk5IF0KL0JvcmRlciBb MCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRp ciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYXV0aHoj MmRoZWFkZXIKPj4KZW5kb2JqCjIzIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGlu awovUmVjdCBbOTMuNTk5OTk5OSAgNDUuNjc5OTk5OSAgMTE0LjcxOTk5OSAgNTYuMjM5OTk5OSBd Ci9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRl bXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRt bCMyM2JvZHkjMmRwYXJhbQo+PgplbmRvYmoKMjQgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0 eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5OTk5ICAzNC4xNTk5OTk5ICAxMTQuNzE5OTk5ICA0NC43 MTk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1w IzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIu aHRtbC5odG1sIzIzcXVlcnkjMmRwYXJhbQo+PgplbmRvYmoKNSAwIG9iago8PAovVHlwZSAvUGFn ZQovUGFyZW50IDIgMCBSCi9Db250ZW50cyAyNSAwIFIKL1Jlc291cmNlcyAyNyAwIFIKL0Fubm90 cyAyOCAwIFIKL01lZGlhQm94IFswIDAgNTk1IDg0Ml0KPj4KZW5kb2JqCjI3IDAgb2JqCjw8Ci9D b2xvclNwYWNlIDw8Ci9QQ1NwIDQgMCBSCi9DU3AgL0RldmljZVJHQgovQ1NwZyAvRGV2aWNlR3Jh eQo+PgovRXh0R1N0YXRlIDw8Ci9HU2EgMyAwIFIKPj4KL1BhdHRlcm4gPDwKPj4KL0ZvbnQgPDwK L0Y2IDYgMCBSCi9GNyA3IDAgUgovRjggOCAwIFIKL0Y5IDkgMCBSCj4+Ci9YT2JqZWN0IDw8Cj4+ Cj4+CmVuZG9iagoyOCAwIG9iagpbIDE2IDAgUiAxNyAwIFIgMTggMCBSIDE5IDAgUiAyMCAwIFIg MjEgMCBSIDIyIDAgUiAyMyAwIFIgMjQgMCBSIF0KZW5kb2JqCjI1IDAgb2JqCjw8Ci9MZW5ndGgg MjYgMCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp4nO1dy27kuBXd11doHcBuUW8B wQB+BsgigNEGshhkEfSkJxi0B3Fmkd+PVKUqU/eIOuQtSla52+6ZttkSeXnfL7I+/eXzP5Nf/0g+ 3X3+T/Jl+Pvu8y69Tsv28JWk3feVPZA113mW9l9JY/Lrqt6PfnnZvSavu6fdU/f//u/X3XHWdP/9 x5ffd58O6w1P9aMvu6atutnT1OTdr9/sX02emvq66n7uxlP5a//wv3d//1Py++xSp3+5LtLhy/mz /d7rzmTXzX7c7CcVv3b7zeqk/2OyxFTJf/+1+9rta8nlinTd9eqkKNbd3qrr1Ull1t3equvVSd2s u71V16uTtlx3e6uuVyemW2vV/a27YLfBrF15gzMLVmneZqasGufP9oJ5PixQJCZtTLU3WJ0ty4uy N1BpWvbjnaFsDtaqqUzRw94vPh7P6uvsOH6c55tj/t7efbVgbvPhy/nzCOYRbIU5WNIXsVZ5gBNg s8ftvRzn+eaYX8IcCc8OmF0wuOiyBJ6naf0ixn3wPM0bLl4aw3z01lpwiDyEpertcNP/MeVRVJ58 Xjyub/bf9qqHkc93f+s8t/8lWfLX7r/fkp//0b33i+W/4Yu3z7tPj1W31eT5a3JY6Orw1/MB0Ku8 TZ5/Sf7cw/FT8vzbrvcjh4FsP1C/DeT7geZtoJBPHOZ4eB55sA6wagdYnZ4BqGoJVSWhymegKuUr lXyl3g8UbwONfKLdD7RnTXojn7iVc9zJAYDjXtIAlgXAHuTAYwwqFZlFJpMK9BjgJrkTcyBkOQM4 oEfS3uSR+K2sjjMWlEbAb8CRQBK6EZjUlHKgklwtVzG1xA4wTxR09YR/w5ckPDC5aSl6JOEHshYz TyyztY4T6jwmJ8hXzA1laXgCBAewA8wjOQEhlToBJjW3VIDvpu3DHBwUH/gKsDm8AvgASO/DZQe4 to4lO28cJkXaQ2k+yFfC8RVNVNrTEo8CqiyVuv1RAgG2ELSCQ9kHsSjYGLCFXDXLSTMjnsjkKxmI G8xRyFekhsNVilgM2LqJEK6vkLIRlKBL1Z7PsyatxzSJgM+3ORUSnYFdB74HVURdT8Sww7eKgNCs iI/Q05wZ6GWuqEEaG4oMGIii7HvsFCY+dk5zok/IeQewIwMbRBf3b7mKBH23iIq0wk+fYF7+Gw2w 5ybbE64L+6spwhlTJldZlh03ewDUAJINqDxj+TWOwDZLJWmM5Y/XMHEjXXZcG1ZqAZgb+cgthzcS dHcwcnDwjIUI6SgNdspYSjIFgGFtmAWWNkhKue3BCzH1HLy4JwAG10YWwWcAmlLOC08gmWChCeTh nhC8+yklqJaqsik6qSpLt1QhOmqACfcG85hJ5a2GO8/qDu6mGSvpWX5GfA823iKSZJjBP55jZ6QQ TCKXwVkRycgcGjmHlYaI054X9BK+dM8161ncbFMJFn+Apazk2xsjHToC0n2VZvrnsd3iz3vYsrBF B47uDNmUY1IlVz1Xj/W8kUSwEHMgfyP5oZTYBa56e8VAPrqZwC1afU9bPy3TbdKZkCld1KdDy6NI u9LWjWQnnrbm9tSatJ7GyEyOZpCgmWwSznEjV7mVtIM57uQrkMeG3T7QzQE+ANJHBhgwlccqACnQ Vu52sChQPShmUAgYk68YWBYghb3AHHz7QGzAKbwCT4TvdpDtub0AB3FCAVtSLhzcJ9sOgGjLgcHD glml+xCmYIqiGmkYSgYjtQMyDOd1IBRHcjgnI4+BIMMAB51CevQFLfsN3g+gDHYHT8AyraTDjXxi MhmjMUCn3DKaBuAXIAtsjVsT/gpocSA+1ydASdAWQASYNJyBgExRxNg0rU0n4DhQSVhmAQwCrbnO loRzrXLeZrOyGDFluP7FvQHbcsFX6IoYDgy8Aq4WV4Qf2mDD5u7lKhwfD5KRV0EQLstRyN1ojqAI Lh+yNtA2gknPOBmiGb1TIuWd/AiNx8PdCE5I2C0HHQDj8SEP9j6QzecqCUM5Lk88PuRuZnh4PFRD TJAR4wEAYFmRDZDLora4eD/gTL3WBSW2YlvCleDZEnQKgQpU9SFpOQPBKjx5Np2gDzcmRXryzKlD A+gBJ2CZEKKpbTgxH8GtDw8OQZlAMzB376gOm9BQNCuqcIEyRzvhB/WqHTbtPJ7L02rEdLAqwKXw ChQ5UE44BfNvJTMCSp5COiFR3HHglQi5uwx6Y6k19nDXFKELD8K5QwOgUwPlEdxwcwygP8QyYaY5 A18Kf49rIO688QTVzRt6PlbdtCjNmK/sYoOsiqLCg7rpgRfnSq2FJPqdfOVGTgqvwLKZmGPg5yIA Dqc/AH4IBjXvVvQtGtHVFbfom8mDIB5+FvdEuPmWkw59qtYAVE88VAVYNB7nRqiTg+0BKfLxRAFU tYk/N6lejrhOoeQlGQBBYODR4vNwkofKwA7ULkwQitsjngcCvzJGlmeRpF+494qhGxcpRdqDi2V4 EiOT1THoVnbV2q05wHu7jeaszS27COgQH1pe0VlWrE84fZ8Gh/OtIvTn+oRqOgz9Y6RRgW9pRQBt A6pgRS5oCXURQ8Fuhf0RMJiDk5+7BjxtQ1voNGwInjKtZaE4AIIczfpze1F4BrIgBAyDhJK7BUhX ShyX7VjTP4JC9c18RTA4WelcA6SWl5i49lDoBprA9Shu8FIfeHQ8JuROsEfXEDgX4OLz8nGM5CLP ONGmXY/66Q8TvYCJ5h0IWzWv7+VdLqTYi3ykUXkiivtBoA0Ukuzr00UwJ4W/dCBhuUOvKG5+55we JZOnMPzcFMCAtMB5KibNDRtArc1B509wugCz84Ix9zWBUDxagYwiTMpTe9I0eiB5CcbFZd9HowAc 8ZI91bFC+ENJUY2jKFMvwqYX7CdiBprHHo4bq+bQHl5NUHTNecReOU244yQ+pImRIaOZfgTeAwO8 OsCjb4VoKrLyMSJnRdORR9SvcCBovTGbvDZJYzGaU+cX14dyayjcvE/fd2tzvK4Qf8jWAKlpTgR3 y72n8N4wTIHwhM8qKbELMkua6ILqIA860P54j/278ghz8ecivRa8xMDbuxUdmfyVGAdZYnSoRjiy tTEvPYI5aU8ByGb8fP4Kt3wAGKcCV2zhNSqfJhkFw1CJ8mgSUthkxek6fqothuxTa6ny4RcxyooS G+8iCxehXGanohRdYrSJK9qqeO0v/LwZmPV88tZXhcqtsuOV3T/aVCMYmPCGQU1LpdwuBufAt0A6 Rf4q/K6DXJIf3R5OS5gU8vKKk11w+Yrs/oNVXPe1fMCjB1XZjjFpXdkGhwIGfrUGoIFRXtkGZwAG 8YRb/+AWw5mjB0eJngEVJ4HDCHB3XD5BZFCzyx0jqE63ckOjKI9+MOikzhuar/Az6HhfB4T21DVR CCgMcGuk6MnyaFoD14THehEyDJqDlDEazbm55v1CMe5s4/cCctdDcQui4vymIsaMQbnNZOAoQjTX q/EIcqWem7q1tTZc5KXx9xbR2rEiiDotnXDySIdqD48bBiRjRyuI17n7NoUYF7duVyJXOV2Xw6c1 Kc7PR8gLXfBxokWONmzWK8rbYLbM4fMIIFgE3Rmev0T+uJjjdznwKSCI12kXudpJIchqTo5gK4qZ 2sVma50Yqr1TnyTtcdQEUfQU0+X0OHp0QvGCENcOIPsyb+qRRKf9Vh6XYipS9bzqxstwCndDcQHs IsFcjDK2onGMXiaOdyooOHmdTxZY5GSpw6pHMDhV7mSGd7I3C12NnZX2bsHX8uis4hkXLhyKu/Co MdF8AITitv4Lyg3xOJMrh/CGDMVFJ5Bb9+g8XCXx59FptpWPUAFvFEBX3O67ZvYsRltyBEtQ+3/6 R4xzth5u0hKR6jKX7ygwpvh4pSXSVnrn4xJykh6drLwgyhVd+KQTu+P3GPIuhximkfeFRDhKuOEr TD+gQESwDm3uBCNKZZrH6vSeWIQjXHJz6Pbw6J/nZ1JWKQlDBQI2M5FU5KnuVVJEHmKo0EsxfOet uLlcHYanu5DbFU5IhKQJ9N6h3V4k7xQjh7ZK407EAtT5tqBJTx8ufLkVqyh10xjnuRe5c5MrLX4I cCOfRYNwcKwrrhWHyCH8jqvv3JjE0KY/3K/3cb8+bhd6U4uPzbb6ceCYM3yQONxMD53dEa6792iP RyUITegSMv6KsT7XKL0u2+ErOXahGyRUVSat6Z49EOJlV7f27992ny1CjicccwouRrjCPdmeAyqH u9LBe9Wm7VjaLJRUE2yP4HoCGQZa3+FpgWYkPWGglpwGn+560GrWCYkbOXArX7kDjSRlABUfLPM4 bQmA9fxcz1laZoU/whwDIfzedPyelW/8bjrQrIHtMXwzRpKD4cHd2oZI9NgNIvGgwW3NCawnuRX1 opqfZ/Tz4OhCnAhmwBY9vgwoeXlsykMpKHYXUoCfFd88QN9FEt8iFeJbbNheNWMkUfE1cOTt3cU3 hMTQ5gPsLC2YGVxoSPrP2UXJ4Cic8EQjhdOEXCY6KwPl+iaslCas3LoJK/1N2OBgb0kGQkgMzr+H kgepgLBECgXMYW6DOal3/mvh/NcbVqZ7aauO6mhTqnLv/Ff+mtJ4+Ong6Dii2fOcBTgmRd0pXBY3 A/t9AP0LDIwfMEA3jPlqADaaq9Osr+Ybqeabrav5E5Jc0rnpSCWAxFEEGD11CPClvEJZaJHwZzvy C5Ac88VmZlbHPUFz0CPmYWG4fILbZPBLrY+fPE8btasHXqZ78aB9Bm1kDWxUG7XMV9h04BVAYuRN qlkw8BrS1tas3L+AXCJPSGrch+EI32xuBReSl4XgtBW84yhOzqSbEJG4Q+5ChRxOn1MMppt7fc1g SqEZTgPb1AwWljxUw+bi0SAiY5ESjTnWImCWRppdbt1Rdi5UIrvv5LWjman2ZBj++vKipf5T8rT7 Pw8FJ1xlbmRzdHJlYW0KZW5kb2JqCjI2IDAgb2JqCjM2NzIKZW5kb2JqCjMxIDAgb2JqClsxIC9Y WVogNDcuNTE5OTk5OSAgCjU2Ni45NTk5OTkgIDBdCmVuZG9iagozMiAwIG9iagpbMSAvWFlaIDQ3 LjUxOTk5OTkgIAo2MDguMjQwMDAwICAwXQplbmRvYmoKMzMgMCBvYmoKWzEgL1hZWiA0Ny41MTk5 OTk5ICAKMzI1Ljk5OTk5OSAgMF0KZW5kb2JqCjM0IDAgb2JqClsxIC9YWVogNDcuNTE5OTk5OSAg CjI5Ni4yMzk5OTkgIDBdCmVuZG9iagozNSAwIG9iagpbMSAvWFlaIDQ3LjUxOTk5OTkgIAoxMjUu MzU5OTk5ICAwXQplbmRvYmoKMzYgMCBvYmoKWzEgL1hZWiA0Ny41MTk5OTk5ICAKOTUuNTk5OTk5 OSAgMF0KZW5kb2JqCjM3IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVj dCBbNzguMjM5OTk5OSAgODAzLjEyMDAwMCAgODguNzk5OTk5OSAgODEzLjY3OTk5OSBdCi9Cb3Jk ZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkz Ni5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM2F1 dGhuIzJkaGVhZGVyCj4+CmVuZG9iagozOCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzkzLjU5OTk5OTkgIDc5MS41OTk5OTkgIDExNC43MTk5OTkgIDgwMi4xNTk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZD R0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1s Lmh0bWwjMjNyZXNvdXJjZSMyZGVycm9yIzJkY29kZXMKPj4KZW5kb2JqCjM5IDAgb2JqCjw8Ci9U eXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNzguMjM5OTk5OSAgNzgwLjA3OTk5OSAg ODguNzk5OTk5OSAgNzkwLjYzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMy ZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0 aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3NlYyMyZGNvbgo+PgplbmRvYmoKNDAgMCBvYmoK PDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5OTk5ICA3NjguNTU5 OTk5ICAxMTQuNzE5OTk5ICA3NzkuMTE5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxl IzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMy ZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdGhyZWF0cwo+PgplbmRvYmoKNDEgMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5OTk5ICA3NTcu MDM5OTk5ICAxMTQuNzE5OTk5ICA3NjcuNTk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9m aWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0 ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzbWl0aWdhdGlvbgo+PgplbmRvYmoK NDIgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5OTk5 ICA3NDUuNTE5OTk5ICAxMTQuNzE5OTk5ICA3NTYuMDc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yNgo+PgplbmRv YmoKNDMgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs3OC4yMzk5 OTk5ICA3MzQgIDg4Ljc5OTk5OTkgIDc0NC41NTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3Qg L2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRp ZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3I3Cj4+CmVuZG9iago0 NCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzkzLjU5OTk5OTkg IDcyMi40Nzk5OTkgIDExNC43MTk5OTkgIDczMy4wMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rl c3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQj MmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3I4Cj4+CmVuZG9i ago0NSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzEwOC45NTk5 OTkgIDcxMC45NTk5OTkgIDE0MC42Mzk5OTkgIDcyMS41MTk5OTkgXQovQm9yZGVyIFswIDAgMF0K L0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJh ZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3I5Cj4+CmVu ZG9iago0NiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzkzLjU5 OTk5OTkgIDY5OS40Mzk5OTkgIDExNC43MTk5OTkgIDcwOS45OTk5OTkgXQovQm9yZGVyIFswIDAg MF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJm ZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3IxMAo+ PgplbmRvYmoKNDcgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsx MDguOTU5OTk5ICA2ODcuOTE5OTk5ICAxNDAuNjM5OTk5ICA2OTguNDc5OTk5IF0KL0JvcmRlciBb MCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRp ciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9y MTEKPj4KZW5kb2JqCjQ4IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVj dCBbNzguMjM5OTk5OSAgNjc2LjM5OTk5OSAgODguNzk5OTk5OSAgNjg2Ljk1OTk5OSBdCi9Cb3Jk ZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkz Ni5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3Jm Yy5yZWZlcmVuY2VzMQo+PgplbmRvYmoKNDkgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBl IC9MaW5rCi9SZWN0IFs5My41OTk5OTk5ICA2NjQuODc5OTk5ICAxMTQuNzE5OTk5ICA2NzUuNDM5 OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJm Q0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRt bC5odG1sIzIzcmZjLnJlZmVyZW5jZXMxCj4+CmVuZG9iago1MCAwIG9iago8PAovVHlwZSAvQW5u b3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzkzLjU5OTk5OTkgIDY1My4zNTk5OTkgIDExNC43MTk5 OTkgIDY2My45MTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2 YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMy ZGJlYXJlci5odG1sLmh0bWwjMjNyZmMucmVmZXJlbmNlczIKPj4KZW5kb2JqCjUxIDAgb2JqCjw8 Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNzguMjM5OTk5OSAgNjQxLjgzOTk5 OSAgMTQ3LjM2MDAwMCAgNjUyLjM5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMz YSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRv YXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM2FuY2hvcjE0Cj4+CmVuZG9iago1MiAwIG9i ago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzc4LjIzOTk5OTkgIDYzMC4z MTk5OTkgIDE0Ny4zNjAwMDAgIDY0MC44Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2Zp bGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRm IzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3IxNQo+PgplbmRvYmoKNTMg MCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs3OC4yMzk5OTk5ICA2 MTguNzk5OTk5ICA4My4wMzk5OTk5ICA2MjkuMzU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0 IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJk aWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzcmZjLmF1dGhvcnMKPj4KZW5k b2JqCjU0IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNTIyLjcy MDAwMCAgNTYzLjEyMDAwMCAgNTQzLjg0MDAwMCAgNTcwLjc5OTk5OSBdCi9Cb3JkZXIgWzAgMCAw XQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZk cmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3RvYwo+PgplbmRv YmoKNTUgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsyMzkuNTE5 OTk5ICA1MTguOTU5OTk5ICAzMzkuMzYwMDAwICA1MjkuNTE5OTk5IF0KL0JvcmRlciBbMCAwIDBd Ci9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRy YWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzSSMyZEQuaWV0ZiMy ZG9hdXRoIzJkdjIKPj4KZW5kb2JqCjU2IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAv TGluawovUmVjdCBbNjcuNjc5OTk5OSAgNDA2LjYzOTk5OSAgMjQ0LjMxOTk5OSAgNDE3LjE5OTk5 OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNH SXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwu aHRtbCMyM0kjMmRELmlldGYjMmRodHRwYmlzIzJkcDEjMmRtZXNzYWdpbmcKPj4KZW5kb2JqCjU3 IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMjk3LjEyMDAwMCAg NDA2LjYzOTk5OSAgMzU1LjY4MDAwMCAgNDE3LjE5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVz dCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMy ZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM1JGQzUyNDYKPj4KZW5kb2Jq CjU4IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMzMyLjYzOTk5 OSAgMzcyLjA3OTk5OSAgNDMyLjQ4MDAwMCAgMzgyLjYzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQov RGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFm dCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0kjMmRELmlldGYjMmRv YXV0aCMyZHYyCj4+CmVuZG9iago1OSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xp bmsKL1JlY3QgWzUyMi43MjAwMDAgIDI5Mi4zOTk5OTkgIDU0My44NDAwMDAgIDMwMC4wNzk5OTkg XQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0 ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0 bWwjMjN0b2MKPj4KZW5kb2JqCjYwIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGlu awovUmVjdCBbNDEyLjMxOTk5OSAgMjM2LjcxOTk5OSAgNDcwLjg3OTk5OSAgMjQ3LjI3OTk5OSBd Ci9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRl bXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRt bCMyM1JGQzIxMTkKPj4KZW5kb2JqCjYxIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAv TGluawovUmVjdCBbNjcuNjc5OTk5OSAgMjA0LjA3OTk5OSAgMjQ0LjMxOTk5OSAgMjE0LjYzOTk5 OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNH SXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwu aHRtbCMyM0kjMmRELmlldGYjMmRodHRwYmlzIzJkcDEjMmRtZXNzYWdpbmcKPj4KZW5kb2JqCjYy IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTA1LjEyMDAwMCAg MTkyLjU1OTk5OSAgMTYzLjY4MDAwMCAgMjAzLjExOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVz dCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMy ZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM1JGQzUyMzQKPj4KZW5kb2Jq CjYzIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNzcuMjgwMDAw MCAgMTgxLjAzOTk5OSAgMjE2LjQ3OTk5OSAgMTkxLjU5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQov RGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFm dCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0kjMmRELmlldGYjMmRo dHRwYmlzIzJkcDcjMmRhdXRoCj4+CmVuZG9iago2NCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzY3LjY3OTk5OTkgIDE2OS41MTk5OTkgIDI0NC4zMTk5OTkgIDE4 MC4wNzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0 bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJl ci5odG1sLmh0bWwjMjNJIzJkRC5pZXRmIzJkaHR0cGJpcyMyZHAxIzJkbWVzc2FnaW5nCj4+CmVu ZG9iago2NSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzk0LjU2 MDAwMDAgIDE1Ny45OTk5OTkgIDE1My4xMjAwMDAgIDE2OC41NTk5OTkgXQovQm9yZGVyIFswIDAg MF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJm ZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNSRkMzOTg2Cj4+ CmVuZG9iago2NiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzUy Mi43MjAwMDAgIDkxLjc1OTk5OTkgIDU0My44NDAwMDAgIDk5LjQzOTk5OTkgXQovQm9yZGVyIFsw IDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGly IzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjN0b2MKPj4K ZW5kb2JqCjI5IDAgb2JqCjw8Ci9UeXBlIC9QYWdlCi9QYXJlbnQgMiAwIFIKL0NvbnRlbnRzIDY3 IDAgUgovUmVzb3VyY2VzIDY5IDAgUgovQW5ub3RzIDcwIDAgUgovTWVkaWFCb3ggWzAgMCA1OTUg ODQyXQo+PgplbmRvYmoKNjkgMCBvYmoKPDwKL0NvbG9yU3BhY2UgPDwKL1BDU3AgNCAwIFIKL0NT cCAvRGV2aWNlUkdCCi9DU3BnIC9EZXZpY2VHcmF5Cj4+Ci9FeHRHU3RhdGUgPDwKL0dTYSAzIDAg Ugo+PgovUGF0dGVybiA8PAo+PgovRm9udCA8PAovRjYgNiAwIFIKL0Y4IDggMCBSCi9GOSA5IDAg UgovRjMwIDMwIDAgUgo+PgovWE9iamVjdCA8PAo+Pgo+PgplbmRvYmoKNzAgMCBvYmoKWyAzNyAw IFIgMzggMCBSIDM5IDAgUiA0MCAwIFIgNDEgMCBSIDQyIDAgUiA0MyAwIFIgNDQgMCBSIDQ1IDAg UiA0NiAwIFIgNDcgMCBSIDQ4IDAgUiA0OSAwIFIgNTAgMCBSIDUxIDAgUiA1MiAwIFIgNTMgMCBS IDU0IDAgUiA1NSAwIFIgNTYgMCBSIDU3IDAgUiA1OCAwIFIgNTkgMCBSIDYwIDAgUiA2MSAwIFIg NjIgMCBSIDYzIDAgUiA2NCAwIFIgNjUgMCBSIDY2IDAgUiBdCmVuZG9iago2NyAwIG9iago8PAov TGVuZ3RoIDY4IDAgUgovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeJztXd1v3LgRf/df sc8F4oikqA+gKJA4ToE+FAhioA+HPhS5XouDfah7D/33q5W0K3F+oobiDrWSvQna2LxdcmY435wh P/75+z8O//r98PHh+38OP/p/H77fZfeZrbs/h6z5+2E8oKt7o7Pjn0OlzH1RtqM/Xu5eD6933+6+ Nf//eqeK9ov9P81/PC2RtX9///Hb3cdu8btu5PvDX5uf/nfQh780//v18NPfm8Gf+/mOH3i5q+qi gSPLlGl+fR7/qnRd6/bnZjyjvx4//O+7v/3h8NsRMH1ftcCrDsDxrx+UyVR5Xxx/uwTk1+GrzWSm 1soWlffn8cTG9PDkB1PV6v5IZ9ugbnJ7BOv4i6mz/L77saFBofL7vIFX03FdHr98HB/mefbMfyTP LyOYa9P/8f7swDyGTRXt/C3Mo7VqXbefobC54yNczvM8e+anMAvR2QOzDwbfvqSg8/Rev7jjQXSe 5g0fLwnRuTJ1S7dmeoefqzxrYWvGHRjI+Bnm0TzPnvnF+LnKte7BcXijyo3twXFhc8dHuJznefbM n4jOHph9MPj2JQWdp/f6xR0PovM0b/h4SYjOSpU2a+d3+bkZL0wLjwsDGT/DPJrn2TO/GD83c5ZF ZxhfyFpV1RIOYBuPj3E5zfPsmT8RnT0w+2Dw7UsKOk/v9QsZD6HzNG/4eMmF+eSm1eC0LPJ9iryh TEOlxts7KHv47z+bRb61rk2EA6Xav2NYuhGPA/U688XPT3cfvxYHlR2efjl0EHzo/nnqgG5AyM3h 6efDH48w/enw9Ovd0V3sB3Q7UA4Dph2ohoGcfqKb4/GpRz8NpYsq3yGli9rujtJ1XuyQ0rUtE1Ga UvcIv0L4i0aBZqb58JEsjVIr6/Hvz3ffg7ZrarFZYs1NdiKbmSSbbX7JdN1jrD61GNcDCYqBBJFx 3uvMF2dha2g3hq3fDUu3ZzSgyY6qLwQdlVP86By6bgdUvmzEkGnUQ/eRbFiJwpJ1sxRLoK24ObKv 7cAAWfZIaaJYOFgiqUeKHXxHWbKu/gQU+cyhB5ME7F83oNQMaEAB2Cxc5xMlNCys6VfoViAgmm7W wyBt0WLTiXSjDoPFxjOwRO9VR73XOJEnvaeO2aZhYHuKr3Kp5FN8I6LYDanGI3mXbbLmORoGQD5Z IehN6KyQ88LWi/1iu1sQu1ts3e7ak23TQKWr210bbnf1A2u4qBVCawi8BZYM7FRNJ41hR9bmICAR 5oK3urhMKKgS5qK8grkoqbkot24uzlTyyeu2zcWCTd6uSLM+Psoe7wACHHKSVS2IX6Qkq86IZNXb tYSVSyVeslSxPclassmrMDAKdLeKGiVEWGnECKYCyydn1wSErfGIVxe2xlNyhW0Y2KiwDVQKELYt JYQ6YVuyyWDGwEipsmPpfG4EmBwklLdblNT6kRPZgCwLGmG6TBB+fJ4JXd7UDu2CwE9pN/Abft+e BHZ6Sp3N3dcNyVcb+A2wBajMkhoI5JOsG1Ezn7nFbdEGz1zB4Blq8MzWDd6ZSj5x23TctmiTTYC4 LT+JQNuEs4IpgpMH9owAZZj1nkHaTMZGrmDdeB+d2nc8zZA5NQEHG31woBFopIRKTEJn5ZdHxBID S/Seagtj7CiszsvxwPYU3xHiMa3jNd9WdWOzAwuZSeB42HQDQ42AtrxQ8+ED64fAujfNvzXNL6Ea iyu4cwV154qtu3NFuDu3wWThkk3ecxlJRGAUkL8BOFhsQ/IdN1dtWh+Ve3XVKuqqVZt31cpwV82n 1bbtqi1hpjftqt20ekKtvjh5XFs3eVxv1/3plHJ98h8MlBxePXlcL/BteBsLZyQBCVteLEKjEwED qrP1T/+1Iqf/w8D2OLpyqeTj6K0attahX7LJeBzCV1mGHEjyR/e020HECd6/gOr1I26tScQ9DGxV QDVncjYdcS/aZHqkCeyJB/c3Cb5Ighc4azof2TbrDGxPdDoFY869VeD1Yyox5FiJr80A1jHQ6hYQ klxTbK1LuqhEGeVBSA8jJaF4phtQehihLTu4P1hlgFVzMTkqNryLlSlriUzZ7ZqjTqZsvgeZwnzD BmTKhptCk/O+KlsELsLZAV1+MclX3m7XcRJVjurR9Pj3rQpUcQ7A7PU4tCHVGJSVTkcCuIBykimo jxgAWcgIX/jNnpvOeloDt3QXkx1Z0vezy4785wNYdNmiLa+0NxBM8IoujhcODHYA9NAnukU5N6Ar qkHAR68oR36hKgXaZmo6R0k/AXYEVnmkoMMqamKPhaW29kitPUqtqU43XJz0Pbg/I2g9J/lzZ/2W kqCcNjzAASPJyMhA3xJrZiaFGyEAjop8Aic17CoAOtCDhwO+8sCSkBIIcMEBnkA8pAWd4ysLOiAH cACk/FdAZQCkABiPPgUdeR0mjSAyhRRYu7c/8JWwjJlP1HPlyjpiS+HAbQCmA/EAaWA/oWFZntdh la2IByvIvcGYWxYIZOgqwEFg64BxYRsAfV5rwxxLSqdmLVCe+QUb6FOzcAF7RKgPflIJoVSqctBf yQBDXZyiHlefPJmbQwIwMBagYOk+mC+UcUHUYVnYS1g2yebmWeHytowaz9xJAX3e4Dyyeh3EASYF IrM7F6P5eSPOOyS8Xo/w6d6eWZNQ48r6AH2DyoG3jDOuA9IjwkZFhA081QGO60RNoKR4Nwj5g999 Hn2YNIKmyyUd+QNYSkIFRbPDpUbMuOpiK8EaEAhWAVebdzYpHKZm1QUrcwEU4z3pCDNHORllX86a GD8qABdPDjbJAKhAHN57yRK42eoEBhScCoSMAQwFKomn4I7N3kYSfcGpHlkv8W07X7w7T0HXcJvw cquPhgBwiUiMS7hnQHUIkZYncZFivCFgbSlmciR8C2uMq2AlaHpV/0TC3pTGC5eARwPpI6QgmLmt Bh4xrnjE0VMSSd9vknvPZ2ISW3k7VwtShbyIiRiPQVvyfhGfGV1O5Bg/MZQLJaxJVW2NG67jFYrY PT6K4pED9cHrAliWP1eDOdZx8PlEBtCDT5dQwPD0O8Kos9oCnS0Bu3eqp5xJ0wRY5JtJElJCFyrY vF6oYRXdqIAkC2+0+FwGX3Tg8foELJDNjBfy5d7XWmVvW/FPk/jrEWaMPXYOUMoRecyIEx0Biskl j61RN+9iRe9CouBolSgyJlMRnaV7m1IasFF8bjQUl0vLi0pHGSi8d9dzmcnoPAa6IxRB14B3QWMe Uwggo6tWs+WFJIV0VTiTpjxUvwxSo3MXfbpR5hMdgGtYRHhKV1PbsMu03C1+eVoYv8BprZzLUnhd lmDOvsjXDIiR0RZ4+pLmGIY9No3J5PEiRgkygS4VB76BZmKS6OOUCxW5LV0miti7FM7StQ6Bb069 67RAjx3v1SapBHzLRBbRsWrJG6nzFqUsfDQ14JDzRnq5/riJ6WIOAmwBML7qaD9qfB2Vw/dh8LaS Zzp+X5LYfVNVrqhL+PTwCWB+iPA9Ra7gKQuXMuXtrR8D+qbDdnxxBqtzAvqkJQ7cYFkIkyWa8nav LyQMX+33gnd8nsAvuzxKhr1GYUjS2AVsytdXouskEjflmcMxt/ZSbrt31F5qu1zdoA5kCqCIjqG8 jCLE1zjs7QIMAS1dZOek80qHy7d0pzvp8t0P6DCUi/kuVOxF5jDZO4sbedmHdlK2JxMUG98Ptt3D ZLayAr0Y3kXjo9PlTSEih5bvoQNKwibpk1UPyexHEEgiZ8ZTjO+NjWi35sVBIpDkDyVSZKLeWX2G YPS1pA0zwDrspwo1zytHYWzMQV9k+iI2alseqoTqN6Ip1FXihDRNMHz/Dq/537I+Hdd8vLEbZ8sh JmdvnBW5k7aP/BXdsZlLaZG3oi+Urf2TKh52eJA2YBmQLXj0gr+UNwK7aoJjQUd2I0nuzy1NeQJW oMuZF2JeDyKd+WAGGJ41tXCPTQ7vI+W9ZzWEd1jdBQVhdFo+L5MIEoyav9JJMLuXBB9D8+WaKvJc U0AQ4/5NgyXTasBPBB0QakgDQJIU6wRhYLOQbYiRAvADSCZkh2J4PT65AFoBx7ps/v/aW8oLMb3H foJoqDBhBOcFlJENVtIoCC2IaU4Na8S6EoWnsOzECRFkOD3P4c5NMsGQvOaCq+n42uuIqzwkKuWA zmxdD5YDCBY4z/FIxNVqy/MtESnMgL3k43hALuJGXolTRc89yBI6vii9YFzpKoLN3F/e3pcyECjP OdC3ErxspZYsQp+iwX+k1gEerklRggE2KMAYSpwgszQFAsXcmbD8itE05gSDCViXbUDlC1hliofK 0tEGcv1jZX2+KjhJy/tmnYnNXj7HFzFBiYEMhZbbQg1PFLJHU5CE4/dB07eU0f8OKEtgbQ7oet5u BRxv9g/rWf/2AhEngj8KmkrT997WPo00AvAMf4C1TpnSmheeDvS48j0AI3nnHy6COJePnXiDKXcf QaU4XC5cpc6cVa77kNOcTw4hCf/sTMSJL4DONyJJZB8SlVCU7t7eDObODKaA31rps1bekYVVZeXA LjNp5RJkK2Y7Teuezo27/SBSIIV8rCzhpAiUPYvUyfOJETZBw4Me0JuS4pWygL4ziZpuiRc7gD/Y O9ZRBfNJ0YjOzmu1zFnr6r534U1LWLr8DKin+eBShVo4q5gsidq2ubMK+L05bC1/mLHKG7ASLQ/g kaH/zXMUGBiQ03WOWQPUI28LAfaAq2a2o8raV9ZGzPweVNlKiQF7sg+J9FCXGDivEnBeEVG1TWUI 5Z+/J1rg2dcAmZLQB5uRy7wzZefNxYKlgGfUlx9fBqSB+YOzKz3ngEeNSV435JszPeUPEg5UeaYg TRVMVLTBETDUA6XJDBS5A2oa7adKlyAx+IMuC+Bt2H6+2IXnOpbZ5U5Jq7ryUgzVcERMuvxyZIlL rwKC9oi6i4j0E29Al3u2AUmMJNmVrdykxQMmEXLElJzxDVl8ci0AEIGOxoCM/vL3G2NeEUmSs+Ir hCKkn/8K33m8PD/LV+q84fa7ujhZp4DmOnqDVET7XeYxG7DHBd0fBX4mX50IPQozLWy9bzIasBO7 Dg5ANyLdwla0e1PXJ1DgoGKd5la5Z7Av9D2zhh662cTTskCPCF3CFo8FhNFwo43AReISD/9s9yHk CBeHvzWJTTuJdKlH3IIice9BhO8Vgf46pem5yR1BDqgl4eOdiBBpzUIyYQFaR3/QbEcmEQ/3alyf zFrvcsw12qewc7gsbwklrjOSaEzYOAcJPA004o+YtjYBjYvG03Nj/i7NyTo3oG/LaM0B9qYNDu/1 CWi66fDY1v0f0AH0vwWEvf7JWoVS+BRKebyrPc9OkPZ1AQXdSqq2uPVM5tVg7oLZdNFiND7tCeQI n/7weHQhDJwWfqXaLafarSZE6QsaxYhijEpJFGMKd/rPBEHU5184EqjpqDWeBG3xZjoSVMaZXsEd PzS5YSpRAKz7UGByOSvIw4Sy5CxKF5tdSJnKqpQ0UW3dyujZRlaGEOPOTuAlE+MTMSDktGMZT6ai SEqmUjnTI84eTzkeodYmpEOotu6+91dazLA61AnhgOe6sDlGyKBVA74jrNSMVfNarQ8kx70AmkoF lHf1DQQjPCDxTA2YobNKI1qXzvsCydV3/0purdLwbK7c9xL2ocBza5ISxZKXKTboJtksS0kCm1n3 5ZXV3aQWv6EXX0ajANS9iZkZ6O8vSOsPDm126/iDw3op/MERNrtQJ50/mIwmnT846qTctT+Yjkyt PzhqWV7JH0yHUOsPjvb9/fiDKlNOF9Ja/qCiyhodRFlEC7ffJrn2Lt31hDm2rF1s9qG9dZaSJkpb twtlr9q7a4pORqbKbdaZwHm6Vy8+gZzplAjpNvAa7Xu0z5/YdbReJZvGdbQ2DcE713HAZh/Kp3Md U9Gkdx2t3bvyKYqkZOpcx/P0q7mOyRDqXMdh39+P61iVboeOTNwPQTwM0CLX2Uxi8/fw2mCrihbs /p8fL7HVr98O3+7+D2tbD2hlbmRzdHJlYW0KZW5kb2JqCjY4IDAgb2JqCjQ0NzUKZW5kb2JqCjcz IDAgb2JqClsyIC9YWVogNDcuNTE5OTk5OSAgCjUyMy43NTk5OTkgIDBdCmVuZG9iago3NCAwIG9i agpbMiAvWFlaIDQ3LjUxOTk5OTkgIAo3NTkuOTE5OTk5ICAwXQplbmRvYmoKNzUgMCBvYmoKWzIg L1hZWiA0Ny41MTk5OTk5ICAKMTc1LjI3OTk5OSAgMF0KZW5kb2JqCjc2IDAgb2JqClsyIC9YWVog NDcuNTE5OTk5OSAgCjcyOS4xOTk5OTkgIDBdCmVuZG9iago3NyAwIG9iagpbMiAvWFlaIDQ3LjUx OTk5OTkgIAo3NC40Nzk5OTk5ICAwXQplbmRvYmoKNzggMCBvYmoKWzIgL1hZWiA0Ny41MTk5OTk5 ICAKMTQ1LjUxOTk5OSAgMF0KZW5kb2JqCjc5IDAgb2JqClsyIC9YWVogNDcuNTE5OTk5OSAgCjQ0 LjcxOTk5OTkgIDBdCmVuZG9iago4MCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xp bmsKL1JlY3QgWzM0OC45NTk5OTkgIDc3MC40Nzk5OTkgIDQ0OC43OTk5OTkgIDc4MS4wMzk5OTkg XQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0 ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0 bWwjMjNJIzJkRC5pZXRmIzJkb2F1dGgjMmR2Mgo+PgplbmRvYmoKODEgMCBvYmoKPDwKL1R5cGUg L0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAwICA3MjUuMzU5OTk5ICA1NDMu ODQwMDAwICA3MzMuMDM5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJm IzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJk djIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iago4MiAwIG9iago8PAovVHlwZSAv QW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzIxNi40Nzk5OTkgIDI2My41OTk5OTkgIDI2Mi41 NjAwMDAgIDI3NC4xNTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYj MmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2 MiMyZGJlYXJlci5odG1sLmh0bWwjMjNGaWd1cmUjMmQxCj4+CmVuZG9iago4MyAwIG9iago8PAov VHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDE0MS42Nzk5OTkg IDU0My44NDAwMDAgIDE0OS4zNTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2Ej MmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1 dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjg0IDAgb2JqCjw8Ci9U eXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNTIyLjcyMDAwMCAgNDAuODc5OTk5OSAg NTQzLjg0MDAwMCAgNDguNTU5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMy ZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0 aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3RvYwo+PgplbmRvYmoKNzEgMCBvYmoKPDwKL1R5 cGUgL1BhZ2UKL1BhcmVudCAyIDAgUgovQ29udGVudHMgODUgMCBSCi9SZXNvdXJjZXMgODcgMCBS Ci9Bbm5vdHMgODggMCBSCi9NZWRpYUJveCBbMCAwIDU5NSA4NDJdCj4+CmVuZG9iago4NyAwIG9i ago8PAovQ29sb3JTcGFjZSA8PAovUENTcCA0IDAgUgovQ1NwIC9EZXZpY2VSR0IKL0NTcGcgL0Rl dmljZUdyYXkKPj4KL0V4dEdTdGF0ZSA8PAovR1NhIDMgMCBSCj4+Ci9QYXR0ZXJuIDw8Cj4+Ci9G b250IDw8Ci9GNiA2IDAgUgovRjkgOSAwIFIKL0Y4IDggMCBSCi9GNzIgNzIgMCBSCi9GMzAgMzAg MCBSCj4+Ci9YT2JqZWN0IDw8Cj4+Cj4+CmVuZG9iago4OCAwIG9iagpbIDgwIDAgUiA4MSAwIFIg ODIgMCBSIDgzIDAgUiA4NCAwIFIgXQplbmRvYmoKODUgMCBvYmoKPDwKL0xlbmd0aCA4NiAwIFIK L0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnic7V1Lb+Q2Er73r9B5gfHwIVESsFhgxmMv kEMAwwb2EOSwmNkkGNjBenPI31+1pHZL/ER9FJtSS448SKZdoy5WFYv1IlX8+M/Hfye//pF8vH38 b/K1/fv28SBuRFY2P4mo/nzoAlRxo5U4/iSF1Dcmr6FfXw6vyevh4fBQ/f/1IE39xfav6h9PQ4j6 zx9ffz98bAY/NJDH2x+rT38mKvmh+u978tPPFfBbi+/4wMuhKE1FhxBSV78+d3+VWhTyxlSfK7iw fz0+/NvhX39Lfj8Spm6KmnjZENj99YOqvlMev6gvIvn1/NUKmS6VzEzh/NxFrHVLT5pImedHUirK Xg46zerPIqvgpbhJRcNcYWR6/EUqG67yG9XC3/A8O/AfxfNLh+ZStz/Ozz2aO7QpoY/DNjR3xlLS 3IgB2vrwMy9nPM8O/DbNkeTsoNlFg2te5pDz8Fy/9OXmJedh3XDpUp/mZrUcF7/rc5fmSeutlIlK q4+ZLBKZ/O8/1bgPy4xssmpkpZM0V4kyetGxj1znSrq4DtdrUcqink/LfohSy3r+rTnvw886csbz 7MAfz36IMk1vBtaiKDNz/AVp68K7vJzwPDvwx7MfPTk7aHbR4JqXOeQ8PNcvFtxHzsO64dKlWHJW WZmdaO7ZYyOKkzx7trAH79jCNzzPDvwR/aFRopGb5VuM1qcApUdbD97l5YTn2YF/Jjk7aHbR4JqX OeQ8PNeWP/SS87BuuHSpT/MpLC4hSJzmgdI0UVJXfqjyAtnJDTyEBayy/tOlpYE4AtbXkS9+fjp8 vDfVgk6efkkaCj40fz01RH9QMjXJ07fk70ea/pE8fT8cw/MWoGpAfgboGlCcAan9RIPj7qllfx5J V7nDBiVdinxrktZC5duTtBa6mEnSgUnl68gXa37KKusd4kcKU4lUVFw1tKQNLVKMkKttlr9YHCph s5zVgPQM+MSekIAjtwGA474GZCNfgSeAsM/2E7cWDqltecAotjxwlDv7CXsURArTAEhhWEAKzAEO KkJpbICyRwH94PPyjvQDv2JLDEexcSgwIg6J1TYjePGnVZjXXfxIKTAHWggArrjcoMCwfEXBV8oI AmqtY1aekBY26fZUylv7CZAp1SA0n6AwoNowCl+VwAssMWrpkFsbh2r9iR6hHQTClyUwYyNVqf1E jAWjCtHTB/nFJmz6WndpbkeGhuLgX9nM0pawpD5FmLlMHSeuOAXIslH+0q0vLgUaMzmgyLAIYzgc imNgzfHgIcBZchx8WAiEYBRbtXn4iThgFKCDI41iP4zsq2FDaSfaBsXE8IprGRjy0l5jn+wnPlMc MQiDFUMNu/5iqxB3H8HhxIUmJi37k9uxW+fkudkaFfX2wPDnXtLn8TxPCScOWnNZ5+SDKnys6WRv TMLSslVL2coHT7RmYgzQzI9UduQB8Q1Mshn5yt2wFehEEUNTCFoxT2ZeeyxZnAoNC5mKKMkKLEBu 5QMclEeoCcMEmCjuO8BDcTMHOOxgHMMPECovOwC3XMoB6S1MDCQWAAgIJKfrQ0gszoMt4IV/hWsQ j7VAHlCWAk0GpHwaeIhLE3GPugxQypM3WGK++f/YVxwadGEUUKeIZ7t93bmNkDQpoZ10ScsDeYTi juxuZJ5UZmsDrwYFZGIwLFfk6dx61ylGXINHmmXTofSwkC/MZlTR0w+PpR/gKiPUihfyrgEzxzV5 967vxbu6FuFYFYLqGAa9SCpwxzWXF12Af8coMTyQLJzzAiYHeANNXqbUU5o+5RGW/jusuIy5W77p EWCSQbF5eotp5RzhxlqsFI+sY0R9Hg4HkHJDHzANfBXaX9FQ7gCZ0gTH48QEn5cYSvf+TEwMf6O1 c1qWMUq+BaQLd7el7HG7ofB0jlM6rkz00iRJ94UsqbUIyHi2K/UQR8hTD87tMtXTGGWHCCZHl7b1 5LzAE6BSYKVgXgJSINvLe8Q0c8SnHpT6RiwxPFLqzIDmOXTARQoA6vUhV/MINqbvE83jsqdXHZBb elZqj+im+opZJptXpMN9+IXnNZuA7WwMrlTXXCb8CNgjjrGA1lXXjOE8jHayspIaQ4ixvFIQGOPl h2A1jbJfY9z53ntKIwJOMrzrMh5XfjhHyt9C8N3NvfQ9BdNT3JAdYSp1n+NDc+zNwhMhqcfWdjxj uLX8LQyCYDzgDSTqoUGC6/VRAfuK3GoHbANEcVpC9yebvoLjkazF8Pv8JMcyp+32fcQr+LkoU7nk ZnZcDZozULzQNeRZ31zECzZj+Kzy7awUWE9uo+mi9FjYMLX8MCY/3h0jBeLLJd6ZlDF5bHdRvmuz vunjIbMcNE5V2bMo6808Zzw2HMEmayVPg+xbs4S57bwcFGA+wcJw78FtEC/8zrI3OX0PHdMXzkuM QIDn7mCTAcDD9Tl2Pd6hv73QnGrLnvITA0DH9DWH08DXHDUo2NgBWl/Ae66whxHPRWnjZHZ6uotC h5A/pBQa4wAn+BdeTrUBGFzwNWcTFlKBDdjPBDoiLGTonjHP66q8AB2haxi6pIBDsXPEQbgKua7z 2eemj7eOWdexlEtNn+jZvvUmOEturcVwJ9mEjAeW7fRgfDuRNT/9z50ncOthxrhM+TSAI+RTGaNv 44bTW36WEFYp3/Th6e1aHHJAcsKTJLoI/WPLC8tjpeibOno42aPLHPW3USJH8NkQ0sK56oDuZQ46 YvgX4++yB9QhoIS05Bms/axPCwh5qYAXegPe756+l3StAD5Gjsw74/KtRc4c1/VZ3mn07eJyoW8o TN9MxSjtxThTwo9PLXNkgr/R6mHHqTGclNHkyjGZ5rgNltoN2YsR2q8EAMKgY90O+CsDVqu4V10v UaxD9rZJnq5ksh2XQkwSUGYDeIrjqAmM4SiGXXIH4HBSHQD3SRCR3NNhHf6148UhALG5lfaaA8cv QUC2PPArMJVAOiAFHDC3ERTXg1sYBaYS1AEyGt8LImKslyjWwRQRhbyQdVgLYTtgFYBF9EPCHjjY Qv6KN+/bvDLrUGwvdoB+7zx2kODEeeywBxP9JzilNh2IdHqo4AFYreJedb1EsQ7lHjvsgG0D9rrD kDxiWIdMbiV2iMKt2m1hMGCPlKJHSh5XxOy2cDlbmG7FFk4SEORRfIc7YBpAteHYLyxkeAJqfQEr it4wi6PAQg6gA4YFpNA1kOsYlXpIDfYvZcZjxg6Zf+xwJeVfr9naAasALKIf+JYRrbAquu0zT1E2 onXItxc7BNRgFT9TNEuQR70YbunRPT5wwNwjK6DDdkkKkHK7Pt3vzwNYreJuv+5Q7HWHHbBtwF53 GJJHDOtgxFZihyjcyt0W7oBtA3ZbOJst1FuxhZMEBHkUFO72PKr/xGbyqFnOwQJgywdjI8YO6R47 7IBtA/Ya7GzWwWwvdgipwQa8QzM9MlCA1HGnTAdg84I+CkjnX4F9wu24xr0GuybrkO/v3+6AbQNW q7gbqDuYRIrB2zuyvLIOubQajnUa1TTDmvOw99YTEpoRODqidlqlQUMDe9jW75+faNuswh1/cN3L ua1G2/+k088gs3kpLcKQUmjAdkdxgAgNk0frkfMRpPAE0GE/0bpoPUKYPbf4FUD62RLyJC0c7UqU p3kfZ9w+39dqcke7iWErKN6Pnbaf4w2nPDrVBsgjwsWswMs8zZC1yPtKxztf8+5R/O4jmzlUyytd q8m7evEGS7T7nqvt2YXtgtL+VLbvwUph+6jzCgppIAR9nCB9s1tO4zn6WW4zhSdoX28VrZdcbpTT GPBOaY4scuySnekXw3m0cKPNwyNeMTylsaTHAuLOgtpTj2583DfQCwxCbongDfw4pbxgxO9N4Fcb BVxAHuOGKV9fOclZANJZbgJLpe7bD5AYtWuwsn26nNG2b1pE4K6sjWP5RlhAH/gYFuY614wOTAOE 45qGFwH2YuWXhY9RutpepdxZ8uIw5yWgc/F+XzT5yhz3aLruJ4hgLQuR+S/bdd0dfxn30qR99mPo 7TtqBB/lZoVGxd4OWKk7O5ZYxiHv5qQfKQCOGB38A8pSyxRZ3tGiDOmkH9BNm6dii6iUB7ezLKB4 ahnDep4PoF0nKOw6gjdGbpRof5yfu2z6PP94++NBJH8mKvmh+u978tPPFQnfutKbOGgt2yKR2eAe 3LHZeXl+McDxBjqo2higkb6UtrQ71YZiWHGgHjFWWgIcd3a4CDggggIc8JXSHtZmV30GduFEj707 iAKBceFYjE1q+0RfH2FhNRCuU9NWZF19LdPSPzjxLetMsmnL3PLEt2J4hY43/ohhbHl8N8ttOkqW PXXwKYQF3IYK88BF5ntjxCSt44FEhKK3x9ZcQME64Kqo7QaJIRencWuw2hzqSqWyWcrzpglLzg7G oR8R9hBLk65+apdJjx03sES+XkeavCd1ZQdY8+wSUFuQCjuMS1s3dt7J1xDHQeADCeG9jQQPCHAs ITc7e+yL8Dv9Au7UBVJ5Js79No+f4uwK9i3CUoHMLNsN0+/kAqUa4J9vE89Su1rk5mZXOBDDy+Sl ky4ectHTQHtJJHJJRItz7EFLIthi7lpFE/BPjQJ3DuraNRKPXqq0zgLDYq1mLUUTJOQLJQR3HaEm BK8LgNxh3DsbB0gV6LBxtHRYyy8r2x8wU/a/eSwrN7LTyX6HIy0qoyeK06FIndvyGK4Ls/G0cA2o +gM6ToYH86N1n58UtMYM+9/Unr7OjJeWUFqdiCeUPJ1VKHnZR28fz0cz8IWJQA573GARZErOKYKs zlPP6LHibCyOdRGVAJWa3uljBS4B1LCA9ANm5ZM9K6C6cjjqq9mq/iSvFXPS1FS2f319Ca1SPyQP h/8D0JRZzWVuZHN0cmVhbQplbmRvYmoKODYgMCBvYmoKMzYyNAplbmRvYmoKOTAgMCBvYmoKWzMg L1hZWiA0Ny41MTk5OTk5ICAKNDMuNzU5OTk5OSAgMF0KZW5kb2JqCjkxIDAgb2JqClszIC9YWVog NDcuNTE5OTk5OSAgCjQ1MS43NTk5OTkgIDBdCmVuZG9iago5MiAwIG9iagpbMyAvWFlaIDQ3LjUx OTk5OTkgIAo0ODEuNTE5OTk5ICAwXQplbmRvYmoKOTMgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9T dWJ0eXBlIC9MaW5rCi9SZWN0IFsxNDkuMjgwMDAwICA3ODAuMDc5OTk5ICAyODguNDgwMDAwICA3 OTAuNjM5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJm dG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFy ZXIuaHRtbC5odG1sIzIzSSMyZEQuaWV0ZiMyZGh0dHBiaXMjMmRwNyMyZGF1dGgKPj4KZW5kb2Jq Cjk0IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNjcuNjc5OTk5 OSAgNjQxLjgzOTk5OSAgMjA2Ljg3OTk5OSAgNjUyLjM5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQov RGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFm dCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0kjMmRELmlldGYjMmRo dHRwYmlzIzJkcDcjMmRhdXRoCj4+CmVuZG9iago5NSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzE0OS4yODAwMDAgIDU2MS4xOTk5OTkgIDI4OC40ODAwMDAgIDU3 MS43NTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0 bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJl ci5odG1sLmh0bWwjMjNJIzJkRC5pZXRmIzJkaHR0cGJpcyMyZHA3IzJkYXV0aAo+PgplbmRvYmoK OTYgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAw ICA0NDcuOTE5OTk5ICA1NDMuODQwMDAwICA0NTUuNTk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iago5 NyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzEyOC4xNTk5OTkg IDMzMy42Nzk5OTkgIDI5Ny4xMjAwMDAgIDM0NC4yMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rl c3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQj MmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNXM0MuUkVDIzJkaHRtbDQw MSMyZDE5OTkxMjI0Cj4+CmVuZG9iago4OSAwIG9iago8PAovVHlwZSAvUGFnZQovUGFyZW50IDIg MCBSCi9Db250ZW50cyA5OCAwIFIKL1Jlc291cmNlcyAxMDAgMCBSCi9Bbm5vdHMgMTAxIDAgUgov TWVkaWFCb3ggWzAgMCA1OTUgODQyXQo+PgplbmRvYmoKMTAwIDAgb2JqCjw8Ci9Db2xvclNwYWNl IDw8Ci9QQ1NwIDQgMCBSCi9DU3AgL0RldmljZVJHQgovQ1NwZyAvRGV2aWNlR3JheQo+PgovRXh0 R1N0YXRlIDw8Ci9HU2EgMyAwIFIKPj4KL1BhdHRlcm4gPDwKPj4KL0ZvbnQgPDwKL0Y2IDYgMCBS Ci9GOSA5IDAgUgovRjcyIDcyIDAgUgovRjggOCAwIFIKL0YzMCAzMCAwIFIKPj4KL1hPYmplY3Qg PDwKPj4KPj4KZW5kb2JqCjEwMSAwIG9iagpbIDkzIDAgUiA5NCAwIFIgOTUgMCBSIDk2IDAgUiA5 NyAwIFIgXQplbmRvYmoKOTggMCBvYmoKPDwKL0xlbmd0aCA5OSAwIFIKL0ZpbHRlciAvRmxhdGVE ZWNvZGUKPj4Kc3RyZWFtCnic7V1fj9y4DX+fT+HnA7LRP8s2UBRI9jYF+lAgSIA+HPpQ5JoeDpdD t/fQr19b9sxY/FmmrZHsmclkcbezGluiKJIiKZJ6+5dP/yz+/Ufx9vnTf4ovw+/nTwfxJMqm/1eI 9ufNuEHVT1qJ7l9RS/1kK9f65dvhtXg9fDx8bP//epDWvTj8ar88DiHczx9ffj+87Qc/9C2fnv/W fvpfoYq/tv/9Wvz0j7bx56G/7oFvh7qxLRxCSN3++dv4T6lFLZ9s+7ltF/TP7uFfDn//ofi9A0w9 1Q542QM4/vONbkQjn9rJlReB/Hp+dei9Q1bo87jjVfDZstDStgtiTVHq4r//OnxtB99saN1+VI0t 1MTQVuhGydLWwc/jobUehmrnUUs3iqjbBdem7FaxG7OslekWu21vV95K82RawBRtV1X3sms/9fNb oP+OKL6OYG708C/42YN5DJu2rn8H83gs07hnADavfTSXUz+/BfqnMCfCcwDmEAyhdcmB5+m1/ua3 L8LzNG2EaMmHOTMr1XXd/s8U9QQrHeVuA1Jo3TDGFLqUnfguZHkc5mOcRJTuZwxL3xKQiK8zL77/ fHj7wRZSFJ+/Fj0Eb/pfn3ug3+hSt3/8XPypg+nPxedfD538HxqUa6jODdo11OcGQ5/o+3j5PMby Ogn/OvOim0/TbkFT8ylVOx1RH0HRHxwoUtL5jMCvaMOPtKF0DWZmxnwfL7RBU0TTV5Rg4XjvGso1 k4M+3tEnajo5aIBOAR/QwIP+TDqVej2SYRQWyQlxSun9SY3EmJkUY+GnlvDFggEcr1QqwCyqqT1u EXaaFkYNDW0A8nlPG+jCLuCND+yw0AcdVor9hJARvhRCIvtAiYzSlKRLIXkyBKYDUgY4+E5hfWGx 4BWYHAzbsHxKO1WGPgFwjLgwfvvQhCP42fJzAVqFPgJzOXcq6V4gn1PM1pFpa2AMffY4loLu5LC1 nxtkSQDTkoCugZLfcU8oTXEK+KDDIp0CFbLcoKCPFCSljfCwHJrcpaPU3igXbmPxcFTah4MqD8jI LO+HhP3MUqK05FW2CJ3lflUDU/lUKylvIIZh0waNDl55nsTOJnt0KQnDJNk+lC9RQSohCiJoimcH YClQ4QNq21wfAT0uwRYkpQoyIUDO4kf1O5CckyjrzZEFr8COA0iGlaPTnYAd1oHX6h5m4ZTCkYJQ zWmhXigYQDC8Gkwh1+BroaswQR+gPMEGC8OIFfgI7hC26RBSmyOSqQGmqIqmwHFEGxSYm+wWMuis c/Yn3ylvawGk1CCFyWEDyCkKGOifCnC6hpKZlWua0FzQlgYkw/SB+un0oY+QNgDEvuoVAJ2+okAG U71FUWtM0SckfQJHATjAtQJr+5JsbZU8cuUdenRWEV1GrXVOOlDCVXQZNNjzFA5N+wCMaZCFAAdQ sk61Eyp7ggt8BPdrFVWNP/X7465dbDFZax+v34Gf8mp9FXPTZy2cBbaX7B9pZgieDoM6P4B65X5a AP0yEWys9Rjm4blNgFSlu6NwVSX1CCl3oDDqFGbLszJQLmi9VOigFAKtBriQwpHQStTqNCzsmLyF B9o3PAEH5fz2x6v0YPNQ7Uqz9qwGm2cTfRSGRQWVwqHBWAdlG4QhzBaU3IB/Y26hwCpizUa5hk5n dVptT1wardPObAUGBC70sU1QBOV03KN4DzMQELiuAB8gcSJEIe8NBmUiIlYHhgWBC7ONUC5zeGlR 8MMoPKSAj/WHBQsQlOS0sbEe35peBI3DvRKcwAzW++gJ2MV4HWaBpnwljLqAqICn+NOSK1fQU2wf tfR1h+9dHU/N7C6Q4ozlRJ0af+lAlwTS5uX2eg1+wXYBPAcyN+ZsiD8pZs8fc5m40l9t/jCVZf4k 6wAIChxbzK1DxI6KhAnrzy/u0qWb09r482iVTKKeAyn4o1KAiw+HTBGCnYQLY0IY1m/98TEeM+o0 bEJp3CZKeus/HCaPIAVW5iMYQD7wMfkpMMarUwB6Hv2SNzd524A30XhQebOGV/R4zW+9brhptsDM rsSbKCG30QySeVUQVy5JSByV5DzTAWtDA0+nS8Vlgl3KyJOOslP0Gn+kggEK68+pknBlgsA71IR4 FtvH+kwXeGY0idZpZlYyRUA1K+f1M4EDjV5Z0RYjaYt+RwZS8BKal8gi4OXh/aSs+LuhWN0Ivtsp A4mlq3iDY83axgiVCMUmYE1eaBnrxpMI25waLIhS2DWj9faCiUrjS/ZHNFHCFHBTljtLuu8rhimL 1P6OhEEfJ3Km2rvLt1K19dkSSCjFoUkerY73ElNq1z+uV+IiXEv8IUEWAzSPz8+41NEzhWjYy3gp zLMALB2fxhRR/oOOEhMwwKrKpt9kR6fdE/YVNdPGxVku3GKroN8D0Q66DRsIFnHuuICV+VOCBdYm 70jlRcicr+Bcmmi8rUx/9iT3gud5ub5yUEcoruLRlNTvhH5pToQSUGBBXZl7wnANQ9oDuMNGDb0k tZQ/R4ss6ZoOWUBj/wZVeiABAwaW1HuDKSvwBJ2exCAXdhhIxsNeFUwPrDWKNczIATRitah6et+D YfazHcrqmI78KB+1Wr+64TzhazkQyqQJ72oHXxilU1ceXybxs7LBEBD3tyA4CLZ16JQ/h0vBlvuU XYk5c98mlSmjmEqgSpctfW8q2FKUu4hYhRsWQbIXQaeFSiELHk72/H61uvT5CxJ/gOJYEsRSBrRB 8577yxJdttaLuzhMD41pdnWyNlcb9pTJ4WUJUhNkHe208V/iiprzvaDNjeEBbC8xCdbpXEsJ1AMr 9CXkvd4ZtQCFsO2wQa2LzbwLN+pSeijj4y8XBGQCxvjw0ywJ+Fkyf1OoFGxUfIxLI0e8cpaA1Ri2 1Cu3c4nbuVSi0FZVxbfjx/pJClPaQsqm/9R0rS2ryLr/8KWV0fapbkqjxfEr679p+z7dk93Hsn+8 8F8sj32W7snxcO1XPTSnN49wfjn8cnj/Q64qItoxvj45m1Mk8d6hK2YujvZm3CgLfHU85ycwrhbk cqTIHgUkT50WxQgPo07Cw+gp4WHMwOjtByI83FfWf9P2fR6FhxFTwsOIY5+CCo/uqx4a4QkP12d+ 4WFSVgC4K/bapwhJHrWKXxdenclyIJNiXwA4+NSQJNlm/NJtqUTfnqfKuMs4RhII6lKyDVDEBkvh wt6TpTAjVDaFPsC5RV/hG4J5phcvxbAZ2NMxMNRiZMNsofQiUi5fl5YtM4rVDNgyowvKKX1Yp1sk jRIsfcwnMTR5fx/7CipxfCo1LEXEKVUWD4m2wkfyldfmSF1ZQPvTX2DjoXsT8pYwQYqNmoSS2UP9 jgtXt3cZVnVqU6FuTqZCI6ZMhUYOan37gZgK7ivrv2n7Po+mQl1NmQp1NfRZV9RU6L7qAas8U8H1 md9UaHSIWh5+hvUKdw5DaK+MC142soc0uAw8YI/7a8ZC3l3vcmZSuV6LBU04pvAk5F1D1UQopR9Q 0Ha6Jcf4si5JSQCyNnedGbXgrDEirn06kef62bLfOyvR+Kv0MHJDDdDHwxbdLOalKT1aTaVIV0oe FelKqQlFulK6V3q7D74i3X9l/Tdt3+egSFdtT6hIt61Dn7IhirT7SgnvzSOcGyjSlTqlBD4UaWYj 2Cv8I+ZwjffLJIh/4Hd5PGPgPeZ80uQjOpao27XPynnOoGC2ERWkt/R1XRjI1ItHE57cgoMcvmpm REGajWoAitKbP9YA5OPcExy18/hYUFyLHTbPrcCqrn0S2itBdv1NmDEils+xf7hEzsSw+MbGXbRv 46rjjEg3yTZlrC9SdtKnrjtcen19vZgI60UJ8DPEFjSvylNIU1VOhTRV5RDS1H0g5lU5hDSN37R9 n0fzqpwKaWpbj33SkCb3VQ+NF9LU95nfvCqThjTtc/y6V9nILIFCt1OY9o7i15JK3EvTfozPlxE8 xUeu7nRKxwebwVEXb/etDxwb/KhNeG2xjio1L1SSbJReCJ9L5fC+hfVJb9hpgsre6YrXVqerph9R tZxUAsI1/N2XO50382wasQfxp3b7eMkwuABe4eO9+LtVeN8T9JEkIqyqfT692kxcQPuCehrrtaeN nMZ8pWfe5ZeunMjteTTc7lKfL7t/5PZHqSim9tGYwou6kTTYyLESYzsGghDmTFZ+BwG38VJt+tJb 0qRPIrx7JwHNJKlzz99hvuD+rjs67rsyRSaBeVHrGxBU/L0HGUv/3N7OLt294eeVldMBb9vsj1Xl Uxmvx12JTT8Evc4Z+Xz8BO0joWtlTsKmcKyCdgDacyAibTrR+kIxVZ6u8Hlh58abwXQqeCHiAskW cTPhPZcvTHOx0DY5zDdTGua+I/L2qtjH7x/8mUGCEuygTfKhL2ihLDXzLr2IsPak8AIbhg304S+C 4D3N4zpA7OSCCpPTl5pznTDgBhDkEM8OdbhpA0S889ctgPcEo9X5TpfWPBhBCkk18AQ0AIIgvh82 VPDzrFEWmKWUdWguGEYPSIbpA2dD2XnWRRWyk1e9AqBD6ByILUgIoXofnyGCowAcbK6CWhPSyayt vp+stDU09kj2YRoeyT7JWMzqEDnc3KHAaBTYtCh9KDoXDQtF8YE0RkHXABjAATJZr1jKObPZCHF5 8MDt+b+qxp/6Q3I+JOdCybl5mqTRPq2mOXCqvE73CtTe85brWw7mjvFX8hdwBDglohZHio3pnLcK vhf2trsF/syIa8BT3CCZI8Ab13pp9cBL7+ww3kItCOvhfVERJ/85ks7wCX5YfpQI9y48wR6wLyj7 meBAFWUSf8cNkDYf0rg+SXXBXaB8YbgruWXtu06oK43w94HHBe7JLmE04nxp6JUc9WxapujSOzCM j8IcpY7yZH3LLmV5BPrjFmhGSKfJIXjc4MyNG3mDc9kM/1B4ku8W3Mwc7szxlA2Kg+7oUzTHjLOh NKml+KCcy42nRTB8yx8wcOl49HzcTfGj+RjKAgKiHD9QvdVQJbQhSAmc+EQjRblaetmQomTjdT+c Lc1MEGfcU/DYcdHQFkTktNSPR1OlsqLJRfOdu5+Y8/vEE2pszglpIf11B+uKJQQgFT0dnBsLoot/ U9Vm4sf64yVGuK382dyE8JGizokTKbXX/a0KH2ltVjRV0us+v/CRjcg6IVcjcbTu1yd8euWnu8B0 U+XnPGAW5Wc0n5uQP73ykw0pvfJz7v5W5U+v/ORDk1N+zt1vpfxkm1Cv/IzW/QrlT39dwOk+BpA/ Q4CfHFHVOwo0xlBDfYIX+ogCJp++kDZ+bYXxZpaaWEXjX2TBL2UFmFTUF/CervYL7TU1S9smK5Yq sgglnSAlJr4B+hgcrDMNiNcRF7U/xWs7WWkd1MOvL99iPcsfi4+H/wOhd/IsZW5kc3RyZWFtCmVu ZG9iago5OSAwIG9iago0MDE5CmVuZG9iagoxMDMgMCBvYmoKWzQgL1hZWiA0Ny41MTk5OTk5ICAK Nzk5LjI3OTk5OSAgMF0KZW5kb2JqCjEwNCAwIG9iagpbNCAvWFlaIDQ3LjUxOTk5OTkgIAo0MzMu NTE5OTk5ICAwXQplbmRvYmoKMTA1IDAgb2JqCls0IC9YWVogNDcuNTE5OTk5OSAgCjQ2NC4yMzk5 OTkgIDBdCmVuZG9iagoxMDYgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9S ZWN0IFs1MjIuNzIwMDAwICA3OTUuNDM5OTk5ICA1NDMuODQwMDAwICA4MDMuMTE5OTk5IF0KL0Jv cmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUw OTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIz dG9jCj4+CmVuZG9iagoxMDcgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9S ZWN0IFs2Ny42Nzk5OTk5ICA3MzkuNzU5OTk5ICAxMjYuMjM5OTk5ICA3NTAuMzE5OTk5IF0KL0Jv cmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUw OTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIz UkZDMzk4Ngo+PgplbmRvYmoKMTA4IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGlu awovUmVjdCBbNDMxLjUxOTk5OSAgNTIxLjgzOTk5OSAgNDgzLjM1OTk5OSAgNTMyLjM5OTk5OSBd Ci9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRl bXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRt bCMyM3NlYyMyZGNvbgo+PgplbmRvYmoKMTA5IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlw ZSAvTGluawovUmVjdCBbNTIyLjcyMDAwMCAgNDI5LjY3OTk5OSAgNTQzLjg0MDAwMCAgNDM3LjM1 OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMy ZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0 bWwuaHRtbCMyM3RvYwo+PgplbmRvYmoKMTEwIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlw ZSAvTGluawovUmVjdCBbMjU3Ljc1OTk5OSAgMzQ5Ljk5OTk5OSAgMzk2Ljk1OTk5OSAgMzYwLjU1 OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMy ZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0 bWwuaHRtbCMyM0kjMmRELmlldGYjMmRodHRwYmlzIzJkcDcjMmRhdXRoCj4+CmVuZG9iagoxMTEg MCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsyMTEuNjgwMDAwICAx NjQuNzE5OTk5ICAzNTAuODc5OTk5ICAxNzUuMjc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0 IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJk aWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzSSMyZEQuaWV0ZiMyZGh0dHBi aXMjMmRwNyMyZGF1dGgKPj4KZW5kb2JqCjEwMiAwIG9iago8PAovVHlwZSAvUGFnZQovUGFyZW50 IDIgMCBSCi9Db250ZW50cyAxMTIgMCBSCi9SZXNvdXJjZXMgMTE0IDAgUgovQW5ub3RzIDExNSAw IFIKL01lZGlhQm94IFswIDAgNTk1IDg0Ml0KPj4KZW5kb2JqCjExNCAwIG9iago8PAovQ29sb3JT cGFjZSA8PAovUENTcCA0IDAgUgovQ1NwIC9EZXZpY2VSR0IKL0NTcGcgL0RldmljZUdyYXkKPj4K L0V4dEdTdGF0ZSA8PAovR1NhIDMgMCBSCj4+Ci9QYXR0ZXJuIDw8Cj4+Ci9Gb250IDw8Ci9GNiA2 IDAgUgovRjggOCAwIFIKL0Y5IDkgMCBSCi9GNzIgNzIgMCBSCi9GMzAgMzAgMCBSCj4+Ci9YT2Jq ZWN0IDw8Cj4+Cj4+CmVuZG9iagoxMTUgMCBvYmoKWyAxMDYgMCBSIDEwNyAwIFIgMTA4IDAgUiAx MDkgMCBSIDExMCAwIFIgMTExIDAgUiBdCmVuZG9iagoxMTIgMCBvYmoKPDwKL0xlbmd0aCAxMTMg MCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp4nO1dS2/kuBG+96/QOcB4xIdeQBDA 9tgBcghgjIEcFjkEs9kEC3sRZw/5+9Gru8X6RBVFkWqp3TZ2bXPUZL2rWCyWvv75+z+Sf/2efH38 /p/kR//z8fshvUuzqvtK0vr7y3BAlndKps1XUgp1lxft6I/3w0fycXg5vNT//ziIvP1g/6P+x+MS afv9+4/fDl+7xQ/dyPfHv9a//S+RyV/q/35Nfvp7PfhzP1/zwPuhrPIajjQVqv7zbfinkFVR3dVA iXo8pX82D//78Lc/JL81gMm7sgVedAAO//ySSVFmd3maFotA/jh/tJ5MVVJkeWn9fTixUj08egjZ +0HpFqw0zRLZ/5aqhga50He6fkbScVm0BJDDed4s8zfk+WUAc6X6L+vvBsxn2FTZANP++j5cKxN3 ncQUJmxk/ITLYJ43y/wU5kB0tsBsg8HGlxh0Huf1+3Dckc7jsmGTJRPm7vlG+W2/D2GepW95lmip 0kQVeU3l5L//rBd+WW9pVWVJpnUiFS7tLV25SDtaVqYW50J0clSZlCfjJ04N5nmzzB9Mi3OhOnmp TI2oodSNwUXYjPEBLqd53izzB9Nik84WmG0w2PgSg87jvH43x53oPC4bNllaVYuLekmty0RkI2p8 DCQqcKvz1qlVVadlE4/U6xyXefFz8aL9HsLSjVhc/MfEBx9eD1+f80SkyesvSQfBl+7Hawf0Fy1q +r7+nPyxgelPyeuvhyag6QdkO1CcB1Q7UJ4HNH2im+PptUc/DqWzmq/7o3RWu5I4lD5TWQ70Z/x3 I3R0eJ6lxdxFW0q1zBuhlMwbkRTiiGRFyXDfDujTgGSf6Ck3MaDSdkCI86wPMFKys3QMqW3d6ZGi HakmuPqtHcjPy2TjfD8vIzpREel5JOVmhSdkP4maAK1DOGOBNyVw3vbkY+KDrZxUSQ3jiJxkspET LY+0f6b86jWqpMwA8AcD2TiLizlzPNEBRVWdfkQC+wCOB8oKHjmY436cv8XEAEwK9IABHvRHMqlQ 84kMq7BEjkJToakq9kYZrPR5QICCA2TPFDIKiMjpAA87cArwp3BoQbFTD1R0M0J3qSgyUWSZSqrU lP8gELxQsQRBFQJlhwEPBdm4brfm3t9ul4VhuFeyD5ZVFuLS+qCsCMnJHes+mkcPUCn+4pFVIBBt KkFSQLBDIYPPoExFMSC8eQCLAnBU850hzAGrAC9pkGJjzDKVUrkwdArlEJEBdIEgwFwqZSMSQgkA 8u+gZmDKQP5B3Xk7TQFDPeRFhhddnqi8hwXkQKi+kSd8zI54DiB3QlaN3BXSBHXhpEoZkyL7QWK8 NwsLIS2Eib63K6ObQSMfoE+/kw2i5SmXTaPDAi3qNW4W3KvcxP2Z9bisX+s3BhMDqhw346CTA9bD pLBsOsqDZI0NuazkmAYNDAb4XPCGYDDoEyN2GuQQRJePMe5DBYMyPSau5BPnDHjzCJAryBI6EIiS HfdKdJmr3sSNUIgS0WHHsc62jg1kgGRIQ4hBOvwhJ7koQXXdiZCYfntKYlhziOIPgPEbHViFwiFz OgBCBhoEmwPX4HChEc5Kwwo7JHCpFXKI0YHZlGKAvkpnIGeNVPImRpU6O65iCY3BkMNeafAEhCHs ngVCGQhUUn5SVm+VJTjYcVg2WAXYIOgAxUXB/pvSQ9E5AHQFgAEcdOvoIEF0FfgIDkDAQakuIa4B qs+J2RiNyq24ALNR+AF9MLAUfZRCMDmWDNasjwDo9CMSvAcVKRQHUEL6BK4CcIBLAt4+hXAFTTyu UnLiPvAEt+MeE45dp3z5yMjjyJDdoCByfOoN4AB74bFziBJMKV2YKnQZQYXw0yHIZaM8n/wmzLGf DAeQzGGLP/9IHbeWwH6eqPARD+Vno/6AGY79JTw7zyiFKSw7Dqwvku8UujTJuCNrAK4f6t9GgoFH qtwQ+7Bnhg7eEIgGwIO/5K0/HPeBI49zmKmFKSJ8NiKAzDgIBHvai96QZYPDEeqOCyQ2FoSE2Bqp wgr5ZgwVm2aPfqS6K88u2nzGmbPicRSRdfxjUZhSxsdxwEsP4weTehwH0qoEkCkxv7JBlMR9gj/t k0+DASiuZLfffC2Uxw5VQ/QMKZ14J6oqP24/93yiGjD/r4Vd+CGkhuQkxPo0xob0JeZm6cAtnznq 6KaW3c2pC9AUji4UlTFhUcsdbzAn0N/PyQ3wBYQfkOtXCWDGdXYy49QROsTJcLzMR30eeVcIvqPs XzZyIu2QvAPA+DoZvtCYv2XgUWvDJwDZ0lyHzVmMjbZDNQ4vdDHkdMFp0DJzoVVl2gufnSUbTThw ht0FIBxTNbH+9rNSBkEg2JbhrHQhrGIY5XRsK3cj2XMKhMOihQvrsPPSYANfEsnXKjqUVfLqMl9/ HPjCG9QLWbY+DF506cihNBXw55VuKwpzzZeJeZ/sUHbrfRay0IzrlDEgsAuA1gA8pJa9xqzT5Idg Tqs8ekZIqWHBjijoyIg5oNov4UNYVf7MrxTlwMxnK8THPjApmBk25eWj3nzsy39k/ipe10N57MBT g6LxNJxvAMMcXLZl1GfF2mxp+s25zXVuMTtl7O/ArHUg2fm6AIgkn1S0BLFTYs33jKGZOVzWEl1C 6vIyZ39ZbtJ1I6f4Dhs/NunlcIDGH0PNv0yNzoLfgbmejy10FmllMvvWWIdjf4j7+GyGF0pWMLpk d/UwqYDmakF2LakyRGizvRYcgmvIzsEJc4CyFyzYg/oCHSwrmInCBhgSGTxouChvYWotzUxceDM1 f2+xUrJ6WF5xZa0fm/5QPS0DNHZMLRXpUx0Zoa1j3ypx3ogANudUZbE7JHRcZKHFXBXM8UR9K8wB foHv/EiJhP0yEVQoJNEUdsjfUOxgDgfIvvGQwQk9LcXi+3biuk90DsoI28VATeG4XIPNXJRHdOCw b53jco96cP5Y1qNIkI+22eDyUjHLVqJeICFwzuPoHyJnXhy2dRNw4earyA01dSiV8dBKj+0Jf0mL n4NPnPDHcrxWRumWBnV0sH3nRdujvPWiKhZgq5ErZeXkOgesfDLY4yOb7cba9X0bUP1C3VhDlAbw cIBt9DiR8ShG28jpwS0+4+ZYJT6znZUvtJ4iYxQ5xlW7K8zChXBi+hiNRbpXu5nWFRvL9O/v/FG2 ie+zwGAlGjuANA9wiMlfhOBPJPFeDHuq2S97kXyHUsJgRRBz6NFm3OMmwxUdYipIkgWpKS8Jb+cX GrmfuOzBcIcotPoWgDGdv8z15lXMI7qO2NdpWR0yX4UfIjUT4tbO/DtKfGVunBNsWVamJHu3m9tf EKNEbuB+C2IuFsTo9j2DAzG8aKyw0GlXhYnLKkVTPvXU4ZqBh/CmpT1AC9HGBW0wm6fGnCGfuAYi X9NbbkR7pe/MqSCb4P4W+aAoAY71qOuDJ/iLHLj35pu08D35YY6AUX8ZeNLMnNTjlU7rtPWncATs QVLIo1FG/8j37YZqJrbnBrZh4POMbOPqKAPQQgGfgKYT/JEtxBw8+vQJWBYBs1w2HIglhVRRY4CX ycAG85OyTVp4evCdXxD9OflfRj0yvSro+xng1cP5BGHCfvAUwwY8fJN2vs0PAMYaJTmnnR8jdPX/ t8Xs/Qzw5tOWzZl6wkPoosAB3pSVUwfh3ypyfBcs26X6OFpZatsqtwFuAHylx208aN8WziOHkI9S nCLpVRzOfgZ8IukYJHQInKEVHfsEGkfAFmQdbKEl8Thh6NEVsK+z4c2nbXMWRD1kZUMuiovez4CP esQg4U09LqkeWsfk7TqR43WrBzTLDUFCVugwyvFuIHBT9W2oehbXE8bYR31yVfcg4U3FoqrY5MFp lZ5erAotivdampFnBmIBk6uX6SuTEnz4miI4e+RbWXXaMdG4y+FOHd+FMkQ9oc8Llih2K5UgWo7e F1ZdtbcfB/LgUabH04Ovl/O47LhKcT2eRfPlgvxrjEJ0Ur/QtSHgnMcVU15gYrBypDKHv5nIV8QE u/RSnd9yxhsDXiznG2WfK2GurFxY7aOUQaBbtU8MKmspTCpHqfPVsjKF/RPV+eq2q98A951Hk7oi +FxTNBnkouGMrsYhXMj5XXFAeL6tGF/HzF6mGPGxfA+GEIGcR48BPnBh79VGugkhhMnLT2QhpSpN 3HduIWVB8AGN4V+fx28ePfasHq3E+W4hfAMJ723unOLfSLcp2gYB1cRLX/k3/ELI7XGfwGUf49Fd KMQ1Do/WLx5bjFVaWrn0oeSxC9bWp8rcG8wESXLxKRv2HimW3EOdNtwN8TAH6zT0F0VqssHD1oVQ MbbTbbgXx1blZ9yjFZWBesCKqMsk/IWJz463aD6ewJIomUrw8vdx+A5F8K57Nu7h3zE24pGAIAG6 PDm87Myjc6VHgnuVzHuc8DtKp7nutY4DTb7QuQu77EovUAvRlBVw8Wh2ua0joxB+v5rR4f2TvwvI ey+6OoGuSW09einvt91hpGOYLsl4UnXsTs4LP4u+yyaa78fD3w9nGePwekVv2d7fFidTucH7ve9x ssLEZ9Uk6zI1bPqOG6zwfnPqcsefpeKY3djMazQtbx+ZAoy3WxdyQSE8ML+fZStWkKafKmTjNczB FYRQfVVoQ+ccXg0F0Sbf0gcYBU94NOvf1pZnyqtvVZIdzCdrP/hMTd+QZFmfxmiNtrJUllZpuDVB n2ZcnF2BKAlfPlHiXzZv4RzgvveoWGoTnx1n/i9fnDXrjOFWasU57q2UWmVafVp7lzUn2ldk73KR Ttu7gFmAEMGPJn1tbsVZSwIXXZg0vRVnsay6FWcxy9xKrTzpsfRd5qmpy1dfapWltZfuOQnnMLe3 xL5ucQO+mbTyxu8nz3I4u8nfBSkeCOGAwTqwb+x0eEXjfFZe9UtyA54eh/AV5emcc7OmMOLrBScs H6SA8J4wJnhGMkn31DxiVmgrRvczlzHIKjXUIWBPogu9P8/EZ8cJW582Ih47drAZoIXrvENe58Lk XIiInLUXUY5yAx6Pr1046FAoZnH1prrfZVX/hYpP/o03AROTtSKVT1XiitO2UHXI5mc+PVGf1GsD vL9k6P3uySMKBqgLVXRWNd7a2x/P5lZl0xihx8LiwwdogU5XhDa9qID8DeaA/mSCxiPjV/d80ZRV Zbz0BvhpiQ+59WqXYXEmqbmgpcmALz5KaBOfXtbOJ3Qp3IGhXEHOUkZa2oT7EyXLohIlT82XUn3j EESM7yEarSD4BEKO+zBvMmmhYpJJtzWP5+lHcPZTPjtCqoiKkDZfG4c+lBUEEJXAZlYqs+tOdPvT Vh9gm59g+GTaxGcX9kdWWUyiqDQ1Gzjt1P6oTEUlU1Ya08e3P6oooiJUmv3jQtuf+jv5qAEVebti /+PHu+8O+SV5Ofwf3ngAaGVuZHN0cmVhbQplbmRvYmoKMTEzIDAgb2JqCjQwMjgKZW5kb2JqCjEx NyAwIG9iagpbNSAvWFlaIDQ3LjUxOTk5OTkgIAo0NDEuMTk5OTk5ICAwXQplbmRvYmoKMTE4IDAg b2JqCls1IC9YWVogNDcuNTE5OTk5OSAgCjQxMC40Nzk5OTkgIDBdCmVuZG9iagoxMTkgMCBvYmoK WzUgL1hZWiA0Ny41MTk5OTk5ICAKNDEuODM5OTk5OSAgMF0KZW5kb2JqCjEyMCAwIG9iago8PAov VHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzQzMi40Nzk5OTkgIDgwMy4xMjAwMDAg IDQ5NC44Nzk5OTkgIDgxMy42Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2Ej MmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1 dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNyZXNvdXJjZSMyZGVycm9yIzJkY29kZXMKPj4K ZW5kb2JqCjEyMSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzUy Mi43MjAwMDAgIDQwNi42Mzk5OTkgIDU0My44NDAwMDAgIDQxNC4zMTk5OTkgXQovQm9yZGVyIFsw IDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGly IzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjN0b2MKPj4K ZW5kb2JqCjExNiAwIG9iago8PAovVHlwZSAvUGFnZQovUGFyZW50IDIgMCBSCi9Db250ZW50cyAx MjIgMCBSCi9SZXNvdXJjZXMgMTI0IDAgUgovQW5ub3RzIDEyNSAwIFIKL01lZGlhQm94IFswIDAg NTk1IDg0Ml0KPj4KZW5kb2JqCjEyNCAwIG9iago8PAovQ29sb3JTcGFjZSA8PAovUENTcCA0IDAg UgovQ1NwIC9EZXZpY2VSR0IKL0NTcGcgL0RldmljZUdyYXkKPj4KL0V4dEdTdGF0ZSA8PAovR1Nh IDMgMCBSCj4+Ci9QYXR0ZXJuIDw8Cj4+Ci9Gb250IDw8Ci9GNiA2IDAgUgovRjkgOSAwIFIKL0Y3 MiA3MiAwIFIKL0Y4IDggMCBSCj4+Ci9YT2JqZWN0IDw8Cj4+Cj4+CmVuZG9iagoxMjUgMCBvYmoK WyAxMjAgMCBSIDEyMSAwIFIgXQplbmRvYmoKMTIyIDAgb2JqCjw8Ci9MZW5ndGggMTIzIDAgUgov RmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeJztXUuP3LgRvvev0DmAx6JIURIQLGCP7QA5 BDA8QA6LHAJvvMHCXmSyh/z9qNXd0yK/Zn8UVXp0j2ZgTw9HIovFerNYfPuXL//Mfv0je/v45T/Z 1+PPxy+7/CEvm8NXlrffb/oNRf2gi3z/ldVKP9iqa/36Y/ecPe8+7z63/z/vlO1ePP5o/3gaIu++ //j6++7tYfDdoeXL49/aT//Liuyv7b/fsp//0Tb+cuxv/8CPXd3YFo48V7r99Xv/V6XzWj3Y9nPb nvu/7h/+9+7vf8p+3wNWPNQd8OoAYP/XN7ZU1uwbmlEgP59fPfa+R1boc7/jQfDZMit1ZTNd1Jmu s//+a/etHXy2oU1jszI3mb0wtM11U6iy/VPoc39orY9DtZ2ZutmvXDvMj502Zfc5LzNb5sWD6drb lbfK7H9Rhd9eVA/Fof3cz/dA/3ui+NaDudHHr+BnB+Y+bKrcD3uAuTdW2bJKfgE2t703l5d+vgf6 92EWwnMA5hAMoXWZAs+X1/qH2x6F58u0EaIlF+ZpWcnmJszFJ7nbgBQaNowxWWnzvfjOVHka5nOa RFTddx+WQ0tAIj5fefH90+7tJ5upPHv6lh0geHP48XQA+k1pi/aXX7I/72H6KXv6bbeX/8eGomuo zg26a6jPDcZ/4tDHx6c+lodJ+OcrL3bzaVoVdGk+ZdFOR+X6CIo6gNL40zlDrx596MuuwZwb3ncN ZbiPvPIboI93/hO1Pyw0QKeAZ2iAYT/5oPudKus38MnBsIAgHw5cBsAHn8tHCpiPwsL4xKz9hg+0 U39Y9c4HDCBV/lwSCMZfF8QYrK3/RHGAQ+kr48LSwRMwjA9qARICAPHXIYLIACGwdAGK6cROsvww rZ7oC5AIqgM4gJMBhf5cVD6YDCMQBLQtgaC9gnMkbIAdRo6iKmeUorw8uXGjHJSFqoMsBkiHBkA6 MBQ88ej34a9ToamEkVBJVDcgZfugIx9Dp1ytAWAwLJVJKIKGizFz4EGlzrOrPa1lNFVSnAmpkkKk chkkRyC+1fZwCETknTFuXj57llzgqRjrLmKAjomrIsDFra/ksDHiDzgOGt6zJ3Ttk/4nxgvKMFsr QhT4o+QNewXmclQui5jjplauiOWGMVAuNAxXp0gS3O7hLAWrx404AN3vAyUZSJSANJBQhdpEixwu ctH6BoQBfrjY5n4CUBQ8AZzqN1ywnKFXYFVL6RRmxw0O/wkgbcQyp2T/CQ1r6S8MjkLxEcHZw02j FEXH4Uj2NcwVSAM65pojFeGvcbQHhhnrFilXPgwXhhE+Dnf5+cIMp1yMACU4XwnKAUaBpaTDol4b bjvDKxN5dDp3KAg9uvdiasw0obVGaqA+zj06CuOQrKyH5VfkbKi6cuY+j7ORQ0NAUy5i5Bdl49LD 7Rr5GKjmAR4YVoLHdKmuS7II04jajlz4Rcic4Ug2RzsnPxO8zxKoHbgA5cKP20rQaeMTCBgLVJAX gPbNZfFQJufB2jLIybD1xdeFbsLg2i7kfXFzQoJOJcLO3CClQRJ4YhqTtTCNQ1Lp+3q3Z+cUlXXZ Sc7OWcRG0cqdT2iP5fZWShdmqpW6YpFu4e+osInNo6jumikQGxW4PcrdpzfOT7nr9qX2CYWOzrkd X8qIGXG1OnkKEGq54Ds8+oYeqGkItH7yO1GV38J7wZUAAcf3N3hWT0SUmNpHIhvGCR4oj+fT9ICj aSdAVkX+ErQpKcIAckgDA/zwTIeEzSyAw3dIb1b6K23dReH2AkQJAkbIIpJbVe58IvJahgvqCKeN 0pSoUB3pYXXa7owzGcGcsisCiwXczOUhTcjEThPSL4fLjAhlDp0mRNcmiRbwlaPbquaAdVWcqduP uCjfrdAge/xetbosiMeNayCJwg/RGf+Vwt98CoEqoUKLMn5yCCnwMsyugADbJEmsShlnNqhVuUmV kE/J04F4CqZEUHuhyB9PlE5IEJonGz0h62j4bn6KwFDgAANkErQtsfw8pYwe17jg+/D9OapSp4ke l12i/FnGbE7HCpyOstHuotx4WPuglc0pXvKaood17kx9C3t7wy4Y9i66zZYeWb4KV1g6vpjuxo5M PbHe6m2u8NMrdoXBwgSnbfXes4TnW1anQZId8HGzndSdlnAXxiaVGgfNmzudKPzndoWn8Z60rh1y 2LynFZjcpnBF4SQ2N7LCqjfsTePJrXXZuiNVX3e0tqf77sJeljAHKu1S52Ydh6TufVvHazN1JTaK pFW5yR2OuQdbd9v2uVU7VUL416dyBsVHfxBeECUBpVDuRCIF7H4yoNVBwNSTFgC5MbO0UC6lrsws nTwEG7G3DBJ0uDa4wIgyEVjlLl7C6XIBmyrlnB6oZXgFxwW8c9uWq0OBulN41o8rXV9zoSU3zWaz qVzFBOcnhx8XBaWL+/MT2gsCelrnJkgNvP4kBTTiMAcvCnI7eYfgbvPKobwEioCNyo9spxAygE7r tXLTL+X0zyRhHa1qlz0S3A3u5kuUbko4yDC85hayGK/PmZB2xIvIgCLk5cJCBsigsNhKEgQxMIBx gMZndpjuB98AabzZGV8DwxPHLA8JFaRejgOsVbDL+cXanOLE4BenBFb4OfmIgsf8KH2sXzyodk9C lIhWsorwYBLOOSS4FrxaRYIM5oSbQOtc5K62CO5qK7cnFMRJ2GfgxWx4HxwfCUFU7kkIlDnUveQ9 KpODcTG7T0DWzSmPqwBl6t/kgA0gHP2gF0bdIUQQqFUCgv3cYKBiDO3jGKvo0QeYLJBUCQE8yLIM rO0gmUyzEAZZG9cX2+T2hFMfUt6A/AJifDjGcLawLjS3FTNoaX4slkeChfIpSHEJA8NywUaHjVYn vSd8kir8Bg0sBlnJgCAgXH9YGAWP31Ja12JFAkz7/3EQ2NccfvRmM+nYE5tJ97SZdEMoKKE+4T2b dCKFXMAc4w5vBD3MEyAKEIiEKrBVCEG8th7OjcsPLoMWuu6LSn4FhYkpAwn6IqXafJE+jd21L1IW my9yedjNF2EImtMX6fFtr3rQWOI/n54DJG8NhPgnOclLqRBZHSS/L9c5N2Cn/itYnxBkEGgxykAA +qS0XtqVUdDtNGyn1hnhUr4FQzHCr4RXAEHgiVPXHFEIEgaGnYLVOY2BesWVo4lLIcsRFsrNfnVy fS9/dnJjI57nmbMDB+1EXneF98WKdfvrsnXQj8n95AJUCZAAaFgDno86LpC90gA5s/AEDHOgnF4q LnSiIP8CqK2+sOygVqZJeu6iAdaeAsP6E8wnIX6UECtdSaAP84notQH8fqTtclr2yhSX08602QCy ioacbie7LKVcM9/j4K/A9Hncl19TZEAhwIkIvwFP0CccCaGwR9CDRAarzV1RH3HcY7prU231ciDe Tz5E/MCZAh6QpvsTPMEZhuViXIPSAmMdrFWBTuFArUSneFqWa7HhGYsRcEBsMDZHfGydZevQqUS1 yqVuMEwowAGAcWURW8RDWEfRI2gRZxnADuL7vQkaeYprnFJO8UkQTGzyx0hd0UXLekwYSzASKqop gkhfJm1l0LZi0AzYi7WqGEDYw4+a8woX5r3f6ZwO4MiyW3mHQj3+jrMV+r/Dr/GOKTDM9+XnuRJS AsuTJD/QWxP5wZaYq9CHH3UROdqxkFEzPL8K4aBSGl/hPjLX6hJJfSujKRGhWw62jEYOW2h32JUh 9Yoon6RETIQ4SCjuA0/weE9CYpdEhayUtVw7Yw4R9ikFllMsiBu+no3XbkpZO77p/VFOytrxl7yM FbuVC8c8NsaEObuDXrndzNdJgoQJTknEyYrhNcQiokIJldz4JfToX4uUXaImZajuTq9hFtf3Dvct RcR0feoUin3hZhdWh71QquqdL0OxpKyIdLcu+Evt1M5zykfADp1m7zJht4qXDsGKqaDd6Drw+meT BMNgY2nZ3V7ZkL5IyZID3zbxVtlMsWM5S0ZCLtdKVD3ekXUocUQWSSqhnHbCTi3H2DIH6SQiMojT hMUeDtiKTd+Z/JhZ5GXClnnEXOQcLBGZe76XlrMQrxg4fLP2lftKs3sgy+d5bt6DR1c0LY17D0gR uBASJRC4vPPXTn8YrACX9SdEpKoJi4RkF2RqEUkDwciXCRUxoBAn1GSHGjsGbKjVZoHwTAq67YHi 8HV5NhLpolyz0QsIMHl6ko3SrdTRU4wFJSKUy3hTd5o4mVgoqa7CMjkh8QbcGmjg5wQEdAPGpwCl XJsGciRECKi+y8zFhXL7uL6ho+Cu8vC9yRSRDHDQ0FpEKWiYSwLGJsncWGuoEU6jz6Sy78j6EvQs JARsk6/D2ri2+sucyd3CRFuYiB40jNhkHn5XQsR1JLB0XLgHShXd5xZyuo8rIlTVyWodEWoZCYiu HECWOvkgx/23d3FloZSzBhFVmODIdaC00zKXTpbufCKYjNe8pZY+2pw8iM7F9Fo1m6D/PSokKmJQ 07MCKe5DoNr5OHFpGldur8bjuPn4pog+fSnItRYnRe5WraY8XSGGl3rOU5RgJUExjNdQHkT3W+Cg ZYRMeuWV7bkpKZL4NMtksKQP2B8QsEnYLJbg02U2i9FSir3EdNBRZWApPmzsMbuRQro0jpR+Dcwv odYqExyVC+nbMU8TshGXuhgkIdy/6NUhgwC74doHr0CgXJn+pCeMr0Q7p6nEVnYFhHvC7+aLpUro groJAnrvWzlY2xlHwr2LBJN7nuhtwl42X661VJKTUO5TnOVeCqc37OeJxWdsy68n0G/41nO5W75s brdbvvqrDTIY+OOKm7vyW75sXm23fF0edrvliyFo9huHzzeClM3xC2je/1vE9SLhzjoGskHtsd+B V7l2CQaM0F6IC0yUAxVaH4UQWOz1ATUNlKeTjmTZe8Je1lodTtvv7LlFh7LdvI4/vv5I3Xz+nH3e /R96p/x5ZW5kc3RyZWFtCmVuZG9iagoxMjMgMCBvYmoKMzY4MQplbmRvYmoKMTI3IDAgb2JqCls2 IC9YWVogNDcuNTE5OTk5OSAgCjczNi44Nzk5OTkgIDBdCmVuZG9iagoxMjggMCBvYmoKWzYgL1hZ WiA0Ny41MTk5OTk5ICAKNzk2LjM5OTk5OSAgMF0KZW5kb2JqCjEyOSAwIG9iagpbNiAvWFlaIDQ3 LjUxOTk5OTkgIAozODkuMzU5OTk5ICAwXQplbmRvYmoKMTMwIDAgb2JqCls2IC9YWVogNDcuNTE5 OTk5OSAgCjcwNy4xMTk5OTkgIDBdCmVuZG9iagoxMzEgMCBvYmoKWzYgL1hZWiA0Ny41MTk5OTk5 ICAKNDE5LjExOTk5OSAgMF0KZW5kb2JqCjEzMiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDc5Mi41NTk5OTkgIDU0My44NDAwMDAgIDgwMC4y Mzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAj MmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5o dG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjEzMyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDcwMy4yNzk5OTkgIDU0My44NDAwMDAgIDcxMC45 NTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAj MmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5o dG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjEzNCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzQxMy4yNzk5OTkgIDY1OS4xMjAwMDAgIDQ4NS4yNzk5OTkgIDY2OS42 Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAj MmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5o dG1sLmh0bWwjMjNOSVNUODAwIzJkNjMKPj4KZW5kb2JqCjEzNSAwIG9iago8PAovVHlwZSAvQW5u b3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDM4NS41MTk5OTkgIDU0My44NDAw MDAgIDM5My4xOTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2 YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMy ZGJlYXJlci5odG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjEzNiAwIG9iago8PAovVHlwZSAvQW5u b3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzY3LjY3OTk5OTkgIDExNS43NTk5OTkgIDEyNi4yMzk5 OTkgIDEyNi4zMTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2 YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMy ZGJlYXJlci5odG1sLmh0bWwjMjNSRkM1MjQ2Cj4+CmVuZG9iagoxMzcgMCBvYmoKPDwKL1R5cGUg L0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFszOTUuMDM5OTk5ICAxMDQuMjM5OTk5ICA0NTMu NTk5OTk5ICAxMTQuNzk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJm IzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJk djIjMmRiZWFyZXIuaHRtbC5odG1sIzIzUkZDMjI0Ngo+PgplbmRvYmoKMTM4IDAgb2JqCjw8Ci9U eXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNjcuNjc5OTk5OSAgNTkuMTE5OTk5OSAg MTI2LjIzOTk5OSAgNjkuNjc5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMy ZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0 aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM1JGQzUyNDYKPj4KZW5kb2JqCjEyNiAwIG9iago8 PAovVHlwZSAvUGFnZQovUGFyZW50IDIgMCBSCi9Db250ZW50cyAxMzkgMCBSCi9SZXNvdXJjZXMg MTQxIDAgUgovQW5ub3RzIDE0MiAwIFIKL01lZGlhQm94IFswIDAgNTk1IDg0Ml0KPj4KZW5kb2Jq CjE0MSAwIG9iago8PAovQ29sb3JTcGFjZSA8PAovUENTcCA0IDAgUgovQ1NwIC9EZXZpY2VSR0IK L0NTcGcgL0RldmljZUdyYXkKPj4KL0V4dEdTdGF0ZSA8PAovR1NhIDMgMCBSCj4+Ci9QYXR0ZXJu IDw8Cj4+Ci9Gb250IDw8Ci9GNiA2IDAgUgovRjggOCAwIFIKL0Y5IDkgMCBSCi9GMzAgMzAgMCBS Cj4+Ci9YT2JqZWN0IDw8Cj4+Cj4+CmVuZG9iagoxNDIgMCBvYmoKWyAxMzIgMCBSIDEzMyAwIFIg MTM0IDAgUiAxMzUgMCBSIDEzNiAwIFIgMTM3IDAgUiAxMzggMCBSIF0KZW5kb2JqCjEzOSAwIG9i ago8PAovTGVuZ3RoIDE0MCAwIFIKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnic7V1L j9w2Er7Pr+jzAh6L1BtYLGBP7AVyCGDYwB6CHBb2ZhfBONjZHPL3Vy31dIv8mvqoUlGt7pkxEvfQ aqpYrHcVi2///vmfu3//sXv78Pm/u6+Hvx8+32X3WdkOP7us+/NmPGCb+9xm+59dY/L7qu5Hv36/ e9o93X26+9T9/+nOVP0XD391//j8iqz/88fX3+/eDi+/G0Y+P/zUffpzZ3c/dv/9tvv5l27w22G+ /QPf75q26uDIMpN3vz6OfzW2rar7ovvcjWf+r/uH/3P3j7/sft8DZu+bHngzADj+9U3d2GL/RWMW gfx0+up9leWtNWXVBD+PJ87zAzzFrirue8Cytlt6XpTdN7qfcldXwxNmv7imMkW/UOuP2/re9uOj eR4D8+/R8+sI5jY//AQ/OzCfYGva4VO3Jd/H7zKZ3UM5bMgINm/8uJbRPI+B+X2YlfAcgDkEQ2hf UuD5/F5/H49H4vk8bYRoSQnPpiya/rN16bn7juk/WxcGb/y0ltM8j4H51ejZlHUPzgDz+F1NDw7C 5oyP1nKc5zEwfyI8B2AOwRDalxR4Pr/XLj3H4fk8bYRoSUtuNN279jySufRcNZ1aavpxBwZv/MSD p3keA/Or0XPV1Pn+8wDz+F3NoC8BNmd8tJbjPI+B+RPhOQBzCIbQvqTA8/m9/u6OR+H5PG2EaMmF +dlMa8FomWX7VEWHmc6O6qy9jnt2//tX95JPvWkjMKBM/2cMyzASMKCeJr74/svd249Vp9B2X37d DRC8Gf76MgD9psNS98u33V/3MP1t9+W3u725eBiw/UB9Gsj7geY0UPhPDHN8+HJYfhpM26K8Qkzb sro6TFflNdJ0Vaei6ROWB5+u+wl+dlygiOcpLua+tMdUv3lnMGWrPfOX5rDIHNDwrh8ofLxMDNis HzBZGLkGXlP3A+1p4Id+oDoNfPDf2/QD5em95fktHEE2vNaY0yMP3nuN8Qcaf1YfENP6sMPq/MWY zH/CXwwuNxZSl0DneeFPE1/syajddR7cGTIq7Z6MGuvyyoh5rL/g3OdI4LfyPKGNnqjPY3H0xHsf rfDah/N71UzA8eE88U7JDgDsIwMMSYS/BSCF5cM2wKQwB0Dqf8UWPk7hCZC27yjWAXQFcjCwfLoN AId5UMA6xSkiCCblu893DmgMXgtzAPEDxvytxLeUJ0ElljhFUbkiBxDkc/ZB6UwRDOd92EpOyT7G kF/EKBwpIV8bRLA6XS3yCxBdLOjLNntQL20dLxs5IcNX4AnO2Bokxvl4Polds84CmgMkA6nP3ygV EWSbwiFLOwBmpjibGiQRMhnm4EpcYAhw9boRxWfenfbyxhwzWz3TFnfMDLD4LbluWUC/Tb0WQKde 18VdKNs27oKnXCjOkK0/4MtBsEXQOOHiV8F8ibCJQB5xD6GaL3641OOeioInix4TN1d8yYk4BThA xQN9gEo7o+QELvRWXCTAGde+lNqjKXWhA5QbV2BwaoeN4nYSpxCgMop1dCu4VUTlQ/6D/1oFsYRr 4QyiIZZh6868BmaFSVoFKuu1Ur7/t0iK0XCBDFgusNgUAcY0SiiwLbC4Zftk6oxs1IUk7PxtQDMN 4OBamnvEsVproY/YeYfjfbED1kcW9sH2HUkyP9KPxO4vBr8CyoDHymGn5hsUxrfjQdTD5kYwHUDK 6VIhzG/f+6DTAVt5cBQ+PoqAclgopNvKIbKQ/Fz2liornLcg0XHTCLayVtNRtglSg0byCQQKNZWA 9mNshfl5EOAoNK+4NQWr4whJYvUnYQ+bFw6BmNqXwQe/v53AIYcdNqb1NwZCNr4AiTBANQQ7WCCX EbmHdPyEmYexBm5c+0/k4Er7iwN2wN3n4XMetecihYslntGEr/CUjYCTY43arbj8CzWfMXM1TABS DUVX5MGXcAxuNjHEDXaB9hDgg7riES4O5x9BUYUgDSRIC17KqplK6sj5tjeL6+fiNvSjUpQInMEH TeCiGAd5CnPQWqeIahfQlYYvBiiEq7GN2Bu5RimCyXqiap6LeMF0jOB+vjgYoNsfQbpUkkWQLi9/ wqgq56H5yQ1JEpxaZKimINzLnS1BVV6SSqX5iiwNs6sUzCXxC4vKOqy80sbQlEqEukyRlTQ/UKUM +wJroV5xKJirIZWLzCwmqQlIJUEBwUZtJP4psYQFim2+7xCxDUnERZ7lLo3xZNB8rZXImuZbJ/Do eV2iIDgjSLlpJHpTiH4e3+KsrViCq+Fbq0hpc1S4gnoc2Bfu5QSSDsriwVTe4niSErL8gqofce3r lMXOzW/BeQ0eJoG3QLBbUOPCv0ITnyrOBlAhJ0sey1XYfRVTiYbUEcnz1VqatGbRuHxrPzCRE8GE XM9Bch0Vv0+5EQetuMYJcLKKYM9N8C03FeG4Oj959eCDQAxxlhF4wYEI+EJHoLYutSvsCz8iGSFS OdEJTjPyhDNXqJQ9cjgiMD96F8HbkmIjuhhJCDChvlSR5EUVj9RbFJgLC05M5iAxooBxvrOQJuij 4T0ISuav2Hzmi1Mp914n5icubJjlkVIuDLH20vKJ0mVLoAd+9hSy37yUDvAB28DPZfBMlWJ8pgqa 8RHVuwoWaIRxRLUjdkdRKygoaq+BU+KCAo06MX6sLyLZw8sH9BLsRZu2aoMfBtEwfFRyfSnU6QtL ZWl0ULjp3FZhjct015PbWsmImX+2IU1ZseCAMs8Y8fOXgcyEhqgvsyoeyZu1pfXsi9KuW7AYkYXj Fgifg9YrKloPZX6L5XkRgSZBvx1+TmGVkPFmyga5JTBfBqkYhtRAj0ghJTGv0IpJ4r4XVe2wdgSk Ct0NV61AmKXn16weUBHKxy6zLz1kqHE0DIQQDAhOw8RWdSwMj9fGIYdXJmQkpeDAxDSnm+/0Sari wC2iYRR+fEyQP4vYqXUa7G41I58yxlxWRy2uYU3xPLeed9ZszjvjdUI0cqnpe7W36HtJAIuIf3H7 PIUBInEkt+o3pon28TkEveWALQUH3n3DMJGrVRqXk7lzPn/nJFRInfOI7pTzO3lc6rz/IFD33Qei CeZlGcoCL1HDYgOpzaXDlEFyY02Lq2bGbTJ+jxxB0+J1WgNjr2TU5rTPMTxx6BjWzgEk9maYy3Ux rs3zrQxoAoJfyhtdgOjg2ohb0TQlLHnLtbXFmXMSTRAHjih73kzLfG5ZxEa5pxSFoCXv/ETaqicC YY6lXY1zR4Bs9rR8Gl7fSLRIQOsrHVTViOMMOso+X63Ag+0IFxdSgm7sFGEIBz9CqdAVKE1rAJUz t03tbGVxuL/CTCyGp3h4U3iKIZWGktdbcGfhSkR+3oPj1O9PgrsNaAdAoBNCokOltnUIEwEDccC1 FjDZfO6PLuyaEFygCySnTgW24/Vc6SU2rjX0WqFqOiVJzAtyHEmy24JAV2ywfaFe67vGj7ZSo36b K21+p8Y65dpXXAYaIQsFRWqCTqcaMez5/XwieExw8vN63Ndy0Psnxr06UtZQQWW8a6VROMwtFH6h DFxmoNLrbrN6jYY30LYuDlSXhXHGLyoRhAglLMRtR+prqxx1FNe2LGxQUWUuGwok+2YLMRROqCNv z48S8I4Vq0bErlIKyc9camip2kYvzviBfH7HiiSslqShIj+VmCY0VzYukrkYF0RA5ndFT3LgASGF sCu/yUQQV+C8f6HCDI0Dt1eTLYkopOaH61fRhBoFRHhlMCcYFdeqqFyBokEf21KNGlqtqReQx1a6 Zr+GqogZpHhiWTnzYavcJUOFe8xjGgdw75zrJJ49S1IWsE6bfQ1avhoLTeVqLIU+TRFpTn45Dj/W mqR4iYvpgN2joMaazLpzjgC9oRsQVY4lDQjLjy9JcTX2di4KE0AmONenwfqrEO5KXYM3m+cRVCKl 6Hd+2arEhbUqRe0KkBuqbIzoKywouxLUDXA7YH7pRURG4oOafinKeEuKcgeqApFyAKQm8fnmn/Tj 98hFOMUpeCwGy9xxSCKFbF/KOSKz+VIoIs/D3QLBTSc8krvVG4qS+IAR18kk6Ut/obMVF3JOBRKF px8DWkpDf1TL5dgyMOraBYNfa82vErrQibAr9t8SBR3z0t1chaDjq8C9GYGrWsy0tIld41CqpCCK x4t5czDBvScawRpBToqTnaCzkwboSa5IHJRlXUYjTEUIAXlQ1j6jDARVEgp28Vo31NOYu14st83y oAzi/MIjDfOPJq7UVeWWuxtHHAzgOBVUntCvxHSl4lFWHr0SiFyN1nAX8jbyvlntiJNfVlnEVhpn alzftE5ff40Ieqw/P4srY10HDcVnmuDGrZOD0CiB4GHq2Pz90grc3MWpQIsBPkA1aLgJVGnB0e+V KtW4ZaCQLIIj6RGmAnff+UbRCges9JzfuldSojzfK5CczdlWL72ld1g3LqtfRv8im+o1CikmNlvQ yDo2UKuh1fJ8mzS3ur0GgSuB5LtQy8cUvmqiWHhZOUSXv6er5ezCA8ob70o261jehdI6W0lJCLwo gZa/UBknByxJHlAQqOFhuoCy0NBZxbMpAeLDAttCj6UBHaPkypkEDIzgvB/9aSxMjF+CRxTjshMX v74elNmEhbFSGwNJEJX7KIkKpP3V5O/8Aeh9kcQwyQfD5MhE+Ud/byIqHeafhNEwVCWl/eALUetX UOSDJpNGYaH4apg5GnBDLJOubLY93qjLU2g83BJB27S0LCJkA7lesSBeGMDMaweFEd0MOTlImhUK Dq/zmC83IgWvFShmDZeKp4c5PriDoHBdisZGIVuCmIYOmWk0uwKhosNIjz7hbgeIbKn89LifW5C0 hFFeGLdcF9TZ8Z5rEKio14HGFC6/Ra3NT5TM78YvOW4nuKEpSThFoE9UYkMbto2up/NAXuQOl+Hd Iy+MqlIUkqPwny9SJQm+gNW2UCx3vueYYgSu8lbcTYAjh5ZlPtMZjQyX2Tc8rTuS1twXk+fupILo aZrTcrAPgkyjoAxDwVi8EF1ydwtbUwhCGAr3NQoQxH1pblCJbkCa3wBE0IeFn54MBSiWFjMYl/uv x0VbJ7gQQTLRcUENvyavgmuZ3zZDElrUCAxQV0hQ6xQRnuMeGPXiJMVPsVUUC0sRTOPSxwvzcySh dtpuESM2XF9A6iGNA7Y/Yjve7pdlTkOdjYqLUpYuTnUmbaf5cvP2tYbaKuNTM9wEkaiLVewaga24 WVdBJeCdJA/HI6uxTXI3cHTJlC578OPlsLfc3hIUISY5rcHXwhN1l4m8h2450ZCNdRvS4SontpM0 CuDmOL8nmFOUgEzXqdrkZ1VopSNXLxG9B/jxfC7nBe31eCloksNwPCQibr2x1BivXEZ+bd/hWwKC SAMIDMAqN9nmtxaQ1LCLq+0Xqo+2mNYfIR9QJQ3RvVxxLYc0xHHSNF0QeOm84FSm4HoJLtkFcWmB TSuoBZgv2tAc16hYetVjBB9i/21hRqGsXOnw2nRLXWunCSmWTenunLi5uYJXZLI2uAtwqDvJjWEa YbkL1Vqp9ARGJAru8NjKxTCC2MQLv+7sQgGxwhqX+7nfnKR53lYuVXs9uDYNuiB+foiJaCgpWwTx I6juo3kOHhwXwHEpTjeFh8JXKb4hKT5hTbwwCfyy+4ikKQYu2srh/QitNj+Jg0pMwXK+wSBCv5XH jbwv28MPbKn/b58ffrrLdn/u7O7H7r/fdj//0g1+G1PFxGQ9fVQh7ZrtD3Tm5thXZcBY5QvY8Xnm 2tsHC1Fqn8ggjn24wQYGfGJny8qz0Lr6TpWndR1c7LnzB9FWe2iz3noOgYPRAhtdAKxTTYrbNuBz 3FTCB/Eg1saPfPRXUXkD9r2/LH9W5XUWtVtsp7NQWNflFzps6DEktM0N7f7snrrVmqoH+/DX1+8T 2imbEmCfdp/u/g/aX9bNZW5kc3RyZWFtCmVuZG9iagoxNDAgMCBvYmoKNDQwOQplbmRvYmoKMTQ0 IDAgb2JqCls3IC9YWVogNDcuNTE5OTk5OSAgCjM5OC45NTk5OTkgIDBdCmVuZG9iagoxNDUgMCBv YmoKWzcgL1hZWiA0Ny41MTk5OTk5ICAKNDI4LjcxOTk5OSAgMF0KZW5kb2JqCjE0NiAwIG9iago8 PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzY3LjY3OTk5OTkgIDQ3My44Mzk5 OTkgIDEyNi4yMzk5OTkgIDQ4NC4zOTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUj M2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJk b2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNSRkM2MTI1Cj4+CmVuZG9iagoxNDcgMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAwICAzOTUu MTE5OTk5ICA1NDMuODQwMDAwICA0MDIuNzk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9m aWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0 ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iagoxNDggMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsyNTMuOTE5OTk5ICAyNDYu MzE5OTk5ICAzMTIuNDc5OTk5ICAyNTYuODc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9m aWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0 ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzUkZDNTI0Ngo+PgplbmRvYmoKMTQz IDAgb2JqCjw8Ci9UeXBlIC9QYWdlCi9QYXJlbnQgMiAwIFIKL0NvbnRlbnRzIDE0OSAwIFIKL1Jl c291cmNlcyAxNTEgMCBSCi9Bbm5vdHMgMTUyIDAgUgovTWVkaWFCb3ggWzAgMCA1OTUgODQyXQo+ PgplbmRvYmoKMTUxIDAgb2JqCjw8Ci9Db2xvclNwYWNlIDw8Ci9QQ1NwIDQgMCBSCi9DU3AgL0Rl dmljZVJHQgovQ1NwZyAvRGV2aWNlR3JheQo+PgovRXh0R1N0YXRlIDw8Ci9HU2EgMyAwIFIKPj4K L1BhdHRlcm4gPDwKPj4KL0ZvbnQgPDwKL0Y2IDYgMCBSCi9GOSA5IDAgUgovRjggOCAwIFIKPj4K L1hPYmplY3QgPDwKPj4KPj4KZW5kb2JqCjE1MiAwIG9iagpbIDE0NiAwIFIgMTQ3IDAgUiAxNDgg MCBSIF0KZW5kb2JqCjE0OSAwIG9iago8PAovTGVuZ3RoIDE1MCAwIFIKL0ZpbHRlciAvRmxhdGVE ZWNvZGUKPj4Kc3RyZWFtCnic7V3LjtzGFd3PV3AdQCO+mwSCANJICuCFAUEDZCF4EUhxAsEyonjh 3w+b3dPNqtPsc+vyFsl+zECemXKTLFbd57mPev33T/9M/v1H8vrp03+TL/ufT58e0se0andfSdp9 vxoO5M1jkafbr6TJisd6049++f7wI/nx8PHhY/ffHw9Z3V+4/9H9z5dHpP33H19+f3i9e/jDbuTT 08/db38mefJT9+9b8vmXbvDr/n7bD3x/aNq6m0eaZkX352/DP7O87Wa1/b0bT/0/tx/+z8M//pL8 vp1Y/tj0k892Exz++arN8rx6rLe3nDLlH8dLu5sVbZ5VdTP6+/DGRbGfT5nUdVs+lt2vbffqRbmd VvdVJfUm3Tzm/Xi3BnXWfyjL/fG8/2M7frzPbyP33y7Pr4M5t8X+a/R3Z87DueW7Ldlu1/BZm93v WerNzR0fvMvhPr+N3N+fs9E6j8x5bA5j+xJjnU/v9Xd3XLTOp2ljjJbcOb+IgRaYIoi36rJMNnWd ddIkyarkf//qHvKxZx0Fg2b993Auu5ERBv1x5sK3zw+vP9RJt1DPvya7Gbza/XjeTfrVpiOA5Plr 8tftnP6WPH972Iqj/UDeD2yOA0U/0BwHSv8Tu3u8f+5eXilwfpy5sH+fNunW68T7VHn3OlnRvkzl jT/Zd/7Ae3+g6gdK/4WLM/d42w9Ux4GN94k89S/54F8CT/Fvmj356wwzrelTnoKnnjb+Y+ESmDo8 xV+x7I0/9epIM+rNzzvmHu5+sZtHG7KV8LawHrDqmXdJ8cYfgHlwGgOm8i/Jd4/NBtcoiB0ugc2F vfRpSkCX/KYW2180qcv8/qKeWDKfY/LS3whgZbwJkAgXELBEFoJKuszHS7KcCnNK/1lGuQwmBo/l 7wKXjLDMNBra6Y+qHF0OELFcXsJEW8r9cA/Op+FCOC9OC+FzE+OEHC7JBHs9QoTT9jprU3ezufqE ecBWwifgHvymnNOBHGDqClMAbgpUyNkW1oOqD40VAzIZjFSFSKa2ARpx4RI4K8JnCk8B+uA8528l 6jnYKP8eqCs4JYPRMuJNnDNi1OLCQhPU7dgKwoKhYYAjuIaw28voAlxlzvzcZIEBYFyfDMccgwEJ vWcbIRAxnIQoOwgcA75z/KZUe6L5xbVnOOPqdfSZ9UAhBISrNq2nMX+ZFy73K6yahdSYwpoApU1t hRNOENwVVB+oT079/kQE+sNCa0dUKM3B2qQKRbPZ/BJOuDAPoI8o0iGG7SRwcSKabBPRrGLjEgx/ LJAUx2pASsUwJsodD2bZcWQvQNLDCIJkPq6Gqg9Ym1NZuOek0VIWoDKfOjyFOwZRTMVw3MlCYAiw K3/FUBdwglFIQykgbKFP2oOJcuPgf5ZXznpkjS9PuObjvqe/+QKnWEHq3IEBTlcgU8DYCheHcxis KZd8MA+OOt6Bl8l2z3U7dI0rHSJZJOifAIPwJVIE6ebx32fUa3k27idxccmVVJQQjAIR4qBauKGo QYToTQXhZhSxFs45lXWZb/igvOSomtRNnhihTiuXthWW80JmnsLF4SgjLDJoba76uHgAffrGTEqV L3lTeevzHOwCt0i4slSYsAZYrwA1CBefoAgxFqBILIG35UEKf01PSDruRlvwiwISmMeIg3tQIovj 4hV9suKR6dAe81+fYwQCS5mS0BihTjRZ+2y2wdty+giPvkuyyOYJLyrQb4WttFa2lARUFDGokb20 UH3VZlTm0omi6rOA3S7GO48EgNW1uy9UOmoCw4oEn3BwQgDsK+wcRVqABYpEuTQWFvHBv0m28Ufi xFi4dxVONHEENddC81jtXGFwrWwhQ6rak+0cBeFwhAUFSWFDC822CbC4Ls0iN1ifIj3MqwpfH+ry S/LrFeEQHtUFTvetepvMf4UDEl61gr40kCG3lqJk0hjk1eG7UA+Fo+7FOyrXw9dDYE7yoL5NaUzm cC7KZB6n4JJfgdQruGHOSMa5ki2FB8vd0Rjx9lkTNiwUTFaN0stCELLCQOGpi1IHZaJbWNXumnKo UgAScZWkCJdZ5NRy9jBwA+MIJV5/A8A8dRNQjC9KylFcnknBMUFGMTcuV1viVvUBx/UJ1DgIWFW3 7ttyBEyBqVK9DwuETPjeTFcW4w+hTqKAjy8m01vgJcAlFxNKF0AooBogCQQumSmNva0cOjWhoPCK FU1NPl8gDkouo10vqCjsBlwxCzlfXoX9ru5yMdUHKskaKsoPeKazT0GCsOflipy7QR8s+q7aGC9r V25ZBAvwbaUtKiaK4Cxz5cflxxssdFIdsFFgsSkysO2KCc7mNfPgmkVrjKXSAjThWEG2kgG9a2L+ CqguPGND3/lkYtRmU7psprBzOZtxWabonaMoe1H0O7yiSvWV+fwLRX421ehOrtbDX8qnKd0Vu3V/ xH9K8Z7KgsttqHDVkk8DyvMl5C8HO8dzVWDAnzpwpQCmtwn8tK48tXOllred7XLZyrR4eQgYztyS 5JZTeDh2pm6qUfiWJ4tS4WjRZNCkly5/LPd4oEAWPPyRbKepEZfWJe0oERfA3Wg9HxIdp/UYBcM2 rRw1plGU0qqINaFTJWzj0KGk1oyK1CJlhg42iIRFpcYjbIxhXqKF2sqaUSbjrQ6oHylpnM4lxjWb qOvB5jgBqOqZKRQ35l5NVV21Q94Wdr3KSlVIWQW9KzpuUwx8qRaZCqct/BJgkDil11XmSlmw9QQl CFH6i9MGZXEaEEmxWgvVVoybrSZqiQPiwFEj6XtBEAYXKApgPooCvZisOJwpN3Q5JCwV41MVXUGI fSWmT6ROHrXL61irrCGyWVJSBG1HLSQ93JRX0lFiz2t/gBuPHInn2avvqABRoLV0PQRQEmf+D2Z6 rRx32XhuAICmUUqFmtqZ6ELtEBS9AARg9kIpXoojyBR1QAs534KmNQKPVi0tJ6qgPic0iC15w0NO qXFy7VL3XRB6CMdAOZwpwMTuCSvPa7CtI0acLVRjbWoFA2IMJozB0UaCTvJROohmVeqs2MVlCZ27 x5ztpI3DhTHqfwUgk8Ip4I0v5mkAuFCVgsFmX3I1XlVGkLgr51sLFbUZd4out/BjLUy5nmjaQscD RToOfRdMO5Cu4YkoE12vXWLAkacUbgKlVE1b+PCORgIfCG6qKFFQVO7DAoFe474HP1XYQAMLmmSt +0y/si1G6eXKD4nl2JUiWVEaFp4oHVNv78D8VqfuTqtPmufczCvq9LEWj19wdjE/JWIhRQehInoY g0Dzxcg5FzegnSjYm9aVDlwn+cE1vXA00ElV2ow+FXBcg2obQQNajo4qmg1z44r7kbOkel+OfI3k jGxahywhS3eekxRPhKyiNLC3O4LLIjI0kAbhp5Lrm3EbJ7+tlWFMrD5+9OiioJGFSsoLOUUZwExX eAZmJMhsqiNVOrurMSdo0cJM+nSeWPNaOh0o+jHdNnKtOSxM0dRYCqpNTXKvHb4t3tJ5LGQ8zINl zRhOqooXe6zkmTrhwnI18GC41Mo3vhaTHBASfhAcpsJCcIRzsiIVFp5iEV9aZncFSWZc5PJ3iVKa WtQbhw2xOd1KFL9JO4DwY4wEzfrC25AKsrx59n3FrAkBbM+JDsztkk3drgKqqgr5LvA2SVyMwaID dMdx2xh9HNCjiVJqUb7zHwMIWNn6u+3bSjn18KEKAkgZiAz2/8RUo5iG+U48HgkR4hac2bk0jGK2 KPL8lznlTRMLom+Lka8opQKAIxgcuy1ovxRezQfNxAVAfXhKgyLdXiAfLawHqLwK77aeWZRAZXmP /teHVKQ4J+AWG+cpF1RVuNQBMXnuLtk1wJmxq+EVSigKWBnl5ITLUez8XThfhqt+w8jegE45pCE4 d3ieurm6P1JqIDEUpDyCpFg4T80hyMTbCCoSZ7jzpKgr5dHBy+nJsJYAAeQexclqqGuH6MCnu4fX mRibKw+icKWDRYje4gwyi6IvC4Kx0Mh2vbItNEHbzLsLFqV3FyxwV1JLJD7vdargzxwaQ5uX2poC 18NCilO5dt1O0t3BOU9SioiToNNveNGPpluwSRZEnbqMvJJ0aQHMUlqpyjqbYhZxl4iXs3ECWrl1 althjnLegrGv2gziTZMULaGiFJ4VdTmZ5+54wHOgeTqCB/RbedjIxzzdf43+Ptxmyec/Pf38kCZ/ JnnyU/fvW/L5l24KX4fUE/jQnraaZHvI+SmzdEtaBy+3KE5zOEQhz3xiv3JnBvbSahhm2Xiqeq8z h2WvMIJ1jju5UB+vAXQF5gbRqzenVfFg9jsqH4QeUn/VMlhG/zGS98Pb+gZN5oeEcUka/3WgDTes ADylOUH5IMJ2I5x6w2RfD5dtsvKFPiFAAWKcdq8HXYnightbFj1fFKcsKA7VjdGCcX+mwsTga9rv bd66kmXAI/N0hVF0XOSF3TZHsS5z/Eek2KqCzkwO94nS0/eaudsGP9+kDnfrz5QJ6oxCd26erp3i nTMRoeWLetQ0AlHk6XL/VLFAFr3ZpRBIUFMCRYFOOPZgkditgNnEHa+m9m/aOHS6ltYpgtbsMUBn QRtkDSwfAwOaFSa5ppQHE8FetaPvsi5UxDovc7NxXx+My2VOE5rpuBSBR2LRPYXLumWSkE26+ykK s3lOeoyquCj5gTHPHJlaROyy9i14UrPns+zVxybALwhnDw08E75AmtixRbGNRdsfm8SRsnX2UlAH w60YiwQFReTm1s7RjVL4McvByiYnpu/A++ZF1GPrgpXkDQGYiQNQFnbPG3IHws8vNAwiNOlBOnJP 4SY6NN1Ktt69pGkGzo3oskwMMvS5eEfun7csKsT0WVnpkInQzQ7wzLqgt0kbdVU4Wl4WzkZBD9XL STrHvR25ZGqkonRJm5KDqjaTY2BcgMaIoWA3LSyJF2hUis4WjT81GmeII7i5zuVJGXymUeIddmnU JtqgKEfnsa7M66mhicx92wvO3l5tLsAsQUc7iKMpD2i2364Pj0UA25krByo+TOLYBq4Uto/h9QAw AMYkPcvaEkmoD77EPOmIi2XjURRgZZRq0aDsuLt6ap9oX+7Ux3EeNjetnJsuxIb60tozdq/AcQaX RYF4WSQS07aIa2lytmzk30RMbw4a9/Lb66wWR5oocquS7JSiM+1NJWLHAYWKJnX25RZAoXOyL/x0 TWyayaU0F7nzZJ+t1rGu++MVj2QZFbpuy7F3AXkqSUCgcLfA7L0caMoiiYFmguA+gMxR4CrcVOQc NM++KFpEXDwCNDUYWLqsfWEoUpseNDKg8DwbqWipMaVAkNU5bzdioQmSynmJBU935lMPT700BM3a /ACaVb6AvRfT7uZundUDYbkMhQYHAe8SwFwCzHoAi0X6zJF7F5JES5mcivac0nLJIKzNoGfB/h4m wrwY98Ci5FIqhAGNOwlQQZ6Px48Wn7OCzKKKYLC33EinDSoFLtoyoPkJe4HvFC+QCq/tklSR8I0I rwAQKMdlRD3EjOJAnJUnyW7ULDVRB1VAXo9CK1sguHejNVBAXrDbahMCqQqHtGPlWFBmF2ymon6c p1Ir+nZGKZCDwLxFJhyXD5yWeQK7oqkFNzFG0FYTQV7Lm0nEiTIb2DFIH1TEQpKSIWLbjOJeAuBY 4UzBTRXNdP1twYONaXBXEDW590e0Ytt2vAlKlG7U85zCQIUlHitY+hoZEc8TWttP6zsRW1G49Xdm fj6LvwiMA75AdD0ESWnqlMSJyGqVOrwrQL04jXEY7Jpl6r5Tn4FMbdJDP+E4XQdp8iSSA30spmcr OgYapEaaCMdZssXiOMrSJLWpZYitS6fztCRYKDLDj483OITGMOp2LhmITwycLUrr+AmecAaPDbfr TPL5eeE3F0omB0rvJP+xHzFlDzSMgD44SgA3NcGMFUFo6SqHYKQChlG4+IJmhzH68Jk0huZ4lqbz mKJ8HN6f5r5xYzpOrKYsXcZEH241vQvLxpMh1+TCRfQdTCR3OR6HmsfyM8gfEayYv1HIloqTNS0S ORTHZAgycLlxCBwEKsXgdUc7ck+NM1UO6QqYzMA1mueIAzMYvUmr0Tj9TMgbD2XyHpt3xNtK0m/G m/ndEW9v5JIQ76tmgLXUTWkyjixwj/BLkIJAhCowLal1NDHBbHsM7lBSKfrK8cxHnqJq4Ahb4urN uGekULFRUGIutjjKY9fUZFr1cwyzfjU9oChHCSIiC+EExbbZzJAbDKJMGsyHq0ZOp1EctEX39lwq 3Sxnjtl5Ttmx8+1MJaN8xcLz4m7MLlRYW3TVFTjzCc/hrU8g0PU+otuXHbvU+k30rpoeFnT7bIpI NUVxFmJEYVNcE+sJkrDUdUJTj34tHX4W9M+BRbWozxF4rXxRFZnQFkexKZzDEfvHRDYXUxKmBJvL zc5wgE1cazYQiIA/K4oLuLLyBRU/hHZWE2lipWlbuRRzc2r1qhUiLiNaCP5AVrG7SkQCXwCpau4J /EDej1W7/wJC9//fp6efH9LkzyRPfur+fUs+/9INfh3yypmb9VxTjwGK2+ZnVd28kN1uovVxCd/7 y76PQUCG15B44SOVzxS1N7A3CQcnXzUnZYL2PfO2dFrV2rwozBrf663/Xv5dhy/afSc/utfN6n7e +x9fvp+Riek5AvmYfHz4PyvZdHNlbmRzdHJlYW0KZW5kb2JqCjE1MCAwIG9iago0OTYzCmVuZG9i agoxNTQgMCBvYmoKWzggL1hZWiA0Ny41MTk5OTk5ICAKNTcxLjc1OTk5OSAgMF0KZW5kb2JqCjE1 NSAwIG9iagpbOCAvWFlaIDQ3LjUxOTk5OTkgIAo0MjAuMDc5OTk5ICAwXQplbmRvYmoKMTU2IDAg b2JqCls4IC9YWVogNDcuNTE5OTk5OSAgCjMzMC43OTk5OTkgIDBdCmVuZG9iagoxNTcgMCBvYmoK WzggL1hZWiA1MC4zOTk5OTk5ICAKODAuMjM5OTk5OSAgMF0KZW5kb2JqCjE1OCAwIG9iagpbOCAv WFlaIDQ3LjUxOTk5OTkgIAozOTAuMzE5OTk5ICAwXQplbmRvYmoKMTU5IDAgb2JqCls4IC9YWVog NDcuNTE5OTk5OSAgCjEzOS43NTk5OTkgIDBdCmVuZG9iagoxNjAgMCBvYmoKWzggL1hZWiA0Ny41 MTk5OTk5ICAKMzAxLjAzOTk5OSAgMF0KZW5kb2JqCjE2MSAwIG9iagpbOCAvWFlaIDQ3LjUxOTk5 OTkgIAoxNjUuNjc5OTk5ICAwXQplbmRvYmoKMTYyIDAgb2JqCls4IC9YWVogNTAuMzk5OTk5OSAg CjQ5LjUxOTk5OTkgIDBdCmVuZG9iagoxNjMgMCBvYmoKWzggL1hZWiA0Ny41MTk5OTk5ICAKNzQ2 LjQ3OTk5OSAgMF0KZW5kb2JqCjE2NCAwIG9iagpbOCAvWFlaIDQ3LjUxOTk5OTkgIAoxMDkuOTk5 OTk5ICAwXQplbmRvYmoKMTY1IDAgb2JqCls4IC9YWVogNDcuNTE5OTk5OSAgCjcxNi43MTk5OTkg IDBdCmVuZG9iagoxNjYgMCBvYmoKWzggL1hZWiA0Ny41MTk5OTk5ICAKNjkwLjc5OTk5OSAgMF0K ZW5kb2JqCjE2NyAwIG9iagpbOCAvWFlaIDQ3LjUxOTk5OTkgIAo2MDEuNTE5OTk5ICAwXQplbmRv YmoKMTY4IDAgb2JqCls4IC9YWVogNDcuNTE5OTk5OSAgCjY2MC4wNzk5OTkgIDBdCmVuZG9iagox NjkgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAw ICA3MTIuODc5OTk5ICA1NDMuODQwMDAwICA3MjAuNTU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iagox NzAgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAw ICA2NTYuMjQwMDAwICA1NDMuODQwMDAwICA2NjMuOTE5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iagox NzEgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAw ICA1NjcuOTE5OTk5ICA1NDMuODQwMDAwICA1NzUuNTk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iagox NzIgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAw ICAzODYuNDc5OTk5ICA1NDMuODQwMDAwICAzOTQuMTU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iagox NzMgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsyNDIuNDAwMDAw ICAzNDIuMzE5OTk5ICAzODEuNjAwMDAwICAzNTIuODc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzSSMyZEQuaWV0ZiMyZGh0 dHBiaXMjMmRwNyMyZGF1dGgKPj4KZW5kb2JqCjE3NCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDI5Ny4xOTk5OTkgIDU0My44NDAwMDAgIDMw NC44Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0 bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJl ci5odG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjE3NSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDE2MS44Mzk5OTkgIDU0My44NDAwMDAgIDE2 OS41MTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0 bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJl ci5odG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjE3NiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDEwNi4xNTk5OTkgIDU0My44NDAwMDAgIDEx My44Mzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0 bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJl ci5odG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjE3NyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzEwOC45NTk5OTkgIDYzLjkxOTk5OTkgIDM1OC41NjAwMDAgIDcx LjU5OTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9V UkkgKGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtaHR0cGJpcy1wMS1tZXNz YWdpbmctMTcpCj4+Cj4+CmVuZG9iagoxNzggMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBl IC9MaW5rCi9SZWN0IFsyMDEuMTIwMDAwICA1NC4zMTk5OTk5ICAyMTcuNDM5OTk5ICA2MS45OTk5 OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJICho dHRwOi8vd3d3LmlldGYub3JnL2ludGVybmV0LWRyYWZ0cy9kcmFmdC1pZXRmLWh0dHBiaXMtcDEt bWVzc2FnaW5nLTE3LnR4dCkKPj4KPj4KZW5kb2JqCjE3OSAwIG9iago8PAovVHlwZSAvQW5ub3QK L1N1YnR5cGUgL0xpbmsKL1JlY3QgWzEwOC45NTk5OTkgIDI4LjM5OTk5OTkgIDI1MC4wNzk5OTkg IDM2LjA3OTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJ Ci9VUkkgKGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtaHR0cGJpcy1wNy1h dXRoLTE3KQo+Pgo+PgplbmRvYmoKMTgwIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAv TGluawovUmVjdCBbNDk0Ljg3OTk5OSAgMjguMzk5OTk5OSAgNTExLjE5OTk5OSAgMzYuMDc5OTk5 OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAoaHR0 cDovL3d3dy5pZXRmLm9yZy9pbnRlcm5ldC1kcmFmdHMvZHJhZnQtaWV0Zi1odHRwYmlzLXA3LWF1 dGgtMTcudHh0KQo+Pgo+PgplbmRvYmoKMTUzIDAgb2JqCjw8Ci9UeXBlIC9QYWdlCi9QYXJlbnQg MiAwIFIKL0NvbnRlbnRzIDE4MSAwIFIKL1Jlc291cmNlcyAxODMgMCBSCi9Bbm5vdHMgMTg0IDAg UgovTWVkaWFCb3ggWzAgMCA1OTUgODQyXQo+PgplbmRvYmoKMTgzIDAgb2JqCjw8Ci9Db2xvclNw YWNlIDw8Ci9QQ1NwIDQgMCBSCi9DU3AgL0RldmljZVJHQgovQ1NwZyAvRGV2aWNlR3JheQo+Pgov RXh0R1N0YXRlIDw8Ci9HU2EgMyAwIFIKPj4KL1BhdHRlcm4gPDwKPj4KL0ZvbnQgPDwKL0Y2IDYg MCBSCi9GOSA5IDAgUgovRjggOCAwIFIKL0YzMCAzMCAwIFIKPj4KL1hPYmplY3QgPDwKPj4KPj4K ZW5kb2JqCjE4NCAwIG9iagpbIDE2OSAwIFIgMTcwIDAgUiAxNzEgMCBSIDE3MiAwIFIgMTczIDAg UiAxNzQgMCBSIDE3NSAwIFIgMTc2IDAgUiAxNzcgMCBSIDE3OCAwIFIgMTc5IDAgUiAxODAgMCBS IF0KZW5kb2JqCjE4MSAwIG9iago8PAovTGVuZ3RoIDE4MiAwIFIKL0ZpbHRlciAvRmxhdGVEZWNv ZGUKPj4Kc3RyZWFtCnic7V1Lb+S4Eb73r9A5wHj4kkQCQYCxZxwghwCDMZDDIodgNptg0V7E2UP+ ftiSWk3WJ6okNmV3e9rGru0aqVjvFyn1xz9/+0f1r9+rjw/f/lN9H34+fNuJO1G7/qsS/vtDCFD2 Titx+Kqs1HdN20G/P+9eqpfd191X//+XnWy6G4cf/h+PS4ju+/fvv+0+9ovvesi3h7/63/5Xqeov /r9fq5/+7oE/D/gOFzzvrGs8HUJI7f/ch39KLYy+80RJDxf0z8PF/9797Q/VbwfC1J3tiJc9geGf H6QwsvYs+b/OIfnldKvHpZ2SdWOTv4eItR7oMZ4JVx94EMqzrk3t7/BfdSWNsAe2PdzLoJHmznjq FYWrthOACvHsE/gP4vkloNnp4Sv5e0RzSJsSHf6O5mAto3V3DaUthge8jHj2CfyU5kJyTtCcoiGl ly3kPK3r5xi+SM7TtpGypUJyVlq5jgYd27PSRh2W9fCIBgIfaQ7w7BP4i9mz0nUvHx3bhtJNLx+g LYIHvIx49gn8G8k5QXOKhpRetpDztK6fY/giOU/bRsqWCslZ2x69F1Vkz9r25PhfIxoIfKQ5wLNP 4C9mz9qaLmX2NIdr1f3vQFsED3gZ8ewT+DeSc4LmFA0pvWwh52ldP8fwRXKeto2ULRWSc2N1Fwek iO25sabzNSliGgh8pDnAs0/gL2bPjW26XNzTHK7VdvkOaYvgAS8jnn0C/0ZyTtCcoiGlly3kPK3r 5xi+SM7TtpGypUJytr5J6XCS+tkO10hS8xD4SHOAZ5/AX8ye7fC7JLWoF5sdyCS0RfCAlxHPPoF/ IzknaE7RkNLLFnKe1vVzDF8k52nbSNlSqT5F1G2PlPSDora9QEkNH8NPNf8Jzz6Bv1w/KGrXC470 VqKR8tigR7RF8JCXI559Av9Gck7QnKIhpZct5Dyt67gfXCbnadtI2VIpOcta9OsSe5b14FSEhhh+ ovmEZ5/AX86eZa0nbUPWZtLXYnjIiz754CT+jeScoDlFQ0ovW8h5WtfPBL5EztO2kbKlmObjmNPB 0G/V7LAxPnOpuq2UrWRd/feffpGv3WgwYwApu++Qlh6SGEC+zNx4/7T7+Nh4h66efql6Cj70P556 oj9Y5W3p6efqjwea/lQ9/bo7jFsHgOoA7QmgO4A9AQy9osfx5WlgfxtJay2uUNLayKuTtDHNFUra eE+8Nkk3Vl2hpBunr07SrbNXKGkr3NVJ2rXmCiXtbH1tknbCXGHt4XyfsZGkMzdzX2Zu7PhxldRT /PgWy1uONC4mP6C2pYBPFPCFveWxA9QzIqg7gDkBHlgc9Ulq+ey3LmJf9aqQeoYZoB0AVEJKsBKi /Eu4BQQCYtfUFHnSQewuVw8B6b0MHXWJOUotJQxuAUrhFqD0MwUAc0AHb8qA9J7KA5CCORh6BdxC kcoHTnNLLBc8l9qDBLGDtjNsCpblkZbw7do37lFoA01RwqSmvLDql59KRKE+CDfmqEtLPQgkRo0d nQ70sj4qK01Vyfs6XQUDGdjHekoVJNktmEPDBeeHeMHnMbBCPuOyIRdFCMtC7IMQA6rM9tvZqARO x4Y2FDsv1BIBxOg2csuMykc2FADaBqTAC0UK+WOBCHkfo/k0JxfQZc2gfjFC9D25R39iyylgBtIl GAjcstTrigTy9phyMPi9TiAH9vkKDFYBibGVIJjhlvnjPEUpIyJFvVIOgvAIlSAVMrYO7zqPAR18 dIQr+NgHOMCSgRfoNiB9Fiidh2JyRpWqpgYDeZ3vJPm+gCedVyUbPzKq7VRuOLNRcCYOBkvlUSRZ uLG8oLUC368tCFu8Z2dkU5bSjIlHkVohJxiCofIhBmol3pTXj8AmameqKhQzRKFEZbwqPrAyBByY 2HikfMFRpKhXIvY6Pjuw8RK5za4/7Zz6+WkdW14uwZqR2S+k4NykoBhiSolgr8a9sFeq/NZPb7cs 9M4UoasjEWLFxZcLm3S9bIrllY31JW+n4FH8ADxRcMY7T3f9U5P+K/l7tC+14Hp+12rlop2hdNuG U81d52qnJvxxOgZAhzADGCayUAJJebqkpRC8BvFquKTX4qkjhhZZ2mkDDFK6I7fgHmRvGs1MFWCp vdFVFlNK3b64rnWtFutaJjLCGmsYHFyqOVW3VAcgUEWvgHUAq6SKBACoGswF7QfWhakMqBqCICyb mGPNrDI0t1BXzdkxONQ9KILeoxqKFfwHJAS629B/3uQcgPcg70eWHIqa25DlCzp+EAN9JJufcVl+ U/d1citwyxYOWOFlFMklzlqUKPjZgwNQBPFVEcYQdlaBMuUHAGAfAMg4A/I68zB2FWyReJ97zf2W GRxDjgkGQpLui2O1zq8Ly8Bm++vYA0TYcvZwXp/VCCYXLLapM8eyHRnueNIOpoHbxFN2xvCOeyYz PlJRoo4uUmknzpKtKQk1dL1YrEP1CqZECz6+pYJ1b33EhfURb1JpN52nOXIoPiO6zqVfSAww1OSP C2pRIIj3c89apo+2lduNPDPtdYQqF1s3dIlzcz/2GGdOX5Gx2bBhaRF02nAFf6oALBnY50tNdkOL LxQWNKLrZ6kLCloalxaYeobflugRS/q+Ofq+/EyX5Q/2wRVwPqic79ej7/fiCDoPdCkI26BcttHI 6V5KnEd/m3mIprl/waH/BXuiYA9gZFD+UesvaezttSQ6O+5EwmYBf0SVn7rwJUrG8xtss5YzdGKD Y0HzaMRoHvQgF6ZTGmHUl1LKb+RR+eiU73okCwUJuw8LMXpJAmYN922DVKOPVmi+kFUAkDPZy9gZ uBTF4Kk0qgcThOB3Nv5px+i0YMvcsVfww50iww5+YMDuxOE0ZIvdcNyrFLTMxCkMy+5wDB1PCc7M ZW6bpGdMpFtNnrK/bZKekZFvm6Qxt5e6Sfoj9KpnHiwWOo4OYFKb9LsXs1t7m25MVR1FtF1gH7Wt R0ovZB91QRMA5sCnMXZeWPCBmHNfPaIjvRQZOmpJ7RIeQKZ1Olyx4KnNjEE222mpxIN8Z0blRsZS fr+791aNTBZo326799T5bu0rcdhN29e325u39fF1l7eaZruaZmZd9QiZ8G2PL1hvF8O6l72rY+1o upCiS2y1b/EY+I8+AWGFrOFFE/SWkqbujqZ+2xvg2J3dGzjPkZ08OvJEMOSf0Fz/kjbckYJVwAtf 5XTTlhthTjVJ9gsfTXlnvYYbw4RO9IKrnq7k9yOGvg2MbU2Nj88nLj30uvUTjE40brE8MzqziWdT obaj4sPKPKOtkImq47zNqQswhq06k9R7h5XzViLFMSvodjrkBxsHdIozNLQQ0GEzJlA4pA1HllVU 4ateljDPrDw+gDIE5xkykC76phjtKA5gtqYOQCUISIcsCm9kKMG9Ou4jSPBdUAuQjgCYHEK1S+WB VRUF6OngmMzEk9xKHytDyx4sCjw3eEaipYoy9AoeB0Q7Ma19OGZ9AgyDdHgyCHxwBkedODgXkH4/ XWRDjA1uMdQbeF4oIIMXI2hKoYSBkIdCfUaVr0O6goFphtFRqaMqwehYwiQN2kX08okzGN5f0CyB 28fp1DCnSkpYBreAAwmDKxJT2lWKoqkgxwoTz5nOyBT1wt8C0YHWAQtECN7AMjfsBdRldQuAxAmL s5zQ0KdlMkhHSkFzkLTWRzo+R6EqwfdZbxgq5ZlIt/aVWXOVwVgG6gAp/RCSQ7ktsdyWoq48BnNX dz3Z4ZXOIgTsd98Wfa7J1HJMx51GNlv8HSgOmR4mV7ClAjP4oAhtaJ0GIYAGK2wF6BVDEoG9vcAH aHUMNaeAtg3qePg0FUqH/szSAWOYxLmCmdKf5zZ1AmLuuA8U1IADQgAICKp0dtkM5lBziYc14GgC PM/g0tyW6FpQhEAH9QbeLIGOxb3R1puWkyHjENOikEGTkYYQD9kJDA9CBp9paUUIdQVfVGNVSVdB pDQ78Q3TEO3gXPJcv8gWTYBUUwDcctyVEDMCAdUBgCoGmqyc5hdKQmAG7AGKExqpJaQyqM2o1WGl AZabYK5I6THOYEC56B9sr4u3rFe2XN9T4RsWoL4D/6C8oH/wXQbQ4SjSe85hAJCysTUloVKHklA1 Y0moTBsCLq8kPFAcGSMt+EyiRnyTbHQQZzS+BJ9e84lJ8zNS8yONw+uLH4dDs1myDTRtLOPbgHhx vXMbEJ9N+m1ATEi/DYjXKuo2IJ5n7jYgZui4DYinK4PxtT3ZA+JGnLoB60LA5XUDw4C4Jp9Y/KMO iMF++QGxTBx9mimooeTGVgBCMz+6pf6M8sge/75N62ddbJq3QeQ8Ya8ziIRRHd4CZRXPC1RAVz8y nCHsNv/j6r2rmf81wsYZv+m2hC844x8oDsPqZc//Gh0XZbPzvzcT9PSHwrYuflI+0dXAaXBmPS+R xII2XlDILPxJfrrPtQz4GZ4wh08oggIj0Ba8Opn6ceK1dNlC0breUii6++Tf4IFwuk8NDCLHvQWH n1TpKAQFOf00e76YnN5UTM5G6Cd4vi/LkJHtlgwZFb8GA59vZg0BTCU8AO2/qxdPqGy6FYcf359z A/DX6uvu//lI2fBlbmRzdHJlYW0KZW5kb2JqCjE4MiAwIG9iagozNDE4CmVuZG9iagoxODYgMCBv YmoKWzkgL1hZWiA0Ny41MTk5OTk5ICAKNDY5Ljk5OTk5OSAgMF0KZW5kb2JqCjE4NyAwIG9iagpb OSAvWFlaIDUwLjM5OTk5OTkgIAo3NTguOTU5OTk5ICAwXQplbmRvYmoKMTg4IDAgb2JqCls5IC9Y WVogNTAuMzk5OTk5OSAgCjY4Mi4xNTk5OTkgIDBdCmVuZG9iagoxODkgMCBvYmoKWzkgL1hZWiA0 Ny41MTk5OTk5ICAKMjQ0LjM5OTk5OSAgMF0KZW5kb2JqCjE5MCAwIG9iagpbOSAvWFlaIDUwLjM5 OTk5OTkgIAo3ODAuMDc5OTk5ICAwXQplbmRvYmoKMTkxIDAgb2JqCls5IC9YWVogNTAuMzk5OTk5 OSAgCjY1MS40Mzk5OTkgIDBdCmVuZG9iagoxOTIgMCBvYmoKWzkgL1hZWiA1MC4zOTk5OTk5ICAK ODAyLjE1OTk5OSAgMF0KZW5kb2JqCjE5MyAwIG9iagpbOSAvWFlaIDUwLjM5OTk5OTkgIAo3MjUu MzU5OTk5ICAwXQplbmRvYmoKMTk0IDAgb2JqCls5IC9YWVogNTAuMzk5OTk5OSAgCjU0MS4wMzk5 OTkgIDBdCmVuZG9iagoxOTUgMCBvYmoKWzkgL1hZWiA1MC4zOTk5OTk5ICAKNzAzLjI3OTk5OSAg MF0KZW5kb2JqCjE5NiAwIG9iagpbOSAvWFlaIDUwLjM5OTk5OTkgIAo1MTkuOTE5OTk5ICAwXQpl bmRvYmoKMTk3IDAgb2JqCls5IC9YWVogNDcuNTE5OTk5OSAgCjQ5OS43NTk5OTkgIDBdCmVuZG9i agoxOTggMCBvYmoKWzkgL1hZWiA0Ny41MTk5OTk5ICAKMjc0LjE1OTk5OSAgMF0KZW5kb2JqCjE5 OSAwIG9iagpbOSAvWFlaIDQ3LjUxOTk5OTkgIAo2MjEuNjc5OTk5ICAwXQplbmRvYmoKMjAwIDAg b2JqCls5IC9YWVogNTAuMzk5OTk5OSAgCjc0Ni40Nzk5OTkgIDBdCmVuZG9iagoyMDEgMCBvYmoK WzkgL1hZWiA1MC4zOTk5OTk5ICAKNTYzLjEyMDAwMCAgMF0KZW5kb2JqCjIwMiAwIG9iagpbOSAv WFlaIDQ3LjUxOTk5OTkgIAo1OTEuOTE5OTk5ICAwXQplbmRvYmoKMjAzIDAgb2JqCjw8Ci9UeXBl IC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNTIyLjcyMDAwMCAgNTg4LjA3OTk5OSAgNTQz Ljg0MDAwMCAgNTk1Ljc1OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMy ZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMy ZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3RvYwo+PgplbmRvYmoKMjA0IDAgb2JqCjw8Ci9UeXBl IC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNTIyLjcyMDAwMCAgNDY2LjE1OTk5OSAgNTQz Ljg0MDAwMCAgNDczLjgzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMy ZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMy ZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3RvYwo+PgplbmRvYmoKMjA1IDAgb2JqCjw8Ci9UeXBl IC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNTIyLjcyMDAwMCAgMjQwLjU1OTk5OSAgNTQz Ljg0MDAwMCAgMjQ4LjIzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMy ZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMy ZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3RvYwo+PgplbmRvYmoKMjA2IDAgb2JqCjw8Ci9UeXBl IC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMjkxLjM2MDAwMCAgNzk0LjQ3OTk5OSAgNDUy LjYzOTk5OSAgODAyLjE1OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9u Ci9TIC9VUkkKL1VSSSAoaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0Zi1vYXV0 aC12Mi0yMikKPj4KPj4KZW5kb2JqCjIwNyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzI1NS44NDAwMDAgIDc4NC44Nzk5OTkgIDI3Mi4xNjAwMDAgIDc5Mi41NTk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0 dHA6Ly93d3cuaWV0Zi5vcmcvaW50ZXJuZXQtZHJhZnRzL2RyYWZ0LWlldGYtb2F1dGgtdjItMjIu dHh0KQo+Pgo+PgplbmRvYmoKMjA4IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGlu awovUmVjdCBbMjc3LjkyMDAwMCAgNzg0Ljg3OTk5OSAgMjkzLjI4MDAwMCAgNzkyLjU1OTk5OSBd Ci9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAoaHR0cDov L3d3dy5pZXRmLm9yZy9pbnRlcm5ldC1kcmFmdHMvZHJhZnQtaWV0Zi1vYXV0aC12Mi0yMi5wZGYp Cj4+Cj4+CmVuZG9iagoyMDkgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9S ZWN0IFsxMDUuMTIwMDAwICA3NzIuMzk5OTk5ICAxNTMuMTIwMDAwICA3ODAuMDc5OTk5IF0KL0Jv cmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChtYWlsdG86c29i QGhhcnZhcmQuZWR1KQo+Pgo+PgplbmRvYmoKMjEwIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3Vi dHlwZSAvTGluawovUmVjdCBbMTYxLjc1OTk5OSAgNzcyLjM5OTk5OSAgNDA4LjQ4MDAwMCAgNzgw LjA3OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VS SSAoaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvcmZjMjExOSkKPj4KPj4KZW5kb2JqCjIxMSAw IG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzEwOCAgNzYzLjc1OTk5 OSAgMTI0LjMxOTk5OSAgNzcxLjQzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAv QWN0aW9uCi9TIC9VUkkKL1VSSSAoaHR0cDovL3d3dy5yZmMtZWRpdG9yLm9yZy9yZmMvcmZjMjEx OS50eHQpCj4+Cj4+CmVuZG9iagoyMTIgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9M aW5rCi9SZWN0IFsxMjkuMTIwMDAwICA3NjMuNzU5OTk5ICAxNTIuMTU5OTk5ICA3NzEuNDM5OTk5 IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRw Oi8veG1sLnJlc291cmNlLm9yZy9wdWJsaWMvcmZjL2h0bWwvcmZjMjExOS5odG1sKQo+Pgo+Pgpl bmRvYmoKMjEzIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTU2 Ljk2MDAwMCAgNzYzLjc1OTk5OSAgMTc0LjI0MDAwMCAgNzcxLjQzOTk5OSBdCi9Cb3JkZXIgWzAg MCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAoaHR0cDovL3htbC5yZXNvdXJj ZS5vcmcvcHVibGljL3JmYy94bWwvcmZjMjExOS54bWwpCj4+Cj4+CmVuZG9iagoyMTQgMCBvYmoK PDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsxMDUuMTIwMDAwICA3NTEuMjc5 OTk5ICAxNDYuNDAwMDAwICA3NTguOTU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBl IC9BY3Rpb24KL1MgL1VSSQovVVJJIChtYWlsdG86dGRpZXJrc0BjZXJ0aWNvbS5jb20pCj4+Cj4+ CmVuZG9iagoyMTUgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsx NjQuNjM5OTk5ICA3NTEuMjc5OTk5ICAxOTcuMjc5OTk5ICA3NTguOTU5OTk5IF0KL0JvcmRlciBb MCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChtYWlsdG86Y2FsbGVuQGNl cnRpY29tLmNvbSkKPj4KPj4KZW5kb2JqCjIxNiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzIwNS45MTk5OTkgIDc1MS4yNzk5OTkgIDMyOS43NTk5OTkgIDc1OC45 NTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkg KGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzIyNDYpCj4+Cj4+CmVuZG9iagoyMTcgMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs0MzUuMzYwMDAwICA3NTEu Mjc5OTk5ICA0NTEuNjgwMDAwICA3NTguOTU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9U eXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9y ZmMyMjQ2LnR4dCkKPj4KPj4KZW5kb2JqCjIxOCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzEwNS4xMjAwMDAgIDczOC43OTk5OTkgIDE3MC40MDAwMDAgIDc0Ni40 Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkg KG1haWx0bzp0aW1ibEB3My5vcmcpCj4+Cj4+CmVuZG9iagoyMTkgMCBvYmoKPDwKL1R5cGUgL0Fu bm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsxNzUuMTk5OTk5ICA3MzguNzk5OTk5ICAyMjIuMjM5 OTk5ICA3NDYuNDc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1Mg L1VSSQovVVJJIChtYWlsdG86ZmllbGRpbmdAZ2Jpdi5jb20pCj4+Cj4+CmVuZG9iagoyMjAgMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsyNDMuMzU5OTk5ICA3Mzgu Nzk5OTk5ICAyOTAuMzk5OTk5ICA3NDYuNDc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9U eXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChtYWlsdG86TE1NQGFjbS5vcmcpCj4+Cj4+CmVuZG9i agoyMjEgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFszMDAgIDcz OC43OTk5OTkgIDUxNS4wMzk5OTkgIDc0Ni40Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwK L1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3Jm YzM5ODYpCj4+Cj4+CmVuZG9iagoyMjIgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9M aW5rCi9SZWN0IFsyMzEuODQwMDAwICA3MjkuMTk5OTk5ICAyNDguMTU5OTk5ICA3MzYuODc5OTk5 IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRw Oi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmMzOTg2LnR4dCkKPj4KPj4KZW5kb2JqCjIyMyAw IG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzI1My45MTk5OTkgIDcy OS4xOTk5OTkgIDI3Ni45NTk5OTkgIDczNi44Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwK L1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1Ymxp Yy9yZmMvaHRtbC9yZmMzOTg2Lmh0bWwpCj4+Cj4+CmVuZG9iagoyMjQgMCBvYmoKPDwKL1R5cGUg L0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsyODEuNzU5OTk5ICA3MjkuMTk5OTk5ICAyOTku MDM5OTk5ICA3MzYuODc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24K L1MgL1VSSQovVVJJIChodHRwOi8veG1sLnJlc291cmNlLm9yZy9wdWJsaWMvcmZjL3htbC9yZmMz OTg2LnhtbCkKPj4KPj4KZW5kb2JqCjIyNSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzIwOS43NTk5OTkgIDcxNy42Nzk5OTkgIDQxNy4xMjAwMDAgIDcyNS4zNTk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0 dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzUyMzQpCj4+Cj4+CmVuZG9iagoyMjYgMCBvYmoK PDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsxNTguODc5OTk5ICA3MDguMDc5 OTk5ICAxNzUuMTk5OTk5ICA3MTUuNzU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBl IC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmM1 MjM0LnR4dCkKPj4KPj4KZW5kb2JqCjIyNyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzIwNi44Nzk5OTkgIDY5NS41OTk5OTkgIDQ0OC43OTk5OTkgIDcwMy4yNzk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0 dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzUyNDYpCj4+Cj4+CmVuZG9iagoyMjggMCBvYmoK PDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsxNTYuOTYwMDAwICA2ODYuOTU5 OTk5ICAxNzMuMjgwMDAwICA2OTQuNjM5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBl IC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmM1 MjQ2LnR4dCkKPj4KPj4KZW5kb2JqCjIyOSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzEwNS4xMjAwMDAgIDY1Ni4yNDAwMDAgIDUyMy42ODAwMDAgIDY4Mi4xNTk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0 dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzYxMjUpCj4+Cj4+CmVuZG9iagoyMzAgMCBvYmoK PDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFszMzcuNDM5OTk5ICA2NTYuMjQw MDAwICAzNTMuNzU5OTk5ICA2NjMuOTE5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBl IC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmM2 MTI1LnR4dCkKPj4KPj4KZW5kb2JqCjIzMSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzI0Mi40MDAwMDAgIDYzOC45NTk5OTkgIDM0NC4xNTk5OTkgIDY0Ni42Mzk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0 dHA6Ly93d3cudzMub3JnL1RSLzE5OTkvUkVDLWh0bWw0MDEtMTk5OTEyMjQpCj4+Cj4+CmVuZG9i agoyMzIgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFszMzMuNTk5 OTk5ICA2MjkuMzU5OTk5ICAzNTYuNjM5OTk5ICA2MzcuMDM5OTk5IF0KL0JvcmRlciBbMCAwIDBd Ci9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnczLm9yZy9UUi8x OTk5L1JFQy1odG1sNDAxLTE5OTkxMjI0KQo+Pgo+PgplbmRvYmoKMjMzIDAgb2JqCjw8Ci9UeXBl IC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbOTguMzk5OTk5OSAgNTQ2Ljc5OTk5OSAgNTAx LjU5OTk5OSAgNTYzLjEyMDAwMCBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9u Ci9TIC9VUkkKL1VSSSAoaHR0cDovL2NzcmMubmlzdC5nb3YvcHVibGljYXRpb25zL1B1YnNEcmFm dHMuaHRtbCNTUC04MDAtNjMtUmV2LiAxKQo+Pgo+PgplbmRvYmoKMjM0IDAgb2JqCjw8Ci9UeXBl IC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbOTguMzk5OTk5OSAgNTMzLjM2MDAwMCAgMTQ1 LjQzOTk5OSAgNTQxLjAzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9u Ci9TIC9VUkkKL1VSSSAobWFpbHRvOmZpZWxkaW5nQGljcy51Y2kuZWR1KQo+Pgo+PgplbmRvYmoK MjM1IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTUxLjE5OTk5 OSAgNTMzLjM2MDAwMCAgMTkwLjU2MDAwMCAgNTQxLjAzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQov QSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAobWFpbHRvOmpnQHczLm9yZykKPj4KPj4K ZW5kb2JqCjIzNiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzE5 NS4zNTk5OTkgIDUzMy4zNjAwMDAgIDIzMC44Nzk5OTkgIDU0MS4wMzk5OTkgXQovQm9yZGVyIFsw IDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1haWx0bzptb2d1bEB3cmwu ZGVjLmNvbSkKPj4KPj4KZW5kb2JqCjIzNyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzIzNS42ODAwMDAgIDUzMy4zNjAwMDAgIDI4Mi43MjAwMDAgIDU0MS4wMzk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1h aWx0bzpmcnlzdHlrQHczLm9yZykKPj4KPj4KZW5kb2JqCjIzOCAwIG9iago8PAovVHlwZSAvQW5u b3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzI4OC40ODAwMDAgIDUzMy4zNjAwMDAgIDMzOC40MDAw MDAgIDU0MS4wMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAv VVJJCi9VUkkgKG1haWx0bzptYXNpbnRlckBwYXJjLnhlcm94LmNvbSkKPj4KPj4KZW5kb2JqCjIz OSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzM0My4xOTk5OTkg IDUzMy4zNjAwMDAgIDM4MS41OTk5OTkgIDU0MS4wMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Eg PDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1haWx0bzpwYXVsbGVAbWljcm9zb2Z0LmNv bSkKPj4KPj4KZW5kb2JqCjI0MCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsK L1JlY3QgWzQwMy42ODAwMDAgIDUzMy4zNjAwMDAgIDQ2Ni4wNzk5OTkgIDU0MS4wMzk5OTkgXQov Qm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1haWx0bzp0 aW1ibEB3My5vcmcpCj4+Cj4+CmVuZG9iagoyNDEgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0 eXBlIC9MaW5rCi9SZWN0IFs5OC4zOTk5OTk5ICA1MjQuNzE5OTk5ICA1MTguODc5OTk5ICA1NDEu MDM5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJ IChodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9yZmMyNjE2KQo+Pgo+PgplbmRvYmoKMjQyIDAg b2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMzE2LjMxOTk5OSAgNTI0 LjcxOTk5OSAgMzMyLjYzOTk5OSAgNTMyLjM5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAov VHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAoaHR0cDovL3d3dy5yZmMtZWRpdG9yLm9yZy9yZmMv cmZjMjYxNi50eHQpCj4+Cj4+CmVuZG9iagoyNDMgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0 eXBlIC9MaW5rCi9SZWN0IFszMzcuNDM5OTk5ICA1MjQuNzE5OTk5ICAzNDggIDUzMi4zOTk5OTkg XQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0dHA6 Ly93d3cucmZjLWVkaXRvci5vcmcvcmZjL3JmYzI2MTYucHMpCj4+Cj4+CmVuZG9iagoyNDQgMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFszNTIuODAwMDAwICA1MjQu NzE5OTk5ICAzNjguMTYwMDAwICA1MzIuMzk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9U eXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9y ZmMyNjE2LnBkZikKPj4KPj4KZW5kb2JqCjI0NSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzM3My45MTk5OTkgIDUyNC43MTk5OTkgIDM5Ni45NTk5OTkgIDUzMi4z OTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkg KGh0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvaHRtbC9yZmMyNjE2Lmh0bWwpCj4+ Cj4+CmVuZG9iagoyNDYgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0 IFs0MDAuODAwMDAwICA1MjQuNzE5OTk5ICA0MTguMDgwMDAwICA1MzIuMzk5OTk5IF0KL0JvcmRl ciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8veG1sLnJl c291cmNlLm9yZy9wdWJsaWMvcmZjL3htbC9yZmMyNjE2LnhtbCkKPj4KPj4KZW5kb2JqCjI0NyAw IG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzk4LjM5OTk5OTkgIDUx Mi4yNDAwMDAgIDEzNy43NTk5OTkgIDUxOS45MTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwK L1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1haWx0bzpqb2huQG1hdGgubnd1LmVkdSkKPj4K Pj4KZW5kb2JqCjI0OCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3Qg WzE0My41MTk5OTkgIDUxMi4yNDAwMDAgIDIxNS41MTk5OTkgIDUxOS45MTk5OTkgXQovQm9yZGVy IFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1haWx0bzpwYmFrZXJA dmVyaXNpZ24uY29tKQo+Pgo+PgplbmRvYmoKMjQ5IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3Vi dHlwZSAvTGluawovUmVjdCBbMjIwLjMxOTk5OSAgNTEyLjI0MDAwMCAgMjcxLjE5OTk5OSAgNTE5 LjkxOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VS SSAobWFpbHRvOmplZmZAQWJpU291cmNlLmNvbSkKPj4KPj4KZW5kb2JqCjI1MCAwIG9iago8PAov VHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzI3NiAgNTEyLjI0MDAwMCAgMzMwLjcy MDAwMCAgNTE5LjkxOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9T IC9VUkkKL1VSSSAobWFpbHRvOmxhd3JlbmNlQGFncmFuYXQuY29tKQo+Pgo+PgplbmRvYmoKMjUx IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMzM1LjUxOTk5OSAg NTEyLjI0MDAwMCAgMzczLjkxOTk5OSAgNTE5LjkxOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8 PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAobWFpbHRvOnBhdWxsZUBtaWNyb3NvZnQuY29t KQo+Pgo+PgplbmRvYmoKMjUyIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawov UmVjdCBbNDQ3LjgzOTk5OSAgNTEyLjI0MDAwMCAgNDkyICA1MTkuOTE5OTk5IF0KL0JvcmRlciBb MCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChtYWlsdG86c3Rld2FydEBP cGVuTWFya2V0LmNvbSkKPj4KPj4KZW5kb2JqCjI1MyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzk4LjM5OTk5OTkgIDUwMy41OTk5OTkgIDUyMi43MjAwMDAgIDUx OS45MTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9V UkkgKGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzI2MTcpCj4+Cj4+CmVuZG9iagoyNTQg MCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs0MzIuNDc5OTk5ICA1 MDIuNjM5OTk5ICA0NDguNzk5OTk5ICA1MTAuMzE5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8 Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3Jm Yy9yZmMyNjE3LnR4dCkKPj4KPj4KZW5kb2JqCjI1NSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzQ1NC41NjAwMDAgIDUwMi42Mzk5OTkgIDQ3Ny42MDAwMDAgIDUx MC4zMTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9V UkkgKGh0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvaHRtbC9yZmMyNjE3Lmh0bWwp Cj4+Cj4+CmVuZG9iagoyNTYgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9S ZWN0IFs0ODEuNDM5OTk5ICA1MDIuNjM5OTk5ICA0OTguNzIwMDAwICA1MTAuMzE5OTk5IF0KL0Jv cmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8veG1s LnJlc291cmNlLm9yZy9wdWJsaWMvcmZjL3htbC9yZmMyNjE3LnhtbCkKPj4KPj4KZW5kb2JqCjE4 NSAwIG9iago8PAovVHlwZSAvUGFnZQovUGFyZW50IDIgMCBSCi9Db250ZW50cyAyNTcgMCBSCi9S ZXNvdXJjZXMgMjU5IDAgUgovQW5ub3RzIDI2MCAwIFIKL01lZGlhQm94IFswIDAgNTk1IDg0Ml0K Pj4KZW5kb2JqCjI1OSAwIG9iago8PAovQ29sb3JTcGFjZSA8PAovUENTcCA0IDAgUgovQ1NwIC9E ZXZpY2VSR0IKL0NTcGcgL0RldmljZUdyYXkKPj4KL0V4dEdTdGF0ZSA8PAovR1NhIDMgMCBSCj4+ Ci9QYXR0ZXJuIDw8Cj4+Ci9Gb250IDw8Ci9GNiA2IDAgUgovRjkgOSAwIFIKL0Y4IDggMCBSCi9G NzIgNzIgMCBSCj4+Ci9YT2JqZWN0IDw8Cj4+Cj4+CmVuZG9iagoyNjAgMCBvYmoKWyAyMDMgMCBS IDIwNCAwIFIgMjA1IDAgUiAyMDYgMCBSIDIwNyAwIFIgMjA4IDAgUiAyMDkgMCBSIDIxMCAwIFIg MjExIDAgUiAyMTIgMCBSIDIxMyAwIFIgMjE0IDAgUiAyMTUgMCBSIDIxNiAwIFIgMjE3IDAgUiAy MTggMCBSIDIxOSAwIFIgMjIwIDAgUiAyMjEgMCBSIDIyMiAwIFIgMjIzIDAgUiAyMjQgMCBSIDIy NSAwIFIgMjI2IDAgUiAyMjcgMCBSIDIyOCAwIFIgMjI5IDAgUiAyMzAgMCBSIDIzMSAwIFIgMjMy IDAgUiAyMzMgMCBSIDIzNCAwIFIgMjM1IDAgUiAyMzYgMCBSIDIzNyAwIFIgMjM4IDAgUiAyMzkg MCBSIDI0MCAwIFIgMjQxIDAgUiAyNDIgMCBSIDI0MyAwIFIgMjQ0IDAgUiAyNDUgMCBSIDI0NiAw IFIgMjQ3IDAgUiAyNDggMCBSIDI0OSAwIFIgMjUwIDAgUiAyNTEgMCBSIDI1MiAwIFIgMjUzIDAg UiAyNTQgMCBSIDI1NSAwIFIgMjU2IDAgUiBdCmVuZG9iagoyNTcgMCBvYmoKPDwKL0xlbmd0aCAy NTggMCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp4nO1dXa/cuJF9v7+inwOMR/yQ WgIWAWyPvcA+LGDYwD4EeQicTYLADtabh/z9iJJaIus0dSg21a2eOzZm3Je3RRWLxfqu4s//+flP p7/+8/Tz+8//d/o6/fv+80v1pqq78c+p6v/+5A/o9o3RlftzapV505yH0a/fX36cfrx8evnU///H i2qGB6d/+l9eXlENf//59R8vP48vfxlHPr//7/7Tv0769F/9f38//eGP/eCfp/ncF76/tF3Tw1FV yvQ/fvN/VKZq1Zum/9yPV/JH9+W/vfzP707/cIDpN+0AvBoB9H/8Samz6pp+RN0E8o/l0R4K02lV N230sz+xMRM89mRs0w6f637pxtZuPe4HY8e19R97HDTKvrE99FqO6/MbPY3P83yLzO/Q8xcP5s5M f6KfA5h92LoBnBFm7111NYADsIXj3lrmeb5F5pcwF8JzBOYYDLF92QPP1/f6ezCehufrtBGjpUJ4 ruvKuuNatSE917Vqhu+0IQxifIbZm+dbZP5i9FzXuhs+tyFt1LXVAw0AbMG4t5Z5nm+R+XfCcwTm GAyxfdkDz9f3+ns4noTn67QRo6VCeO50M77WhPTc6fYilgIYxPgMszfPt8j8xei5090w/wiz9y5T Dd8B2MJxby3zPN8i8++E5wjMMRhi+7IHnq/vdUDPiXi+ThsxWgphvqhpHSgtm3SfxvaYsabttb2T qk///7/9Sz4Nqk2GAqWGvz4s40hEgfqx8uC7Ly8/f2xOqjp9+ctphOCn8Z8vI9A/ddZ2py9/Pv2H g+n3py9/f3Hq4jSgh4HzMmCGgXYZsPIb4xwfvkzL3wfTdXd+Qkw3PT99Nky3nXpCTHeV3gnTmUbO j5UHV9eju345qqknUJSSsP0iB7phoJ4HlPyGaZflULi6CFyqN2d7wOoL7zBmmVRSoMOJQpwoJ2VU b5TWjnZ6zq/bzh/49vI5iaivvW59C1YmW90MB7G/aK0k6QBxyQHdyN34OAzY5ZFaztGwb9hKfkNS vX4rHkFCeivoBggJJjXv5Fp+YXCo98NAdwv9KjifLZuj+ii5wIdhoFnBB59DLr/yDtZefCJ2Ht3Z CUjTyM2ycj01w0kFpPlWfqOT33gnBjQQ7wiYXgbOclI5B7wFJ9V0DhhoJAVUcg6AVKIQ4ZCTaokx fER+Q/G1yG/ApIbCAbuv5NlVwNzeM/pQhtIY4PQXBhjgFMlSAqZhK+ERIDo4HnJAyTngiCFOzxKF rXwL7K1cC5IlgB6RIB4cnZz0nRgAgoGBGMFskfhOAQ4kfmOqY0t8B7HPVkGe24gK8BAh4NDpQwsk q95uUP3WVdJWXSjlLGn6LJUPI9mTlUgDriiFLQp9KZ/1h+vns8RiOxOT+SUUcsDPxEe9t4DWWFCH n3dSwbaA9BpXq6qVEc6fUFyBdIIBEIoAGghFyp41aJZvr1PuyhygA+PygedTOYqaGDwixWbCaqUw ylgt7guIbwB9OxwoaihhJqAQNFO+t9ttWmNNL9BaPUu4urb+wPEknIPYZwIg4RLsL/CxSJdKCbMP bUnJFEGKmA90jhKAAQsAU1pKs0lB9SYtZ36urBacDwgpTApwwDciJ80jmAeqRO78+eT9yuxikBt7 WJsgesHemB4poq7MuhhaNXLgNyNXfGMPI9e8pxoQLA5oTD6CauWvyQ7W3blXCjo7awlGdf7A8bQE B3FgBx3aDnbo9KGNEfEmzU7XYs9sc+w9cxAHWAAjUqrV+pF71qMz4O77+S50NUetpO9CfbiOEuCh K7Y5BnDkgJHRGN+cT46eVadOq8WXphrjDxyPHkf5vSBfA56kNopaMcgaqfOicSInTQiWwVuax50L t60B1vYwW9XZhsRku+bgxHS2AVosmK1wTjtqDL6TxiC37CSpqFryC6Au6adMeAsY2GCTy9cmGOlg UFL7MYc7UnwkWJjwiPQwI+hwhAtEgDlOAUFIhR/lHOBOAEiBLcKkIz6UWgGVx8jlYqxhNIV+aviG lhjyNK97s1LH1FZZKfcFaIlG3ckdj0h/7y1gY4D1s93trCU5A2DcGuLGjwYjlEI6iVuPqXLfLXjM gc1QnCKkMLBFn1z3SWg9h1C2G4NqSKrVi8tY6cYfOKDsrWyw6GMbgw6dPrQljEFltNizRh98z3qI AyzQ1LUpOrYcXGseuImNLr+JTSs2sVMH38SmDbAA5+xYe9ajM+CNO1r05rynRQ8DGjIf5enJtuhN u9Cjix0uAwekx1H6LciHOC1P45DKramYBcENeEzDfaQBP0SgFiQVDKpvM/HbkLrcwTw2dZ3bEHFA OxDuouFdtEdgIGI5PSarV6sABbs4f/SgzHiUYbqD8x09KjMLZZTIWQAlVpq/6BY8VnzdxAGzVp4D yofRcVMgAYHXNkwpG48JQXR2/bRx/8Audjka6tJhYOVmJTCK7WIIcwWoKa8gnF7CcqeTZpjhtRHa V13rY3PB2lTrXPBQZrhDpw/tntZAbcKDcps1AME6GJCCoZw1UC/xZtU2/sDx6HGyBmbkQ3yPC52M cB7IKcimTvBjy4FnMzHaJsR8Ce9Ip0P604M1emT663SIBTja1BpFTYrHkYBk5QAnJuBKjyQmPdqr lJjubcDqVoUEOeRaH5kgHcQ+JoERcQMWHHoQpUzQ02noL8ZlH5QIZDbSX06efsjMXOnUwbmbkccy Ulu4wqoyMg8wspwT8wYShfdCEBw0AwjXc4sesgQgWaNAJTkidbvPE+31WnwDi2ZAZMjV2kbMwavz LbyFIihhcTTzgidgYe4O52mSUZoHhkIcd1nlaZNnoUgwem4WgpnZipEVhu/B+57haijgFLGQIwFe AZnL/cROEZ6oDgM2tfhhk87VOJuzabwWLa0/cDwx6SD2z8CxnSIOnT60JQw3PXjvvT0z2h58z0a/ 64KF58pNcPgtvYlm8Eb6m1ibY2+iMaHwOXZugkOnD+2e3sh4p4QMb6SW+aOYrCDdk5isUK55wLI4 FOG0gg3y/LC0jvcSKFD3vkuZO+SBJpS5S0iRHHjNG+hJIwXplYF9gspn13bTK4R3vV/0gQvhHcQ+ QfPScPD0FcnDxkd43BloraKUtEdZwp5229ry5Wux2x3gNFLTvcWu37OH3IrzJKPJXjJ9PCYyOPRY 0reU6O9i6YJBeSdLl4b/wRaOFRAUkfBzReYTG8ewlSWMY3V2AQmvItgVr3oDxxNxDmJ/R49tHDt0 +tDuqKObohXBXEfflj984wleFodMkDcd4e0voCsmDxhK7nwflZz3+8pp7wXCaXu/L1DJsbvZPjp6 z6+MV/Vb284fOB4DcxD7BL1L4mdCGTpV0kADTdCmMwoyIRgs9e2M2BMq8Vx55uE7UHxB76fl2RAU y0jZhaDYbzm8hLQzcnjVA7NXHAsLRN5jcni5Ep+cw1tEBViKsIB1QXsv2WgJlXhAIfRzOqzO7mr+ TFDzV/kDxxN5Y82feZZi206Q2446e9GaP1DAgc2hEi/V/JI6+7I4cG2AJszbzdHug8AWEtRr7nrm DdK3O8lLGALgychpQQtaPUgJ3rFuu+mUo+bXdc/ivMqGxnUuMweubHAQ+2eAp5ihvs2bpvCWOdud 1bu0beX2Bw8RZGiPh3WJo0oa0dhWfORYqgwaOQZzYDE01RaKEdAVTxN6MwJCGAGAoDCESMAAOcjm JtijcNYhZMTX4iXgbanQMbV3m4Wt/QHHV+9dfWOWy/zukv2aYcZjlzU+Ke+RxXkE7xmWmha/qV6J enXQ4QAXtoFXZ/tZRYFQoGEexykyYupcQ6cFoBC2AegDlg9zUJcV9xxiZsn2WgxUvGGjwL6D/ttg iMi+91CymJBxLskSCAYzziWk3NuG1Zb8zBVIyS/R/C+hs2EGl8q4/Y7iNEHo0tViFgZlbDGtbLuM bRZ/jXadSpeBh8jYJuqL+S10wOZ4+tDBY/LEh263C+E9yqsNuUhwiSLkqsBVEAfpGHmUuwBsZUIO Z12j+ZDDHcs74yBe5YKH8kjboQv+Au2eHulz1CM9nS3fmQBsnra3Qre2lQQJfrFid+CZtguJfE17 QNeJtFgwAwbuapKeknJrsZWKvQSbe9ABHilIyP8pGDpoNyTs0VwVvHZlu89aU3d7zj17kCIjIU3w v9Nbgp/nWj0M7JaIaYCgvU/E4uzykNols9Iq7Q8cTyY6iP2jl1/CtpaiD2eAX3gHyRqvIHn+MXqG 0iEFZKjoH6Xim5E5yIOf8BaIH8McwDj5pPIRFCTAScH+oLeeYiYK52DA8+XyMSNGlRPO3VycX+Di 2LzreLlsAXFEcZawVdwghXuRJUHg/Yb09sIrKJJHBjKxuCWINxgX6GLIjWmeRJahryTQ3X1u5ztK J0jTuRyxrvEs8mDgeNqHg9jnLU9WQO/w64O/aqIvyNLV9Cf6OdwN/v2EHdr20mHZ7UnV11tVOFO0 mcm/lpv2Vp4YEJDwDSvZXytRqcTGq8iVVlD36p26kZqUd8pkPSHyEKkRTikKUIvSrixm5Mt+Myq4 aBpWA7OCYII5AEUwBzxyB8Vz3aPR6VAk1Ct7I+N22NgaqpGgwylEGOVAOW9NXdnLSyBmvXaRYjY/ GvpILhiFO58wIRpkW8Y1ulKDzvAjoGynSYoJGjQc/7v4RPAeLd4LAowhOOsF+kmA3lpkcaDZyLVA 3V2JMjs+Ry25BxI/v905o5oNIomP8apllAxO2RggpVdMYRygJRe7+N0GRdd2ZsloU8HA8TTfUXVc eHUJYXcfFxkG4GkF2H0yxe6T1ZmvUXhGN1UH4BHwh07B5i2nxDXGrqvau0in9gfum5Iy6CqLhgTk ntAJBpRZCDNCE2IwEWhuGL4FTio/djzcub1NKkavH3rfTx1sZ84NpYf175SoASwXrK/1jNM9rozj 9WQlLokYWJFW4Y1xy8Dx5PXIrnQcsb+16E++Us5DY5HbMKuQlrTSx6YlB7GPhYTu1aDJ0FTCjNsH p5Q3bzcemTmodHFS0c4qCEilqY9NKg7iAAtSo8Hqr0hB7AojejbKaOrylOFaYvmUYVyLmUNTxtAS a00iQUo3ZRGcq8Alp5x2MKbzQNoxQx+esrRjTBfSjq0OzlUcxKtc5a6XtSzfSGBEkZtoHhP+q8oz IqsEI7LNwbUZB3GgzfBby8BRA64cKbMS2Az4mB5JGU2a8lLC57uJulrBqupQ7h2QutqQVcWur1uj jGe7zu8x/aekPrGHn75uhd3f2OrY9OcgDtAitRlQkRJ87LQMLrmKcbPPxSwxkqG9yjLwCPev0dFj XaIgEVI3MioDj9pVDxt0QMiAa+KAdUi3AvdgxFu6xpA9OXX/OyHrgM6OcjM2L0gscQkURmN5XsFh kxvPdci+THeW7OtYosNBvMrjDlVu6NC5elJy1E1XIurvmVUH37OxRNTDAhTAvX+gVaF22CItt8ja g2+RJlsEHbIeeUeEQ2fxPasrsWdtdfA9q6sQC0+W591W5TexbcJNrKvu4Js4XNa+YOHYF6U5dPrQ 7lg+X9v2wnoeFJFfq8reYh3abonID3JgHjgeOY4W5Iz6hPgHtSAhuvHsQVQ1Sp8FSSXi7YP08ShF H51S1Ch9FiyAD4emNOIAPAKtIzJaaCIBFoiZHMozrnegSC0p0gxmxoEpUjOKRIcQj9XSpBEk4hIR uSPxOzNaSEWpywwWkk9dXX1s6jKjhTRjIaGHGrQ25U0lId4b6Uy7KYgHKXGPJKauLk5MroFPQEy2 1scmJgfxOjG9wvBurZMow/OiQikNqKvgNIVqJN6qgLZMSKjwou14jhLMru05PEtNdXDG7CBePUsJ wWzgkLzfq2TueEAjAcmHHK6mSmO7NwWiG9UI2rEHpx0H8brKmBrM2+wVaPzUtrM/8IiY8dx3gN9z ndOUOKOV/F0K0fjtyRk3NGS0Xy9xpwfeYQHVEzQBJ6HbOr1cAldLdVi85IJ2034NdPqg/MtzwBCe J7ivMwrLf83B/VqfQzkzXOgaypljiWMHsU97xw7uj5dLrpyUHPV7SB/z96ytD75nYzLQgoXnikI6 /BbfxE6Fm9goe/BN7FSAhWNHIR06A531FXUIa9R8pdMoZvzYiLzVDQYSult119U5aG640pkLIeOt yRImgcZbCko85Wqge9mkIyivkw68GF4jUTKZfCtoxZ5oHPNQiH+PNmL9ETPXJbGjtVqo32AGQ18B 0OigXx243qCBvYkPwCOIReDfv8i3QKsJgBQoPNJJC8rvVtaSgKCIzQfd6iCiBbYFdLzzFMlIC6e1 SQF0KH+HtcAcsBaOdViLhAORLFd76V2x8hVE6lsGiAJjXC5GR1qgrK0OrFGAlNMDzAFYhjngWPK9 BIoBSDkcQEIAWKTRXru2uYBlemIMREk8he8G/tkEDHTqGgiiGdz7a0iFtVCWokGaA5aBo0JRjJx0 MkW97mNycSAulCT2rbfZrwippo6CQZkhIh1wDCjl7ILzPvoWwPHUeU9VG7YSJB0XSrGNWmEPFgiG 8s8MhMBbFKiU8pEElCWcQoCMyj7YuykQi51qvfeC7Oc4i1wEvMbaJWVmbHfCKdvOhMvsHaSFonzY ft6R28GtGjApbCYcM9BBt/Pl5L27kcnWJuCyk3N3jf8B2cFAxMniHfdIMGNNsQU+BDjNlgcl5FQb pSgUl9yqgRPElXbQYrcffrjtCnQy3AWqpJhI/8A1RQdsBS5ztvPtpzvp0GT3NjlGddYEI5fyV3Qt AKNHNs5FLldKgMjoxtTQQRmOFFVKinhSSjgKCgjpfCK7kZ/aNmCoOfigBxdZDOCDGrk5fJzb1uVE 0nzHRgL75FQJc2R4eGDjJAGhtwp2ktPtLj4QiqBLMcOi0wKHTfDFwTe2cwdkqDiCkMARorQMbrIE uVUAz1M3Bc/cAp0VEQ/Xrfy60FpAHXiiI4AUwG0BVFyzIwm3seZmqJZfePMVU5iyTUSiZL2bCjVX pchZXy45LKHbvA4KWXV0FNhdPLzwCHCEAi57Azl4XMvcI2KREX3hIZ0E4w/oEMJRHLDniQpy90qG gsytshJaJTzCnasZMVBgD5HrB247lamivQSrN2104zg1wOpLhOppUgHC8brimwnKIQ80SlDB8YPs osBu7xOa1V0VkHJWdIaLU56rQP1tiEP5lisUApeg0P1HP19O3ITCmrBefv45HHBCCiAkYbXUX4Ic k78WJgU4gKnQuEBChA9UcDwQEd24hIyp5zvTAR9A/nCmQBxQggGddZ8wmhrKKpbFQeUBbiV3FWTE ZgEfEDTlOQLb/Q93Ss2AbJcEfgmGceTOuBUM4cD2QFqCKkiNWlg/ahQA6XZLKWe3wQ7ikSSuUHHT SS6/1sDZ6AHZhx3YxhBed5fcpYR94GobpwfJ61Cub9faeXAWTXoJOj/rSP2QU1VO8jVzxzOIiPPw HZi03PfG6YUHwGGftiftZrDPK14znqJNtzIhnxJuoeQRcNg6bkxk8+AbLaPmHJAh+nMT0qs5DfHQ IpBMhkGSwJbgkUi/9C1H5gplUuGXwYYy1PrXnqeZ4Ajh8YuE3JSIC6+EgGgv6sJUtOSjbHsC1NTP clN9Aax/H2NpuKBtWW6sTHvNT0p98QmpnzlY3n4wMfZM/Y8JziSAPSH0vB32XcxYTP5MEAhQgLWd /ydYyyVoJiVPIEEFaMQAmpTcggTQoFZ7H+vnbIPzjYZ7Rrhyu3qbYIQXYQmpJuWaBb1d8VbvC+zU KHe6Nh1jNLKYgY7DuOhhX7h2k8Ahy/mwb9T/hyZhy27z1NyEkG9G4ik/pzRNMMFbVAJ0eEuGt51b IZQrXTkf3FVewNGHtJ3gcKXEnbO8hNBRifVSEYtKVkZ1FM9NzmGQgLKILl9AYLRq1twxzyrDF0zX kuCHQBuCsu4ErCYAvz3+yNUhngXNy3ivrI6zd57hhDvBZwVBXCJEy7M6qCBOqPOf6HtNH+RR/HJO 99sOrzk34emldnfGWU2Q91BiyGUGVf94YVqGvLuPHwLxkaH9FhB/6Kjgzm6udvFywIzOCKCHeV1a b5Rtes6B2yNNJEE6JLAcWgLDkcyznVOqGx4UXlWdDbYKTxDkVNNUwwSUgbgosN0pyi9P7+V8ii+X 5ismqAvbGTmKnCInhBfi8fryjEJm6pI7rhCCVmoJrZWoDrZXz4IqPP5gp3KxxF3OXDsEnCUcGcAh j5+Xs9vsBo8shzyDDDOURZorUUPrPeD13ANXQluizoKELKjILQMrkGKYLzt2fqN7ceiXu9BYii8d Nma7rzQBh9utiYSiJO7nAYUqklu0Jup4dgXFKQi2DHs0B8nbdaESZaw5Qnp747Urfi+a5ZLgs4at +/U2uu1mL8RxG92qEo1uDdxxCF1rofPtRBkeAko0nAXQptiED5pE0mQEgycSkojATPa639dXqBhk yziyS6PbztoJFPtBQA8DCeVjtGQxIeEL3pKhoKKHn4eWeFcgqBTllbMlmjpICx5TMeFAAxx8tdyC 2Z6pnLDbGVWMnGKgsgFcorw/JHc0ct8TzLE9q3Cfutg9aMzKjZoGClhn3Xm+Kh1yf+Re2413jV27 klhXp67rGndt9fjx/EZVtm5OSnXjp86N9lJcteOHr72oaN60XW1NdflVEz7ZjHMO33Qf7fj1U/ig vcxph2/6r+t/NUIzP3mB8+vL317e/W4nOaGM6n8a9JgIKSTkqHKTmXdKLNGLm2u8vIfSdpZ1Je9N 0nFOcJzngmSg7CAd1lJc7NzLUmJ1vDl5BhwZGKKVqNxfFlNYbmTRVRUyiIy+JRBRQqcrcB2orQJf J99+zg+4V4E3Q9megXXVvN0uxZQzfiYx5j7rQZz4YsyNmkHmjJ8CQXb5ZRM+3EzzjqLM7Xw3PHEK H626y7z9p0CYTb/UVfDwDO9dxJmqY6SXk1LH+ar0CkFGFbpngCc+6GqF7RaZohp4Djsr0RRkx5Om m+Wk6fO1k6bby4nQLZw03V6O1vJwM807nzRtr500bed5LZw0PR+t+eEZ3rucNBNl8li6yS+TKaEW 3sca5rl7POiRkGS2vQkU5yP7HDVcHhxGiAuBoc5dCiWymQv4fnLSF2KR9huLTuouPIhX0gS2t1PJ aWLFy3B4OmtCY1x+FDP6bZVoAkqbr8KAKVHLcuHE9paux7zJMZfgwHgoN8foRan2nT0+znPQn7qV plhFATWhOy9qQtdeUxO6WXHuOlAThl824cPNNO+sJnT1NTWhq+d5a1AT3C8noOpATRjm3V9N6P9e NiOjJi6jCIJKp5QK54zWLBkRZX44YTG8zyN3dPC1ZNx1dxcmkeH4yatNLaAEZagWaCoCYBkpi9vb b5dxH6kuPP8J3eC2C6ec1m4cq8lmQRH57Zh7jABeVZucWAHTjVlapmFY5tejAoVkBDpopDEBQ/Ko Th1Fb9dflF70F6Wv6S9KX/QX90noL+Mvm/DhZpr3or8ofU1/6UfneUF/GX45ARXoL+O8d9BfjEo/ nNtLI1GhybBHeDYXN4RB1PITzy964KvdHvXm908ldPqmqQUJ8Xnugs2wRrfH+BMCF7z8li9uu46Y cHHafdIkymgzTcgNElzhJVr0Z1wLl1OxnhraKqPv2Ca6mu3pr0XqcxMQn6FF8ohydmh3xW+WU1u6 /TqFfdI2IvtyYxGwu13NJ7syt6zDanZJHOP8jsdWtl/ymKAw8CtbMiKQJZyxPJ+En/573ilfhqc2 s5sth93zahDwzpeKr6qzXgyPs7lmeJwvcVD3SRoewy+b8OFmmnc2PM7VNcPjXM3zVmB4uF9OQFWB 4THMewfD4zyzq1eemHeb2PB2ISjjsPNnQbCRb6Vsc8ILhq3vSShWUSb2PsG4+Si/AX1CP2w7qiWJ WbdyQUVcOm0tZuVkdZ8rpDIaG4FfFPvaZgQbSlxwU4IB8MgBXwtP48hI4s+IgmRcbMxVb36VV7a6 Mhyy/u/pR3/UVDOcnumfr99zWcGn06eXfwNOHPkLZW5kc3RyZWFtCmVuZG9iagoyNTggMCBvYmoK NzQ1OQplbmRvYmoKMjYyIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVj dCBbMTI4LjE1OTk5OSAgNzkwLjYzOTk5OSAgMjY3LjM2MDAwMCAgODAxLjE5OTk5OSBdCi9Cb3Jk ZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkz Ni5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0kj MmRELmlldGYjMmRodHRwYmlzIzJkcDcjMmRhdXRoCj4+CmVuZG9iagoyNjMgMCBvYmoKPDwKL1R5 cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFszMTQuMzk5OTk5ICA1NjAuMjQwMDAwICAz NzIuOTU5OTk5ICA1NzAuNzk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJm IzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRo IzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzUkZDMjYxNgo+PgplbmRvYmoKMjY0IDAgb2JqCjw8 Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTI4LjE1OTk5OSAgNTQ4LjcxOTk5 OSAgMzA0Ljc5OTk5OSAgNTU5LjI3OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMz YSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRv YXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0kjMmRELmlldGYjMmRodHRwYmlzIzJkcDEj MmRtZXNzYWdpbmcKPj4KZW5kb2JqCjI2MSAwIG9iago8PAovVHlwZSAvUGFnZQovUGFyZW50IDIg MCBSCi9Db250ZW50cyAyNjUgMCBSCi9SZXNvdXJjZXMgMjY3IDAgUgovQW5ub3RzIDI2OCAwIFIK L01lZGlhQm94IFswIDAgNTk1IDg0Ml0KPj4KZW5kb2JqCjI2NyAwIG9iago8PAovQ29sb3JTcGFj ZSA8PAovUENTcCA0IDAgUgovQ1NwIC9EZXZpY2VSR0IKL0NTcGcgL0RldmljZUdyYXkKPj4KL0V4 dEdTdGF0ZSA8PAovR1NhIDMgMCBSCj4+Ci9QYXR0ZXJuIDw8Cj4+Ci9Gb250IDw8Ci9GOSA5IDAg UgovRjcyIDcyIDAgUgovRjYgNiAwIFIKL0YzMCAzMCAwIFIKPj4KL1hPYmplY3QgPDwKPj4KPj4K ZW5kb2JqCjI2OCAwIG9iagpbIDI2MiAwIFIgMjYzIDAgUiAyNjQgMCBSIF0KZW5kb2JqCjI2NSAw IG9iago8PAovTGVuZ3RoIDI2NiAwIFIKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnic 7V1Lr924Dd7fX3HWA8yN9baBokCSSQp0USCYAF0UXRQZtMWgGTSYRf9+/ZB1LFI+lGXKx+feZNDG kY9kPSjyI0VSb/708z8u//r98ub9z/+9fPF/v//5qXluTDf9uTT9fz8uC2T7rGQz/Lm0Qj1bN5Z+ +fr07fLt6dPTp/7/vz0JO1b0f/Uv508043+/f/nt6c308aep5Of3f+mf/neRlz/3//v18re/94W/ +PaGH3x9ajvb96NphOr/+Z/lP4XshHnuOyX68gb+c/jxv5/++sPlt6Fj8rkdOy+mDi7/+aNQjXTt s+7/Vd7lnGoCVxOy700jnOxHOj+rZ9FocxGiGx9sN5bqvqD1T1+ehLDPbWe0asJLG1e2vt3xt+Nz M9a4gKpNaLcZfxt9dJiqJqoc+vuln913P9yelG83puXd56c3H/uvqMvnf16mZflx+utzPxVK9P/q v2Mvn3+5/KFpZPfHy+dfnwbC9AV6LFChoHk7FrTXgo9jgbkWKFhlalTf+IWDjX6ABQa28Q5+VsIq qKeoSkGjqKdTGx8+97tpsQrP0yYe9nHTk/z8DAh25Vc5y5zxgXHpexJKr73UYO2b92BoAg3+I/wF XCb5ITkbW3Z4MTHLFg5osTQ7WjWgVZqsUAG5RURDzj1qdIUSr9Ssp0aFuLbagu2tp464G1sC7dWf 4Hdb0AbiGXgwaHtzMABIvyVjQZ9FVeBoM+iBXKlyvrNoQ8OOoZ6iCbLbv4La6Bg22SyHOrnaM7SF UEfoaUcTgqqg1UZfQRTDwmSaBoyfptQaNCTFxDFuiXvUEVSAPoPWDvWd5gc0dW9nsiVcJ3dh9hGE ciYmCDGNXzTX7wg4AbBAGNA1JcBoFNxm4i31C6ngjMApQp/NgIwkMpNvOWa1L+5nVTYuHm42XFnV LGSP7b+G5y6hWUg5awDDE9Asppc2rmx9u7NmIX2NWLOQw7up3f4JaBbjS98pu9QspnbraxZSzgQs PyICRrwVkkUOOyJZuJRwn8Bdj/HKexIVIXaE+lEAC+6j9HgQf2s3FqAREp0JBD1Ro7TMo7kxOesS SQVaoYWNZhDM6wI0upXx9se6iBaQIaipb1ftBIs4RLu0SCe3LtZOkL2CNmCglaBNHDSp5m4qFvAt lcunVbSJSCbLMtzT8iFEIOTuTsi2AuIm+R/mbizwVMqYZBKjQYyGVq0Z7IRImPFBPL2AeDoJ8UyA eAZDPBMgno4hnl5APJ2EeDpAPI0hng4QT8cQTx8E8UzQUaB1CS85h92nBvRK0O8xDIwDrkEpqd7C AiRYaSCFZpnFVoBWlx4/qSVkgC8GU2FiuEg1RmclB5FZwbxzSAEjDGAAiLwRFZECWwhIqyT6xruq YCOubAAeaGXd6oTQJlgaWhbA0+16NK05YM7EsRE5QGCBmkirZwh6oI7VUM/48Ixb4BmXxDNtwDMt xjNtwDMuxjNugWdcEs+4gGccxjMu4BkX4xl3EJ5pZ3aGxebjGnk4QMJ5dPgSQUPOexXJg3kiWju0 VDTDR0KD5omIn9FmEHr4HAebubS81yAFNneBQQ4bOdAMFZxj0ctPm+xoAEB3jBaJqFG4dBgA51pO eWBW51aJKhcRf7ctVwUv1awzqrmiGdWk0IwSM5oZngCamV7auLL17c5oRjUpNNOXzu02CM2ML32n IjQztVsfzShxrHUGrzD6LM0BaREJGd6aq9q+Qy0OvwXEmmnGu11pxpwYMR40pzR7ow1td7K205Zk 0lsEiyrEvGiARB+LkM4SOz1Oy203jYrZQ8YM1TjSqqRTYKhWgFUKjJWOD80o6XbTCK/+hyEBzTFp 0FDFeEXPB2qUVky2++RhlZJeObLRDMM75rL3Oih0FtAyyTMF8kmj54yWVDToKDBN3gl3F5iUyFnH E5QbDWBudJ38yn1Nxjx8WgcRisTSdsRQYNrDIjTDcoOOt2jAeBbfIqklmHcaMJ/aEq+MuuquRqd0 V2NmHbN/grqrCcrqtbL17Qbd1YiU7mpEaFcg3XV46TslIt11bPcA3dUE95JXHpZGi0Q6BqkYAWxR zOvgbg4bGc0BM87mab8vkoTw+DkskYgDFhiAz6Ka6p7RRLv/gXAW6ilD6MNayFUVq8L9PbgZ/S6U k6tzSEctZehdNHojd2pGPE1BbCiaZtQPesdUISpyHbKDMfaGAtmYQu61ugW7mxahicFsVwlKAAJH DCINEGibeh1p/4IYMZ/y0i6UlzapvLRBeWmx8tIGbaWNlZd2oby0SeWlDcpLi5WXNigvbay8tAcp L21QXqbFWEa+0fgFAQnaT5BDNymwm273Tsjw3uHgRbSTDFoGxOAL/FeRRQsxCdKjmUUDoH3VyEQO dc6zSOJH9IEXm8Pjt47y0pl493P4RJcInu3nPRm22CphTseaa3WzwWy43eOnYFPRZhbsIUkb52k4 /xr9zLi1COkATT2MK9Zp0C38hUImxIKjWhou0EdTXAhZiytC1iKFkLWYEfLwBBDy9NLGla1vd0bI WqQQcl8a2kUIeXzpOxUh5Knd+ghZi1lGqnfk6tAqH320xsCaUU99wrOFxg+PKvB5HUrLgsz7HSjQ sCBDNHOgzCrcfLvxPiO6nOO055AgqQwITaslVXwZC06uKuWOaAn2ULDp0JaSsFGc6Qj+gk8iyKuz spYpZ+WRf0+cWyFn5emljStb326QCDLlrNyXzu1K5Kw8vvSdipyVp3YPkAjqRYZendUGeOIAr8c5 8ssYHBJ4yCsQVTkkBUlJqDndsTqh5rKJGQRHhA9eOtQopBi8y4pniMeaodcjy0kIUAKrSD/KKi6v 5/WApvcUfdB8jHpP87qM9Hu0HbpALBcEBNWJEVUW7KntgUgn47r6xixX4Q/HIKrt2WpKYoa2n5Cv bWUeXm+D8LuvHX6L6Zpmbth0TZt770rcO72XnQOLeYjH6Gmi2zmI7CTRDHz2ALewELukhdgFC7HD FmIXDAAuthC7hYXYJS3ELliIHbYQu2AhdrGF2B1kIXbBBPSC7AEZGiPtNcohiTlMCOSGr2RT4HBo 5EgeW5CvrmbW+U2qCr3+dEDEyvrvdaLo4u1fR0bS9n46wJODhDhSAFa8L4IHvHYbAs0L+OGRE7LF yPA9BDA9ZXu9tx0gqgcPARzSMXwNzykEaJoZAQ5PAAFOL21c2fp2ZwRomhQC7EtDuwgBji99pyIE OLVbHwGaZoOPAJ2PldZOOfIRI82KZnDbVZyc9Ls0D+Tws6UZ2kmcN7JDyffGrzUx6WbYyIszDe49 aldxV1muGcKgqEqQl7ITiwh3TPCIFmtAq2elbz7hoxbCRyWFjwrCR2Hho4K0UbHwUQvho5LCRwXh o7DwUUH4qFj4qIOEjzq/8CFtpRnG07MSeJ3DRrqnd7JZnkVKbj9cqZKONyMYh+76igvzXvOEjtlD hvimKZeDUB8t/JzFtGDM6SM6xE/wK3RyQdrrnWHH4JifgoyWtJrB4FZVNYDjSkIaTog0UKBa+AsU 34lu0cyQUwV31mw/wdTo7hSUrpW0rNW5oKMgP8NLQgcv71oQHtZ+vTiFdDQqiujPxTo7R9PaeDQc gCkjkICMCcnQFtAhEQ1c+Jj7a8Xg3/HCSfGCmS4+vO5k5a81Fjfm/RDRjs+EcpEMD6cOF2u8bDjE Z3TrFka3Lml064LRrcNGty5Y2brY6NYtjG5d0ujWBaNbh41uXTC6dbHRrTvI6BYu8RA4b0qVuDc6 ZA8i/gznkztdZZ7hOrw9u2KGS0tByD6JxTJuXCzxasw4SCuwGtyKHt8hbYYdYaVZI0QUs6gXdpVd 7MnqLrAna5oEe7Ihd6z1uWMXPGZ6aePK1rc7syerXYI99aVzu/0TYE/jS99Bt2RPU7v12ZM1al5h dLHJMZGAd0qgzmAWTBwu0h5XDHYAfIRJXg+CF4YeLs01SI8bWqfLkSPbU70iWpao4CNcOxSEneFg d0jijnud+5vJlnjlEEUXNRTYLLZ7OtZxuSt20mTRQKxt8+HZMQa47SAIq5M5JQgXoP2ckR+qIEyT Ng5WubqlIPwDrSZtb85N07bzAGIyDS6Il16HAoZPb95jMpkXHFBuD+0qCSgtsPvTyITWvchfINsJ j6jqWkB1tN9yWrN4lo3/0z/r8Ay0jZVf5WD0jA+MQ3WSEA9tAO4azjGiSpRw5iOsIpOzcVnTs1g1 EQcGtIYaH3CtXAfWisbhK3E/t34BGxUry7sooGmGNiPBrzQoq9eKhF18trkf3Slh8ujuFp/dlC7k oWh3uC7nDrTrIRZNiHehGS1VPCkskKDk6Hd7+ouDYASHByep8OATFxYY4Vqwuic5DVw72eRRNLtu TQhkbPntUcn4+IG21tEG+oJAj/uE1NWxTeET9tzD8AeUTFIDuuWTTPdBIhYMqICrlsRhIuWMdFvB fJcks7UjZ24nZmPjOcyIceDgO1WSXdGS+pi4VGMgYRYwwO33AxTcupd9JsQiMp0w+RNSkFGjijP9 9ozKOTgU1cm97+pWLiuahtC2I3dqRmqDKnkrTgMZKsL/naxbdmBTFeP/10JUD+SwQyoI+IIExlM0 pzZMM40HCjAVn+OMM7N5m3ac8fnB9zvOuFYGxxnXqoTjjGu1d3AZnoDjzPTSxpWtb3d2nHFtk3Cc 6UtDuw10nBlf+k41S8eZqd36jjOutX6qE8lKGFwYMrb4d78+0I9j/PpO6wXCgTwPdWnaCRsmrfm6 ER/HL+o0XnAMgQmcoa9tI1bJjrxBMuMWrQJwRrvo0vo9Qy5DDnUuw3iDekpz4SNv1d0bHGsBkb28 MMVN004TGcf9xyhMB/YUpcs0DZRCbGEqrbjC2Vak4GwrZjg7PAE4O720cWXr253hbCtScLYvDe0i ODu+9J2K4OzUbn0424pZimI/cMQDtrv9ZAi8KnuAhnc17GZ1HOULsAvNeejP3ucaRQQz8C1z9JF4 jTuF8PkGsm/SfqWQLJEJhI/fSXfld7JN8TvZzXxJdojfjS9tXNn6dgO/kybF76QJ7RrE74aXvlMm 4ndjuwfwOzWDgO/8jiDwktTkx6DEghzJtEWbZpEF5o47+eLQ92rQPr4cMLKKmzSLDaF1MTfYqZs8 lB+FERKwwgf3JDYGDChjV6H13u4DgHM10NEpnEYTvSENCwdjXrlFam9OGTCYEjlEe+MWWDwQNH1d XnKHhLhkuF5vJ2WWZJEFzhoIHxR4wNK3XaBZL4A2cHDZzhs7jzMF3OsF16MWpFvdDroKlo6G3PTF BHLhq/RQkGIWSeE2sEeHFD446TogHmHnTNxqTY+3GlYFp69WBWdSVgU3X8w9PEGrwvjSxpWtbzdY FZxMWRUG0vPtSmRVGF76TsnIqjC2e4BVwc0eGgdZFWhHg4Jj9Cp2B7rr2z1pC/wMsLSmj83oa6S2 wyr8C1Li4Q2PWGkBjKCNlVX0HxrO8KXBuP/Jo2kaij3QN3Nvd4rMsP4htYP0TOHML8Wj/3ZqlWa2 Q+CdtybtdPHr5Gy6oF381CLd4S5p3vXy92t4tglp3oUcVp3PYbUQydNLG1e2vt1ZmndaJaR5Xxra VVCajy99p9RSmk/t1pfmnd4QS3Kf+zJKEu8WBJeQR37G+41dfSBR6klj4E8KVOmCVNw4f6eWqARd 4ZlI1gi9y5Afw0Gm8u1qbaV0WIechJacg5NcHwlXThYebvnM8NJeeLrvYeGib2pm4f2zxCy8L/Ws dnyKWbh/aePK1rcbWHjXpVh4Nx8fD0+QhQ8vZRNVDv09gIX335ljSmgWngA227NvstzBTGox2iJe ijKxbc+QhU3OdXIZ0PJmxUbE7A9Hn46i9acHw5KqbLsju/oJUuYxPoVHZvfiSGe44Ah3kl8oUr8g eSHmQ7kmCQ6NS/SNZZNMSTzod/+xvVRXLc+7aNQCaagk0lABaSiMNFRAGipGGiogjZ6+EkhjKJ3b lRBpTC9lE1UO/T0Eaah8pHFQ4oEjscnjHVXJMYvIYt0e/ahKWjCgg/IqsIRmNBb0vSDKjnaxLNgz tG83bXEpSKROGgr0NBYhbwgBmI8P6Z84X6+APeP4rkaqFtQ0NKyCLBR1uoq/i+w++H48tGn4bggT jQnOeCijU0Eo2nYogYBTgQsx0oFQhI/sYAGKEoIFLHxGKhXP8nn5DG2mpRMpkHnSMXuvEvCHGiXP NgvIEGcNr+Kox5cT9FZQLUlSWBeBBJNxAoFobCWTbO3kXcbKeFvi3U9PapVk7R8YWbu1q9/lCG2g g91pO1uBg2TBLdYclxZzeM9wRPYVXOFEu37QRlSWPB2YQjjOF/kY5M7YDt2CbVdAu3QGFXJj5jhM 0FNUQ4fIyF5Fi3J6UrcfjWObGIct4z0DUc28vBWrPSsQ/wW7jMSLfBa/Tl4tfl0iZH7wlJgtcx0M mfcvbVzZ+naDxa9LhMwPpaFdGDI/vfSdaiKLX3dIyHz/nZmxvEqL376MSA9sqylGDY9nI1VKx5Re 5Q4ABVP+f7+/IgvfuCZenJJQbo6QsRqeushiJOD5XbZBcK9q6uJZ1qQtCydRwwYxtCmKUTMLnhFC ZhPAoZr3PtFVoEVvl4cZB9pVrud6lZrI3tvpWkDtD6/O3Kry4lUTIcOl8/1z4tL5vtRnoRmfgGoy vbRxZevbnVUTIROXzg+loV146fz00ndqeem8b7e+aiJk8EGlDakchwTb6TnD27KESx6S9fsg/8ST JJvHvLkAVm5X786SEuChUuJ2Mt7+j5wS91xAlAdma7n63fuAV6xFIR8nGAiC9J0M4FElmff22F4k yUru/OVI1YyGf8xNG0rrzWRIAmI+NGcWaM4k0ZwJaM5gNGcCfDMxmjMLNGeSaM4ENGcwmjMBzZkY zZmD0Jxxq1uvSu55WiuAwX10PHOVfC04UXAG8iAVWjQ6Fg2XnLIXHShy0EqVXOFLh09uv/SOCc21 8fan/agygOdJ1IySDFcFuUu3J3TnE2e2vYoz26XEmZvPN4cnKM7GlzaubH27QZxZmxJn1s7tWovE 2fDSd8pG4mxs9wBx5mb0gYz8WE3AVoKCax/ojPx3Ojgt8IyiE6OhG6hWrtjmTYJx3/QszPGXBQlN 7nMGQnse1Lk3poq8Mw3gDyfI5xKG8mw6/wfLAvCO5ps3GhtnyN5OTCKbGRH4IEYLZwguBPXBQWyk v6jBF71FaesHVkekLRgRyiTSoLD0j3DPayhHOjAtMm3EKZ+WKW90vWkZDXmL9n00yI0h4jG/hZBb dSsgfDGV6Y1cPFFSm6oTJU0Tt58Ydfo6yfIh2a7ukJwGa4/0D5IYELl4HxuuPio3xNH0Wt0qI/Kq 2TKQSsJeYz8JC7uN6hjqF8wj9SzXSLk20kos9/rFOix3MaJHYrn1pmViudf2H5zlVpsoz3Kv7eNR r8DBvSy33pAmlrtYex8GeoPgkUMaLoB82+smt4ihQeoLqrNkcP1/l2/9DAg7DsX/9eVrqTPip8un p/8DwLgCa2VuZHN0cmVhbQplbmRvYmoKMjY2IDAgb2JqCjU1OTUKZW5kb2JqCjI3MCAwIG9iago8 PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzIyOS45MTk5OTkgIDc3MC40Nzk5 OTkgIDM2OS4xMjAwMDAgIDc4MS4wMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUj M2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJk b2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNJIzJkRC5pZXRmIzJkaHR0cGJpcyMyZHA3 IzJkYXV0aAo+PgplbmRvYmoKMjcxIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGlu awovUmVjdCBbNDMxLjUxOTk5OSAgNzcwLjQ3OTk5OSAgNDkwLjA3OTk5OSAgNzgxLjAzOTk5OSBd Ci9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRl bXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRt bCMyM1JGQzI2MTcKPj4KZW5kb2JqCjI3MiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzM0Mi4yNDAwMDAgIDc1OC45NTk5OTkgIDQ4MS40Mzk5OTkgIDc2OS41MTk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZD R0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1s Lmh0bWwjMjNJIzJkRC5pZXRmIzJkaHR0cGJpcyMyZHA3IzJkYXV0aAo+PgplbmRvYmoKMjczIDAg b2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTgxLjkxOTk5OSAgNzAx LjM1OTk5OSAgMzIxLjEyMDAwMCAgNzExLjkxOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAv ZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGll dGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0kjMmRELmlldGYjMmRodHRwYmlz IzJkcDcjMmRhdXRoCj4+CmVuZG9iagoyNzQgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBl IC9MaW5rCi9SZWN0IFsxMjguMTU5OTk5ICAzNTMuODM5OTk5ICAxODYuNzE5OTk5ICAzNjQuMzk5 OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJm Q0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRt bC5odG1sIzIzUkZDNTIzNAo+PgplbmRvYmoKMjc1IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3Vi dHlwZSAvTGluawovUmVjdCBbMTI4LjE1OTk5OSAgMTk0LjQ3OTk5OSAgMTg2LjcxOTk5OSAgMjA1 LjAzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRt cCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVy Lmh0bWwuaHRtbCMyM1JGQzI2MTcKPj4KZW5kb2JqCjI3NiAwIG9iago8PAovVHlwZSAvQW5ub3QK L1N1YnR5cGUgL0xpbmsKL1JlY3QgWzI1MC4wNzk5OTkgIDE3MC40Nzk5OTkgIDM4OS4yNzk5OTkg IDE4MS4wMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIj MmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJl YXJlci5odG1sLmh0bWwjMjNJIzJkRC5pZXRmIzJkaHR0cGJpcyMyZHA3IzJkYXV0aAo+PgplbmRv YmoKMjY5IDAgb2JqCjw8Ci9UeXBlIC9QYWdlCi9QYXJlbnQgMiAwIFIKL0NvbnRlbnRzIDI3NyAw IFIKL1Jlc291cmNlcyAyNzkgMCBSCi9Bbm5vdHMgMjgwIDAgUgovTWVkaWFCb3ggWzAgMCA1OTUg ODQyXQo+PgplbmRvYmoKMjc5IDAgb2JqCjw8Ci9Db2xvclNwYWNlIDw8Ci9QQ1NwIDQgMCBSCi9D U3AgL0RldmljZVJHQgovQ1NwZyAvRGV2aWNlR3JheQo+PgovRXh0R1N0YXRlIDw8Ci9HU2EgMyAw IFIKPj4KL1BhdHRlcm4gPDwKPj4KL0ZvbnQgPDwKL0Y5IDkgMCBSCi9GNzIgNzIgMCBSCi9GNiA2 IDAgUgovRjMwIDMwIDAgUgo+PgovWE9iamVjdCA8PAo+Pgo+PgplbmRvYmoKMjgwIDAgb2JqClsg MjcwIDAgUiAyNzEgMCBSIDI3MiAwIFIgMjczIDAgUiAyNzQgMCBSIDI3NSAwIFIgMjc2IDAgUiBd CmVuZG9iagoyNzcgMCBvYmoKPDwKL0xlbmd0aCAyNzggMCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2Rl Cj4+CnN0cmVhbQp4nO1dS4/kthG+z6/oswHPim8SCAJ41usAOQRY7AI5BDkEaySBkTWy8CF/P2qJ Yov82F1sitR0t2cW9mgoqcRn1VfFquK7P336x+Ffvx3evf/038MX//v9p6fheVBu/jkM47/v1wXc Pgs+HH8OlolnbabSL1+fvh2+PX18+jj+/9sT09OL/td4c/nEMP377cuvT+/mjz/NJZ/e/2W8+t+B H/48/vfL4W9/Hwt/9vSOD3x9sk6P9RgGJsY//7P+k4lhkM92vB7Lh/TP48P/fvrrd4dfjxXjxxvH 1+YKrv/8nsmxZfpZDnxDlb9dePHl89O7n9xYwcPnfx7mGnw///r89Unx8Q82du3h88+HPwwD1388 fP7lSR2WAvYyFdhQwN9PBR8+j/1UUluGtR2/dxg/yuXYwcu1emaDVOOlmy60m0r1+H/rr748Maaf rVNSDOGmjl/Wnu707HTNpzcOyas80OXTs9FHx5u+UsvLob5fxkF9+a7TWDDBpsHgdulqNXW1CH0/ /JgMxmCnAnMqeJ8+8VMyoINOn6Bf+SF94iV9wqRPfEgL5rbI08RiU4G7oh5MpK0VVAfxgaoHPgHN TyvGePoK9Cl8RaY1hT6VaeOgk1OiOPopUfgs1oMmmjafzyPHxIUSnBAwdaF5aQewH9KqqRPrqV5l Uth4lYn36USE0YTGQB/BRHRp3eEJoEGPBMw7mET0/Ie2wLyjVyrQgCWTPiGGVlJDuJPUkENOaki2 cPfxKpUa000dv6w93SA1hMlJDWEWuuNVKjWON30FTSQ1Jro7SA0pfFdLvxiHC0MMAwhzD/g3vELP cFjy8ATwAHgChAIQJecv1pTk8BmG1oT3jNMtGiusa4XsBa5AL0/4LE2UZDVNekgPPO4hLwQaMA61 gpsqCzdVgJsK4aYKcFPFcFOt4KbKwk0V4KZCuKkC3FQx3FQ7wU21CMIM4wBJCGyhAhrSco4UJwXs icYbwGtI9FTAa+6Hb9I8AGhcjxXxs9B8EvafZcYVdd/GnZRLlkw77qRXsMZkYY0JsMYgrDEB1pgY 1ugVrNFZWKMDrNEIa3SANTqGNXonWGMWQcA/pOoBiChgG11EZTrnC1Q7IFqhLlyvYdcIdVLnZKlI wGEg+5S9J9koCB66T4F7FyiltLCCz5AiIPPdtGoFHQD8C1htWlCwHuArtOiBV0gcWNM4qCktRmFS NWPFdgUUbRYo2gAULQJFG4CijYGiXQFFmwWKNgBFi0DRBqBoY6BodwKKdl+LScE86sHgClgAqT7C E/IlbQs9wYHR0DAZ+hTGpQtwBBokj8yoGiwVq6m8h60Jnm5NFIxlhQGdHqkzknirndLEq479SONi errTNsUGNvUa4FWhW5xRE7f1u+d2Ygg2GpjNr2Qfpgf3+sXMuolRwU5iVLCcGBVsEaPHq0SMzjd1 /LL2dBcxKlhOjI6lgS6I0emmr1QkRme6/cWoYEGMAv9K5xGuNJrVVkDais27DykvsikkAKI0gqcx XvpZrFhaD0TFFbypwpa0y+qF5iMyo/k9TLoCvalakdgoE7mLl9DbcL/KcO/Euc7YDdrIdxHkexeT bQVPTbvsnAK0rf3Cirj97SS+XEl8mZX4Mkh8iRJfBokvY4kvVxJfZiW+DBJfosSXQeLLWOLLnSS+ 3HuHhTYN0rIX5nwFjqC1reu9EWq2KeAJMMhdLzZQHeVJ1ZlLXxFpxaCmdD2gAAyy17NeaAsQFWkB Nr9AjsDgQgEYcenGkOppQbfTm9tddHzFh5hB3Oz4cxgYeKV6TbWR5/q8PKd9KoDZlTqnNZCaZiU1 TVZqmiA1DUpNE6SmiaWmWUlNk5WaJkhNg1LTBKlpYqlpdpKaJoB8A1Kzx8ZehUMqTrUWxrOURoaz AmqgPZpS6VSlCFzvxInNAxrQzbSNnsbfpDJBG3qRgdFmvYrhpvujwCHienWTnhC34pC6ZrUbAx3k oM/JLwx0eGnE4Y/c9mu4ZhkOL8XCiY9XCYefb+r4Ze3pLhxecpvh8GPpQne8Sjj8dJMP0cuhvntw eCmk7+o3vYhci4+sFzXE4ytxLmFOpVuMUMDUdixd4BLYG49uZZKalzPJVjBYWn1iktbkmKQNzMxa YJLTTR2/rD3dwCStzDFJKwNdCUzSBq4YXg713YVJutD3sMUCE6t6q/qi9xI95aGgBS5qE4cES6uF D1QPF5EaWUTvTFeET9AwEIJ7AEoW+OKBhQHcKNPPNGRxKuwg0SxOriw9m1ickjywuJH3ZFickgsr UovN+8Sn5ps6fll7uguLU3LIsLixNNAdUhY33fSVGtYsbqbbn8UpGUC5S1lcFwWDhoG3635Kq481 FclP8ec55H78Ga9luE6m/ZmnSiZLwQemCXS0ReU3swYVzyCwU5/zir3AI/GV9Alh84ANhhbY24Wv sCtDJFuuRDkkK3FjhMVdTSLJedL4dIqg0zs5zRiMd1rwcJPoKFRjdk5vvNCudD3streeSKDJjogK alxNmBYNC8lXsHXdNlGUESdoZWQOWhm1QKDxKoVWJmCp08va0w3QyrActAphWcqHZUUfZQuWCi+H +u4CrYy5MWjVxCyDfIR2JiLNhfR0rfFRplVyOly9VHe8P9EruI2nKToow24+owAdgz4/4/V8SRaT rNrLEDDiXoMJ/FC/DuSTade/kpljnzVUn/KhD+/aGojM48ETYCxJsaNoCS1ccB5Mg1IyWzmkhlrj tEtPtBTSiR9JSAM7wDT4BJEIcgbiNAF8NtjK6SNW6VkFBVgzCFsCOzZ0GYkiaAfkmjhlEkTAfOip 4Wx0lTdDvFIL7Nx0l9GeGTfPeF9JcWzCd/VgY6otlM1tlv6K6b3nXqYW5Q4f8ko0dlYb1frk8KF1 zuFD68Xh43iVaKPzTR2/rD3dRRvVKufwMZYudBU4fEw3+RC9HOq7hzaq9eLwURBAglzhepe2AnUU fAubhBSBbQh4bQsoTeqnrxuns/Iv3sUQWBNTD15x0B8VeZPI0MeSjEY9xHUze5s26sThjM5xOLOk FTpepRxuuqnjl7WnGzicETkOZ0SgK4DDHW/6SomIw010d+Bwxi1D/GZvoybjm73ttextp2n6Zm/b 2d626vo3exshA2/O3nYavGLLSBu9z6mF6iNbU+7ZEAaOJ7Qh7HdmKq0YzE4Zjm6Yz8z+TKv1ToMk OmSWZN8yzasCBbvGAjXhmYYFqrRuSYcXNHAQeUBHlUuQ4FadTnD2Q7a+bkmxDGdBbzacZ/Rmwxf9 9niV6M3zTR2/rD3dRW82IznUm8fShS5zqd483eRD9HKo7x56s+GB4f2+ohwKgBUdHrtLrqESWUyz L1rFv5FwDNwuoNPrQtUrLJQ3kh2+HccTp7guI3JxXUYsexbHq5TjiSWua/Wy9nQDxxO5uK6xNNCF uK7ppq9UFNc1092B48nQ1btwvJqwe1rtr4g5pdVTmnvTGddJTozLuQGObhG32idnbY+8FJ3OdthF mu11YMSQLPa37NJXjxSdOrc6/XAbRVOps31YmrL4UvsfOf1wAUICGlflC9mGXfQKu+gsdtEBu2jE LjpgFx1jF73CLjqLXXTALhqxiw5gRcfYRe+EXUxg3+mA0g5CKLzpqUciXCBacHjAzab66JFNnfZq wbR5TfJBVejm9I4G6VJLW4EwTck8lmsjMG18J43ecIpBk+OuYCsBhhc6EZuHByp1cURVYoh5xq3k 2z1HdFtz+TBt8xobDFrNpJFbSSOXlUYuSCOH0sgFaeRiaeRW0shlpZEL0sihNHJB/LhYGrl9pJEN h5e3Ofm0Rw6kTgkFKlS0ivMCrt9QRiZHY3ZalNK4twKittCDK5Ig3o0hkHbdxG0t+kiZ0j3ajTEQ IweKGERF9i4QtRWmBDSD00AK6pHuyKp5OTB2/pGbbYxgDUZ3Yf8sSNoWeykkjkDefr2DdJOdIzo2 rds2puUnKGJ5DorYkHnScoAi800dv6w93QWKWJ6DImNpoAtQZLrpKxVBkZnuDlBEhPFL3X+7nBJa oOXSAKjiHElS0BRUrIV7ANTj+mMj+5i1aAAAKBMWPO2D0SJPMnmaLX62y+bCPsfLS6njdVqA9unm djH6VGT/q5A7ULF9TPgV+zM9TfhWqrPf7YF/muwT7rO2K/Y8WyxUrodkYOj10CZhaIVv4G3tWF6a IqRPU4FfNw0xaNFOq/LXH5fV5cTBnRSkLm5R+7JQXT6n6hL3Vpwi38UM9VhspmPsvbXlSXbFaipu Uk0dOyXZdSyXZNexRYV0DJLszjd1/LL2dBfV1LFckt2xNNCFJLvTTV+pKMnuTLe/aupYSIRQ4exe YeHcJ3t1F12kIurod+XaX2DLoHUT2iAAGyDpZ7EedFwizEI6sqlLiqdSALhR37UqWfx0FpQzaddB aG4UESOjjWqGZ9m+kp8T7ZBZzS+bIC03/ioFEQXQq4mJrAd8x9UNrCvlus0M3G6Vqt9lU/W7kKrf Yap+F1L1uzhVv1ul6nfZVP0upOp3mKrfhVT9Lk7V73ZK1e9Cbued4nR2OVYelzyEf3axAt3NJnAT dRT6lByXkigtMqyBZiMYG9BjW+WmonKcMif+pmyOv6klXvB4lfK36aaOX9aebuBvSuX4m1KBrgL+ drzpK6Ui/jbR3YG/6UW23kr+nrejSO4ltc4cun+aQXB6A548Qp8Akfbgwx0aIZxIum1bqM5dzRnp laDQ+LfjayqVySHux3aCcnWwhMseLOHCwRIOD5Zw4WAJFx8s4VYHS7jswRIuHCzh8GAJFw6WcPHB Em6ngyVcyDy+U/gqjeppc1GBA+0dSdvHZYti0PEcgwRVdAHCNRja66XvOaZ3iQZg+DNnt1+g4T/7 OmnrhIzH4rUs/RWe/BU75hWbe3SE2zl9cqMFVduEE8MmBG0L4A0q4kNe3OlQiEbSd+QjcpG+47VC 6TuW6llKTlex9PU3dfyy9nS99B2vOUrfY2mgyxPpO9/0leIr6evpdpe+43eWndXbSaR9fQoxZOI+ Ru3k0o6bAkAkXX0S/OLvOaIHU1HRmdka5uK8Q+xgbbxCUN7SqWYhw20DuU+nzWUy2+f7iHmj4257 KGv19Zm7ajx26bbQfUp7tLeADnqyO6xHuzQ7UIsdTD4ipFfBW5f8NUqh0lV4s0Gcfk0gd/12zdYz h5LhbQcEhToBQZE5b2AsNQtgE+l5A/6mjl/Wnm4AgiJz3sCxNNBNzxuYb/pKiQgIil3OGxi/ExJS 3woQfKjABXpF074R7djEHaIxZpNp+mbgruKsXmCLs4cHYGhvk2Rs9B79VcaOu5q80g5Jp7/t6BXb pVbdVpAa/sbM7m1QbsgLVxCq0gNLNnTT3WogFHGH3Np4bwuh7TF2Nam2ro/KRm9gMgoZ3aNpZ6kW 0Y4tdKs+R2GReLfL4SloKYTkR6AScJXOkCb7EMom7K6ivWRwVztV8pTUcbzO5K4YS+2i8kFSR39T xy9rTzeokrmkjsfSQDfNXTHf9JWSkSq5T1JHPpySOsKZmAUbZxXppbusJGCC12dczWxDFJQgL21x kGgLMVCRyZXuI9Lc8FqbvhXy+kwE+6bkZDUZSVtkU2+TtdomHIEOz0Ww2Uf/bGB/6iKPfZ60NppD SB5ZgNirM6n0BkbFR+RdUmHu93S7W/eT2TZTheXxTG2yo9Ii5RHJzN/Ee4EUpWtKL8QWyna7uEnO QhpIOgU5Hd7VRL5X2AXInREMOildRBuNPFzGvXxj/G4bRISvFOxT0xWhly7dOhoQXJ8F5Q3v0eK9 16kTnLFwRuB4nTkjcCxd9qSPV4mBYr6p45e1p7sYKNiQOSPwWLrQHdIzAuebfIheDvXdw0DBQqLX m9nrZmApaYIK4DOAtW/GXN4gDwwKLDptGekwUCCN03rg0SV0f1SkKN0tyJezU5be8Tpn6WRLlt7p KmUkS5be9cva0w2MJJel91ga6IKlk/HAOaIsvZ7uDozklKUXfKnaJMyg9Rh63bTIOnL9yd8Fcp6E UwUuewUuySR7bnM+DT0QdDo7ODmH3u+tOIbh+pQqNX6Qj5e3auvxNSbhGfS0w0cKPABI0douMx9n qjwzn2yUmY8zy0/iyGZy6oylQWzYNKeOv6njl7WnG8SRzeTUOZYGumlOnfmmr9QQiSO7S06d8Tsh BVbFpkoFz6/QsRpYLt7Mbn2Sfu9jMtnTHrjRCV2JeFXhqQnQGDr6o4V3MQ2tWpyrQHY7frZCEaRZ RsMotFfKacz5wMpbU6FwN0FftKnyoc+L3SeyRQxDMiFgAdBZE6EPyc0s9JYH32A6r2KFTZlWNWjw 3SXaoiIZ/UPPfpJRFxi1duLc7RZMrIo8K+d/YEmn92gAf4HYxB/02eMqpixWXC4pELzzg6bkEvXB o/6S/6JJvjjkz1SrbpGxSYu8k8gqrh5i4n9K2YRMBZxLusXHLjbrFsFc124R0y7nir6Pu7nQRGzz PNHXnrouLcGuzIux+o4ypm9HTQ4iK/qZVudDiqubJAfWtUlyTku0GnvAb+RkgOniw39a1VFxRTAi n3ZgHT/M01qDP5jfQl1VG95R6RMvfVsqh3mlB1NWd5YrWfLF1vPL85ZTi+6C5Uqt+naLGWL698py FRddO0pxG9Pvz3KVNH2bNJ8ksxr722O5fBY7QuyH/VjyxdbYj+mkRXfBiLgyfbtF85j+vTIiwVTX jhJ8iOn3Z0RCuL5NkjIZ+9tjRD41qwk+2W2wn3eSWO24pGDQ70yuctR0xn5LElr38CiXWxen1Okv XFzyxdYraZBJi+5CuAip+naLGpLcSXcqXKQP9u/VUdIHpwX6OxgWuOnbJMGTsW8sXMZ/h29jTZme Pul/fflamxvk4+Hj0/8B4aonFmVuZHN0cmVhbQplbmRvYmoKMjc4IDAgb2JqCjUxMzgKZW5kb2Jq CjI4MiAwIG9iagpbMTIgL1hZWiA0Ny41MTk5OTk5ICAKMzQ1LjE5OTk5OSAgMF0KZW5kb2JqCjI4 MyAwIG9iagpbMTIgL1hZWiA0Ny41MTk5OTk5ICAKMzc1LjkxOTk5OSAgMF0KZW5kb2JqCjI4NCAw IG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDM0 MS4zNTk5OTkgIDU0My44NDAwMDAgIDM0OS4wMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3Qg L2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRp ZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjI4NSAw IG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzEzMS4wMzk5OTkgIDI5 Mi4zOTk5OTkgIDIxNy40Mzk5OTkgIDMwMC4wNzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwK L1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1haWx0bzptYmpAbWljcm9zb2Z0LmNvbSkKPj4K Pj4KZW5kb2JqCjI4NiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3Qg WzEzMS4wMzk5OTkgIDI4My43NTk5OTkgIDIyNy4wMzk5OTkgIDI5MS40Mzk5OTkgXQovQm9yZGVy IFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0dHA6Ly9zZWxmLWlz c3VlZC5pbmZvLykKPj4KPj4KZW5kb2JqCjI4NyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzEzMS4wMzk5OTkgIDI0NC4zOTk5OTkgIDIyOCAgMjUyLjA3OTk5OSBd Ci9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAobWFpbHRv OmRpY2suaGFyZHRAZ21haWwuY29tKQo+Pgo+PgplbmRvYmoKMjg4IDAgb2JqCjw8Ci9UeXBlIC9B bm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTMxLjAzOTk5OSAgMjM0Ljc5OTk5OSAgMjIwLjMx OTk5OSAgMjQyLjQ3OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9T IC9VUkkKL1VSSSAoaHR0cDovL2RpY2toYXJkdC5vcmcvKQo+Pgo+PgplbmRvYmoKMjg5IDAgb2Jq Cjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTMxLjAzOTk5OSAgMTk1LjQz OTk5OSAgMTc3LjEyMDAwMCAgMjAzLjExOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlw ZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAobWFpbHRvOmRyQGZiLmNvbSkKPj4KPj4KZW5kb2JqCjI5 MCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzEzMS4wMzk5OTkg IDE4Ni43OTk5OTkgIDI2OS4yNzk5OTkgIDE5NC40Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Eg PDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0dHA6Ly93d3cuZGF2aWRyZWNvcmRvbi5j b20vKQo+Pgo+PgplbmRvYmoKMjkzIDAgb2JqCjw8L1RpdGxlICj+/wBBAGIAcwB0AHIAYQBjAHQp CiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1JfNAogIC9Db3VudCAwCiAgL05l eHQgMjk0IDAgUgo+PgplbmRvYmoKMjk0IDAgb2JqCjw8L1RpdGxlICj+/wBTAHQAYQB0AHUAcwAg AG8AZgAgAHQAaABpAHMAIABNAGUAbQBvKQogIC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dL QU5DSE9SXzYKICAvQ291bnQgMAogIC9OZXh0IDI5NSAwIFIKICAvUHJldiAyOTMgMCBSCj4+CmVu ZG9iagoyOTUgMCBvYmoKPDwvVGl0bGUgKP7/AEMAbwBwAHkAcgBpAGcAaAB0ACAATgBvAHQAaQBj AGUpCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1JfOAogIC9Db3VudCAwCiAg L05leHQgMjk2IDAgUgogIC9QcmV2IDI5NCAwIFIKPj4KZW5kb2JqCjI5NiAwIG9iago8PC9UaXRs ZSAo/v8AVABhAGIAbABlACAAbwBmACAAQwBvAG4AdABlAG4AdABzKQogIC9QYXJlbnQgMjkyIDAg UgogIC9EZXN0IC9fX1dLQU5DSE9SX2EKICAvQ291bnQgMAogIC9OZXh0IDI5NyAwIFIKICAvUHJl diAyOTUgMCBSCj4+CmVuZG9iagoyOTcgMCBvYmoKPDwvVGl0bGUgKP7/ADEALgCgACAASQBuAHQA cgBvAGQAdQBjAHQAaQBvAG4pCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1Jf YwogIC9Db3VudCAwCiAgL05leHQgMjk4IDAgUgogIC9QcmV2IDI5NiAwIFIKPj4KZW5kb2JqCjI5 OCAwIG9iago8PC9UaXRsZSAo/v8AMQAuADEALgCgACAATgBvAHQAYQB0AGkAbwBuAGEAbAAgAEMA bwBuAHYAZQBuAHQAaQBvAG4AcykKICAvUGFyZW50IDI5MiAwIFIKICAvRGVzdCAvX19XS0FOQ0hP Ul9lCiAgL0NvdW50IDAKICAvTmV4dCAyOTkgMCBSCiAgL1ByZXYgMjk3IDAgUgo+PgplbmRvYmoK Mjk5IDAgb2JqCjw8L1RpdGxlICj+/wAxAC4AMgAuAKAAIABUAGUAcgBtAGkAbgBvAGwAbwBnAHkp CiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1JfZwogIC9Db3VudCAwCiAgL05l eHQgMzAwIDAgUgogIC9QcmV2IDI5OCAwIFIKPj4KZW5kb2JqCjMwMCAwIG9iago8PC9UaXRsZSAo /v8AMQAuADMALgCgACAATwB2AGUAcgB2AGkAZQB3KQogIC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0 IC9fX1dLQU5DSE9SX2kKICAvQ291bnQgMAogIC9OZXh0IDMwMSAwIFIKICAvUHJldiAyOTkgMCBS Cj4+CmVuZG9iagozMDEgMCBvYmoKPDwvVGl0bGUgKP7/ADIALgCgACAAQQB1AHQAaABlAG4AdABp AGMAYQB0AGUAZAAgAFIAZQBxAHUAZQBzAHQAcykKICAvUGFyZW50IDI5MiAwIFIKICAvRGVzdCAv X19XS0FOQ0hPUl9rCiAgL0NvdW50IDAKICAvTmV4dCAzMDIgMCBSCiAgL1ByZXYgMzAwIDAgUgo+ PgplbmRvYmoKMzAyIDAgb2JqCjw8L1RpdGxlICj+/wAyAC4AMQAuAKAAIABBAHUAdABoAG8AcgBp AHoAYQB0AGkAbwBuACAAUgBlAHEAdQBlAHMAdAAgAEgAZQBhAGQAZQByACAARgBpAGUAbABkKQog IC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SX20KICAvQ291bnQgMAogIC9OZXh0 IDMwMyAwIFIKICAvUHJldiAzMDEgMCBSCj4+CmVuZG9iagozMDMgMCBvYmoKPDwvVGl0bGUgKP7/ ADIALgAyAC4AoAAgAEYAbwByAG0ALQBFAG4AYwBvAGQAZQBkACAAQgBvAGQAeQAgAFAAYQByAGEA bQBlAHQAZQByKQogIC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SX28KICAvQ291 bnQgMAogIC9OZXh0IDMwNCAwIFIKICAvUHJldiAzMDIgMCBSCj4+CmVuZG9iagozMDQgMCBvYmoK PDwvVGl0bGUgKP7/ADIALgAzAC4AoAAgAFUAUgBJACAAUQB1AGUAcgB5ACAAUABhAHIAYQBtAGUA dABlAHIpCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1JfcQogIC9Db3VudCAw CiAgL05leHQgMzA1IDAgUgogIC9QcmV2IDMwMyAwIFIKPj4KZW5kb2JqCjMwNSAwIG9iago8PC9U aXRsZSAo/v8AMwAuAKAAIABUAGgAZQAgAFcAVwBXAC0AQQB1AHQAaABlAG4AdABpAGMAYQB0AGUA IABSAGUAcwBwAG8AbgBzAGUAIABIAGUAYQBkAGUAcgAgAEYAaQBlAGwAZCkKICAvUGFyZW50IDI5 MiAwIFIKICAvRGVzdCAvX19XS0FOQ0hPUl9zCiAgL0NvdW50IDAKICAvTmV4dCAzMDYgMCBSCiAg L1ByZXYgMzA0IDAgUgo+PgplbmRvYmoKMzA2IDAgb2JqCjw8L1RpdGxlICj+/wAzAC4AMQAuAKAA IABFAHIAcgBvAHIAIABDAG8AZABlAHMpCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tB TkNIT1JfdQogIC9Db3VudCAwCiAgL05leHQgMzA3IDAgUgogIC9QcmV2IDMwNSAwIFIKPj4KZW5k b2JqCjMwNyAwIG9iago8PC9UaXRsZSAo/v8ANAAuAKAAIABTAGUAYwB1AHIAaQB0AHkAIABDAG8A bgBzAGkAZABlAHIAYQB0AGkAbwBuAHMpCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tB TkNIT1JfdwogIC9Db3VudCAwCiAgL05leHQgMzA4IDAgUgogIC9QcmV2IDMwNiAwIFIKPj4KZW5k b2JqCjMwOCAwIG9iago8PC9UaXRsZSAo/v8ANAAuADEALgCgACAAUwBlAGMAdQByAGkAdAB5ACAA VABoAHIAZQBhAHQAcykKICAvUGFyZW50IDI5MiAwIFIKICAvRGVzdCAvX19XS0FOQ0hPUl95CiAg L0NvdW50IDAKICAvTmV4dCAzMDkgMCBSCiAgL1ByZXYgMzA3IDAgUgo+PgplbmRvYmoKMzA5IDAg b2JqCjw8L1RpdGxlICj+/wA0AC4AMgAuAKAAIABUAGgAcgBlAGEAdAAgAE0AaQB0AGkAZwBhAHQA aQBvAG4pCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1JfMTAKICAvQ291bnQg MAogIC9OZXh0IDMxMCAwIFIKICAvUHJldiAzMDggMCBSCj4+CmVuZG9iagozMTAgMCBvYmoKPDwv VGl0bGUgKP7/ADQALgAzAC4AoAAgAFMAdQBtAG0AYQByAHkAIABvAGYAIABSAGUAYwBvAG0AbQBl AG4AZABhAHQAaQBvAG4AcykKICAvUGFyZW50IDI5MiAwIFIKICAvRGVzdCAvX19XS0FOQ0hPUl8x MgogIC9Db3VudCAwCiAgL05leHQgMzExIDAgUgogIC9QcmV2IDMwOSAwIFIKPj4KZW5kb2JqCjMx MSAwIG9iago8PC9UaXRsZSAo/v8ANQAuAKAAIABJAEEATgBBACAAQwBvAG4AcwBpAGQAZQByAGEA dABpAG8AbgBzKQogIC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SXzE0CiAgL0Nv dW50IDAKICAvTmV4dCAzMTIgMCBSCiAgL1ByZXYgMzEwIDAgUgo+PgplbmRvYmoKMzEyIDAgb2Jq Cjw8L1RpdGxlICj+/wA1AC4AMQAuAKAAIABPAEEAdQB0AGgAIABBAGMAYwBlAHMAcwAgAFQAbwBr AGUAbgAgAFQAeQBwAGUAIABSAGUAZwBpAHMAdAByAGEAdABpAG8AbikKICAvUGFyZW50IDI5MiAw IFIKICAvRGVzdCAvX19XS0FOQ0hPUl8xNgogIC9Db3VudCAwCiAgL05leHQgMzEzIDAgUgogIC9Q cmV2IDMxMSAwIFIKPj4KZW5kb2JqCjMxMyAwIG9iago8PC9UaXRsZSAo/v8ANQAuADEALgAxAC4A oAAgAFQAaABlACAAIgBCAGUAYQByAGUAcgAiACAATwBBAHUAdABoACAAQQBjAGMAZQBzAHMAIABU AG8AawBlAG4AIABUAHkAcABlKQogIC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9S XzE4CiAgL0NvdW50IDAKICAvTmV4dCAzMTQgMCBSCiAgL1ByZXYgMzEyIDAgUgo+PgplbmRvYmoK MzE0IDAgb2JqCjw8L1RpdGxlICj+/wA1AC4AMgAuAKAAIABBAHUAdABoAGUAbgB0AGkAYwBhAHQA aQBvAG4AIABTAGMAaABlAG0AZQAgAFIAZQBnAGkAcwB0AHIAYQB0AGkAbwBuKQogIC9QYXJlbnQg MjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SXzFhCiAgL0NvdW50IDAKICAvTmV4dCAzMTUgMCBS CiAgL1ByZXYgMzEzIDAgUgo+PgplbmRvYmoKMzE1IDAgb2JqCjw8L1RpdGxlICj+/wA1AC4AMgAu ADEALgCgACAAVABoAGUAIAAiAEIAZQBhAHIAZQByACIAIABBAHUAdABoAGUAbgB0AGkAYwBhAHQA aQBvAG4AIABTAGMAaABlAG0AZSkKICAvUGFyZW50IDI5MiAwIFIKICAvRGVzdCAvX19XS0FOQ0hP Ul8xYwogIC9Db3VudCAwCiAgL05leHQgMzE2IDAgUgogIC9QcmV2IDMxNCAwIFIKPj4KZW5kb2Jq CjMxNiAwIG9iago8PC9UaXRsZSAo/v8ANgAuAKAAIABSAGUAZgBlAHIAZQBuAGMAZQBzKQogIC9Q YXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SXzFlCiAgL0NvdW50IDAKICAvTmV4dCAz MTcgMCBSCiAgL1ByZXYgMzE1IDAgUgo+PgplbmRvYmoKMzE3IDAgb2JqCjw8L1RpdGxlICj+/wA2 AC4AMQAuAKAATgBvAHIAbQBhAHQAaQB2AGUAIABSAGUAZgBlAHIAZQBuAGMAZQBzKQogIC9QYXJl bnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SXzFnCiAgL0NvdW50IDAKICAvTmV4dCAzMTgg MCBSCiAgL1ByZXYgMzE2IDAgUgo+PgplbmRvYmoKMzE4IDAgb2JqCjw8L1RpdGxlICj+/wA2AC4A MgAuAKAASQBuAGYAbwByAG0AYQB0AGkAdgBlACAAUgBlAGYAZQByAGUAbgBjAGUAcykKICAvUGFy ZW50IDI5MiAwIFIKICAvRGVzdCAvX19XS0FOQ0hPUl8xaQogIC9Db3VudCAwCiAgL05leHQgMzE5 IDAgUgogIC9QcmV2IDMxNyAwIFIKPj4KZW5kb2JqCjMxOSAwIG9iago8PC9UaXRsZSAo/v8AQQBw AHAAZQBuAGQAaQB4ACAAQQAuAKAAIABBAGMAawBuAG8AdwBsAGUAZABnAGUAbQBlAG4AdABzKQog IC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SXzFrCiAgL0NvdW50IDAKICAvTmV4 dCAzMjAgMCBSCiAgL1ByZXYgMzE4IDAgUgo+PgplbmRvYmoKMzIwIDAgb2JqCjw8L1RpdGxlICj+ /wBBAHAAcABlAG4AZABpAHgAIABCAC4AoAAgAEQAbwBjAHUAbQBlAG4AdAAgAEgAaQBzAHQAbwBy AHkpCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1JfMW0KICAvQ291bnQgMAog IC9OZXh0IDMyMSAwIFIKICAvUHJldiAzMTkgMCBSCj4+CmVuZG9iagozMjEgMCBvYmoKPDwvVGl0 bGUgKP7/AEEAdQB0AGgAbwByAHMAJwAgAEEAZABkAHIAZQBzAHMAZQBzKQogIC9QYXJlbnQgMjky IDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SXzFvCiAgL0NvdW50IDAKICAvUHJldiAzMjAgMCBSCj4+ CmVuZG9iagoyOTIgMCBvYmoKPDwvVGl0bGUgKP7/AFQAaABlACAATwBBAHUAdABoACAAMgAuADAA IABBAHUAdABoAG8AcgBpAHoAYQB0AGkAbwBuACAAUAByAG8AdABvAGMAbwBsADoAIABCAGUAYQBy AGUAcgAgAFQAbwBrAGUAbgBzACAAZAByAGEAZgB0AC0AaQBlAHQAZgAtAG8AYQB1AHQAaAAtAHYA MgAtAGIAZQBhAHIAZQByAC0AMQA1KQogIC9QYXJlbnQgMjkxIDAgUgogIC9EZXN0IC9fX1dLQU5D SE9SXzIKICAvQ291bnQgMAogIC9GaXJzdCAyOTMgMCBSCiAgL0xhc3QgMzIxIDAgUgo+PgplbmRv YmoKMjkxIDAgb2JqCjw8L1R5cGUgL091dGxpbmVzIC9GaXJzdCAyOTIgMCBSCi9MYXN0IDI5MiAw IFI+PgplbmRvYmoKMzIyIDAgb2JqCjw8Ci9UeXBlIC9DYXRhbG9nCi9QYWdlcyAyIDAgUgovT3V0 bGluZXMgMjkxIDAgUgovUGFnZU1vZGUgL1VzZU91dGxpbmVzCi9EZXN0cyA8PAovX19XS0FOQ0hP Ul8xOCAxNTQgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRp ciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzc2VjIzJk Y29uIDExOSAwIFIKL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGly IzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjN0b2MgMTUg MCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYXV0aG4jMmRoZWFkZXIg MTA1IDAgUgovZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZk cmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM05JU1Q4MDAjMmQ2 MyAyMDEgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMy ZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzcmZjLmF1dGhv cnMgMjgzIDAgUgovZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIj MmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM2F1dGh6IzJk aGVhZGVyIDc3IDAgUgovZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5k aXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3Jlc291 cmNlIzJkZXJyb3IjMmRjb2RlcyAxMTcgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJm Q0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRt bC5odG1sIzIzVzNDLlJFQyMyZGh0bWw0MDEjMmQxOTk5MTIyNCAxOTEgMCBSCi9maWxlIzNhIzJm IzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRo IzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzUkZDNTIzNCAxOTMgMCBSCi9maWxlIzNhIzJmIzJm IzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJk djIjMmRiZWFyZXIuaHRtbC5odG1sIzIzSSMyZEQuaWV0ZiMyZGh0dHBiaXMjMmRwNyMyZGF1dGgg MTYyIDAgUgovZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZk cmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM2FuY2hvcjEgMzIg MCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yMiAzMyAwIFIK L2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRp ZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3IzIDM1IDAgUgovZmls ZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYj MmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM2FuY2hvcjQgNzQgMCBSCi9fX1dLQU5D SE9SXzIgMTAgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRp ciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9y NSA3NSAwIFIKL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJm ZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3I2IDE0 NSAwIFIKL19fV0tBTkNIT1JfNCAxMSAwIFIKL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZD R0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1s Lmh0bWwjMjNhbmNob3I3IDE2MyAwIFIKL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0 ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0 bWwjMjNhbmNob3I4IDE2NiAwIFIKL19fV0tBTkNIT1JfNiAxMiAwIFIKL2ZpbGUjM2EjMmYjMmYj MmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2 MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3I5IDE2NyAwIFIKL2ZpbGUjM2EjMmYjMmYjMmZ2 YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMy ZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3IxMCAxNTUgMCBSCi9fX1dLQU5DSE9SXzggMTQgMCBS Ci9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJk aWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yMTEgMTU2IDAgUgov ZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGll dGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM1JGQzUyNDYgMTk1IDAgUgovZmls ZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYj MmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM1JGQzI2MTYgMTk0IDAgUgovX19XS0FO Q0hPUl8xYSAxNTggMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2 LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzUkZD MjYxNyAxOTYgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRp ciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9y MTQgMTk3IDAgUgovZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIj MmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM21pdGlnYXRp b24gMTMxIDAgUgovX19XS0FOQ0hPUl8xYyAxNjAgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJm dG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFy ZXIuaHRtbC5odG1sIzIzYW5jaG9yMTUgMTk4IDAgUgovX19XS0FOQ0hPUl8xZSAxNjEgMCBSCi9f X1dLQU5DSE9SXzFnIDE2NCAwIFIKL19fV0tBTkNIT1JfMWkgMjAyIDAgUgovX19XS0FOQ0hPUl8x ayAxODYgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMy ZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzSSMyZEQuaWV0 ZiMyZGh0dHBiaXMjMmRwMSMyZG1lc3NhZ2luZyAxNTcgMCBSCi9fX1dLQU5DSE9SXzFtIDE4OSAw IFIKL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQj MmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNxdWVyeSMyZHBhcmFtIDkw IDAgUgovX19XS0FOQ0hPUl8xbyAyODIgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJm Q0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRt bC5odG1sIzIzcmZjLnJlZmVyZW5jZXMxIDE1OSAwIFIKL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0 bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJl ci5odG1sLmh0bWwjMjNyZmMucmVmZXJlbmNlczIgMTk5IDAgUgovZmlsZSMzYSMyZiMyZiMyZnZh ciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJk YmVhcmVyLmh0bWwuaHRtbCMyM3RocmVhdHMgMTI3IDAgUgovX19XS0FOQ0hPUl9hIDEzIDAgUgov ZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGll dGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM1JGQzIyNDYgMTg3IDAgUgovX19X S0FOQ0hPUl9jIDMxIDAgUgovX19XS0FOQ0hPUl9lIDM0IDAgUgovX19XS0FOQ0hPUl9nIDM2IDAg UgovX19XS0FOQ0hPUl9pIDc2IDAgUgovX19XS0FOQ0hPUl9rIDc4IDAgUgovX19XS0FOQ0hPUl9t IDc5IDAgUgovX19XS0FOQ0hPUl9vIDkxIDAgUgovX19XS0FOQ0hPUl9xIDEwMyAwIFIKL19fV0tB TkNIT1JfcyAxMDQgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2 LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzUkZD Mzk4NiAyMDAgMCBSCi9fX1dLQU5DSE9SX3UgMTE4IDAgUgovX19XS0FOQ0hPUl93IDEyOCAwIFIK L19fV0tBTkNIT1JfeSAxMzAgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVt cDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1s IzIzUkZDMjExOSAxOTAgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUw OTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIz UkZDNjEyNSAxODggMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2 LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzSSMy ZEQuaWV0ZiMyZG9hdXRoIzJkdjIgMTkyIDAgUgovX19XS0FOQ0hPUl8xMCAxMjkgMCBSCi9fX1dL QU5DSE9SXzEyIDE0NCAwIFIKL19fV0tBTkNIT1JfMTQgMTY1IDAgUgovX19XS0FOQ0hPUl8xNiAx NjggMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRy YWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYm9keSMyZHBhcmFt IDkyIDAgUgovZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZk cmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0ZpZ3VyZSMyZDEg NzMgMCBSCj4+Cj4+CmVuZG9iagoyODEgMCBvYmoKPDwKL1R5cGUgL1BhZ2UKL1BhcmVudCAyIDAg UgovQ29udGVudHMgMzIzIDAgUgovUmVzb3VyY2VzIDMyNSAwIFIKL0Fubm90cyAzMjYgMCBSCi9N ZWRpYUJveCBbMCAwIDU5NSA4NDJdCj4+CmVuZG9iagozMjUgMCBvYmoKPDwKL0NvbG9yU3BhY2Ug PDwKL1BDU3AgNCAwIFIKL0NTcCAvRGV2aWNlUkdCCi9DU3BnIC9EZXZpY2VHcmF5Cj4+Ci9FeHRH U3RhdGUgPDwKL0dTYSAzIDAgUgo+PgovUGF0dGVybiA8PAo+PgovRm9udCA8PAovRjYgNiAwIFIK L0Y5IDkgMCBSCi9GOCA4IDAgUgo+PgovWE9iamVjdCA8PAo+Pgo+PgplbmRvYmoKMzI2IDAgb2Jq ClsgMjg0IDAgUiAyODUgMCBSIDI4NiAwIFIgMjg3IDAgUiAyODggMCBSIDI4OSAwIFIgMjkwIDAg UiBdCmVuZG9iagozMjMgMCBvYmoKPDwKL0xlbmd0aCAzMjQgMCBSCi9GaWx0ZXIgL0ZsYXRlRGVj b2RlCj4+CnN0cmVhbQp4nO1dy47duBHd36/QegC3SVGkRCAIYPfYAbIIYLiBLIIsgp5MgoE9SGcW +f1QEkWRPNQtiZfSlT3dxkyrKbFUJOtxqvjQ2z99/kf1r9+qt4+f/1M929+Pny/sgUk9/lTM/Hvj F9Tdg6hZ/1N1XDyodih9/np5qV4uny6fzP9fLlwNFe0vc3N6BRv+/fb86+Xt+PLLWPL58S/m6n9V Xf3Z/PdL9be/m8KfLL3+ga+XTivDB2NcmD+/+H9y1jHxYJjippzFf/YP//vy1x+qX3vG6oduYJ6P DPp/vuFS1ZybmvVNLL/MVR8UE7o2dLvFa5+wEJafpmpl25qnGOem6aKR/TVj0pRr9tAM5aYPFG+G P+q4vG6HDqh9Ol8W6Pfd87PHsxb2Z/E64NnjTdl+H3j23qW4GoYq5i0sn9sy0/myQD/muVA/L/C8 xMPSuOzRz+mx/hr226p+TsvGkiyFPE9mQINSbNIt1TTmfsdaY04qLqv//tO85dOgOxkayod/PjNj yYKGvlyp+P7p8vajMiakevq5Gjl4M/56Grl+Y9jmXfX0U/WHnqk/Vk+/XHqDZAvqoaCdC8RQ0M0F TfzESOPDk2l9psl5uVJxaJCujJVMNIgL3jeoNnZ6ZEaoiF0o4O+2scuRXV73w1rXrZHe6bp74KyR Fed6uFB6KDX/N309Xj1fuJHiTstGMHdThZWVpTs8O1zLoUYVVZWOrhyeDV5qblqmpsqO32ejDe9/ 2HkwzC/b1d3Q1Xru+zoajJrFBaMwcU8i21gAf4wL3g8F8kqVD3GBHAqaKzRiVpFoTIOPT3A2l5Ad sOK98BoZP/EuLvgYE42fWNPNdK/Ca8A0QDdDlZgoSIQ1QOLKW4DT+C38kWKMx6+lq2C3g5RBAbQl lmVsPimpnEdCxh7TNAaTl63d0risQLuLtB+GDp6AxoD6g3A3MQ3ow9gp3FmFbhuZye42kxNEKwMq A60BuSPNHXYzDFVHvbbI+MeNEywebtD2D5TFwOZDF8aMYa8DUegPspNpxjgAHNpzkRYUO6iECRGq DgUV5QEGl/Tc39NYImNgqLarA0pM3GPlILH0ILFMQmLpILFESCwdJJYhJJYeJJZJSCwdJJYIiaWD xDKExPIgSKwmpyneU8pZBADRUO1OEBmUFeQ5NgkZkLl5T3YQKLwg1TlWtCUbeXhAcDY0c61HAKvS iJAOiHaEOzdiZs5C9T8NZjq5Fy0DiFu1ujHHoKhyjrbzHG2XdLSdc7QdOtrOOdoudLSd52i7pKPt nKPt0NF2ztF2oaPtDnK0+tXRLugzzSkUgBmBvMqrCyS7qJTKC1Y7lRdMJFResMaqZn8Vqfx4U4WV laU7qbxgLKHyptTRZbHKDzctU8xX+ZHu/iov2GTlax2DC1oZaef6XeeSawAGBazCt5P1LZF/OKhx uziaPXwCtKWcBeQz6BE8BXoEn0BPfxVbQD6BHq+ysnSdBeQp0GNKHV0APcNNy1QAeka6B1jA2oUX YAHBApASvyI0ug+C2cckch0XnAbTwFBBsETnIMGw0FN0e+RKVsxigbEGSEcnWOmpoRUYb3uHFJpf i5QZBLGOpWwFnKG9BInpffud37oh8y8aPbVFxW+J4zWrmAXcRitmt9E2KbfROvPeSnAbrfMTc2Vl 6Tq30fKU22i5o8vBbfQ3LVM8cBsD3QPcRttOgyFjPAKKBJaGxgH01AUZkhVB45pEPSRRWB1A22Y0 khnTQbR9j5FkDeu3Mnpse/oQidJjC+MCgw2ON7YRS4u7YOr3NuPV8CZUmGaUB86v9BkN6aETYbh3 QW8LCOBW79WGXYSZ/owIJtsVl4Wi9JQqqj+d+iZnPiwkKpILF7peb8rpKWXgHfSfHu1D1oKUGMsS jO1jmOquDge3HnvZC01WaAh0IumoEzB6+2iucFVFFp0YOEUowJFm9tpcaAELuWZkSF3dR1jtZOg8 EOIx7gA65IOxA1UEWAFPAI27OuIi5r1h7WJzSSwPk9LovGjzHj9hF+HdHr41JoD66q51Inxr6ml+ or+KwrfxpgorK0t3Ct8aWyMM35r+3kjXXEXh23DTMqX88G2ku3/41tTO6J8260catIS5ouU3dk/0 ogpo3YqpAbAjZCo80Rh6WvaYbBu9/oFeQ0MuIywB1+/VQfSqG/BNANdpyL/TIqPIHhwzqwUdgmoI S/lirdtvgUwj5qRfI1JJv0ZMSb/+KvYawrkJEST9errOa4hU0s+UOrqQ9BtuWqaCpN9I9wCvISag sGKBDNozMHkl0k10RJax44vOYG6fgcLZcvot9KQ0aVh22TWUkwa5kymmo/4McYAqdOaAnrXPWF8A jcsYqIUFGLfO2LShwVixzypj1QI5ZVcikbACqmTDvTLxm6xvGP9z5Ss3Bda/89zj9mB9xejTS+rp VBR00C6zBqJrIunfvqoJJZdGu7RZpidrSoBseoq0hGcDeSANOWaEdlHt2OauCEK3Q6FyIYXyQgqV DCmUCykUhhTKxRAqDCmUF1KoZEihXEihMKRQLqRQYUihDgoplFtHAIkoeso/YxK8xKIAcu9K1koh ujH0YgSaRoaPKLDq6+xbhm7DQ5CYpAPb7Zshcjr5mI1qTduFqoyNKbAvc4U5iO27+DEeh0O2w51G Yhb8XZmgo3sNOhbk4dsNOsrBHe3BHZ2EO9rBHY1wRzt8o0O4oz24o5NwRzu4oxHuaAd3dAh39EFw R082UtpVYOyKEMB4bRcTTLPQRnKXLOyr+u6vvitO2dk+l4sDVeD4HwQEQIMGdwth9o1gRqlQUZER YBUYgV6mUzUl0vQlhD0jRUAvAYbAJXuGoQh2kXxDyuhOUQe8BbJs271DMfcu69m9yzrl3qU7ZVLW 4N7HmyqsrCzdyb3LOuXeTamjC+59uGmZCtz7SHd/995Pe1hthe029GbI7WvtVshAhu+mzUjG7qoM m/AKKk4JKlZwSosUPS4ZM9sZoTpI4doN6rfueNChvchJZdJZx6wDcekJj+yRKOO9m8l74xoL2FxL y4TQlEXIOTBk+9bZFcm6Ahs0D1qXkbEegtZVstczApGGxxIDS5vEO2os91uJJqUHtGQSaLmzC6VE oCUdspIh0JIe0JJJoCUd0JIItKQDWjIEWvIgoCVPtxKNnkrOWCZbZK3lnaaNSkxgHHNYAr0TFDeY F9NwNe9QMMqV0vB22qHQX8Ua3k47FLzKytJ1Gq5SOxRM6URXwQ6F4aZlKtihMNI9QMPbycujiUZP kIFZXlWNQMIlzjxbcbw8JCnove/0QcfHbP06ZjaxxDHXYAKP1KAiOxRme5AA+SCZCx+iuRZug1Mg gUXOuRbw2oz4hAbXAIFUgYGYDHPnclwrtovCclv68woZX4bIyOLuNvUptefQdcqhK3ckomLg0Meb KqysLF3n0HXSoWvn0DU6dO0cug4duj7GoStWr9as82weec0wlvdwGevJYk4FjH7GrNR215sTbJRY c1sCeaydT7xx+lRHyk5vGEdWC2zAKWbOFZ8zMP03AhPm3J3vqDhkYMabKqysLN3JnCueysCYUkcX MjDDTctUkIEZ6R5gzvmGDMxpzzB9PWpyu0F7PWryaWPwWS6ku9E4jyf+zKr7+/qiyrdxzvuNp2Qq 42Esq+QpmcILC29zksYnOSfZspSTdKdZKnuape/phpsqrKwsXeckVZtykqqd6KoWnGR/0zLYBk5y oHuAk2zFNBgfSHhOfxBz+8QkaCvMMq6AY/SRR3sc4FiL+Al64yHYJrottHvL2GZ5lvNNaSf6er7p IX63Ca1BRiy64sxjwOEFRDnneK+1oWeRdKTqusXBhNZtP9pqhZTRmWQ4qu4kaaYVWy6/6zTTfQ4L 2euYYRapAydd3fYzSTL2qa2QmIzMXMZxKrTxyxjc7Wcbrg5ki5jHljmfkxGmr9jXTMdUEKjR31M/ JnGBKRVy2cedzi6HBSpLK1ZKRJCt+0j7asxxewTZSukiyFaqRATZyinSa6cP+s5h4HhThZWVpTtF kK0UiQjSlDq6Io4gh5uWKeFHkCPd/SPIVrqPXkjSftFnt2w/zeNep/XTQUWJxXMZngcMHv0JLzLE zjrJlExerQCAZ3Hn23eHvPqIm3yEs0oPNbM/i9eBKV/xPG0KN750MJTGQsvkMfbDfs2unuykVVD/ 8xptJBgW6IAcQCAEu+1ULG1ed3fxkDVp0+FxxuMADArgvVbdumVGoGCpymqvnenX2JXhkl0ox6uB S5IoF01I1X5jBT4VXpMy4PX0u7igjQqsYfeIxj66hsD+Xdq/evvxwc8/xnyATMSMbT0d/tpItWyP kXJUc0bqY9p9QPshpPKeWDCw61qnFlqnh1MvO3c0ihUQz2q0YAIgTP8Yjb91Y3Big8e7d5gke5Da /jj9TaFu0SPZrhMPsre2ZrSb1i/4cvnsmeuQZOgP8HWE7V8mdrVvJ8lxnYt9aZdKzn3ZxNpmpyJ9 1ABUYACs/wbL4IlXPMPJZVwlfsJOCEEqHuYIAEdcIcq9TfJ7GfbF8WHDKVCdbqYWLhykCsmSXSRb SyfZUvsF55Vs13McjmQB2YgL6niTGnSliK0mFIDQclhVFZsikGKctQNzBm8BXYmbD3ywhUUYV16L MxuggLE22Q7aGyalP840OF/NcmHSQk6huY3qFZyg3adHS+KEmSpYExon2FlGiJk8WWxiooD5AGss GOEifSjEHn04U4UuAyQJrQNoqcgnMohClXJoTM8LYk6OxnSjnM8azmV1Baf1WXPnokkmYZT9ytMV Kw6OEMcHoBjwEbvKBAaEKK2EYHyb+E27ndV3xW9adjN+437BeXXB9dyd8FsJFdxF41ATYEVoTBRU 8gRgrM1FOFfBWDbVa0Cia0oSnVjtFkM7wE01ZNMAe4A1hEwYSAngBkgNQZ6Hxm8L6bUi46DVHuPg qNYLmYlrPRT3oZ1pu9YhcYEF1gXQmWAuFjk5OjOc6skj8f542rngrB7J61y00bHBRVQEATKk175J hCNY7Vp4R4Rj2OCTPAku/YLzypPruXtlqEZx0hsKUEbhO4KxVcHVyYCjSHXClBWpGiuAFVSBFVvZ Gumn0T2oZf5VL0aEuBpkwf56/pqrvL3DuP5A9enyf782Qi5lbmRzdHJlYW0KZW5kb2JqCjMyNCAw IG9iagozODQwCmVuZG9iagozMjcgMCBvYmoKPDwgL1R5cGUgL0ZvbnREZXNjcmlwdG9yCi9Gb250 TmFtZSAvUVBNQUFBK0xpYmVyYXRpb25TYW5zCi9GbGFncyA0IAovRm9udEJCb3ggWy0yMDMuMTI1 MDAwIC0zMDMuMjIyNjU2IDEwNTAuMjkyOTYgOTEwLjE1NjI1MCBdCi9JdGFsaWNBbmdsZSAwIAov QXNjZW50IDkwNS4yNzM0MzcgCi9EZXNjZW50IC0yMTEuOTE0MDYyIAovQ2FwSGVpZ2h0IDkwNS4y NzM0MzcgCi9TdGVtViA3My4yNDIxODc1IAovRm9udEZpbGUyIDMyOCAwIFIKPj4gZW5kb2JqCjMy OCAwIG9iago8PAovTGVuZ3RoMSA4NDQ4IAovTGVuZ3RoIDMzMSAwIFIKL0ZpbHRlciAvRmxhdGVE ZWNvZGUKPj4Kc3RyZWFtCnicpVgJdBzFma7q7rkkzYzmHklz9MxoTs3d0xqN7vuy7tO2MGYsjTSy rQNpjG0g2AJjjG2uHECyfgk51zGEJOAYEnAckk0cEhOul+y+5WWzu4TN2+AlDxY2xJbG+3dPS5Zl QjbZqdfTf1f/VfX/9X//UY0wQkiKDiISod7BUPSPxYcPQ89xuG6a2r1/UvLNsUtAX0RIX5tOJScm H+4wI2TwQ195GjqUeeL98DwBz6Xpmcy+p3+tugeej8Dzyd1z48l9ioVTCBnD8Dwyk9w3jwJoFzxz 7+nZ5Eyq/9cXKXg+CUIMI5J6Bj+IREgq+pyIQQiX5O7kq2iSUEtFRL6YIrgf9RgivtmH9l1Gwi/S MNiE6pHtMiF6PduPGUktfuomhL7wm39EiKoULXGrIQJaM0LEhAhWQhKEGJVN5bSpbM0EnS3Fj2bT ouFLjzdTLyGMQB4RDeN0CNmw3gBNp3KoGOxyQ2NVjIqqXFFgCpP41L8Ql0iSxMQT1LeiIW8gZF/e LFq63B6O+qKRAHni0gFYEo1euUgZqR7kQ3HQS2vgp2Si8fK4QSzhm8Pudqli0ME1fY7BoOOWcwgc EqxVF7pKE4m+PW0txZ9XWego09W9+93b73A5mxq2jKaO3DBWETfq8feU7e33BCJRX5nJTOE/jrS2 M2yJORTsCAQCIYdLb3zgflzyyK7pxkaLCeOyQFfP9M79xqOn+nqwXOl01TYkYQesV/5A+ER+VISQ ExZ321mVg2XijI7ROVSgAKMHOQmf1+eP/9MnDrH7fvrT4qK6omKjWZovluIPiNfueu+9u1aGe6w0 FlFiUPrKCuzpBaoSARZsDpLfSXdOMdKBGU1O45z+mo2P1MOvfkMmyZPkS2V5Ulm+5KlXsq8+9YxY KpZKpNAtk0j+4YWzEu5BBg26z32L+F6x1+MqCwfL3B6vdaUTLGYz2BxWl8vptNJWPfG7laJim93k sDudFoetmPgN2GnkytuUGeykQyyITIDeYnfO5oVOwSiSWK5n1Sw68TprQqPM+PZPvLOweUtNndWG 37rjhrGqhNl0VqN1usrjTS3xCrdHo8MGvdtZHqttqYh73DodYcn+9thxjB22tpZd0w8QIYztjta2 9M5jnxjsj0a0GqzRRaIDg7feMTAYiWq0WnU0MjgAVgI/Io6AvAEOzTHWxTeGk0dr0OqYcgFPUQ5L nNT2nMwG1f3gRqcwgcGZ1Aad2eT1JPRaTYHaaLTUlvlLzAUKTNbaS+12m9lkNJosVrrEoqkJBSym QjkmRcRXKQpjkznMNLX0r1wASY6Cp5GiCyif8xgJ5ywqzGBMhrOfPHT6NH7j9WwH/gV+ZyZ7QHRh OUnIs6GVR2CLkQwhyWHwtMq/jIprkMG16Fqn6He/fT+/QCErKFDk5xfI8/7nt9nk+ZVClTJfnq9Q 8SiRSsQfPPMBR3KwKVRiqUReoJQX/uk8ecDJxkLxRFV5mIk5l5dES8tL9TW1kSqmubmEtlrM5hID ObP8KUOJmd+I5haHjWVqq1iS9+17QY0a0JyPKRqW0ZGg+72nT58W0U88celfqcrLP8lZinwHLAX+ b1O5BAgJ5uBiy5rxtLzx9Ncajw9AZALnyYuKff7ahijrcGm0pzkjcjbEZBFt9XrKY21bG+rLfFoN 8WQvG7NblXK9weevqetfuY8ctLtKHTajQSrSG0osJqsm6HaaisCaekMg1NY5vhICXYazI+QfqE2o A02DVgL23fF18GZZx7qIxbW4a52gzGoIY8AxwDUAalqJWBO7VmHDBp8hSre1tzMxq03+HXVtdaom Gim1gxI6kwXCS0V7ur0zGNIZMDZoo+GervmFkcEQKM018nGCp+ZuDhiL3d4oy7ZEGKtNqcJYpaSt 0UgzyzJeT3FRdhRrNaX2aKS6eJPHqyp0O6urR570Ot0mS6HaYW9pTk/ec2d6qrPd7cQxNmmkLeYS rYaS6QxmS6nLtfzjNxcy5Pn5gd4YY4Qfw/b2z+/p7YtEtTrQI9LXAzaeuvK26DHRw6gFcLAxlEs2 2NwgJIH4KohZG2tTCVu7GnWmAmVbN99155N37kh2tMOmnCkudTFsU8vmgzfeVFNrobHN1lC/Y/vB gbbWRNxfZs6OEcOhuoaevm3bdz596PDo1rIAcf4rhw9t38ZEMBi6zF9d11XO+H0Wi6rQ4+3YNJU+ cDC9a1O3z48VcqPOXGzOPpYtDpf5bTaNFuOK8h3Jw3eDZndfeZt8G2I3l71U2muNFwe4cxaFiGNw 8CAGTKyBZDV+qnBlQV5Jkd9XV8dGXaUQ0k7z4QcAzBuQLLbSHl+MbR2rb/D5NFoI1wN9sXKAhMKg g1E1A8Ti8jccpS6bw2CUUAY9+KJJF3a6i0xyJTboQsH29hTxKmD4UHYUYng3SqAtHIaFHeXA6tAa eEGv8TfBQGv+xkQ/Ps7Hr8Z5jTYY6uqez4yOBkU8HDmHfBLnkEmBS/o8sUj9fHdXKKjVPF8gN1ki 0Y6aGOv26g2QzF2l5WzbpmjEYpIXEPbbp9KbNoEd/GUpolBlKDJZTdktIrG7tNRi0utkpFpdVGKy FDGuUqO+IM/jbetMpQ9O9PSUs2YTLlSFw0MjhzM9HCAN2GyqiPf15uoYMQHRtYKPOrzgQi3hwAIg oa0rcFbhuhp8MKMSjeT0USgVCpUi++nD2QfEQuZVFfKvTl3Ge8X5eTKZVEKSUkmBLD9Piuc/IJ9g 2FiACcci/lDUtVxP/kCp1Rj10GKVFfEQw7qWhyDWhrRWGvKwpbDQYrHRtFVLvgpFE0bPgfXuQG9w lSkDUfW5H73xBvTSgMQ0aARVqMguxKZVNLIqzoe0OXvhFx+fmbM/l2fQ26wet3eqpjr7Ln7JZI7F u3q0Wza/YG0IhixWuaK99RjZcmLZkervT1RZaC4nJWCNMxAFhzfg57pYeHULcyB3CVFwvbOvxrr1 jTyDTdZ4Rf9gentnd0Wl063+gr6j/WAiGnbYdRqsN3q8lVWtDfUQ56F+2pX++VO70uYvyYxGu8Pr D9xaWQWhUOd2xssbygJ+v89VajaBKcq6K6s9XoiTSrnNWs50W0c9XqlEp7FZIxHaqtOqFNpCvc5h Z5juT/d04bq6Y1qf2aQulEmcrk6/yazRyZWFkEULNXqjzV7mh504CztwO+w2ZwNw87PnREu8bcbw K0QvMc/1a1ibbgy/j1957DEuG3KVcwpGqJHz6u45oMpedavVreG6ctsoSuFY+di22+94aOVd/NqX jx6ZGK+I/wB7fB2dU+lbwWqVc9tvbGlxu4mXv333PVtvCIRESx7v0MjSXU/fPzXRWE9bLn+7tLSt dddOoYJbhDzbgbbnEBJfjcRxdkMIlrjXubyOL2o5iXTrzb3q/e619CdZjQfAjz//lf5B7PU01g8P jf43VM8mc1mgkvX6rLRaK3peZi5hmZ6uuZ+np3S6KqVSqXDQDidT6tIbCgpIsdnuCIYSVY7hxjq/ T6f7cVNldSBYVBIOakeGH9nZ2uRxK5UEVdUUClpMSrlEqtHaHFFVfXnM4zLotm3/VjbY5/GCY85L KRFWFJhLoAJgvWXgSaojtCUarqpkt1CERFZU7A90bAmFwW7gNUS16GfIwcVxB1fRs7F1YU93tfoS 66DSx9OnH300P89qijH91lJ7sUpvUHuNJfJCSvw6+cxyB/nMXbdWxiLuUoOOJMX3wjEI47wCjc5i cSfv4jwJrEH+DKxRc/XUE9evP/UI6WHNSOsKnpwXCbbCGoWctpbHum9qqFeekVksDNvRmTy4eUu8 oqgYq9U2a6CMZRIVVWNtrSxDWxXfVSQS090M+I9cQdi39fTGE+BKmI3tLmiuqQuGTGbs93V3pif3 zQwN1Nf4fcVFBXkYqqtAZXWTYisbA5phu3s4TA9fuUj+ASq8MrQpdxriSh9NoTNX8LBcBRRjr8mC glZ4Q6pkN+QUko0ODO3/xfYdGN9/6+BAlM+EQl58ghASyco/c6qHwy2tFazLodVotKWuWHlrYzhi pZWqJ9OBwNF7cRHB4kAwKTPojHrIFvjLlzVc5rDoDFKZFqr6kqISPH9zbx/DGowGPcsMDuxf7OuJ hg06CPkM0z/I6clHXMjyVytZPu7+6EfkrpdfXv7Myy+DRbeBf30INU6Ks6jgG/SGOLxe1Wvi4yrW NhZF7nU+tbFRH9od7e0zsw9n//SpT3m+K7eYmHBnx+RwW2uMMZusdCLR27e9urK6vCIUsZdqtF5P e/uO5OKdN97QUO92Gp9XFpVwZc/AjsZmt69QDSAqb2vtr2+sB/dgXE7YgLu3bNpUXmGm8Q1j33RW +INWm1qtlFst4WBTs98HZaDaUKBScKckH1diT7S3hoI6HdboPd7q2l5b1OspKVHIMS5UWyweX7DO 4y0pUcMUSggpJrPPl6iEfQvC+eg0xEVJzvMgUemIV76fNVGHqbcul1BvnTiB1n134E5RKht/irJx XxuSK+Jz54hL54j7VhZFSytPEEPcdwWen8rm+IFTZxOuk1Rg+ZNkdPkX5COipRPZ6s9ldSeA2wBn kN+DffkzGlQA3AGNO6PZsr/OvvFDvJR96DxW4IIXsw/hw/j5bDPhJxTZMfzVlfdXXuNWAxEpJayW x2Vkm0rEOrlFT+Cp7A9x99fw6Gep6jdPvXXZ+FnAUgh44zyveVVjqCUgpKx9zVglbOTNp1bSxN1n f5J9kJRI8/JlBZLsIyJZPtdE+D1cl30B1x0nzyx33U/uFcuVsLfa/JWLUrmiQCFXcN8W0LPZS3gJ aoVC8E+dAEuJg4Ohg8VLlCgvX16ouc1fbNz8xkm2zO902ezW+qbGBq6imAJJCwDR9ZxWV6PQVWfd mC7WTmSrC61poptiOjv6+/t6Guq8brUa4nu4Mh4MO116o+RZmY2uSgz270oPDiTiVgt3kItX1NTW 1JZX+PwG4jcH9mzd3NleW1NX09I0WhXy0xYVpAyLtSxYqdrU3MRAnQgxKRxta7+xrb4hUcWWM2yE YSAAJT7LeW8feKYD9LCiunV1i3iD621Mw/ZrPW/tK4YDO92NzVu2TqY3b61vdLpczsbGrVt2TWzd 3Njocp6B2tftiSfauxNVLq9Gq9N43YmKztbKCi/kJuKFnx89PjTidGHsKh0ZOn70wi+PHxsccNhs joHBY8d/+fc3zzY3mEtM5obm2Zu/9qW5uaYWk8ViammamxMqCK7CMyAfh1POC2wbdxyTq8a5WkZQ x7OfzHacIx7Zt22svo47wPjK6hvG8IMf6g1eX3V1V7YKvzRQXe12atVEx8ozoqUSM8N2brqxub6h vNztLlz5InmxPhS0wb6vfKjTOB3RyKqPPQTyyDgcc/4F8ujwFKlefucc+Z/UWyvvf37lx+BmnA0O XblImSFTeKH+QJiw5U4dq3iMxfnGpQotdzrmzxycRUjXtXnBcP1ZI7t4W/9gdDUnPAkJAg4bVGRo 4NYLO246i+UKKx0Kt7SVVzhcaji5CaeLxnCYtqqUhH3lZ4GyiWKT2VBUqKKkBsjQpaVu6r+yWywl Zm2xbioYOHo0++/zfb0sHG+5lBAbGNyX6e0LR6GeNOhj0cF+lPuKIXZAPh/l4tMG//jLXzGu/6Th uH4SEuXl64ucrngiGLLaC9VPX/3IYTCbXKXRUMNt7a1m0mgxez3RSMNAdaXbqVE/de2ov+YDSCS6 87pvIWvjdYCduvqBlfsQpz9/ffo7x9LbldUfcB/ON/6urGRHJIdF3Bcx8VonjJHUZntQk/Ql4GAk h/mZ1v98xEXULDqPTlKLaJRIIKvo/JUVoEeIU+gIhdBR6EOS+5AMn0f3Qv8R7p04gabgfjdch8Sn 0EngeQ54abgSQJ+FsWPr5jRD/yg/J/CJRtA26k0U5N4DfRLeGeDdCbhC8P5ZuHNz9/Hj3+Tn4Nbg vttrUTX6DPo+LsRp/A38In6R8BE1xINkiDxBvkfto35F/ZtII3pU9BXRt0Xvig+Kn5WUSB6QfFFa I+2TpqUHpF+Qfkd6UZYnm5W9llecF857LN8q7K0PcRW8sGPX/Ux4ZK3/RvR9gcZIiWsEmkASvE2g SVSM/06gKeD5lUCLUAGxOr8YKYgygZagW8mwQEuRlvylQMuQgpIKdD4yUf0CXYCC1AWBlqMDossC rUBl4tdhdUxBvEDP85JwNEYWbBZoAilwt0CTKIZTAk0BzxmBFiEj/g+BFiMTIRdoCXqfqBRoKfKQ jwu0DJnI3wt0PqqgDAJdgG6gZgVajrLUZYFWAH5uQ01oDs2j/WgBTUMeTKMMotHX4YqiMLQ4UANQ 6U3AvR0l4a0fqA40i8ahnqFRA9oNjV43epF/SsE9Bfdb+LEcZxeMakQtMFsDGgK6F/VA7zTPn4Qr A9xJ4E2hGbgvoF3QN4cmP3Z91DQ3v39heiqdob9OR8PhOD2QmqDbkxk/3TE7HqQbdu+m+deL9EJq MbVwS2oiSHd1NLYMNAx19PbQ04t0ks4sJCdSM8mFXfTc5LXjEQg9jXbwinBLT4NAs7D8IDzNguCo a3pHaiGZmZ6bpQeTs9DBiTqF9sCWcCqggdTUnt1JIBqAexzezfIKLsAcAX5LPnb2hsXx1OxEaoEO 0Nct9NcKNsLzLq5xRmD3OOuikdTCIscWCYbjHz3tR0z6cTL8/yyaw84UP0uGnzvHOc3PPQwcgzxX Hz+S29AMv9oszzX0ESv2woqTMJ7b/quc4/zcGXjOzTwHdFowzU4w4AIvwQQ/blW3RQ5x63b2L6AH IDc1vZhJLUDn9Cw9HBwM0n3JTGo2QydnJ+ihtYG9k5PT4ym+czy1kEkC81wmDXbfuWdhenFiepxb bTH4USjinHcB3HfuGiNcRU7T3ML8XE5cBDvH7dgt/D508+wZ3k/5IYOZ1C0pujuZyaQWOeY0/3oe VUIZH0J7+RaEQddKMC6sH+SpGa7kT2cy85Wh0N69e4NJQYxxkCI4PjcT+tunzUCEmuexkOJRPAW8 OUQH+TlnwOU+dunM/vnURGpxemoWAB9MZ2aAf5gPUqug5ACQA+9HA3uSv3NwW+RHZED0JA/QVdAv AnB2AHxSPGi4GeeEeTme3QIIZ4VVk6AEN5oD6yqQ96yz7V5ennH4p0H5OXjHjRnn55jnTTexbva/ VmaA0/BiigNtJg1AXgfryTlA6OLcZGZvciHFgXxxz46dqfEMnZkD3hS9G8A6C0OTUwup1AwH5z08 1vamp8fT9P65PXRyfDw1nwHYc+x/bubg3w6G3R+h6/8RBrvXpBEwgND/ArLqiBNlbmRzdHJlYW0K ZW5kb2JqCjMzMSAwIG9iago1NDQ2CmVuZG9iagozMjkgMCBvYmoKPDwgL1R5cGUgL0ZvbnQKL1N1 YnR5cGUgL0NJREZvbnRUeXBlMgovQmFzZUZvbnQgL0xpYmVyYXRpb25TYW5zCi9DSURTeXN0ZW1J bmZvIDw8IC9SZWdpc3RyeSAoQWRvYmUpIC9PcmRlcmluZyAoSWRlbnRpdHkpIC9TdXBwbGVtZW50 IDAgPj4KL0ZvbnREZXNjcmlwdG9yIDMyNyAwIFIKL0NJRFRvR0lETWFwIC9JZGVudGl0eQovVyBb MCBbMzYyIDcxNiA1NTIgMjc2IDcxNiA1NTIgMzMwIDQ5NiAyNzYgOTM2IDIyMCA1NTIgNTUyIDc3 MiA1NTIgNTUyIDgyNiAyNzYgNDk2IDQ5NiAyNzYgMzMwIDcxNiA1NTIgMjc2IDQ5NiA1NTIgMjc2 IDY2MiA2MDYgNzE2IDY2MiA0OTYgNTUyIDU1MiAyNzYgNTUyIDU1MiA3MTYgNjA2IDU1MiA4MjYg XQpdCj4+CmVuZG9iagozMzAgMCBvYmoKPDwgL0xlbmd0aCA2NTEgPj4Kc3RyZWFtCi9DSURJbml0 IC9Qcm9jU2V0IGZpbmRyZXNvdXJjZSBiZWdpbgoxMiBkaWN0IGJlZ2luCmJlZ2luY21hcAovQ0lE U3lzdGVtSW5mbyA8PCAvUmVnaXN0cnkgKEFkb2JlKSAvT3JkZXJpbmcgKFVDUykgL1N1cHBsZW1l bnQgMCA+PiBkZWYKL0NNYXBOYW1lIC9BZG9iZS1JZGVudGl0eS1VQ1MgZGVmCi9DTWFwVHlwZSAy IGRlZgoxIGJlZ2luY29kZXNwYWNlcmFuZ2UKPDAwMDA+IDxGRkZGPgplbmRjb2Rlc3BhY2VyYW5n ZQoyIGJlZ2luYmZyYW5nZQo8MDAwMD4gPDAwMDA+IDwwMDAwPgo8MDAwMT4gPDAwMjk+IFs8MDA0 RT4gPDAwNjU+IDwwMDc0PiA8MDA3Nz4gPDAwNkY+IDwwMDcyPiA8MDA2Qj4gPDAwMjA+IDwwMDU3 PiA8MDA2OT4gPDAwNkU+IDwwMDY3PiA8MDA0Nz4gPDAwNzU+IDwwMDcwPiA8MDA0RD4gPDAwMkU+ IDwwMDRBPiA8MDA3Mz4gPDAwNDk+IDwwMDJEPiA8MDA0ND4gPDAwNjE+IDwwMDY2PiA8MDA2Mz4g PDAwNjQ+IDwwMDNBPiA8MDA1Mz4gPDAwNTQ+IDwwMDQ4PiA8MDA0NT4gPDAwNzg+IDwwMDMxPiA8 MDAzND4gPDAwMkM+IDwwMDMyPiA8MDAzMD4gPDAwNTI+IDwwMDQ2PiA8MDA2Mj4gPDAwNkQ+IF0K ZW5kYmZyYW5nZQplbmRjbWFwCkNNYXBOYW1lIGN1cnJlbnRkaWN0IC9DTWFwIGRlZmluZXJlc291 cmNlIHBvcAplbmQKZW5kCmVuZHN0cmVhbQplbmRvYmoKNyAwIG9iago8PCAvVHlwZSAvRm9udAov U3VidHlwZSAvVHlwZTAKL0Jhc2VGb250IC9MaWJlcmF0aW9uU2FucwovRW5jb2RpbmcgL0lkZW50 aXR5LUgKL0Rlc2NlbmRhbnRGb250cyBbMzI5IDAgUl0KL1RvVW5pY29kZSAzMzAgMCBSPj4KZW5k b2JqCjMzMiAwIG9iago8PCAvVHlwZSAvRm9udERlc2NyaXB0b3IKL0ZvbnROYW1lIC9RVU1BQUEr RGVqYVZ1U2Fucy1Cb2xkCi9GbGFncyA0IAovRm9udEJCb3ggWy0xMDY5LjMzNTkzIC00MTUuMDM5 MDYyIDE5NzUuMDk3NjUgMTE3NC4zMTY0MCBdCi9JdGFsaWNBbmdsZSAwIAovQXNjZW50IDkyOC4y MjI2NTYgCi9EZXNjZW50IC0yMzUuODM5ODQzIAovQ2FwSGVpZ2h0IDkyOC4yMjI2NTYgCi9TdGVt ViA0My45NDUzMTI1IAovRm9udEZpbGUyIDMzMyAwIFIKPj4gZW5kb2JqCjMzMyAwIG9iago8PAov TGVuZ3RoMSAxNjExMiAKL0xlbmd0aCAzMzYgMCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0 cmVhbQp4nO0bXW8bWfXaSbvlll22C6wQiOVuYKUWzTpLy65QC4iJM0m8dexgT9LtE4w91/a09ow1 M04aHhDiBSSQ4AEQH+KNN34ASOwbvCFekBAvoH1YELwhVloJpKXlnHPvfNlONk3SDyTixr5z53x/ 3TMnLisxxs6xr7EFxprt5ctvvfq9n8LOt+F3pz/c79370PonYf0X+F0bSMftvlF7mbGSAdevDGDj /Gee/Dpcu3D9icEovnPuY+wPcP1NpDoMug77OPsgXH8Xrs+OnDtjdoa9B65/CNfCd0YyfO4nQLv0 S8Y+9zIrLX6//DpAsDNXzvwIdp9Tnwt/ZL3yM4yVz59bWDi7WC4v/o1V7v2evX2Pf+LLl4AS2+pZ LhNM3Lt39gN3P1D68ROj0ptfZqV7oBn+lFnv7g8We2d+Blo+wdj7Lzx/4YXnLzzfW2TvRAsfeeev d3/wxFP/eis8e4mVWFB6vfxm+Q20x/sBJijH//l2+Y27f0Y6JfX761/8+Ddfet9n32aafOEn4VRi Z9M9wHlidPejjD3N7nXudRZ7RCn/U178HesttFgA6w+CzRSvMjAoJxRmfj5c+ny6/8PSZb0usfOl N/W6zBZL/9brBfZ0Wej1Iqzben2Gvbf8Vb0+y95X/rlen2MXwApqfZ59dOFFvX7ymZ9e/IZeP8U+ fe07ev00O3/tT3p9gS1eews4lhbR1y8Rd1yX2LOl3+o16Fb6h14vMFG6q9eLTJQ/pddn2IfKrl6f Zc+Vv6XX59hS+Vd6fZ5dLf9Tr5984erCdb1+ig2uvaDXT7Nnr/1Gry+wc9f+zqpg6THbZyHzWJ8N WAzRc5F12SX4vMxegtcVWHUAQrAVgIlZBL8hk8xhI2bAbo35AF+BlcmG8BKsldKK6ErCpwScXXh3 AZIfgesrKVcbOO0Cr1uA4wM0yuEAzv1xXIXVLcDbYROA6AKsQ9QkYTikkQAqPryPAaYDdD2AE4Af AHeH7nHGqsF4P/T6g1hc7F4Sl1966Yro7IsVL47iUDojQ9T8bkWYw6FoIVQkWjKS4a50K3wG9RVE tZ3d0a3A74sVZ3AA4qq85exMRHfg+H0ZCSeUwvPFeNIZel3hBiPH80GyooptUjCCbYXcdny4WAFl hqASWwmG7kEoIgPLIYtjo+yQLyKwYED2vQweuQIvtiPDyAt8cbly5UqRckL3xWm6SPbFeZL0iLgK gFiHZyJLL/DBnjG4h1GQxODiq2wZXq6msQs0KoAbwGcIbpdEL6QAqQBdCThsEMfjq8vLLhDdnVSi YBJ2ZS8I+7LiS7i9lpMgCagkqGdTB+9hkEoKdAk6BmwPYDGsTydYkdI63NkHmAFhenBvTHrFlBho tZAwMJWQ6u6UJaf1yJJxUkjGg7Th8JqnuwoJB1Z5q82WBQ4RcPwXP1KpOf0CN9/fmc4e3OG0imkH o3BEtr4NewF44N1kQc22iN6IqGXJ5ZFMA7ontV594uJrrxva78pbipuKMRXvBskVkPd9wh/rBFYc AqAa6xjzdBQ4RENZmmuaMUkxHU9dgsM4VNQTCgitZFexLCn/Vewt5aJkiTyHuC59RiRXF3AcrR+n LOhChI6ISkx3Evv0YDXUmXQxlTHjgDUN5Y8hflX0I8fMJrgzpqxxgUOXsBNpXNIgpljrwN2Y7ioe /BAOhs7mLkg2ISrKJnsUAwOqSrG2zIj28holOoSFqFTSTsiGRs47uB6RP5Wvea6CRIBtHKCHkeq5 TBVEEGWVD4q2p61a9P7hWieWU9KO04iOSa4s6jKN9sgeoyNxSLKhR1Xd1xrKHEeX3pGHQZ9oiVsA 0SV6CibxX49OIlXZEg91ibdLEnta0quUnbaWzgGKAVWGzAf5WpRZYLYS+AAf62yICrBJrmQWy9eA PJ4gnR2SnFNtLsaasoY6S5xD/BnQKSi070f0mdWPo/gippMIT1ZHa1QpWOowXLTJvj5bFHe0eY9k dHUkDSlOw3RHSYo2dXM+z0ddcoI6dCJ6VDOGdMVTjVySFP3l56zRL5yrilNSQx2KHhW7CY9p+0Tv qlMiJdcaZBHmkI+OLkGRz7Q95slmaH8PCc87oJrz1Dsh1VmH6kpGN9mJ0ohM8mX69JC6zknSIuG0 R1q5hL805zxcSvWexuBwLzltl3JRpnKmPnW+dCjfg5ysE50HSZzswl1vjsUku0N29nUmj+GlTi+H KqpMMfJ+VzInO3xupgyowgv6jLSMkiLpoDhJat282u3SSeCT3/P2mmdVnrNc3ofHzdVI9+9Ca5Jk W5JJ2DkM094j1BhFimOK6Nvw3tceU+chRhVPq+qDrFQHa9XRORLr87CXWmqDWcSnyRpwhXyacGWz G9BHtuheDfYE9HEtuLMDV6uwu0p+MekO3l+ibLwBa6TYZNtES9FowTvSvgk7SFvQNV5dB/gG0EJc i71GPCyg1gbJmrBG2puwW4dPS8MhRhV2tuEa1+sMu1DFrwFYNuUO4qEsSlIb9jOuRalqxDGRbBOu WkB/Q981gXaN6KH8BvVHuG5oOZXlWkQdbYSUkWYVJKrTFe5uw+cWwLXJnibprKRtkA5rcF/pYpEE yhNKoip8bgFvhFgHuWyyAnKyNaRBfkR9VgkfuV4nKCVZU3sZ1xmViralkgPtv5NybpP+dXgJ0t+G HZt8YwL9hG4SO+tEAeXmZI1t0s8kOzSJwwrBoRXRnvU04lo5r1TJXug3lHyVOJlkkfZcTRJqee/M iw6eclgn/SyyVJ2g22BHC+Br6Y6KxxrpWtW2VjRV3KuYqOesWyUd0bNfBK6WjimTbFfUAv10g+TP tFAeMPV7NWezzPsN7d1EHps423OscoNy0SIok3zdTnNkjfJ3U0u+nUZYVgO2dXw2U8mK9k3yKIE7 Su1QtBLeRQ+uUjzVtYTt1BoKgh9CV9UuC861Lj3nxGndLp7c+a4x60bzfaeRq7X5TkBV4XWCHU3B ZbvqaUmdWdmzTr53m/eEnTwdq14+6Xqz7kPVbvVMlO96XerPVQ8YpV1JQH1gkHYme3Q3O9PHenYS FJ7zkLNDZ7+R8krOooyW6isd6haQWzTHmgefUHzmyXBM573iskfrWHcmqN9Ew+L+V6aehpP5z6wP xFwfJLrM6xzy9g/J32P9LOWRhbGfrGi6IUueyzKboAXU3G005fUs+pDaVTY9VUAb9HOSu2RrztQM D3lyqlfJjOvRT51Oe8D9OM2DeGEeNN15Pbh5EJ87DxIPeR7EjzQPKnby3ZxM2awjgTzaBHXehIU/ srmSmJkr8f/PlXJzpWzC8L85V+KFE/bRzZX4nKe1x2GuxOfOlTKNHs5ciR8yL3g4cyXO7neulP3V 6TTnSlm+FedKB52+B0+X1PO56iQet+kSZ8Xp0vzpxsOZLvFDrCtyFny8p0ycYmy2m3n4Uyb+GE+Z +NSUKXvWfZhTJv6uUybx0KZM/D6mTOKBTZk42WAHqL5K0iprm3D/4c2O+FyfP6rZEZ+ZHYlHNjvi B86OshnQg58d8fuYHR1G98HOjpLKevCJMjvx4ceY+OSnNKc58eEnmvjMPrMdb+LDcxOfw+YOpzGh iWfof4FlkwZOfPCqwtgafUELv9eG34xLv0wnLkZSio4cBnuXKuII34KriPXh/ngQCW80DsJYuqIX BiNhhnJXfwks4UHfupuob93l2XCecd+RoSOUaOlX9/iLh/7w2S/5Hfn7gWKKsxdxR8Sh48qRE94W QW+aCudbMhx5EX2HzovEQIYSePVDxwfVDdAd1AI0sFjYl4aIA+H4+2IswwgQgk4MFvPABI7ogtAc IOOBTOzU7QajMYAjQDwA6mBl6UdgvSUyydIlIOYKJ4qCrucAP+4G3clI+rETozw9bwhOuogUCUG0 g168B+ZfukSShHIcBu6kK4mM64FiXmcSS5SBFxAMcHN3OHFRkj0vHgSTGIQZeZoRcgiVKYHsJAJ4 VMcQI4lacwqQaGDkeBjIczkIRSTBDwDtgaha/SnWKByQHaOhY65MR4z2BhBYMwjoht4k9IGhJEQ3 EFFgiGjSuSW7Me6gfr1gCMGGCnUD3/VQj+gq5zaQczrBriQNVBSRAGkQ+EEMbojULnplnEWAuiei gTMc8o7UVgMxIEucgp6BD3ERilEQyrlqi3h/LHsOMKoooYp3R84+ZAugu17Pw0BzhjGEHiyAqOO6 pLkyHSaoE4Jck6ETcmTkysjr+yRGX+UqIGGEOl0gEiFGIk80zQlJcmBABnOG8wlonESOjBqI5w/3 hZcLc47qhBK/f0+wuIjQkOiXJD0kxJwMCWkvCN1ILKV5uIS8kxt8CdN2iUwGnqnrfOlIyCSkOgEf oE12Ay8VTN6JIWOEMx5DejmdocQbSnegjAueOWXgxGLgREBR+gWbYNRl0e2Kie9qgTNROQmnNDzM q1EwxKwmt6GTHDHE6gG5kgCOne5tpw+KQR76AcdQvb+gKrCCggUiymEPhdqwxFqzYYt2c82+YbYs UWuLrVZzp7ZqrYolsw3XS4a4UbM3mtu2AIiW2bBviuaaMBs3xfVaY9UQ1mtbLavd5s2WqG1u1WsW 7NUa1fr2aq2xLlYAr9G0Rb22WbOBqN0kVE2qZrWR2KbVqm7ApblSq9fsmwZfq9kNoAnCtYQptsyW Xatu182W2NpubTXbFtBYBbKNWmOtBVysTQuUAELV5tbNVm19wzYAyYZNg9stc9XaNFvXDQHEmqBy SxBIBaQEGsLaQeT2hlmvi5Wa3bZblrmJsGid9UZz0+Jrze3GqmnXmg2xYoEq5krdUrKBKtW6Wds0 xKq5aa6jOgkTBFPqZObgiLBuNayWWTdEe8uq1nABdqy1rKpNkGB7sESdxK02G23ri9uwAXAJC4Pf 2LCIBShgwr8qSUbqN0BdpGM3W3Yqyo1a2zKE2aq10SNrrSaIi/5srlEEbIM90XkNLS/6CPdmowOg EFsruGqZdSDYRjFggxdgIbqsO105jjG2dXKr0khlVNVOg6JWFQEI4XUfElft0RKOJcgsOnVUdcsO bDyODVV6qXxAdMNJpEqvuyuhAkZYSoKQB1hM9ryIMh2OwFGgzjwROUNgBliYRQQFtdIZAlqUillI KJ4chuPQA5S90IuhmAhnAruh9xV9DIf6mCINRKYBcsmKg5I/lNEYTilvVw73KwAb4llGknh+LwhH WnUyXze+mrQKsegTcTeIeRD2K4Jz6rhO3Dod9f9HnE4fxFUfJI7TB/GsDxLH7IP4bB+ki3yXKEXJ mTGnQc0aFn6SXkkkvRJ/PHolrvzwwHolrhL2RL0SP8VeiWe9kjhmr8QLfcExeiV+UK8kjt4r8Vyv lE/fQrsE5zkUidNql7hul8SJ2iVeEJeeG0+7ZeJ+IE7cMvFTbZm4bpnE8VsmPt0yieO0THxuyyTu p2Xitrmz+WoTxTY3jtUd8Uzzk3RHPOmOxEm6I57vjsSxuiM+tzsSJ+mOMFgLiZI2PvzAxkfcR+PD D298xBEaH06NT7F3ePeGJk7gv0BNA6/AR+Uk/2dwmeZ2t+F3mWZnLv1Vr0J/Xx3DXvGvhYf/D8Pl Pe+2t+xBsbpTGQ/Gy7piHus/fjL2Xw11pMdlbmRzdHJlYW0KZW5kb2JqCjMzNiAwIG9iago0MTgy CmVuZG9iagozMzQgMCBvYmoKPDwgL1R5cGUgL0ZvbnQKL1N1YnR5cGUgL0NJREZvbnRUeXBlMgov QmFzZUZvbnQgL0RlamFWdVNhbnMtQm9sZAovQ0lEU3lzdGVtSW5mbyA8PCAvUmVnaXN0cnkgKEFk b2JlKSAvT3JkZXJpbmcgKElkZW50aXR5KSAvU3VwcGxlbWVudCAwID4+Ci9Gb250RGVzY3JpcHRv ciAzMzIgMCBSCi9DSURUb0dJRE1hcCAvSWRlbnRpdHkKL1cgWzAgWzU5NSA0MTIgXQpdCj4+CmVu ZG9iagozMzUgMCBvYmoKPDwgL0xlbmd0aCAzNjggPj4Kc3RyZWFtCi9DSURJbml0IC9Qcm9jU2V0 IGZpbmRyZXNvdXJjZSBiZWdpbgoxMiBkaWN0IGJlZ2luCmJlZ2luY21hcAovQ0lEU3lzdGVtSW5m byA8PCAvUmVnaXN0cnkgKEFkb2JlKSAvT3JkZXJpbmcgKFVDUykgL1N1cHBsZW1lbnQgMCA+PiBk ZWYKL0NNYXBOYW1lIC9BZG9iZS1JZGVudGl0eS1VQ1MgZGVmCi9DTWFwVHlwZSAyIGRlZgoxIGJl Z2luY29kZXNwYWNlcmFuZ2UKPDAwMDA+IDxGRkZGPgplbmRjb2Rlc3BhY2VyYW5nZQoyIGJlZ2lu YmZyYW5nZQo8MDAwMD4gPDAwMDA+IDwwMDAwPgo8MDAwMT4gPDAwMDE+IDwyMDExPgplbmRiZnJh bmdlCmVuZGNtYXAKQ01hcE5hbWUgY3VycmVudGRpY3QgL0NNYXAgZGVmaW5lcmVzb3VyY2UgcG9w CmVuZAplbmQKZW5kc3RyZWFtCmVuZG9iagozMCAwIG9iago8PCAvVHlwZSAvRm9udAovU3VidHlw ZSAvVHlwZTAKL0Jhc2VGb250IC9EZWphVnVTYW5zLUJvbGQKL0VuY29kaW5nIC9JZGVudGl0eS1I Ci9EZXNjZW5kYW50Rm9udHMgWzMzNCAwIFJdCi9Ub1VuaWNvZGUgMzM1IDAgUj4+CmVuZG9iagoz MzcgMCBvYmoKPDwgL1R5cGUgL0ZvbnREZXNjcmlwdG9yCi9Gb250TmFtZSAvUVpNQUFBK05pbWJ1 c1NhbkwtQm9sZAovRmxhZ3MgNCAKL0ZvbnRCQm94IFstMTczIC0zMDcgMTA5NyA5NzkgXQovSXRh bGljQW5nbGUgMCAKL0FzY2VudCA5NzkgCi9EZXNjZW50IC0zMDcgCi9DYXBIZWlnaHQgOTc5IAov U3RlbVYgNjkgCi9Gb250RmlsZTIgMzM4IDAgUgo+PiBlbmRvYmoKMzM4IDAgb2JqCjw8Ci9MZW5n dGgxIDYzMjAgCi9MZW5ndGggMzQxIDAgUgovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0K eJx9WAlUVMearv/e292AuAC9iIBNC3SLyNI03Q00+yb70uyrbLIoLSoiIoIgGhdi4o55cSEeNWgc Y3yaxOjTmGTGyVNjOIbh5ZhMni8xJudMnOQdJy9P6Mv8dbuJmJOZvl33VtWt5a+/vv/7/7oECCES EkcYEtLY0tlQ8OUFrCAbCZGeaVpWU9+wPU1DiGwh1hmasGJGhkMClqux7NtkWbtelCH1xvIWLH/T 0lpX85Ju79eEyJuwvNZSs34VicaxifwLLHuvrLEsW/B+mBrLE4TARQLEixDuY9EoSkBA5SJcrBQu jRfAR6DjRoFMkvEAbLcD2xVgu3mEuGGjMIPBYJQr5HK5jJY0arVmgVjisgOUSlNeaJXWccZMUK7W 9qYsP2YSjT4NYA4F5UaoABJnewSEWSuYh3eqFgZAaSnjg+sOnBzhdFw98SGLUQqDQR+mxgHVGjH+ ZFKcQxdKp1OJxT4L6BuN0aCT08kVnBZgrlvklf3mzj9tTU7qv9pReeKFanf+oefq7Jjq+TJXhpt3 3VCucpOJ4K6LbIb5oGmwJwAg//B/7nzhs33Z2qot+Ymp2mDPkpxrE6BdpEw3ojx5k3dFP4oeEw8S jPKIOQkVRCGW0zn9OCPKYtCrGRSEldM6+hYFU6v1VCus8ugkqdJlGT0APIxZuusQC9E3QrIM88FS V8cfqRpsiQAwWQbLqwYtkZGWQdFjaGow9u8fMhe+tr8vbIRhRnS9+4/kvQmBK5sb+H9C2sAHnWuv bk9N3fF+R/v729NRQj0hoiFh15xQQjcV4OWGf46phSjrBH/W+gNE1sN9vutDCOTv0R2AQCBMKu5k x+SnXAFnJm6E0O2mwouNmJHKdXKDUcYV8A+YykLdZeAfXP9j61A0Z7Zm1hfPh5vMzQn+3ZtQVNlP cTP5KdMkqicKnN8He/vIdC6MHw6gF4s1YrXa6KJjmo7xD3btYsAjME8jmz/Ly28+c4wzgT8/ds1a wo8DzHD+mGMBnDRpTBmOGY0YU4puEX+KRaplu6rtWJCIFSpUsRFVLhWK9Kbi3K2vOPvGNOVV9qSr YMnmt9e0nb8MwILrivqlFvDM3ttRuTFLw7JfAPEINeWYktpXbshoPt0ZD5Bw5TtXVfCGrQBdFtPS qo6C2PW9r9ahJP0owdsQQFibVcDb/B3QQQA/irqPRP35oJQyEkrRgXIwijkIRqo9g4uAC4mATrQN u5w+FLUCOnBFTPC6Gwmx0dAYd7tv3fWkLtDpEm5vMhZ6Ork4iyVOMyXzSqPb9Aq5yHGW49wy0S2o Livg/zbC955sXgmVVSfg4L+BtLBp5SOIMrrnWbakxa5rzJYlJEJr8Oj+2A3Lc+cmpBCUMxWtahda lRvRCHI+Z0tUp5LfQS/T1PvxS2lpL93q7fn3l7MA0nfd3hRZnewHoE6ujjBVJ/v6Jldz9ZB36C/b Bj4fzMkZ/GzbwBd/yP0Wwir783L6KkNDq/pzs/uqwlCLfSjGzyjBbDtn6ELlChe1D6pE3wfKCdlC L3enZUNBnHn8HJM5IeLAh4ENqz5H2ZFtYBjxzU7nJRjmH4CSJtpDNDqJr0gAIew1RLMjbSdTgUyl VwF7duIE8NYv2X3Wuwy2/s7a/egR00+1Eo5a0aJMC0k4IX4Upwgub1aAmy5UNgUrvCukdFNDjWK5 QgWCjvRqg1GApJHTqj0BHn7Fx7mDlHMPTjOcgnny2Qpvk67t5HHI1r6QcXkQZsrAyJ+CdktGHmSW 1nr6KqSzfLyjApiG02eA71sU6ePS6hXo7ODk4CSRep3dt7sg1HA0IEgOV3teSImNTXFz5RwkjhKb JrkqlNrVpknKvZR3baxLlQldK97F+43zq4aiBH0eqm1nmH+1FjEP37kJJWVDdO2HkTXmoFadEbuo LTsQNFS5LqpQilYN3IVNDSfXxQH843urBTGv7Fy3rpORJm2+3PbXx/A0AJ3DjVWr17QCSpWMugwU eJvAlJGy4ul8Tck6jILeaECyDnRM6zrd2P3BnwGSt97YWP96T9YM/rFndV7rBvDymFseW1Tlzlys H1plAsj9ln+44y/7skytQ/UrKgEuncgZ0AWGAFS12LyRHR82+xSQQVkOV/kIl+rB+T+PHcaDvw1h NFEr5vx52nd4clJEfZqceFPO0ankNsYxov8ReAfF90FmFazEhyrJnhtmhja9naTSa2TQ1b1yKSyJ TTjdbm1AdWU3twK0NvMXoLW1DaCtld8D+giPtMKyoJUXMpJ2L806EBmunyRQbM4vBLP1HNRVLa3F FXXiDteiLDNQZkFkI3I6/g/Rla0BB8jlLdDJv8ecYLVI5su7eXfmPBzHnibcBX/cBZ19F3zspi4w kEKELEQZXvCbKjmHgKYL1FDo486EKjgnJqn7zdYVp9dFK5Uz52si/KFIHwCr68KLPRRzHfhHYnCw PuyKTobP+QOmAKY06zbLPC7eUaMHXc22gogK79kKmXzGchd/77AIkLnNDlr8znu1oS8XjMY3u/gs CAyHAxR7JmTNCkHXi9DvqATwTpeUsqfgTmW/cafR1OQNBxrqz/Qkx0RE7qgLazhg+MlQHOcLvnEl YcayOJUqrkw0an1szoGyY591t43m5i2ZC9n5LAe6qr7szI3lIdryTVmZmyqpimjEw/ShJILn0qup O6EuBi1JJqNeTIWeq+8M5LgGyBYlL5y5e+DVV0F5hjNZCtGrMGMMA7Bj4IVrE/1sN46mh2Gmlrk6 hUSm1nqPCWSu8v9lj63SkZvEuGJQsawKmDvQzY/89b/5EejnzBNjrP/4OaqdTtTOHwSZFgkWrpfL jVPmqVbbgyu3Z3w9pZ1OUIYebK4b7k4FiDV6ZZfXaZsO6n4KK4n3BfCNLwlrrbFp52nA6vxsKDk6 umnVqHlhfNA8yDEzrtYh0FVuyszqqdDCQF9exsZyQUMDyKli0VnBfqhrZ0QyeATKa8n8dvb7CYXo LG+F69jOiMjzwXa+dO2UQo2CfJIFFGnPuRoqv5sKO//SB4y8OtHSBczGFUsbOP4hpGw619J2YyAT 3XHnyfolHTHBTIno7MSYPgKYvVs3vwzlpTVHVkVlDNzoaH1nazosCgIalpGEyRFks8cC7oWAUfMs TENESWzRIkLeRnRh2EDQpdEmJ3dfp89+MrTt3p4MgKD619aMDG4G5tiLR96Q8KOzIAq8dz84lg/B L33yfX5rLAZz2zv3HnXkZjXsizYXA8SsO9NSvKU6QebvWV9a3dTT+dNEfNfFtuLtBxYGzvIJNPkX 1gF0rEE5txEi1gusS6hBC55MIK33YCYyhgPoeC3/lP87jwbFDYy30yQaHa/gTiCdYf8u7H/IxrK2 yJtKPz1jU69wR2fQBcqGqtR8+PXBXD7VdDh20eHGkLzlSTbfsAypKSvBqnyWY2e99kcmpyC7AFyN 5h04axlqtwu1u0hgFY3al2qXkUldp7G7hFqpUQhrQgUjVojaHYKCi/knrw9ZL1RWvPX0yM5vTtY4 8qNz3ni57MUaHejqd1fk9i5WyGc7sPerBmLWdAJY7vBfXbrEf3VrReaeTzbveYX6hq6uD7an4klA aQyk5ko6+ASO6sCdBNo5fcpAwtTTTETxOwQCBymD6gbRSjYuAVdlgIdXVnmttnlQ95OhNNYX/OKL www2EuHM//yRia8sgeIjY5si2pZXa9SxaCnl5RE2Iukp12rLe3Myeyt0qCFXPobLRuv2QImobctk QrCn1shQNrk9eDUCq3n4hP8IDoNHeqaLat784HnuEQULvQJ9fFzhJnLAfdZvvI8R+yeiAYgcx0Qi fMyeM0MVnBIqEtaewsdjvE4jliicSfaMNgXSxCmmFqxRCVRK5zW6iJ4P7oxqyqVJ8Qcr61/fmBjb 8XpjcG56qj/4xZWF5TfN4cf04fFXe5/eXgLWp2HlSWqM95IqjGGF0RSrMUWc+UxNOZQd/7x3873B PJjtFxN8MCwvWhkfF1e32KAHOHKojuv4EgxL+zIzu0tCQkq6MzEI1NvZRJSO+He0876wfZwCYX/H eh41oxONTjiwvzwN4BxskQ5cnObZL9LIW/DsNk+nwsgbIzcQlvcrHdKlTwFzynkLhIBnBplK2Avh 2ODjA1f9QhZ4SVORzL0jcoJuz+S/T+69uLrtytZUWLuhrgLiO08399yMKWLACZycpRVxRZWAvnYH kr+Ik7flavMilfC3lW92xcd2vdHScy4qZl992d7GcICCnBXvu0ckewYZAerK7tO14+lMrEKMOE95 AAoUlZsb9wgi+bHhU/yD4fP8GISD+q2TiIWnrJim8XOs88QTuvcnUHfLURu+wllDiNEkYqlM4DiV nm6r8NMYKAlgrGKP5BQCDWP4BWNQXVuJLotzlM6GNN/5wHAz1DHhCyYg0lB/deIrJKC2uBRPA4CX u3taHJNbVCFdqAx10aeHB88zuoZrzT17GgI8XZaCa8nhiAaM/3Jhq4s8pNGYj9wDQkSNtlmG+BQ8 O+LTdmwX249AOjk9W4p+z7ObGu4sO92dBC5BER5ZZTW6T5eB0vrjbz07Zz5xCaD0yH/0mNa+lukf FzgXLlmvi+d8CaGVW3LQuU+3SYq1hOlRlO3iZmHs92frBYol5pSVRgsjTPDTAOYU9jmEXvq8DZ/w axe4xeyytjEPx7/DHv0Y7JqBCBg8jq15+wzPJlDBKHPLqme58Y+5iomxZz2AouBV5FKTPeJwkdLj MdWJWC6cLyg29S6cw66X974IKOCSjLxvdm77uiB9CdqF87YtAFu2sU8mnHsuJ6RnZaUnXO5hn6DW iyf3iH5GflYSA55jhHOyjQpV3s99rsCwSmEEiWK65o02bpCIzH5RAXO9DNkhN/gP+RvXQ7MMXggE Q1boDYhe827p+cPWB4eP+i0NqTpoiYi0DFZVDloiARLvBa7feSAz7+j+fsPdu4Ytz75cgNZw6hTD nDogdZv6WIFHyO031l3ZTvWATClpt3nC56xBNAZH+fe++js/8ug7/gqcAumTp+gBh7jq8eNcFRLD rvE2ijQt6j4Q4w0nMtP21QFPezRc81MBFzjIn7P+wKSAcpBP57dCFxPMdk9s+4m/Bgk/MBbs3cB+ yNbj7CL73rnp3Oz3Pv6hua0Ivua/Na8pEo3yP/O/oFt2sj2xZzzyjgZ5J5DE2GJsjZ1bbECnNPRc pGP/dEGdIvvcCRvruVkz5spmmv7UsX00URXk5Qza8LjR/pbzfUswpmh9tbJ0Wzx6E7FY2laSZPb8 eFk7A6rovCAdZZ0SM1eblLBQlo3xx1qLoX378dorTwsbWyHjpQ/XN55DU4pKDk9QK+fWWSA6ie9k dnVG1aSp/VKqTZ0W+hGAqFCDqchHM4RYhKqf6l/FjEETP3zhIj+Mz91QcvUKlGAU64fHmGzrfes9 KOGHUQ9H0braUIOz0dbxtBRKV+lqFL54+NDAxpd19TvKLCl48V/SS6rwpFaS/vUZ62WkGCmUA/An 3WIrmkDz5lnwaynNHw9gR4F34+X0JIl7A33C3pDn9mRqM+gXUbClT9YUjS6dHfU/hAi1v/nxMYiw x9hO/GsV9mHv8XcIcdxJyORbknZhpOm/CA5v3NfEC9MOro0EMhHI2xHELLpJ9FjXwZzBd20kGuv7 8WnCulTWi/RheQf2DcC6CKzrExWRw5hPofXY5xH2H8Zyp72PiY6DSY9lOhetH8BkxH4J4jNkm8SL dGGfMjon1rviMwXLAzheHx0DZXLC8gmsj6D1+DyEfY9j/jC+K5HsIh7YTsveIg34TMCkwndH4RFp EFYqJQlkJ173yT/BE1JgAF6BH5ggJoOpZtYz95if2flsOdvM9rAfsQ+4MK6TG+LOcR+KnETzRZWi t0QjYmdxvviIeESilaRKiiRvSu46qBwaHfocDjlccPjC0eBY5NjuuNfxH05yp0SnQkHTESSWenP7 Dv72J0KJWIL+CV+7YtmWBzIPS7Y8Q2bBYnuew/pIe15M5kMBSSStZBWenteQZtJImshaPMtXkBCi x1RIzKTYXtKSALwW/257LcpIL29Si2/+v/7eJIksI21C35VYUttr1mFqEUa2YG4ljmrCN4n2eVrw aiZ1WNOIuU5s1YRjeJMaUo/XMkxTMxdhXQvWrMB8itCzGVuvwpHXTZMr8VeZvDEuCMFLi9xky+lJ Nvax4Hjtwhz5OOJKIZeJq1mGErTjqDUo1//dbvobW30mjp+AUrSQ+v8FS18NZWVuZHN0cmVhbQpl bmRvYmoKMzQxIDAgb2JqCjQ2NjMKZW5kb2JqCjMzOSAwIG9iago8PCAvVHlwZSAvRm9udAovU3Vi dHlwZSAvQ0lERm9udFR5cGUyCi9CYXNlRm9udCAvTmltYnVzU2FuTC1Cb2xkCi9DSURTeXN0ZW1J bmZvIDw8IC9SZWdpc3RyeSAoQWRvYmUpIC9PcmRlcmluZyAoSWRlbnRpdHkpIC9TdXBwbGVtZW50 IDAgPj4KL0ZvbnREZXNjcmlwdG9yIDMzNyAwIFIKL0NJRFRvR0lETWFwIC9JZGVudGl0eQovVyBb MCBbNDk2IDYwNiA2MDYgNTUyIDI3NiA3NzIgNzE2IDYwNiAzMzAgNTUyIDI3NiA1NTIgNjA2IDM4 NiAyNzYgNDk2IDU1MiA2MDYgNjYyIDU1MiAyNzYgMzMwIDcxNiA1NTIgNTUyIDYwNiAzMzAgMzMw IDU1MiA2MDYgNTUyIDU1MiA2NjIgODI2IDg4MiA3MTYgNjA2IDU1MiA2MDYgNzE2IDI3NiA1NTIg NzcyIDcxNiA2MDYgNzE2IDYwNiA2NjIgNzE2IDc3MiA5MzYgNTUyIDQ3MCA1NTIgNTUyIDcxNiAy MzYgXQpdCj4+CmVuZG9iagozNDAgMCBvYmoKPDwgL0xlbmd0aCA3NTYgPj4Kc3RyZWFtCi9DSURJ bml0IC9Qcm9jU2V0IGZpbmRyZXNvdXJjZSBiZWdpbgoxMiBkaWN0IGJlZ2luCmJlZ2luY21hcAov Q0lEU3lzdGVtSW5mbyA8PCAvUmVnaXN0cnkgKEFkb2JlKSAvT3JkZXJpbmcgKFVDUykgL1N1cHBs ZW1lbnQgMCA+PiBkZWYKL0NNYXBOYW1lIC9BZG9iZS1JZGVudGl0eS1VQ1MgZGVmCi9DTWFwVHlw ZSAyIGRlZgoxIGJlZ2luY29kZXNwYWNlcmFuZ2UKPDAwMDA+IDxGRkZGPgplbmRjb2Rlc3BhY2Vy YW5nZQoyIGJlZ2luYmZyYW5nZQo8MDAwMD4gPDAwMDA+IDwwMDAwPgo8MDAwMT4gPDAwMzg+IFs8 MDA1ND4gPDAwNjg+IDwwMDY1PiA8MDAyMD4gPDAwNEY+IDwwMDQxPiA8MDA3NT4gPDAwNzQ+IDww MDMyPiA8MDAyRT4gPDAwMzA+IDwwMDZGPiA8MDA3Mj4gPDAwNjk+IDwwMDdBPiA8MDA2MT4gPDAw NkU+IDwwMDUwPiA8MDA2Mz4gPDAwNkM+IDwwMDNBPiA8MDA0Mj4gPDAwNkI+IDwwMDczPiA8MDA2 ND4gPDAwNjY+IDwwMDJEPiA8MDA3Nj4gPDAwNjI+IDwwMDMxPiA8MDAzNT4gPDAwNTM+IDwwMDRE PiA8MDA2RD4gPDAwNDM+IDwwMDcwPiA8MDA3OT4gPDAwNjc+IDwwMDRFPiA8MDA0OT4gPDAwMzM+ IDwwMDc3PiA8MDA1Mj4gPDAwNzE+IDwwMDQ4PiA8MDA0Nj4gPDAwNDU+IDwwMDU1PiA8MDA1MT4g PDAwNTc+IDwwMDM0PiA8MDAyMj4gPDAwMzY+IDwwMDc4PiA8MDA0ND4gPDAwMjc+IF0KZW5kYmZy YW5nZQplbmRjbWFwCkNNYXBOYW1lIGN1cnJlbnRkaWN0IC9DTWFwIGRlZmluZXJlc291cmNlIHBv cAplbmQKZW5kCmVuZHN0cmVhbQplbmRvYmoKOCAwIG9iago8PCAvVHlwZSAvRm9udAovU3VidHlw ZSAvVHlwZTAKL0Jhc2VGb250IC9OaW1idXNTYW5MLUJvbGQKL0VuY29kaW5nIC9JZGVudGl0eS1I Ci9EZXNjZW5kYW50Rm9udHMgWzMzOSAwIFJdCi9Ub1VuaWNvZGUgMzQwIDAgUj4+CmVuZG9iagoz NDIgMCBvYmoKPDwgL1R5cGUgL0ZvbnREZXNjcmlwdG9yCi9Gb250TmFtZSAvUUVOQUFBK0JpdHN0 cmVhbVZlcmFTYW5zLUJvbGQKL0ZsYWdzIDQgCi9Gb250QkJveCBbLTE5OS4yMTg3NTAgLTIzNS44 Mzk4NDMgMTQxNi45OTIxOCA5MjguMjIyNjU2IF0KL0l0YWxpY0FuZ2xlIDAgCi9Bc2NlbnQgOTI4 LjIyMjY1NiAKL0Rlc2NlbnQgLTIzNS44Mzk4NDMgCi9DYXBIZWlnaHQgOTI4LjIyMjY1NiAKL1N0 ZW1WIDEyNS45NzY1NjIgCi9Gb250RmlsZTIgMzQzIDAgUgo+PiBlbmRvYmoKMzQzIDAgb2JqCjw8 Ci9MZW5ndGgxIDE1MDk2IAovTGVuZ3RoIDM0NiAwIFIKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4K c3RyZWFtCnictXoJfFTVvfA5d5aEsA5kYZU7CSFEQvYFIgEmySQZSCZhMglJyAuZzJIMzMYsCQHC IpuIKIgIIsWwSpVaytMuGH2vD22rCJYqbRUBAX22NVqer4+nkDn5/ufceyeTiNbf7/u+Ge7cc8/5 n/++nRsQRghFog1IhlBldVrmK9v/twBmHoOrttXRaTv7+bK5MP4EoQkft1lNltYsnRGhiW/AXG4b TIyRRf4envvgeVqb079qx86ETIQm8QjhdIfbbLoj+/shhCZXwfoBp2mVB1WhVnjuhWfeZXJaf1F/ 4d8QmjICrs8Rlu/lepACyRWl8ncQIoXCnavGHGeL5LjhkTKZUs5x8g0I/XQM4hci8VNo9/sQj/h7 nDKaROMDEU58C6axuMwhG3lablMcAykjEBqnUqsS1Sq1TY76fLJJfZ+SpyNGff2VV5kMO6IQUixX XGZwAEO/UYpmoiLryRjFZXL1nl5+hmK09t9S2hS30Wg0FQjFRyjjlHGxebF5uTnZSdNl8rhY1ZgI pZpPmj6Oy8uV2U6bWjBuMZ0+3WIytZzGbe/Ah+wnz7xzEeOL78g/eHjT570bN2G8aWPv55sexnH4 wkWyl+y9cPHiBbwCr7h4gUpj67+paASaaoQSlRHKJMCuGpOXq86Mi41TTU+aniCykQVs5CkaV3j9 a8mjH3z44Qe4fa3fu8LR2ua72N6BcUf7RV9bq8Mwe9IUfOn32Iptl34/eUouOV+WEL95818+27wZ J6gXUoqfgTbkoI0opg0FU5tKfRsbyVG8FLuw8V4vjpK9WYaVZfdyyB3YcQmUMwdvov5E9XcJt5H9 eBPpoth6YK0AsIlrPXgjWa+4fHcmXTsFlMbK16DJ8KBS56hAi/SbAHLGUZoxuXm5WbFxsYqxZL8y cnTMtGmpK+drMDmAbVWNS12/tlm4F4K1bvzsrtl5E+NjxuGaJc8EP5A3HzOlp+L2VUBhEkKyY4pD KIZRgC81WJZKHZ80PUeVoMpScVl4JXkC81Mbf0kuvF9Xf+aM4hD5j35EEvWgqH5UX/c+voIRnify K+sFfik2UfUxEp951CCy3rTU9NQdukWURW1D3bqxMdHJsrTY4VF19ceDffLmXzqzMzCWyak31fXf UiQBtpA3xUSDGTMBFeCW8QPeRO3N/XpVwfz5BasC8wowLpgXwPyxI0eOkY/JtaPHjh2VralZ0n24 pra25nD3khqMDh4kvaT3IHxwNI4+eBCoLQU/GqWMRtFomqiLHOpO8YKzUu5lmYIjSx4lO0HtuKiu PvDulq0Yb93yrm9p3WHvvLlz53m9c+dhPG+urIer+6b3iDk1DR8/iuVYBr+p6X1vG6sPdxvh0324 2gh66wZJlfJmKifEYUy0gJ9+8yhNiZkEYKYbt2EO48gIVey0+DS3ZgG2kQOLGxod5yw2/DJ3ytP4 yKOpj+TPnZQwLhrX1hzgku91H2lJTetoBzp1/TflOaBRNZVQMlC0EKJ5qrDoSQRx5TkLyxZW7jMY jYZ91RULNTU1S5aQSy/CB6fV1RrlBeSjjAnjl9QfPFRbj/HE8ZnkCj9KhQ8ewLE4Bn5Hq0Cr4BHc WNCqLDx3nKI800vefK8bktNHYhwo7kAcDKNwTP+YRsNL3FTsJIbgDbJHcbkPydHdmZChWP5a0n9L /iZIMxKlAQLgPkYM85ycxAGF5U0HcbKY3WAmQkVdETIRd2Rl3hycNmuxpUSL7WRfWUPDxpccLoy3 b8Px7xUV7/S3mGt8fl8Ap23bgr/GiUk6bWISXljqSt4W3HjClppmsxx941+W4snG5CQcG5eKVZNH j8S4vVOIA1FqJjOTVxn9TS+VE2ysmAC2VjI5sRqrp2Ib5LZY3EpKSYe8ue+uTHmvm8l3UxEF8k1E CbAxRh0rJjHJUNQv1RAGCpoUwJIRiqi+V0fq9Y95VrV3bVi3YR159/kXMH7+OI7Hkc/9iOzG+XOb 7Qs0Y7gs27r58yGdFZPe9PET8bMHgL7q0I+e637SNr8AoJzA53LQbgtQzxriK3FxoL04cFGaI5JU sWJI0tREc1NOthAs8jj/ckeTLSNz+rSW+XhscxPevJncdbevWrvc6/Hbc7LxtOmO+X9vbl7dGWxx OcGbbqePHz9hUnZK7PioYdMqq17814aGsWOm4TE5EyZOmZyfPj52VOQDixcfP1Nbg0ePoZo8gpD8 OmT+B+CB+hXOFfgI2TkLlEODKYLTc7vvnePUuoR4XFIaWLrc0blxw/rVeMTep+bPfxtPIp/iSfhG 4fz5xW0QUIlJ5bhsZlxse8cfVttXnAZKLyAU8TLoIhUoiSmX5t/svOwcSffwKA5jwjOz/GzRssaV v7ZaMNnP4fgEvQ28DpL/VN7QljcbBm2FtcY2X0Od7ETr7FzIyTeDtVzZyFEjJ7XnZWOj8bngh1zZ 2VwY1h5kmbspIx3nzQHvaCRaxSh5J2SrbLHyxQvaz6KJNket4sBEyjAT5cikFBorptATNHdd3LJ1 65aLgfq6RZBZfvwi6VluajE3NdQ3/rTa0OspmDf3Ib9HyKmvQxrBR7rv3T3SnZrWcqJPRb56/Ams GqPGcXkTJlWUH5cpDdV7n9VX4WrD3r3VBmqjCaQEKlgzUkneTqMyIYe5TN4EcPxZUDtsJLm0qfnA u56lD84YHyVvDkZyX9/L7dEt+nzK5PKpgGU75K0vwdIgKYRabIwyTDSWIal/AtZY0RHjJQeQCw4g O/t0lZ4K96rfG/A4Vtjb9lcvxgbj0QNHdpeWYK12XVPTsqaVKz0OHP/kLq1WlpjU3PLUNZ8fR6um 4+RcqHQ52RZbTvbXkDH+pQaKZ0zsDDxxqmoMbmr+980GmsPLwEemgKQjqKTj2D+slsnUZbix5zU8 E65G8gHpfK2HdEKM98nkQTnXd69bxvURsCb0Esok1mFFUW+WqTH7yuQlwRPLSBeXjM9zyaQreBI/ 8w4eQ27TDoFL5AyhLgGyzXd1Caof2CU882R4l6CMDp4U2wTgD7KzErGeJx6oiIUwKUGlogQgzOJo zNGwGKeWUerc9c6c7OycziNkPVeOkx59BOOSsl2V8ws0l4jt57Pz5jTJ5s9KabOlzMRkI7kTPK+4 bDb/cW/Tsllj52s2kDrs8yTPwJTyUlLL/Hw0q8tSMydyMC6sREt+r+bOitXXy2rx6vAKLfg52S/r EIqvUIiDMwcq9LGj1Lm/uUM12wgZpgRsympSDE0yOVgdkF0KnuH0fbGcPnhe3nw3eKAf3eVs4TVs +ECtUwk9HTeb9nXB39HeLvhbbg5YrzO4TdwjPy/VvdAO+eigl2sNPkPhyVXyN3JVgHbjHu4Wd12q LG7OH3yMu06uSphu3Ie6hIs7du+KhI28QPfIUE9/v2I7s2ssSqbRJaSGhATVOLFth2EWDTpq4UTB 2Cykxi5NS8U4NW3p5Zu+ufn5D/lv3sS2tcVFGO9+kvwxuJErxLk7d2Rlyfbg5Bn68gdnkDeCPpyZ YW7OTCed3IRpppbH/rx8BVZcblp20bWoQvQyxs0IFEdlEP0qMYH2AlkSPz3cejzlmX0Y73uG3CJk Pd542T2voGCeW3F53Ya/9nZtwMG78tfJMjw7x2rJzWWagf7qHOCNYZqR/AeUIzWQYCHwl+3b583F G5/rJq+Ss4eeg3Zj468qq6oqfyVb37eR/MeBZ6FOzqOnHHKZnXLG0bqsSBArcSJtSGkUQNxSLxUT LTv5PPEAeeICO9TgVrzi/Nt4ueNtPIvsJrfoEWhZ0yvsBDTpnfPYSY81GI5Bu4Ov/GIpOa2UwyHo 9voN4hkIZIGTaOQepiMxo7JMgdUFeCU0hgj74OKwi3STYvJf5B+kWHH53jl5Ab2gdXLf2027Moip JqhnrNdNDK9XVCO0axondYZioHFjabrQLW0IXNy6ZcvWi4GGpcf9c+fNm+tnMXYk+LIyip0qjh4n QdJ39HhaqizPWHvoOWMtFmKM2hfiSZEFvHPQsyFM0xycMBKYm3JfkQZ8YgE+dfkyeSq4XL4/+ITs pT4D+Su5jcdgdu7aA/3QLNB7qCNRSh2JWBMSwzuSnPCOhJ4G5efXBNpbHy0snDWz/dg3djvevYe8 98Tjux5/fNvmrq7iollp2/Z+3Nq2axcetXrTRsUJ8kbulMnQDFTOVSfEqTNtra9+3bEaT5qUg7UV iUkPPqgvmZ44VZ1ub/vX66tWjY0WIzBiTphtaFOSwNrYv2EjrsV/JU+Rk/8gJ1kve0M2FQxS3HdF lnivh+5OgoDcCXmcnp5iWLsVI4QwRCAr7LKdv6mY8gDOJBfJgTNnbNY/KaM/nzSlSN+P+rplzRjp f16/BPAcAj1xwEWikAdixE6I9WzhDUGe1Lt8IHst2D4zdWYGVu3fh48/T65sWNO1ptPtaNlhqMS4 0rCjumnZCkgdn342PFL5yPZ//Pcj22nDj9NK4xO0Re3tEPUxcSlSLeoEGYSzseCdrAHGB3F38Cqn J3qyiDbDfT/DzwZJ8Ah+j8wCfzgne0HWxk7BEdS6Cewra/vi/BeQLy9zM+lFPWgdyJag+BKqQbrY 84edCUNeESE1aSByotQpgwtwn9oysrIybLYsOGRmZOH2Zcaayp8sax5TWFHe+OnOHfhHh8g35Opz hzHu+RUusbWYuBt4QdHDmxcUFi7Y/HDRAu4i6U2Ji8FNplfTJ47HW7Z+cHvXk/jNc3g59r7/3hiV 2N9DD0OzMAg/jvkBtAH4t8SB13z6F7wG7ifJlr5vyBaugEsgL+Py4PXgr3ELOUQzYH+/cg7Lx1Oo HkKOjFkyjBX7WZaKuYJHP1+3dm1Xb/B/8NPY+PyJDnsWfOyrTp4kp8ly+Zm+lQH/x9f8PowT0jN9 1s1bTrywaavFn57J6uqo/gLZ1xBNGrSY+lt4hy+GU4RIjuaDpJzYgTc5oT6f3qcLqqa2oDkvTmzC ZQFzZdXs8sTpPRNG/aGqEnrWQHlSYufq92vrG63exqVzFsxIennauHcAKG9l+VQ19nvfMjY0kAPF 6gQ8r+DnC6bFY22J4ue3kqLHjZ+YWqwfIW+oqVsbqKxKfzBvju5Jg3H0yAe+SI6Jo0fP5JKFI4ct aajb1Kovz86anbdo1+LFeOSY4NYpiUkZxemZmtjk6TlFObR9pJ6GTwvvW6if4dOih9G10+Qr2RTw XnZWpcEXoz7NOclneEJwjzL6xt3uGxRqB/mK+1qAwmracOSoua+De/AE8hkAf3VD0XyD5lioOU0A xfqWxLBXB1TFsiHpNokSkyHh3QHLq6sH5Vodzb6fiW8NWFbl/jg427YcAVocstO3GBAfPI2PPKk/ zpOOB2AstfQaDlIBHsLWhaU11dWnmptV2vKKhv/csRMfOogjcMLh7ld7yKv2ZhPeYMnOysq2WKmj qXF0SnQcbm56LXPCROitPrz95G78xptkP9n5h/exahT3dxozhfCh8UO7eOhPvgTNK8VuCqu3y63B s2Q7lxTMUFz+4J5cfpb2JF2gubHsLWI6WiBEeXjPlyjldLG5jxADnRZy5pXjosMqAEjGveXIfwjj h/Idy/PnzMknXduLtTt3YhUevXOntnTbvspyvGcvgSbqqb368mcaMjMa6zMzMjLrGzMyuYP0NOzK f+ihfJf7ofz1M2qNG14zm7HJ/PoGY+2MB5uW7bru8Xo913cta3oQz6xPh099XUYqTk+nMfYp/Ogh Fwx6+/Epfd1AL3kz6SIn6FtADpnAbmmhN6djBJOoxgiCYDBXonzgwC97KTtnbVd2Tk521xo4SD/c fZhcIX+mWevwc3gGTjzczfXiOL/X64fy+YnPDylgAtn51nmMz78F/YHv/FtvnafvgfsLuV4xErJw AjfqWvC/riouf0NP/05ylb2xVDC+ZQnjLuG2/71swZvIu2QHDgjVSskJ3abYhbB/sj5OSdzkKAjm hNEo/CQuxSX4Ke5uUIkJ4bi73BUyFd8QqqVyZeg9qlQraLM8E/9bMEM2gTwQfIk1zNc5dbCg70uu PPhyWJ+rkHRKt7De9p5e6ISl09TAO5YovAk/hnfgTcE/kRwAPCPX350JkD+FiJcrx9LzKVaDY+VR B1KLHieTkz89o1uIF+r24+QNCzQYa+aTr+58fO3KlRvX73xx85OPrt28RekdYxmBYRmXKzqeWkrW x9ZrFizQrMfJ+xbpdAv3k6++vHXz2kef3PzizvUbV65c+/iO8Bb7luIu2D9ROMsnDH2LnRRe6mjL pLi7+8Czx+mb7GvX8MNPPbptdRfU7P9c27Vq1dWHcrKSP+fq3FCd2Zts+7vvsjfZJZBT8fqHv/xi 48ZIpQrHYw7h/l6oV9dBV5EQeqIJVNH4OPQrRnwi+Fum/14uuq87uIMDu/fvJDb2vnok0z5NJAlC bw5W2LefXNDPXTUP1u/2kL8++ih0P8WFmxDX30NK2BuxkcKbAFW08BqAvc4S3pA5HBd+Ns82PRGL LwZfvtHe8TlOS92mROQjiJCt5NkIt6IbIsQKCgur+jRScNj7D/aiOSeLveibLh6F44WiKVU3lhPj xD1Jktmll9T0y+SSzc/JbqjLzcY4O7ehPisHH3igsLjuJ8sdDseLdcWFD1xaW1qC8eQH8pc9/sQJ //IV9XsXV+dm28ybNu5Zt25d/YquPXv3nT16fP2GomJcXLR+3ckTr1z/5S/WLEpKxEePkT8ncZPW lpSWlazpLC0pKSUNpUnJuGvt7367bi2ekVyyKbhonNV8yFxfu7CzqPABPt984OArex/eZGkBRtJS Fx9pyczBhQvWrT1x9PVXThzvokevmiXdLV5/F7m992n2dx648n782Ihlo+f+D/2D1tAP2FIbCYUN 4JShSdgT4STQfQyHPrs/K3JP6C9G0qdcfgHZuLfAbwIoSgljxXW4dqPPZFHoEncX9SjOoFOy99Ak 2VfolGI9qlOcRY0w1y1/HdVxr6NTyjMAYxPGijw0VeFEdfJzaDngOBJZi15g8HloAjxvj7CgMmUG iqI4lcmwD9bkJ1Ejw9GBemQG5KZ35QR4vgr39XABT5HvoQKAPQU4GhXn0J6IOwC7BiXB8yGFAZ2S z0TnYLxekYymKo+hHjlCozgfdAcn0Wm4doh7KU/b4eqSZaFP4d7CQbyAnE7lTJSkzAKaQJfyJ+47 ptwNujjf38vd7d/Jvd7fA1qHgzv09DFwvjajg+gVdA5dghNaMq7C2/Cb+BsukyvlmrmfcK9yv5eN ljXL9squyzPlNfLn5b+Rf6KIVVQrdit+DOfXDxV/UXJKnTKgPKi8ogxGzImoi/hxxO8ieiMfjCyJ bIh8MfLtyP5ha4ZtH3Zw2E+H/S1qdlR51M+ifjMcDR81fOrwBcMbhzuHPzz8+PDfjJCNmDQid8SS EbfFvweWIxutAmF/HQz/xOJRofn8EAyG82++OOaQHOnFsQyND83Lw8YKOBUZxLESxaImcRwBVf5n 4jgSjYr0iOPhaPywbeJ45LBxyA+YsXwYPPmHPSeOMZoeNU4ccygy6iFxLEPpoXl52FiBxkcViWMl SolaKo4jUPNwLI4j0eSJ68XxcJQ++SfieOTY6VHbityeTq+9tc3PzzAn85np6Vl8SydP/9Lq91pN zhRe5zKn8hqHgzdQKB9vsPqs3narJTUEw9davSa+2uTy8YVuh8VgdVhNPiufkZqRHoKhIBRiFoX4 QTRHRt2P6MioIWTtPt7E+70mi9Vp8q7g3bZv4xkZVWX1Ou0+n93tovBtVq8V6LV6TS6/1ZLC27xW K91objN5W60pvN/Nm1ydvMfq9cEGd4vfZHfZXa1AxwyMU0h/m5W3uV3AmMlsdjs9AE4B/G2A3WE3 W10g/oz4EgoRnwzILLzJ53Ob7Sagx1vc5oDT6vKb/JQfm91h9fEzKEa2ga922/wdJq81Pplx4rV6 vG5LwGxlaCx2EM3eEvBbGQ+DNqTwdpfZEbBQTjrs/jZ3wA/MOO0iIQrvFbQJaAM+gKfipPBOK5Pa E2hx2H1tKWE0UijNNLeX91nBFABtB1ZF8YeQpswBWg9VtF9UHSPU0eZ2fnsDNYMt4HUBQSvbaHHz PncK7wu0LLea/XRG0LHD4e6gApndLoudyuHLpwY1wqKpxd1uZTIIvsRYCDmCy+0HQ/iEWWoXz4AP CGu8r80EYrVYRb0BI3YXbxokqdsFnuHlnW6v9b6C8/5Oj9VmAkKpEluD152mTkrB6bbYbXbqbCaH H9wPBoDWZLEw6QX1AXGPyQucBRwmLyNlsfrsrS7GSKuj09Pmo5uol5rMgMRHd0gc+YZSErzOIijN 5Lg/AnGPxMcANmDP5ejk7YNcHcTxWun/5mCwdOCjqqS2kULECn5nFZjvcHstPj4+FI3xlLa0wMfT 4I0XlQbWKRejpsUK8UTxBsAOVIR2tz3EmnWVH+KGN3k8EGSmFoeVLgjSA+4hhmkz+fk2kw8wWl2D tQLkBnzcwgdcFpHl+MG5JV6Q8fst64N8BtHNTEcNZeIdNItAzEiAHpN5hakVRIN4dLlDOeSHu9Yg UpC4gEmrwyawVablSyr1Rr66ssS4RGPQ8rpqvspQWasr1hbz8ZpqeI5P4ZfojGWVNUYeIAwavbGe ryzhNfp6fpFOX5zCa+uqDNrqar7SwOsqqsp1WpjT6YvKa4p1+lK+EPbpK418ua5CZwSkxkq2VUSl 01ZTZBVaQ1EZPGoKdeU6Y30KX6Iz6inOEkCq4as0BqOuqKZcY+CragxVldVawFEMaPU6fYkBqGgr tCAEICqqrKo36ErLjCmwyQiTKbzRoCnWVmgMi1Ioh5UgsoFnIKnAJeDgtbV0c3WZprycL9QZq40G raaCwlLtlOorK6iOavTFGqOuUs8XakEUTWG5VuANRCkq1+gqUvhiTYWmVFs9QISCieIMqINuKNXq tQZNeQpfXaUt0tEB6FFn0BYZGSToHjRRztgtqtRXaxfXwATASSTAIGVaRgIE0MC/IsYZE18P4lI8 xkqDMcTKEl21NoXXGHTVlIUSQyWwS+0JO6iMNaBPajy9yC+1EZ37tncAFN0tClis1ZQDwmrKxrdg mX9pV5mtHj/1bzHIhSTJEqqQRVOY5wrJANy41AXhK8yxIfg0xBerQEKWGwgxWpxTxCRM0wh4OFQl IQlb2q2QCX00pUCMuGlS6bD7WLxDOXS6xfrnMzmAGOwKQUHONDlgmy/E5uCgkgqjx2uHLR1eux9S Cm8KwKzXvlosyV6xZA2VgFIZyr/X6vNAxbK3Wx2dqQDrpXWNcWJ32dxepyg6U5/Zny/lUj/fypBb QHC3tzW1ze/35KeldXR0pLZIFFIhFaIi5EYe1Im8yI5aURs0jTyaAW13MtwzodFMR1kwagEIHhUC jB/54PLCkdKEnCgFZnXIBfCpMNIgB3x5aFolXD72ZIW7Ffa0w68FIL+Nh0e1DMIEo2r4dbGdhcCb A3ZQDA4GSfHwKANwZABn38YjYZFwzArh+H8n50gU9YMlpbDfL62d7aQjP5uxwIoT7l60AubccMz4 IfzQq4rhdDKMPvh1w7qEv42tWUX5WhklF+CjXFJcNrZqDVE0ww7KQyvMpTDe3IxLF9vvYdh8IgU3 YPXDmh2e6NUqymMWNS7h9DMuKC03oy3IbWZwToAUsEsYKLTAuwPuZtjpEq0/A8WjkhCOeGZButfC 7j7Glxn2mET5eLjoTACoWNkuuiLpxwYjB7MbxSzxOECB+iPl3486mEasjOKATuiMB37dQCXA+Bzg xsIk8DOfa4FVP1uVaHw3hRRmN2pdB+yyhHTSwfygDaADbB/VjJPNhUsk4fcO8k2B2wDTYUqYdejY yewp2doDUC0Mtw92p3yHHCkhOdMAkxeefCxKHSHcdlGrg63//VJLmhO49YQ82j/E6wYk6mD6cP4g ClI02EAGL/NWH9szQNHCfimNFHanmlgOEGaGT4AJ92Mqr5vZRbCQmdG2MI7tIqf5oQg1ijtNgNXN csSAHcLz0oAWvp0RXADvFyPCNwhWipcBrYXngfB9PJPbJFqrRdTMgL8JGrGzfabvsSnFLOQML/Mi t6jlH2pxCtPJ+LWxTEBxp35LW9+3n+qlMySDk0WhncW0lNko/34x+wkzArdUr5Yw24d7nyC5h1ER dBYALCa2T5LKwrilNnOFaaQV4KhEbeKcNyyXmpgXCT4s0RiqI98/lSk811kGeZqJ2emHczCYzlB9 3I+3FNHmDrbP/j1Z3StmICvjyzkIrzTjC3mlFDdDq4hVzHfWQZrvYFJZ2P74+9TG+JDcQ3dQeKny xg/xNCF2yofUmhYW++4wfgNiPEhWaIdV+320ZkWrmK5dYkR74CtUMhPLrtbQjnDbC3x/f8S0sWzP s7tP5NHKvOm7fUWQ7n55nK4GGNRgLd9Ps3yY9sLt+H8Tsz6xP+NFaaSokyKKdhKOUC/iFXcMxuhh nr0CfltFqwn10cX0O7QP+f+Rtb5bqhYxVvxifbQN0lYZ0jJalUgPT5RWJTwZ0RLoMA1sTQdzPPR2 BliphadimC1m9tGwFboezyJzCYwpxkpUw3AJOAzwS3HXwwzFzbNn+rQI4PWAi+7VojpGQwvYqhmk geGugNlyuGtFOLqjCGZq4JmOSxHtTgV6ethlZDFE91FeBE6NMD9AdTBXOkZR4qwCngyAv0xc1QBu HcNH+U9hmqJjfYjPEpFTDdMRxUxxFgFH5eyJztbAvQrgqpk+NUxmgVs9k6EE1gVZtIwDwRICR0Vw rwLaFKIU+DIyLiglowiZwiSk8hSz/ZTqIjYrcFYpWpmOB7CkiroU+KD6rw1Rrmbyl8OXZ/IbYcbI bKMB/BJeyXdKGYaKkB/VMPk0TA+VjEIhW6NapPosD0EawqxSxPRF7UY5L2aUNEwj1feVRMI22Dr3 8w6JQimTT8s0Vc6gq0GPWoDXhWYEf9QxWYtE3Qo4Bb8XfKI8TLtFTEZq2cVAVSv6lIbpbrAUQoRQ /gekECygEX+LwnQ2YH29aN2ikK0rmZd9WytLWCxqGZSG2bo6pIUSFr8VIuc1YR4m2bFG9M/KEGeD 9SvFkQT3Q3KHgEuiPdiCxcyfykUOq0Pa+Od4B/KXFmqcmZ1//KH8PbiSh3eSAx1qeC+aEpZzwzsD IRuXMljnELiBWSFPC/Vr4AwU3svdr4pJJ2ehxx/ohKVuRMjhwlkpvBO2sJ5d6Al9oS5FqCPuUKfS wVYH6rtwOnQyiPDzn4/RFSQLiDuG4hL6TBPrHCg13320+X2VauiJ0cNqv0Clg439YpdC5QuIsHR+ 9ZBTsnfIKeuf2UCS5Z/p38vs7RHPWHamYdpfpop4vUg6rw3ohGrAxtacQ6w+4H0UWz4a2pdSHbSG cW4RLe5m/UUqO3/5gZt8ONWmgYboNxX8YagMqWJX+H8Ah8mYPWVuZHN0cmVhbQplbmRvYmoKMzQ2 IDAgb2JqCjg1MjMKZW5kb2JqCjM0NCAwIG9iago8PCAvVHlwZSAvRm9udAovU3VidHlwZSAvQ0lE Rm9udFR5cGUyCi9CYXNlRm9udCAvQml0c3RyZWFtVmVyYVNhbnMtQm9sZAovQ0lEU3lzdGVtSW5m byA8PCAvUmVnaXN0cnkgKEFkb2JlKSAvT3JkZXJpbmcgKElkZW50aXR5KSAvU3VwcGxlbWVudCAw ID4+Ci9Gb250RGVzY3JpcHRvciAzNDIgMCBSCi9DSURUb0dJRE1hcCAvSWRlbnRpdHkKL1cgWzAg WzU5NSAzNDUgNjc3IDg0MyA3MjggNjkwIDM3NyAzNjkgNzA2IDQ3NCA0ODkgNjgyIDcxMCA3MDYg NTg4IDM0MCA4MzAgNjY5IDM0MCA2NDcgNjczIDU5MCA2OTAgMTAzNCA3MTAgNjQ3IDY5MCA5MTYg NzY4IDcwNiA3NjQgNzEwIDU3NyA4MzAgNjc4IDQxMiA2NzggNzU2IDcyNyA4MDYgODQzIDEwOTQg NzEwIDY5MCA3MTQgOTg3IDQzMiA2OTAgNjYwIDUxNyA2OTAgNjQwIDgyMyA0OTYgMzA0IDQ1MyA0 NTMgNzEwIDY5MCA2OTAgNjkwIDM5NyA2OTAgMzYyIDM3NyA3NjUgNzY5IDYzMiA3NjggNDUzIDQ1 MyA4MTQgNzE4IDM2OSAzNDAgOTkyIF0KXQo+PgplbmRvYmoKMzQ1IDAgb2JqCjw8IC9MZW5ndGgg ODg5ID4+CnN0cmVhbQovQ0lESW5pdCAvUHJvY1NldCBmaW5kcmVzb3VyY2UgYmVnaW4KMTIgZGlj dCBiZWdpbgpiZWdpbmNtYXAKL0NJRFN5c3RlbUluZm8gPDwgL1JlZ2lzdHJ5IChBZG9iZSkgL09y ZGVyaW5nIChVQ1MpIC9TdXBwbGVtZW50IDAgPj4gZGVmCi9DTWFwTmFtZSAvQWRvYmUtSWRlbnRp dHktVUNTIGRlZgovQ01hcFR5cGUgMiBkZWYKMSBiZWdpbmNvZGVzcGFjZXJhbmdlCjwwMDAwPiA8 RkZGRj4KZW5kY29kZXNwYWNlcmFuZ2UKMiBiZWdpbmJmcmFuZ2UKPDAwMDA+IDwwMDAwPiA8MDAw MD4KPDAwMDE+IDwwMDRCPiBbPDAwMjA+IDwwMDU0PiA8MDA0Rj4gPDAwNDM+IDwwMDMxPiA8MDAy RT4gPDAwNDk+IDwwMDZFPiA8MDA3ND4gPDAwNzI+IDwwMDZGPiA8MDA2ND4gPDAwNzU+IDwwMDYz PiA8MDA2OT4gPDAwNEU+IDwwMDYxPiA8MDA2Qz4gPDAwNzY+IDwwMDY1PiA8MDA3Mz4gPDAwMzI+ IDwwMDZEPiA8MDA2Nz4gPDAwNzk+IDwwMDMzPiA8MDA3Nz4gPDAwNDE+IDwwMDY4PiA8MDA1Mj4g PDAwNzE+IDwwMDdBPiA8MDA0OD4gPDAwNDY+IDwwMDJEPiA8MDA0NT4gPDAwNDI+IDwwMDUwPiA8 MDA1NT4gPDAwNTE+IDwwMDU3PiA8MDA3MD4gPDAwMzQ+IDwwMDUzPiA8MDA0RD4gPDAwNjY+IDww MDM1PiA8MDA2Qj4gPDAwMjI+IDwwMDM2PiA8MDA3OD4gPDAwNDQ+IDwwMEE3PiA8MDAyNz4gPDAw NUI+IDwwMDVEPiA8MDA2Mj4gPDAwMzk+IDwwMDM3PiA8MDAzOD4gPDAwM0E+IDwwMDMwPiA8MDAy Rj4gPDAwMkM+IDwwMDU4PiA8MDA0Qj4gPDAwNEM+IDwwMDU2PiA8MDAyOD4gPDAwMjk+IDwwMDQ3 PiA8MDA1OT4gPDAwNEE+IDwwMDZBPiA8MDA0MD4gXQplbmRiZnJhbmdlCmVuZGNtYXAKQ01hcE5h bWUgY3VycmVudGRpY3QgL0NNYXAgZGVmaW5lcmVzb3VyY2UgcG9wCmVuZAplbmQKZW5kc3RyZWFt CmVuZG9iago2IDAgb2JqCjw8IC9UeXBlIC9Gb250Ci9TdWJ0eXBlIC9UeXBlMAovQmFzZUZvbnQg L0JpdHN0cmVhbVZlcmFTYW5zLUJvbGQKL0VuY29kaW5nIC9JZGVudGl0eS1ICi9EZXNjZW5kYW50 Rm9udHMgWzM0NCAwIFJdCi9Ub1VuaWNvZGUgMzQ1IDAgUj4+CmVuZG9iagozNDcgMCBvYmoKPDwg L1R5cGUgL0ZvbnREZXNjcmlwdG9yCi9Gb250TmFtZSAvUUpOQUFBK0xpYmVyYXRpb25Nb25vCi9G bGFncyA0IAovRm9udEJCb3ggWy0yNC40MTQwNjI1IC0zMDAuMjkyOTY4IDYwOC44ODY3MTggODMy LjUxOTUzMSBdCi9JdGFsaWNBbmdsZSAwIAovQXNjZW50IDgzMi41MTk1MzEgCi9EZXNjZW50IC0z MDAuMjkyOTY4IAovQ2FwSGVpZ2h0IDgzMi41MTk1MzEgCi9TdGVtViA0MS4wMTU2MjUwIAovRm9u dEZpbGUyIDM0OCAwIFIKPj4gZW5kb2JqCjM0OCAwIG9iago8PAovTGVuZ3RoMSAxMTcyMCAKL0xl bmd0aCAzNTEgMCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp4nKV6CXgc1Zlgvarq bqnV6kN939X3fV+6j261ZNnWLUuyfMpS67BOS+3bYOyYyxcYCATDQAIM4OAAEyCEDTZXZhISmJCw mfl2svtBhp1kB5hZJiEzgK3y/lVdLcvCMMd2+blevfrfe//77/8vYQjDsBLsJozAsM7eUPRz995K GDkJbfv49P4xZ8tj90L/YwyzLkzkhkdH3mszYZhtO4wlJ2Cg7AbcB8/fgmf7xEx+X9OT3qPw/DKG IdH03Miw5gVrNbz6Kby/bWZ43zzWit2DYY4ueKZmh2dy+z/4/RfwPA9IbMAI8m10J8bDSnhneTFY wVi4E8PYGF5RwsMFZCmO83CS/DaGP9OI7buEcb9IU28Ga8Qsl3Dy9/SNuJN/Dh8HFB9+728xjKzm ZZndMIThWDOG4aM82AkTYFhMZpE5LDJLM07RdvQteoK34Yunmsm3ATKPPU8OkA9hZYCFzCazJCwy gFbiz9xND6In70ZP4tvpPnT+LnSe7rsLQ6gDvUPciM8zVEQJixJ14GH0zre/jSFcTg/gL/HeYt/A Grj8cXpAsPuzE/CINtADxEF4Z4EHhVrFXjani71SzlSSvWJ8AXvhMqU84GvJDF/cnMn6Ako1Qmpl wJfNbL44nGnxBeRKvOLE/gOL+blde+bnpvOLNx46c+cNB/O7Zqd37Z3btZjffxAOz1CLfAsoIsB0 GGYhLIQNxRDiNnVxewkICyk8vvT27T9G9P9Af1r6F3G5RFguKCV5glKhSCQW3Yd+gW6kj/KyX/yI +G8Ot8tmNWjLRXqD1eZyOeiNcLYuONvu4tm4VW2FEyUTcW67WOHMKmK3UuXzZ7KbXt2ezfp9KiXz mM1uf3VTNsM84oozh25czE/Pze/ZNZdfPLD/xG0H9+cXd83t3TU9uyt/8AbYBHvpykekmazGUgyl OXLGotyOQHq+mq9WwGVzJuACCtu409r4BXQSMjQjEhq0fm9DQyLqtCvkLyAc4Tj+XWjQI3Rmyu2N J1o2NTZ5vXIFWb3U0xVPmi3lYrUSJtX14IuXv2ezOy02tUZAqlVGg8mgDDtcWkO5BJgVCqxtzeG/ ZHC9eOUT4nNeH2bDMHkiJmdkywIIqmIqjuvKIm5WBq+L363eh56lu5Dfs8Pl93iA3hq11ebzx2LJ R7q7ifOnkY7+3emlfJfDiXgEjxTwebcLBCWCEpKXzXwTf5ilD3BeCxzxw54xGcOTGMePVJQTPhB1 jjU2a2F/GHrpBQJ+GsrsdSdjTT3pxmBAo0IvSCsMJrcnVBNLOFwqNXqe9xZ9IBaJBYMuh0ErLUcq dSDU2ja6FMJf7ExEKZNIpFJ7/XUN3UunGDk8AtxqIzswNcsvxbWcSOEFpIgiNhw1lKvYSrZZbPUN Q5t3zQ4M1TVYbQjddMM/frp3z8tKtcMdTzQ2pSqdHqVao/K4EvGqxqqkx61W4aY7JqayrRYbslla s1OTdyD1qRPoxEn69zf0dkcjCjmSKyPRnt4DN/b0RqJyhaIiGuntYSj4B6CgEnAOwAOD11UayVZL tLpIW3aAVIZiibq+THMgpNah5/nAmtJS/lOCEn6JgEcSPD1l8ntqqnpTqaSXuFcgIJHVVlXT0TFI k/iFVE1VIuZxazVmirJZbIa6WMRuBSxBGYGOdwBOOeBqKVYOdhTECEwVNFcipsT/ER267EWP06+h P/70p6dPnyZMp3/16qvMSe6GWX7QlVKwgglkYUyWRXk3fm7pMLF+qR//xe2E88Ttl//uBMOpw8Cp 2+DUbdg22CHKCafLyp24yBtmIFE0WqnEKjkSuIr0ALYqGfV0cDxMJTgIRjtVZLtEIhHbKJsjZneq 1CIRwTdaQNCrqtse7uxCHmdTQ29338flYr3R40tF3V6DsULBe7nUqI9G2tdN/WRsVKlc+rue+jqP G0h0sTJZ5QsYjCjgm8MROQ/qgMQio97jTiY8PoNJKkP9G+7b2ZJxO2VinKzJhIImg6RcUCJXWGxR WWMy7naqlVu2PUsHu9wePmUOh2qqExtJnF+i0QRC60A+GGo+x2gWUAgk2XIdBZLFE6zJScQY8YWm XK14ShkxulqfWLsD1gcRGovZ703EMz1NjX4fyO+X9InotTrtNotGXcJTqfUmg1n+JSUEPj4CWN4P ll+N2QFPZGP8WlHxixYaEXELyA/HGuICfdc/v4L+ft/QYF212YDkCq+vsWkTuvMz+h36E6TpqU7Z LTIJ3rD0Gi+r1YWjzdmB+rp6OIFTsvQU8fZ7tFcht1kCAdj92JWPyRagURTLAMn4nB4XzZ16hblb 6f1iRQIpUdE1WThfhdJIIXc6qlPrUqGA067Tih6SmS3xxPr28fzQ5voG0G8Ql+b0xoHtRzcPVVXp tLQjFIn5/AYTga8p1eodrkgU/Vt/y5pYQm9E4jK1kjLZA4FAyOZUaez21pbpnacemNrZ1Gg0eL3r 2ienDmvQr1C5xOGsbxre2tDgdMikjH4cpwdIHbkWi2G9cLJl/Y8v+28lXGpWEJhzxVMrNUYmTSWX va/1+lYOl6VjUY+TMmkKbgjhzxQcEueedCZwS5F448+3btuxHQfzpXA4Y8nG5nDUSJVLxOVmUzic rQaNdIF+rUVCEByrPag16nWaCikplCustnA0fSmJXtSaDHqjMeZya/XlYgRWUYU0d55een9PV2co qJQjrS6e7OyZmerojif0eoU8GunfAPL/BPDWTq7DBhjOXstIV0p17WFSRUu5Ms4pEk3gLCqPkpOQ 4kXakcGcquzundi2tr2y2uGqeFik17rs0UhVdTRitzPI6X3+2vqWpvqGSNREITS1883ObDaZcNrF j5So1Babxxv8E7hhlyuZbGpsyVSnnHaUaK+t9/hVarGIMiWi7eZKs1VaQfJLBSq51RyJUCalUiJW SJXwFIt03N3bg0ACzFQkmlX4jQaZlM+/L6Q3yhUiiVSmUFltyUo2ejwL0eN3MT6GpRIIJZAyTwxd fpz44Oz9aA7NnqW3MjEm4wErQSOqwB87r7UHLCGWLQh/BQWXFYXzlEeR39faMjS0bbhjfVXKZhW/ Kmto2t1fXWu1S2QIySR2a21V/3RrS8XFUqutsqqza+T41uHqWr0eNz06PdXUqNcCV72B6tqMeFMi rjfGkus7RnMdXalKgzERnxU11zUEQ2BB/d72tRNjjLzngNtjvCFMj/m+zO+iB2DcHiEtRJQyvIA8 OQZuLZ3Zun3fTdu2NzaZKWSzNjUOb73h344de7Oz674HOzpQV+f9j65tw889ffQbg0O+QCi4afDY 0SfOHz3Sv8HvQ+efpr+LxMeOInT0GP0H+g/Hj588AZRUgmX7IXizONg1G7EykiVsREzOiZCyQGJ5 caBIc3mM+OKtO0qEZSVlpUJhqbCs9J6fv/j9LQSfFJA8UiiC4ZJbXzvKKyuFd4hH8uFH5J5Ff6u3 WSm702mjrHYzHYBo8Dsarz8UBnIFPGCQFehJekBpdVg9QVMgEA76vTp827XSIQfRQIx0fADSMYTX vI0eOUvfRZ+5H5Ie1l7fBPbaCjYzuyJGsiybbWXRbHMnRKBbNpusaFUT8qIvsi2bdPImr6+ldeu2 cdqNHty9eVNTg80ilVlskVhmQ7ox4NOo6P+7rv3e937bXVVlt8uk3VpdMNyY7ryMhG0NdaGATosO TbSuCYQUSl5WrnB66ho2VEVi4IfN5aUGozeQqsLdO0MBejvIHuNoo0tPNPh9Jr24nLaKhEZDKMh4 zHmQoU6QoTqIKL5Ggr6kC0oQpVTRkjBxDtnuCIarazLZjltGRhvTIFOUuakxN3r7SPu6ypTToXnK mW2dHWpocHmkFai/93thr9tG6dRi+jfovZs1er1KLZEk4lu2HDl89vGjhzcOBAKMIQnU1jdXztTX Wm2Z5pHcEfqPx0+iUkG5UCwqRV3fZrjjhRN8h9eObcEOYHdhGK9o71Y7sqIbcF57uqLJW81C9bI3 LLpHJthCRaNZJAOfg2S4THDbKlc5VTLsdUAqYjCqjFa7zx9NVM92dEVjGh1Sq8AGxhsk5WJhGZ8P JtHvS6c3Zmuq/T6NhrESbWs7TJTJZnE6vF7KrDij8/kj3mjIo9VqlBqDkX4Zgg8IR11+u1Orl0jA Easbq1J+j06zdqizO90fDCGZlDJHw00uu9Vs1GlEZcIKqVYFHkdXoSgTGQ3xWDbbtb6xnolsKT3s ZHc6nHWVbICOkLTCaotEG1uTSZ/farOkItEwqFVwYGTHAd/JXfktSa0O0pzSW0UkH1IAo0EhLxMi kZg18k3VNV6dTms0OKzhyw+O7prPh9rWjyYCIYutQoHKSsGcV4AE7gL+7QEJbLqaey+7qNXRSCJ+ bTSywk8VAFG1Qu7zphu3NMQiHpfRoHrY6PZU16zvGDs1NpHOmi2UOZPOjZ4YbV9fmXI5dE9KtTq7 MxSt2djQ5PbIFfi5Y6NjLa02u0bjckFO19Ta1BxLmqlYZMumo0ceevzI4Y39oYDeGAjV1jc1Bf0+ cJBKsKUgm4w23QKWYjObA6zIAPD3uej/PfRriP3JZ08zscqVf2BzQB+2rqB5jB+RSR1RNmIB4WTa NbkyJ8ZFGhWVL7EqMyO2Rru690MEgm7b19sVZcOT5wvhyXmmz1xLv5WUU6ZwqDmbjDttiooKhc0R T2SbQmEzJZU9vTMYRiePIy2eQD7/MKlS6LRqVSl69JLcZbebTEp1CVkhYxirR9O7OrviCUilNJpE vK9v32JXRzgMMSIcItbdCxTpBO5OAHdzK+ym9TrRSOKaWORabn8pKlkdn10Tn0yYqfqm7SM3f3j0 G/aXRBqN11Nf27+mttrv1WiQ2RpPpJsz0Vg8GHJ7THBau72hoX9DbrG3m/HaipfLlGqrA4xwVzJp sZZL9NqQv742m6pMJWIBn5WCXGYBItV4wmDcvOkZR6U/aLZUVIjLjYZgoKHF7zMaKqQV5ZJypRyC Ikcs0rw9mwn4YBaSq9ye2vpOS9Tj1oMRRlKZwehyBWodTo1OIpOJJTKFkkk8UpWMJIGfIW8FT6pi PCmKoZVWiblQDP/5r+nOnyGRQFhSJiwVCHjgNoVlwhKkeBM8YKPaRFltJkqppMwWC2VS469zmUcO PFnFymoQ48e45QVX/RRjvMic27OufWb+BH0apf7s4P7eHr/3VYOxsnpD/+79j7w7MY4/e+7wkYFB X4CXRQ5Xd8+hG87fun1bfa3RcOmP6Jab4RzrOd8pWK7fKfG/vEhnyTh57tIAee7BB5nTfszlzmVM PiQAuJiMKYYRd9F3HXv+efSbd+k29NfojzvoOd5bl4fxcjq0dB8zjznPDli9jK0hKi1ce4S4b8mN P7g0SiBe9kF66CwdexCgXwfoOoAuZXBhIAEfJTqCP7a0+RXiIHmOrnho6QOYgHGU2gawCqYytBxb sVNW0GqFjye3IYOptn5o8wH696+gtw5t3VJfR5lf7el99F/p7voaj1MhJ/5iw/qO2lq7fYkGehlM 8WTbuq2H0o1L/4TUCqcjFgUcF0BfNhaqlGogwQKR+P7lXyh4739BFc/rLZwXzsnSiamHElNL//rK K7jwFXxu6Qwvu/QzPPnFjxj4ewB+J8BrmOqCRVZMdxJF+8oQ7c/Qi4pQpK6xpTXd1tbSUBcJ6x5H w2eIJY/VoQXJRPeABzF5vdFL688wtdJPgDy/QT4GQ2Zv9MlHyEf/GgYLb0Bm2Zoui1fh/UcsBCEp wCFsK2A1A3AstxFkhzH2H/EY/Qp94XX0ML34E+RH3jfpRfQYepluxv24mN6E/nzp06VfMfNHYP4o xOu9/36Wz17LWT7rNq55+HKtTSnD5Xx+uVipNlu1OrmitAydA9v5TWh4eUWFTmuzhgb9XgUuUyuM Brs9VOf16rTlQvQkNyvjcOFPdybiVrOkvBCzdS9952phgC9XafUGI5hSq0Enk4TDo0GnTacRl18t 0xVn9/U9uXQKZPE5yGvTZBfEaFuuyqKLXyz7KNSsk1CuPHkxqFld3xCsIpeSf60ZJtOQtAZDa9fP VEaiPj9lU/FYl/ECnP4ZznuQWsoE4WSkYWb92lBQIX9JVG4whaNrauKFgomiwm5PxLNrohGTQSzC rYfGJ9at8/oRuHy1ymaN4RKZSmMwGeiNPMLldJgMKmUpUaHQ6kxmbdzpgBhFiNyeNWvHJw6NdnQk 42BSFaHohv5b8+1doahCadRXprq7gS6nQFcawLdUYoNfke+mimWN1QXmFXGEYHVIt8rBkg1MspTe un1PT2NTLGa3q84baqs3t9XVQJilxpV2ZyAcT6WG13ckUwYTZa6t2Tgw99GBfT8Gr+qMJ1ua4gmb Xa6okNqtQJVIIuZ1G7T4K39x662bNgdDMqnNWpXq0m/2AIFs1nR6x/DREOMSIO23WcBz9eXG+/tq ay2Wx594pi3dGAOiIpXG7a2qyaararx+CMBgDUsswmjGcdCMdWxUUbS2X4qYlKsiJrUSLHLz8/QX TCkoGunuXDB4XB633aoCNro8gHo6EjVTTA77EXH+ch9x/rR2tK0lFAAvjxMEySPOMFVpRCBhmc4Q DK0Tnmbs5zjnaYRMNbSAC4rJYpBkWYhzzy8t4Ad/8jJ9Jy1Cn6IG+jXUcJI4cPm200RmaR0zO48G yQHi44IlkTNFUWhMcmYkPiAG77mHxu65h7E4SqKd+AFrLRn/Aikm04iTp93v08pTnveJdvzw0hH8 MFDmM/wy8d95P8fEAOdQ89QCgnClHCkeEcMfRiUB+ncv7b33wb0X6P8TQGWi28jHxo+1fbEG4Vew NZ+13TKFPAxWz135iEwXYzaEc+JkUzBqxHxUiafYi/nEoWBKTQXtW1k9/4q6Emjd6NiF/Ib+EFtn xNHToG7P4zgZ6u/b/caO4ZckErMlGE5n4gm7U65QyJ2gYE0N4TBlrpDiVvp/nzqF/L4dOr1RpZbK yBK10mQC5pH/RG80QtahV02Gg+j4Sfrv57s7E1GdBoxgorf/4N7OrmBYDrjEo72MPt0L+rTmq/Rp OX+6XmVE+XUmZvVh14Drq6rp6589tGlzXb2xUHzYtnnvmgZIQlwu9XljbX332tpar1eljmwczG/r 6qhMmUwvVlTYIUptiUaibo9Wp5C7HIl4pjERs9uYAnOub6Cu0WoLBfs3HNp//7O337Z5UySIJBKL LVnZad7kcTMZ5PDIkU1ACjNVWd3ZNZWpTDFZjrTCbIEcZ01jUySqN6pVHndNFYauXLpiJ3955Rjj 5wQgfTzyb/7n9u0gSWmwxreD9wIds6ykUaJ4xtR1wjV5DH/N6fKEozW1HTaDySzXaGQdrdlwBe19 FZUIZVKJRCQkCJFQKpZJRJcv7ujoSlYZTDgquZVAeE310QgZWrpR7/I4XGaqREiZnHZIb/AjwDXG m0bY/GlFbWL5Kn7pK16JVep/zecAtnSRiCnJSIXCRDk9brAEJkquQM8gZQVldsGIy2E2KiogmHW4 kpWZ5lQVwwv+D8ucjob6jQO7pjcONtTbrEt3vEF8mI0n3B6L1WA2mKw2tzeViUGKaTGbYcBm9bqT Ka/XaJBI5AqIt+N1oo3t65IJyqTRBMOZ7KWX33wTQ8vfSNMr6kkrv45eU1e6esrlylLBkF+tLr0z wWM/9ZQIKqRyaaFXQu58590LMwIBpLA8iYwZg8afeWaGx3b5JWD7CPZTHn/iAvqGXKc1GyxmU7a9 vcVkthhMECXQN/Cyly+k6+ojVbHmZgNlMhmNejW6g96l1hsNJhNlaM6CmMei9XVJIsPYktMgRSZy HdaGTTK6tsJnLSe/CdtqFVxZi79OWRt4L/8q5eOogI9vymSZqqzoh9Lq1JbKUMBilksRrjCYgUOV rWNr1gRDCvaLdjjYvn52fkNPkOBq3U8Vat07p6yQHHsi8XhzmHEM8KNM0XA6Ho96XDoNPYgUcrs1 GqnVrnN7ZFKXo7a2/3WQW4NJWmGhmjO50duOjo+1Zp2gzMMaymTUK+RkqVJtNNmdzst/9cFCnnhn vqszGlarQP+jHV3zuzs6gyGQQsAp3LGeiUHP0gPEBbDEgmIkDx7iLG6jz6A55qP+ic+/cwJonATp OQHSo8fMAEcAHGGTM82WiEGzgEQwLQbjFjnxSAaR9D8MzvbT3+yb7Xvzt5l/QYKNs4NoanB28N2l xizamSGa6Dem6QnmLxTQt6ZR3XShR09M02+gOsBLDHhFOLwKyb8MiQGnM4DbwAn+thOfnQB7coir uZmxRubvIL5UuV2V9gpWSf1ygFKsLvIYle2EBCzdvHFobGJwqDHtcDod6fTQxqnRocF02un4AYR1 Lneqak17VY3TI1co5R5XVeXalupKj1OtpAc/wh9949gt3b1Wu93a23XLzW+8dcvN3Z2UGYGt7Oy+ +Za3Hpra2dCg0yKk1Tc0TE499MDEZGOT3oiQUd/UODnxwL7PPwd9PQ0eksmwHCvi1OKp2GLGteUd WYysA2dQXTu0eX9+YKCqxmB8BYnLKFMi3tVTlbRZJeXoIvrw9uEdtfUGI9Jra6u2bbmVmLn8vR3N zB9agCcM+tpaJ4gWoD1BfxN/oZCXIDnkFcQ5VEq/CYP3Lu1kDAkqtO//ovHYNkntn5g/tln9u3IJ tPKXwD/E1IS5H8zhn1u6H2QJstQrO8hfFuzSil+GfBtj/lolT76NOuCOkW/jcuj3F/qoC+4vQbvI 3Y9C+wO0O6DdDe0maM9BewTazdCOQ3uisB4LOwZNyT0zMLug+bj7LRx8J7Qs9349tI+5/uvcfYG7 3wP4fFJo2FZoI9zep7h1xrlzMPt9xr27j3z7yiW4p7k5WAF3dBbuSbiL4X4I2mnoA/UhZ/ZjVXC1 YkewF7B/Rs3oRvSXuBmfxI/hZwkfcSNxgfSST/FivBbeI7yP+Gl+P//HAkcJr2Sq5KaST0vvLP1R 6adCgdAmrBZ2CU8KHxA+J/xfwg+FdJmp7F6RVfSU6JNySbmtvLJ8qPxn4m7xFvGfS+SSm6RmaVQ6 Jb1R+pHMI6tiuZTB7mbkgeP+6p8B9S+Pb8Uucn2ESRhdZvs4JkBbuD6B6dADXJ8EmL/h+jxMhBfX 52Ni3Mf1BdgBIsz1SzAF8WuuX4qJyRKuX4YZyG6uL8KC5Ftcvxw7zLvE9cWYj/8u7I7IUnh6mcWE 6SPMhIxcH8fEqJ3rE1gc5bg+CTA/4Po8TIN+x/X5mAEv5/oC7FO8muuXYG7iKa5fihmID7l+GVZJ qrm+CNtMznL9cowmL3F9MdbPPwgUn8Pmsf3YAvi1cWwCy2MUdg5aFAvDlYJeD5bDRuG+BhuGt37o tWGzkNMHodeETcNFrZi9yD7l4J6D+x52LgO5HmalIeLpgTl90O/EOmB0koUfhpYH6GGAzWEzcF/A pmBsDhv72v2xzNz8/oXJ8Yk8dY6KhsMpqic3Sq0ZzvupttmRINU0PU2xrxephdxibmFPbjRIrW9L Z3ua+to6O6jJRWqYyi8Mj+ZmhhemqLmxa+djgPQktoM9CLP1JCA0C9u3s/c5eD25I7cwnJ+cm6Xa 52ZhgEF1HNsNJGGOgPXkxndPD0OnCY45Au9m2QMuwBoBliRfu3rT4khudjS3QAWoL230n0Wsn4Vd XIaMAPUY7mL9uYVFBiwSDKeuv+x1Fv06HP7/OFqQnXF2lTy7dgFykl17A0D0slBd7EyGoHl2t1kW qu86O3bCjmMwnyH/VcgRdu08PBdWnoP+BMeancDABRaDUXZe8WyLjMStoOy/Iz0gcuOTi/ncAgxO zlIbgr1Bqms4n5vNU8Ozo1Tf8sTOsbHJkRw7OJJbyA8D8Fx+Avi+c/fC5OLo5Aiz22LwelLEKO8C qO/cNUy4KjmZuYX5uQK6GFCOodgelg7tLHie1VN2Sm8+tydHtQ/n87lFBniCfT2PVWMhuPayVxAm XYvBCLd/kO3NACQ2kc/PV4dCe/fuDQ5zaIwAFsGRuZnQf33ZPFioeVYWcqwUjwNsQaKD7JozoHJf u3V+/3xuNLc4OT4LAh+cyM8A/AbWSBWFkhGAgvBeX7DH2DsjbovsjDygPswKaFHoF0FwdoD45Fih YVac49ZlYKY5IZzldh2GQzCzGWEtCvLuFbzdy+IzAv9TcPg5eMfMGWHXmGdZN7pi9f8sziBOGxZz jNDmJ0CQV4j12BxI6OLcWH7v8EKOEfLF3Tt25kbyVH4OYHPUNAjrLEwdHl/I5WYYcd7NytreicmR CWr/3G5qeGQkN58HsWfAv2rl4H9dGKavc9b/oBhML2PDyQCG/T8cekgUZW5kc3RyZWFtCmVuZG9i agozNTEgMCBvYmoKNzY5MwplbmRvYmoKMzQ5IDAgb2JqCjw8IC9UeXBlIC9Gb250Ci9TdWJ0eXBl IC9DSURGb250VHlwZTIKL0Jhc2VGb250IC9MaWJlcmF0aW9uTW9ubwovQ0lEU3lzdGVtSW5mbyA8 PCAvUmVnaXN0cnkgKEFkb2JlKSAvT3JkZXJpbmcgKElkZW50aXR5KSAvU3VwcGxlbWVudCAwID4+ Ci9Gb250RGVzY3JpcHRvciAzNDcgMCBSCi9DSURUb0dJRE1hcCAvSWRlbnRpdHkKL0RXIDU5NSA+ PgplbmRvYmoKMzUwIDAgb2JqCjw8IC9MZW5ndGggODI2ID4+CnN0cmVhbQovQ0lESW5pdCAvUHJv Y1NldCBmaW5kcmVzb3VyY2UgYmVnaW4KMTIgZGljdCBiZWdpbgpiZWdpbmNtYXAKL0NJRFN5c3Rl bUluZm8gPDwgL1JlZ2lzdHJ5IChBZG9iZSkgL09yZGVyaW5nIChVQ1MpIC9TdXBwbGVtZW50IDAg Pj4gZGVmCi9DTWFwTmFtZSAvQWRvYmUtSWRlbnRpdHktVUNTIGRlZgovQ01hcFR5cGUgMiBkZWYK MSBiZWdpbmNvZGVzcGFjZXJhbmdlCjwwMDAwPiA8RkZGRj4KZW5kY29kZXNwYWNlcmFuZ2UKMiBi ZWdpbmJmcmFuZ2UKPDAwMDA+IDwwMDAwPiA8MDAwMD4KPDAwMDE+IDwwMDQyPiBbPDAwMkI+IDww MDJEPiA8MDAyMD4gPDAwN0M+IDwwMDI4PiA8MDA0MT4gPDAwMjk+IDwwMDc1PiA8MDA3ND4gPDAw Njg+IDwwMDZGPiA8MDA3Mj4gPDAwNjk+IDwwMDdBPiA8MDA2MT4gPDAwNkU+IDwwMDUyPiA8MDA2 NT4gPDAwNzE+IDwwMDczPiA8MDAzRT4gPDAwNjM+IDwwMDRGPiA8MDA3Nz4gPDAwM0M+IDwwMDQy PiA8MDA0Nz4gPDAwMjY+IDwwMDQzPiA8MDA2Qz4gPDAwNjQ+IDwwMDUzPiA8MDA3Nj4gPDAwNDQ+ IDwwMDU0PiA8MDA2Qj4gPDAwNDU+IDwwMDQ2PiA8MDA1MD4gPDAwMkY+IDwwMDQ4PiA8MDAzMT4g PDAwMkU+IDwwMDNBPiA8MDA3OD4gPDAwNkQ+IDwwMDcwPiA8MDAzOT4gPDAwNjY+IDwwMDM0PiA8 MDAzRD4gPDAwMjI+IDwwMDJBPiA8MDA2Mj4gPDAwMzY+IDwwMDVGPiA8MDA3OT4gPDAwM0Y+IDww MDU3PiA8MDA2Nz4gPDAwNUI+IDwwMDIzPiA8MDA1RD4gPDAwMzA+IDwwMDU1PiA8MDAyQz4gXQpl bmRiZnJhbmdlCmVuZGNtYXAKQ01hcE5hbWUgY3VycmVudGRpY3QgL0NNYXAgZGVmaW5lcmVzb3Vy Y2UgcG9wCmVuZAplbmQKZW5kc3RyZWFtCmVuZG9iago3MiAwIG9iago8PCAvVHlwZSAvRm9udAov U3VidHlwZSAvVHlwZTAKL0Jhc2VGb250IC9MaWJlcmF0aW9uTW9ubwovRW5jb2RpbmcgL0lkZW50 aXR5LUgKL0Rlc2NlbmRhbnRGb250cyBbMzQ5IDAgUl0KL1RvVW5pY29kZSAzNTAgMCBSPj4KZW5k b2JqCjM1MiAwIG9iago8PCAvVHlwZSAvRm9udERlc2NyaXB0b3IKL0ZvbnROYW1lIC9RT05BQUEr Qml0c3RyZWFtVmVyYVNhbnMtUm9tYW4KL0ZsYWdzIDQgCi9Gb250QkJveCBbLTE4My4xMDU0Njgg LTIzNS44Mzk4NDMgMTI4Ny4xMDkzNyA5MjguMjIyNjU2IF0KL0l0YWxpY0FuZ2xlIDAgCi9Bc2Nl bnQgOTI4LjIyMjY1NiAKL0Rlc2NlbnQgLTIzNS44Mzk4NDMgCi9DYXBIZWlnaHQgOTI4LjIyMjY1 NiAKL1N0ZW1WIDY5LjgyNDIxODcgCi9Gb250RmlsZTIgMzUzIDAgUgo+PiBlbmRvYmoKMzUzIDAg b2JqCjw8Ci9MZW5ndGgxIDE1MzQ4IAovTGVuZ3RoIDM1NiAwIFIKL0ZpbHRlciAvRmxhdGVEZWNv ZGUKPj4Kc3RyZWFtCnictXoJXFNXvvA5994ExLogIF2mzwsRqRVBQUrVugQIEgwBk7CqQMgC0Wxm EamtuFSRamutS6tSpNRx/DHWcZy2D23tvK4u2M6rjl+HOu08ZRzbN77W1+n0s0gu73/OvQkBbevv 974v8d6ce87//PftXEQYIRSJ1iIWoSJ9Wvpr1d+ZYGYrXKV19kbr0Z1/sML4rwjdf6jeYjRbiwo2 IPQAWX+kHiZGr4oshOf34XlivcO36sXs1BJ4/hIhvMTuMhmTs1MNCD2YC+tHHcZVbrQU5cPzd/DM O40OS89bp19H6F9iYe4vCHOj8XNIhjjZAu4cQkK2+Mvo0TbGGskwI+UsG8kxDLcWod+MRXwBkj7Z Np8XzUf8LUYeK8TivREO3AvTWFpmkFXYzVllB0DKCIRiohOikxKiE6wc6veyD/RfFXZHjL75rUc+ GeGBPoS4r2QXCRybEJcQrYhOkHPfBL7uDnwtu9jZd1E2heA9AVBmeSyKhwcAmZQ8SSGPkMfBMCP6 kaxHssbHj+fMXXjO3Cd2l5QeP55dWb7yHZOJORBYwrS1FRfhqppXAs3y2ECbOWM6xitXER7fAVyN gFPkMYPgilO80wUfruZWuzz2K6DrGrjCnuJWowyAjQOqyYlAVR4/Ph7+jY+LjZAnJ8JkJjxkpGc9 kkkg4N+krEnAU3r8eHaL1mCofDpHhdOn7Zr3vl63+slPK421dquptnbdgjw8PePX83+tKcR4hftj a2UFN+/IQ7Ex+OGHDUrFJH70wxrt5tbFS/C4sRPffuS+B6ZO0RVMTp40ZuJC9YaXykrwmDFEihNC KXcAOIxFExFKokKAQjKAePTYCLlCnjwJE20RvmNFLrH3+PFZFeWrz61talp7bnV5BfMo1pVs36Ez GHQ7tpfoDgWOyKM6TenTOjqEm8LNjg6cnoavn/V7vf6z3V4fWJ5B7oErXBNQvR8piGYSQAFZgDor DqySzCdPihkrKiBCoh3BNfUfG1lv/VebxVRrrrMtE/6xrw3v2tl/5an1/8ro9Jv3La4axVRV/r7W gu+/L/PIw+PjcWsrjsLjXmnH259//4XKyrLyl4gnuAd62WtAOUGyCPUDItl4ibwCLBLNZD1CeGKv abXFRb8zwed3RcVabaFOv1TYuQu/uAtHlCwq5jIPPxwfh92ejz52e3B8bErnxHHj9u/Ho3F020t4 bAyhlwZKvgleEkfoUTXGiW6qyMzInAGaZm4eNScl4zThk+NHj5aVnZTH7nlocp1pW38a+8k27Zul JcRKj4O+pgLXowg+LBkji7CcmQWYiNbAUpngNhkJmZJUEZmSIZm3/6OkVDnftWfpYtzVNa+quvlV sxWvXXMLM1hneKFm8RK9uaZq8T9WrWIyMjJW186cjbHT/tpkTWBdp3VaOsa1NR0na2rGrVmgwuPj UzuTY2PWrCGyZQFr38raqGzRRCqiRwgC0GAmkS8aN+DVwsZJE30nT15ctKi5WdYmvLst0N6SnLy3 uOg8U7MNzyXSrQDp/CDdGDRhUDrialkkIECCGEYUMBrcgvHuKiktLdm1o7QE45LSHTdaNmO8ueXG t80tLc3sX7y+M2eIk5055fe+1NoqXBf+q7UN47ZWHINjW1uDuQCo3SEXxN11LuBqjgRTgch/JdiY xhCGlCJaJFFkmJgASwJlzhD9me3o6ppdVvFEd9PatU3dT1SUBU7T4DEYaCCxbzBVP1w/ZElLxxA+ kTiyo2NaujCeRk83jSRRDrYA5CDaJ3oKFyIDhIhnC3jFpCkv6QwQr0uXbIqJH/8g+9q4EREYm61v B46BCNZ0EIHjaB4AGQ6ADGOoDMNDflhKSI4DOuzVIWEf2DYkKcw6fpxJCwt6Rjc0I1gOATGQohQh eSZXg+4hOTSG/sMKllWUdv3tas/frnYJl3r++9serqZ/N7uMXLfa2d39y8jOVwd6uXLYGU8qREZ0 0GWC6ideeKRr7pwnd5aXgNvnllX43zVZ8AnmYMC4v6i4uuqXzOpb7Yet09NXrZK8ohVYiqK5HGdg rADvOHGcSfp74Aiz/Ebg1HF5bL8N9wa+CxxmFIHPYc8ZhGSzofaMpHsSCGW4K86cZb44ezaQeFZ2 MdDKmPumMKcCM4mOAZ57BuCjRN+jKYdoOonkmnjCM6QFvEN4plCDsabwGeFRfLpvfRPGTev7hLOy tMAfcIG6eWOB+iDknEtfuFcEDhHvgwxeSaOHWG6Yo+FhjhgPUanAaeHOxniHeOLsri4mLczTAr8Z 6oamzh++B6regSuyHtkNKWaBSgwjUo5hwD94MWaTeJEym/z52g0Yb1j7+Z/XEXHW/RnPPPkmxm+e FE4J77958uSbMg1+5YBwVbj6yoEDr+AH8AMHXvnl+T8K+4X95/+Iz5/Htdj4x/NEh2NB5/WgQ4ZY CuMETNwlgVUwbwlfM0nC6qvMzPObA9WbL8pGB+5jj/RNwU3COrDVbtB9AfBLqhykKpIb6TdYYDKl qCFFmXxxC/NOv8Zz+sMMY3ISBk/fWG1b3tC43Fbx5dNPJyoW379xU2dn58qzp2bbCwsKVmoWJiTk nJt2/33Y639niU7vfvDprUD1EvB4BAmkW8uCxHjpwgVBIFJsgmjbFtJeoqg9ks+jx4oZj0QayXgx UImYLa3aYoyLta2tUIOKW/s2PfXUpr5bT23CeNNTsuI9+4SPhHMv7sN434t4Bs7Yt6f9w9NCs9D8 4WmMT3+IG3Hj6Q+BlzlCCdTcGhQNGiReAQmaxEsW8fUMZkeRuuCJHXbNww9nJAiz38NVuOq9+tNz 5uK9EyduMnDa/p2snUTdUeFbZrV8HMGCpdIZrwAlklqWxaxunq/Mnr+p/QX1wgL1i/Jxf7t8+dq1 K71X/9575fIXvVeuE9k/YDsZ0rHRvgmLIRONXZ3MxE4ImIvMFHIBpQNAySVSismQAiRCIdnsQPvu hWqM1Qt3t2/Mno/x/Gz5uOtXer+4fKX371d7r1y7dvkyGhIbM4DWDClLSjESDzpOGNJ/BQtpWLSw HTrDzl2L9PpFu3YadF1Na4VbtSWli4qLtfrXKytnlVc88fEa+Hz8REX5rC5mzimXA2OH69Rph9Pp +E/h8tNbx4ya8LuUuLjqqt8vNk1Pp5WIw2zbS9PTazvFvBPxIHD4MPAnVZ940MeMwao04w65nZus qqne8JvqKnx85kz/czr98ZmzVj4LP8fnVpQ93lhWwrY8MXsWxo2rr5Cy1V6kFcsW09ahhdwSLGEk /8+ZS3wDooP4hpzoGpOYmiO6gLCkD3KvgT18q51Yv21gHH4P/FlG/ZlVxNy4cGCdTjgs/BueT9YH e2LaEUM3LI/94ToScyXeQa1OV86chezYR3tzM/4L08RsoCsQmWbmgcBVZsMBki8HBmRHab6kHUYG L2aXhKQEkl/AekkJeMd3OPO5ZzF+9jmhW8jG+/Fvz53F584JxYJRlnarYesWnIZTtm45+Nobwjph zetvYKADeLnrFO94NJn2LsGMOThMTkhOIB5A0kGwVwdqOLeDxGCH8BaesqMgP79gh3DxLMNde/IJ PF+5Gjxkc0tf4EvmTODz3OytW3KzGasw99Esj3tmFj5YU/PblkW6mARz3QvgHpjITrJoMuSBYDea zIupICnYDCs40RtJhZAlW72+9cJAcwvGLc0Yr/d5rcv9DU8Jr74HH6zfuGqlrPZi1bRU3Nom9Ah/ gg45LbXmQv7EifiTP+A6XAf3xCSgegisTXKonGocCl3CIfbfAlcuYCGQIbtY2rcODk0sehrq6xaa o6ah+YPRTpMGKCiJnFNmiB4bF6YlUnfp+YWVD5Yi4sDMFvBTve655/Q6rNMLv9ywoACvbfrii7VN +QVrt+sXPbXp+5sbIKfpdc8X4IL8DesL1OqC9RvyC5gPoBg2b9YUajXNzYWasgmV5euO2eowrrMd W1deOUFRa372M1KwPnvWXKvA8/zzlcr5fq+YFkgWWAvZthkk4UESlJUpHTZiwrtmcKhoUrCAeRxW PonAlzVa7cJTy21jZpdX2P9j/QbQfS9moes8eEi4WlioxXM3FxcVFW9u0UJSmNA1MSYWN2/EMaWp aWCmTdevbt1C0zEpZGPGMC8sXdrRXr10aXV7x9KlYlyAlsUegrTQ0nWGPRq4n/QNzM3+uXCQFfI6 A72dErwC4EeEwSvOsJUBN1McOHqWgOZ3BrKk7iQjCEm6UrgpzuCxzO73hRuBZe/LLt6awF3um8Jd vjWBaOkG2Pg9TiHmZVKtyHn2xoULpGZxCoGczgeymWNiDJMUwUR2Bm5Czv7BAWuzga9GyCAjSVUG lyL/IJNwZmE57uwRTggnevDvBE8PnownczWBvwTewV1CPlPAjBdW4G2E/hH2K9YB2GUUhyIzJoOV 0TteR5IM3kvu7Fev4nnCO6/S++27aE5KoneMBnfJLtIMdTiYpwZ2C1aajUbRbES6WrEaZp45a62/ Ujhv46NZkJ52CP/d+HjnwoXvgnxQTrhKmjNQVkK0LDMpg6hewAXCHmw5iwv6D3Ry3vyu/L6LncCV GaAP0C5lFO1S2AyiTFLrMlm5wGAhU7h48UygSpbU38t+1J9xSGjHNe+BPAOXhFKaQUeJdS86VuRt PO1syfuFRfrX8qbbJiVh+p5h66fVNa04fdoe+UPkfQPUVuySLCRWVbGkShmYW0Y1RbtV8LGzzKf9 1SAnsCx2pzIDrMejRAAndShGwZL2iPLNQXSTtig6eC5TsM/Mnzdn7kc9vy9QLWj481l8GqM1a/D8 nMDTwnYNqc2a7cxb8Qvy1wj1uGlX+vRAi+wiXrb8T88sXcoUBb7OzdmwPjcb+GqG6OyA6Ay+IwnG HX1HQvJv0pAaPUN6R0IPz5ChuXyfpa7qYHnlY7N+9fgV+zK8fYfw5fKVjU2PN6z0HK6uysndu7rX bNm65Z/1TofswAdZDzwwX+k3T8+YcF/Kcufrn7lW4HvvTfv3vERFbk6TY94c/t6pNTW//tDjiaHn k3I4ZV0CvxbjDZPWESesYJcFNMxr/U8yrwUsXM2h/ks7DrFJoENaH2kMEXgxhmiVvEDcEKIo0BOq lblQ+Q+Cvu8J1lwSUxA3uefwLDyzl9w+EloE4QPhXQFidRz3Nbn6psjG9t2Q7CmfIO1PAB8j9lbQ EJ+Kn8RNeOoHQlO30ARx3h/J3oR9E/oRh/ouk72/HeiVTYa9caKPib1nZjQNhQTy/uVYd1nZe++U l3U/97xwTfjrtucxoPHfsC3HeLntBrulf4lwaeeuXTsxkdor3JTOApNuPwvEYAXJ/snBQiYdDW47 EszDUd99njh23FjxQIAfE48IdbY7HA36/l34/BsGMxj/8Tw2kqMBPSvc6joOsd0Pfn4NZIsEy1Gl gmK4HtyG9/UEbnRDPOxlrP3fQmY9JWlRtkyMa3LuI4rE9AjXhrnAA+z9wveBDHKQa2EaAvn9vcwf AtNB4m3gs7ul2jjkfQxxz5AXs9KxmTYPQfnJC5kDtFa00LqBRxRqtJrTtuWjZ1WW2y9vWL+55bLQ v7nl0K/wL2CBnQ0F4+Wl1RhXL30ZSgbT2KWIjWluFr4pS0vd3PL3v23ZKnX5oIUxY4gPgl/Ey94G HyRniwQ4HLEJkEXBc+mliKFXZgK9uHjhcwNOyq3HE23tdfhR4WUdnivsq2+vEy7VvVwvfIBrDMLb 2GZlNwrH2GbBiPcLxr3CsT1CLW4j1x6s3Yv3E022gk68oJMZYvYg2SJJLkVuVvDtppRmZww7dZHe np33nH4RfuFF4cvqWotNbzE5T1pMePHSXx55Y2dx0SL9C4aqao/XYq64CuUV5+WzSbyx9rnPGx/H ODZ60nvp996PFy7c9hQcCw4+NmuFd+6ccTFJr02IHkvahCcNpZD3Vgz0RkymVuPRdPQIyhva1dDU EtbF0MaAAsgH388qkkiUJqQPvr4liUj2Sdn09PTpZSXp06enl7xUBfW99eUlS8Fm+2/dLIW2H9bK oNmenlHCNrf3V7azB/sbX6quWlrd1r54KVh1O1YXPLVBvXChesN6jXotdjjffMvudNrfetPlYIxw zlm/UV1QoN64buHCph/+IR8F6yehh3Q63jrhdIid+RXODH6cJPUFQcUCkwlBK4ReOBDVf87eF2if MnXK1L7nt+Pdu4VvqmtMdZU1NcsPW83kDdFhXdEiA2knnh8TGYE3t/znt3DgjB7Ld6fH34uXLG7d t2QxKHhoVwCxjjtpW0C6AvkOiMbrwoNcrHCYViTInVzsrT8Jh7dtg33Bkzx0oQli9mMKAh9ewD34 s/OBU5Dx4rmvxBPCnPD3LFh8NwP/1vVgL/b3CDyDeoQlQsVnTJx0gMzov8msDmxkHwyeWMuhokZQ zZCMnHAUH7pxQ4DJbT/0byMwp+hZM1Y8kSaQdySZjEso/+YbeezNL7bJuW1Sr0764STynhxiJ1o+ NKrjadhDAx89Nn58Aqiae094gxnnf+aZduHl9z/88H1cvX3jeveKJ9dsEf5r89NPb8Yxy0r0F/H2 g4Em/cMpGH98Djuw4+NzEyfmfVo1fdqePcInwvk9e3DsOMTgTFKiqZahsiTRyhLNKlic2d3dHdsR J0CJCKwQ9mELQNB3MxHLqZ9P/Pm3MyQ7KH7+FQ1+LOv4X/fc1YsavFq4CXzQN3TysdBR/AI4+dG3 dNC1KTIT4Hb76zompbtbaOzuvvNrO9mcs2fPgmV6UJXsEneQeBL0nnE4E8su3brJRfYJMoa9IWwX dryBPzmIP0FDYWMyKWyPjOkTODl74w0h7aCQ9gZ2EFX34BrZJbZD+utOQhz9UlBysR2HbnTSv1fB 9fy7fGX1mMf+Sf4wN/wDneaDEQfBFphQlD6wJ8IhgHNGrRyoHaiNOBj6y1fwU8Z9hKxc70CfbBw6 wcxE73BTkIvZAnEQi05w19EKzopWMJ+gNO4aWs0qUBZ3Fa0gsLC+gi2gvyfkW1ApzB3hOmDMoTPc BXSGrMs1yCtrRGNl8Wg34LwEv83cW2gOOwEdZY9ADzkBHSBwEd1AC+YBpo3wwCxBZ5heZJZPBjxP wrUb8MSjQ3BtgWudbDTQ2Avz/QB3DN2AC8H+2VwS8AAXs2RgN8BdhsvMzBy4xGSgDzg/wG+jfDVz Gagc9rRFfIVy5ddg7hI6RngFPfTL5sFzPNomfw21wW9rxF6QNx74IjTQwHUqz2pJhgnolDwDedlM nEllBR3Avp7gBfqNQw8hHXTpr8P3BvRLFrwZX8D/l0llypjnmePMP9lx7ExWzy5nd7OfcKO4yZyZ c3Od3Efc1zJGNlHml3XJzsn+LPtK9r2clafJffLfyN+NSI7wRzwT0RFxIqI7oieiLzIuclqkOrIm 8snI1sjOyBOR349QjVgywjPi+RFHR3wa9S9RmVHFUW1Rn42cMnLPyP8z8urIb++JuGfSPY/eU3BP yz377+kdFT9q6ijlKAP1jjK0gHTuYX8lDf+Mx6ND87NCMBjFwBOW/qYqQ9XSmA2b58LGMuglzdJY DlFbKI0joMt5VRpHotGRdmk8Et07YoM0HjUiBrkBM+YgPyHfiH3SGKNJUWOkMYOioiqkMRs2z4WN ZejeKJM0lqPUqExpHIFqov4pjSPRL+73SuORaNovXpbGo8ZNilqd43I3emx19T7+IdNkPn3atAy+ tpEnf3H2eSxGRwqvdppSeaXdzusIlJfXWbwWz0qLOTUEw5daPEZeb3R6Q1NkhkxM1bkcRqfOYrcY vRZ+eur0aXdFb1TUnQiOihpG0ubljbzPYzRbHEbPct5lvR3PqKhii8dh83ptLieBr7d4LECvzmN0 +izmFN7qsVjIRlO90VNnSeF9Lt7obOTdFo8XNrhqfUab0+asAzomYJxA+uotvNXlBMaMJpPL4QZw AuCrB+x2m8niBEEfSswjEImTAZmZN3q9LpPNCPR4s8vkd1icPqOP8GO12S1e/iGCkW7g9S6rr8Ho sSROppx4LG6Py+w3WSgasw1Es9X6fRbKw5ANKbzNabL7zYSTBpuv3uX3ATMOm0SIwHtEbQJavxfg iTgpvMNCpXb7a+02b31KGI0UQjPN5eG9FjAFQNuAVUn8YaQJc4DWTRTtk1RHCTXUuxy3byBmsPo9 TiBooRvNLt7rSuG9/tplFpOPzIg6tttdDUQgk8tpthE5vLOIQQ2waKx1rbRQGURfoiyEHMHp8oEh vOIssYt70AfENd5bbwSxai2S3oARm5M3DpHU5QTP8PAOl8dyR8F5X6PbYjUCodQgW0PXHcZGQsHh MtusNuJsRrsP3A8GgNZoNlPpRfUBcbfRA5z57UYPJWW2eG11TspInb3RXe8lm4iXGk2AxEt2BDny Dqckep1ZVJrRfmcE0p4gH4PYgD2nvZG3DXF1EMdjIf+jhcKSgZeoktgmGCIW8DuLyHyDy2P28omh aEwktIMLfCIJ3kRJaWAdjRQ1tRaIJ4LXD3YgIqx02UKsWVb5IG54o9sNQWastVvIgig94B5mmHqj j683egGjxTlUK0Bu0MfNvN9pllhOHJpbEkUZf9qyXpedRDc1HTGUkbeTLAIxEwR0G03LjXUgGsSj 0xXKIXfvWkNIQeICJi12q8hWvorPK9IaeH1RnqFMqVPxaj1frCsqVeeqcvlEpR6eE1P4MrUhv6jE wAOETqk1VPBFebxSW8EvVGtzU3hVebFOpdfzRTpeXVisUatgTq3N0ZTkqrUL+GzYpy0y8Bp1odoA SA1FdKuESq3SE2SFKl1OPjwqs9UataEihc9TG7QEZx4gVfLFSp1BnVOiUer44hJdcZFeBThyAa1W rc3TARVVoQqEAEQ5RcUVOvWCfEMKbDLAZApv0ClzVYVK3cIUwmERiKzjKUgqcAk4eFUp2azPV2o0 fLbaoDfoVMpCAku0s0BbVEh0VKLNVRrURVo+WwWiKLM1KpE3ECVHo1QXpvC5ykLlApV+kAgBk8QZ VAfZsEClVemUmhReX6zKUZMB6FGtU+UYKCToHjShoezmFGn1qkUlMAFwQRJgkHwVJQECKOFfDuWM iq8FcQkeQ5HOEGKlTK1XpfBKnVpPWMjTFQG7xJ6wg8hYAvokxtNK/BIbkbnbvQOgyG5JwFyVUgMI 9YSN22Cpf6lWmSxuH/FvKcjFJEkTqphFU6jniskA3HiBE8JXnKND8GmIL1qBxCw3GGKkOKdISZik EfBwqEpiEjavtEAm9JKUAjHiIkmlweal8Q7l0OGS6p/XaAdisCsEBTnTaIdt3hCbQ4MqWBjdHhts afDYfJBSeKMfZj22x6WS7JFK1nAJCJXh/HssXjdULNtKi70xFWA9pK5RTmxOq8vjkESn6jP5ZgVz qY+vo8jNILjLU5da7/O5Z6WlNTQ0pNYGKaRCKkQ5yAVNYiPyIBuqQ/XIB8fCh5AJTYbfdGgyp6EM GNUCBI+yAcaHvHB5kAUZkQOlwKwaOQE+FUZKZIcvD218EJeXPlng1wJ7VsLdDJC34+FRKYUwwkgP dyes3g4VhAlCTAXcLpgnT4SKncIRWuRlUipc0/4fyjcKRd21hAT2p6W00Z1k5KMzZlghknjQcphz Ietd8UOuYorTQTF64e6C9SD+erpmkeSro5ScgI9wSXBZ6aolRNEEOwgPdTCXQnlzUS6ddL+bYvNK FFyA1QdrNngiV50kj0nSeBCnj3JBaLkobVFuE4VzAKSIPYiBQIu82+HXBDudkkUfQokoL4QjkVqQ 7DXTXy/lywR7jJJ8PFxkxg9ULHQXWQnqxwojO7UbwRzkcZAC8UPCvw81UI1YKMVBnZAZN9xdQMVP +Rzkxkwl8FGfq4VVH10N0vhxCinUbsS6dthlDumkgfpBPUD76T6iGQedC5coiN8zxDdFbv1Uhylh 1iFjB7Vn0NZugKqluL2wO+VH5EgJyZkGmDzw5KWRZw/htklaHWr9n5Y6qDmRW3fIo33DvG5Qogaq D8ddUQhGgxVk8FBv9dI9gxTN9E5opNBfoollAGGi+ESYcD8m8rqoXUQLmShtM+XYJnE6KxShBmmn EbC6aI4YtEN4XhrUwu0ZwQnwPikivENgg/EyqLXwPBC+j6dyGyVr1UqaGfQ3USM2us/4EzYlmMWc 4aFe5JK0fLcWJzCNlF8rzQQEd+pt2vqp/UQvjSEZHDQKbTSmg5mN8O+Tsp84I3JL9GoOs32494mS uykVUWd+wGKk+4JSmSm3xGbOMI3UARyRqF6a84TlUiP1ItGHgzSG68j7szKF5zrzEE8zUjvdPQdD 6QzXx514S5Fsbqf7bD+R1T1SBrJQvhxD8AZnvCGvDMbN8CpikfKdZYjmG6hUZro/8Q61MTEk9/Ad BD5YeROHeZoYO5phtaaWxr4rjF+/FA9BK6yEVdsdtGZBq6iunVJEu+ErVjIjza6W0I5w24t8/3TE 1NNsz9Nfr8SjhXrTj/uKKN2d8jhZ9VOooVq+k2b5MO2F2/F/E7NemkWDtXsw6oIRRToJe6gX8Ug7 hmJ0U89eDvc6yWpifXRS/Q7vQ/5/ZK0fl6pWihWfVB+tQ7SVj1SUVhHSwhOhVQRPBlQGHaaOrqlh jofeTgcrpfCUC7O51D5KukLWE2lklsGYYCxCJRSXiEMHd4K7AmYIbp4+k6eFAK8FXGSvCpVTGirA pqeQOoq7EGY18KuS4MiOHJgpgWcyXoBIdyrS08IuA40hso/wInJqgPlBqkO5UlOKQc4K4UkH+POl VSXgVlN8hP8Uqiky1ob4zJM4VVIdEcwEZw5wpKFPZLYEfosBTk/1qaQyi9xqqQx5sC7KoqIciJYQ OcqB32KgTSAWAF8GygWhZJAgU6iERJ5cup9QXUhnRc6KJCuT8SCWVEmXIh9E/6Uhynoqvwa+PJXf ADMGahsl4A/iDfrOAoqhMORHJVQ+JdVDEaWQTdeIFok+NSFIXZhVcqi+iN0I57mUkpJqRH9HSYLY hlrnTt4RpLCAyqeimtJQaD3oUQXw6tCM6I9qKmuOpFsRp+j3ok9owrSbQ2Ukll0EVFWSTymp7oZK IUYI4X9QCtECSumeE6azQetrJevmhGxdRL3sdq2U0VhUUSgltbU+pIU8Gr+FEuclYR4WtGOJ5J9F Ic6G6jcYR0G4u8kdIq4g7aEWzKX+pJE41Ie08fN4B/OXCmqciZ5/fKH8PbSSh3eSgx1qeC+aEpZz wzsDMRsvoLCOYXCDs2KeFuvX4BkovJe7UxULnpzFHn+wEw52I2IOF89K4Z2wmfbsYk/oDXUpYh1x hTqVBro6WN/F06GDQoSf/7yUriiZX9oxHJfYZxpp50Coee+gzZ+qVMNPjG5a+0UqDXTsk7oUIp9f giXzjw87JXuGnbJ+zgZBWX5O/x5qb7d0xrJRDZP+MlXC60HB89qgTogGrHTNMczqg95HsM1Cw/tS ooO6MM7NksVdtL9IpecvH3AzC061aaAh8k0FfxguQ6rUFf4PSWBhqGVuZHN0cmVhbQplbmRvYmoK MzU2IDAgb2JqCjg1NzcKZW5kb2JqCjM1NCAwIG9iago8PCAvVHlwZSAvRm9udAovU3VidHlwZSAv Q0lERm9udFR5cGUyCi9CYXNlRm9udCAvQml0c3RyZWFtVmVyYVNhbnMtUm9tYW4KL0NJRFN5c3Rl bUluZm8gPDwgL1JlZ2lzdHJ5IChBZG9iZSkgL09yZGVyaW5nIChJZGVudGl0eSkgL1N1cHBsZW1l bnQgMCA+PgovRm9udERlc2NyaXB0b3IgMzUyIDAgUgovQ0lEVG9HSURNYXAgL0lkZW50aXR5Ci9X IFswIFs1OTUgNjA2IDYyOSAyNzYgNTE3IDMxNSA2MzAgNjEwIDU0NSAzNDkgNjA4IDM4OSA2MDcg NjI5IDYzMCA0MDggNjMwIDgxMSA2MjkgNTc0IDc0NiA1OTggNjMwIDc4MSA2NzkgNjMxIDMxNSA2 MzEgNTg3IDM4NyA0NTYgMzg3IDYzMCA5NjYgNTg3IDMxNSAyNzYgMjkzIDM1OCA3NjQgNjgxIDY5 MyA2MzEgNjMxIDYzMSA2MjcgNTcxIDc0MiAzMzQgMzM0IDU4NyA1MTQgNTE0IDI5MyA2MzEgNjMx IDI3NiAyNzMgNTUzIDY4OSA2MzAgNTIxIDMzNCA5ODEgODU2IDcyNiA3ODEgNjA2IDY1MSA2MzEg ODMxIDYzMSA5NDMgNjMxIDMzNCA0OTYgNjc5IDY4MCAzODcgMzg3IDc2OSAzOTggNzgxIDYyOSA4 MzEgODMxIDgzMSBdCl0KPj4KZW5kb2JqCjM1NSAwIG9iago8PCAvTGVuZ3RoIDk2NiA+PgpzdHJl YW0KL0NJREluaXQgL1Byb2NTZXQgZmluZHJlc291cmNlIGJlZ2luCjEyIGRpY3QgYmVnaW4KYmVn aW5jbWFwCi9DSURTeXN0ZW1JbmZvIDw8IC9SZWdpc3RyeSAoQWRvYmUpIC9PcmRlcmluZyAoVUNT KSAvU3VwcGxlbWVudCAwID4+IGRlZgovQ01hcE5hbWUgL0Fkb2JlLUlkZW50aXR5LVVDUyBkZWYK L0NNYXBUeXBlIDIgZGVmCjEgYmVnaW5jb2Rlc3BhY2VyYW5nZQo8MDAwMD4gPEZGRkY+CmVuZGNv ZGVzcGFjZXJhbmdlCjIgYmVnaW5iZnJhbmdlCjwwMDAwPiA8MDAwMD4gPDAwMDA+CjwwMDAxPiA8 MDA1Nj4gWzwwMDU0PiA8MDA2OD4gPDAwNjk+IDwwMDczPiA8MDAyMD4gPDAwNzA+IDwwMDY1PiA8 MDA2Mz4gPDAwNjY+IDwwMDYxPiA8MDA3ND4gPDAwNkY+IDwwMDZFPiA8MDA2ND4gPDAwNzI+IDww MDYyPiA8MDA3Nz4gPDAwNzU+IDwwMDZCPiA8MDA0OD4gPDAwNTA+IDwwMDcxPiA8MDA0Rj4gPDAw NDE+IDwwMDMyPiA8MDAyRT4gPDAwMzA+IDwwMDc5PiA8MDAyOD4gPDAwMjI+IDwwMDI5PiA8MDA2 Nz4gPDAwNkQ+IDwwMDc2PiA8MDAyQz4gPDAwNkM+IDwwMDQ5PiA8MDAyRD4gPDAwNDQ+IDwwMDQy PiA8MDA0Mz4gPDAwMzc+IDwwMDM4PiA8MDAzOT4gPDAwNDU+IDwwMDQ2PiA8MDA0RT4gPDAwM0E+ IDwwMDJGPiA8MDA3OD4gPDIwMUM+IDwyMDFEPiA8MDA0QT4gPDAwMzE+IDwwMDM0PiA8MDA2QT4g PDAwMjc+IDwwMDRDPiA8MDA1Mj4gPDAwNTM+IDwwMDdBPiA8MDAzQj4gPDAwNTc+IDwwMDREPiA8 MDA1NT4gPDAwNTE+IDwwMDU5PiA8MDA0Qj4gPDAwMzY+IDwwMDIzPiA8MDAzMz4gPDAwMjU+IDww MDM1PiA8MDA1Qz4gPDAwNUY+IDwwMDU2PiA8MDA1OD4gPDAwNUI+IDwwMDVEPiA8MDA0Nz4gPDAw MjE+IDwwMEQzPiA8MDBGQz4gPDAwM0M+IDwwMDNFPiA8MDAzRD4gXQplbmRiZnJhbmdlCmVuZGNt YXAKQ01hcE5hbWUgY3VycmVudGRpY3QgL0NNYXAgZGVmaW5lcmVzb3VyY2UgcG9wCmVuZAplbmQK ZW5kc3RyZWFtCmVuZG9iago5IDAgb2JqCjw8IC9UeXBlIC9Gb250Ci9TdWJ0eXBlIC9UeXBlMAov QmFzZUZvbnQgL0JpdHN0cmVhbVZlcmFTYW5zLVJvbWFuCi9FbmNvZGluZyAvSWRlbnRpdHktSAov RGVzY2VuZGFudEZvbnRzIFszNTQgMCBSXQovVG9Vbmljb2RlIDM1NSAwIFI+PgplbmRvYmoKMiAw IG9iago8PAovVHlwZSAvUGFnZXMKL0tpZHMgClsKNSAwIFIKMjkgMCBSCjcxIDAgUgo4OSAwIFIK MTAyIDAgUgoxMTYgMCBSCjEyNiAwIFIKMTQzIDAgUgoxNTMgMCBSCjE4NSAwIFIKMjYxIDAgUgoy NjkgMCBSCjI4MSAwIFIKXQovQ291bnQgMTMKL1Byb2NTZXQgWy9QREYgL1RleHQgL0ltYWdlQiAv SW1hZ2VDXQo+PgplbmRvYmoKeHJlZgowIDM1NwowMDAwMDAwMDAwIDY1NTM1IGYgCjAwMDAwMDAw MDkgMDAwMDAgbiAKMDAwMDE2MjI3NiAwMDAwMCBuIAowMDAwMDAwMjM1IDAwMDAwIG4gCjAwMDAw MDAzMzAgMDAwMDAgbiAKMDAwMDAwMjc3MiAwMDAwMCBuIAowMDAwMTQyMTA5IDAwMDAwIG4gCjAw MDAxMTk4NDcgMDAwMDAgbiAKMDAwMDEzMTU4MyAwMDAwMCBuIAowMDAwMTYyMTI1IDAwMDAwIG4g CjAwMDAwMDAzNjcgMDAwMDAgbiAKMDAwMDAwMDQxOSAwMDAwMCBuIAowMDAwMDAwNDcxIDAwMDAw IG4gCjAwMDAwMDA1MjMgMDAwMDAgbiAKMDAwMDAwMDU3NSAwMDAwMCBuIAowMDAwMDAwNjI3IDAw MDAwIG4gCjAwMDAwMDA2NzkgMDAwMDAgbiAKMDAwMDAwMDkwNiAwMDAwMCBuIAowMDAwMDAxMTM3 IDAwMDAwIG4gCjAwMDAwMDEzNjggMDAwMDAgbiAKMDAwMDAwMTU5OSAwMDAwMCBuIAowMDAwMDAx ODMwIDAwMDAwIG4gCjAwMDAwMDIwNjEgMDAwMDAgbiAKMDAwMDAwMjI5OSAwMDAwMCBuIAowMDAw MDAyNTM1IDAwMDAwIG4gCjAwMDAwMDMxNzIgMDAwMDAgbiAKMDAwMDAwNjkxOSAwMDAwMCBuIAow MDAwMDAyODkzIDAwMDAwIG4gCjAwMDAwMDMwODkgMDAwMDAgbiAKMDAwMDAxNDM3MSAwMDAwMCBu IAowMDAwMTI1MTk4IDAwMDAwIG4gCjAwMDAwMDY5NDAgMDAwMDAgbiAKMDAwMDAwNjk5MiAwMDAw MCBuIAowMDAwMDA3MDQ0IDAwMDAwIG4gCjAwMDAwMDcwOTYgMDAwMDAgbiAKMDAwMDAwNzE0OCAw MDAwMCBuIAowMDAwMDA3MjAwIDAwMDAwIG4gCjAwMDAwMDcyNTIgMDAwMDAgbiAKMDAwMDAwNzQ5 MCAwMDAwMCBuIAowMDAwMDA3NzM4IDAwMDAwIG4gCjAwMDAwMDc5NzEgMDAwMDAgbiAKMDAwMDAw ODIwMiAwMDAwMCBuIAowMDAwMDA4NDM2IDAwMDAwIG4gCjAwMDAwMDg2NjcgMDAwMDAgbiAKMDAw MDAwODg5MSAwMDAwMCBuIAowMDAwMDA5MTIyIDAwMDAwIG4gCjAwMDAwMDkzNTMgMDAwMDAgbiAK MDAwMDAwOTU4NSAwMDAwMCBuIAowMDAwMDA5ODE3IDAwMDAwIG4gCjAwMDAwMTAwNTYgMDAwMDAg biAKMDAwMDAxMDI5NSAwMDAwMCBuIAowMDAwMDEwNTM0IDAwMDAwIG4gCjAwMDAwMTA3NjYgMDAw MDAgbiAKMDAwMDAxMDk5OCAwMDAwMCBuIAowMDAwMDExMjMzIDAwMDAwIG4gCjAwMDAwMTE0NjAg MDAwMDAgbiAKMDAwMDAxMTcwNyAwMDAwMCBuIAowMDAwMDExOTY4IDAwMDAwIG4gCjAwMDAwMTIx OTkgMDAwMDAgbiAKMDAwMDAxMjQ0NiAwMDAwMCBuIAowMDAwMDEyNjczIDAwMDAwIG4gCjAwMDAw MTI5MDQgMDAwMDAgbiAKMDAwMDAxMzE2NSAwMDAwMCBuIAowMDAwMDEzMzk2IDAwMDAwIG4gCjAw MDAwMTM2NTIgMDAwMDAgbiAKMDAwMDAxMzkxMyAwMDAwMCBuIAowMDAwMDE0MTQ0IDAwMDAwIG4g CjAwMDAwMTQ5MjEgMDAwMDAgbiAKMDAwMDAxOTQ3MSAwMDAwMCBuIAowMDAwMDE0NDkzIDAwMDAw IG4gCjAwMDAwMTQ2OTEgMDAwMDAgbiAKMDAwMDAyMTAxOCAwMDAwMCBuIAowMDAwMTUxNDI0IDAw MDAwIG4gCjAwMDAwMTk0OTIgMDAwMDAgbiAKMDAwMDAxOTU0NCAwMDAwMCBuIAowMDAwMDE5NTk2 IDAwMDAwIG4gCjAwMDAwMTk2NDggMDAwMDAgbiAKMDAwMDAxOTcwMCAwMDAwMCBuIAowMDAwMDE5 NzUyIDAwMDAwIG4gCjAwMDAwMTk4MDQgMDAwMDAgbiAKMDAwMDAxOTg1NiAwMDAwMCBuIAowMDAw MDIwMTAzIDAwMDAwIG4gCjAwMDAwMjAzMzAgMDAwMDAgbiAKMDAwMDAyMDU2NCAwMDAwMCBuIAow MDAwMDIwNzkxIDAwMDAwIG4gCjAwMDAwMjE0MDUgMDAwMDAgbiAKMDAwMDAyNTEwNCAwMDAwMCBu IAowMDAwMDIxMTQwIDAwMDAwIG4gCjAwMDAwMjEzNTAgMDAwMDAgbiAKMDAwMDAyNjUyOCAwMDAw MCBuIAowMDAwMDI1MTI1IDAwMDAwIG4gCjAwMDAwMjUxNzcgMDAwMDAgbiAKMDAwMDAyNTIyOSAw MDAwMCBuIAowMDAwMDI1MjgxIDAwMDAwIG4gCjAwMDAwMjU1MzcgMDAwMDAgbiAKMDAwMDAyNTc5 MyAwMDAwMCBuIAowMDAwMDI2MDQ5IDAwMDAwIG4gCjAwMDAwMjYyNzYgMDAwMDAgbiAKMDAwMDAy NjkxOSAwMDAwMCBuIAowMDAwMDMxMDEzIDAwMDAwIG4gCjAwMDAwMjY2NTIgMDAwMDAgbiAKMDAw MDAyNjg2MyAwMDAwMCBuIAowMDAwMDMyNjI5IDAwMDAwIG4gCjAwMDAwMzEwMzQgMDAwMDAgbiAK MDAwMDAzMTA4NyAwMDAwMCBuIAowMDAwMDMxMTQwIDAwMDAwIG4gCjAwMDAwMzExOTMgMDAwMDAg biAKMDAwMDAzMTQyMSAwMDAwMCBuIAowMDAwMDMxNjUzIDAwMDAwIG4gCjAwMDAwMzE4ODcgMDAw MDAgbiAKMDAwMDAzMjExNSAwMDAwMCBuIAowMDAwMDMyMzcyIDAwMDAwIG4gCjAwMDAwMzMwMzUg MDAwMDAgbiAKMDAwMDAzNzE0MCAwMDAwMCBuIAowMDAwMDMyNzU1IDAwMDAwIG4gCjAwMDAwMzI5 NjYgMDAwMDAgbiAKMDAwMDAzNzc5OCAwMDAwMCBuIAowMDAwMDM3MTYyIDAwMDAwIG4gCjAwMDAw MzcyMTUgMDAwMDAgbiAKMDAwMDAzNzI2OCAwMDAwMCBuIAowMDAwMDM3MzIxIDAwMDAwIG4gCjAw MDAwMzc1NzAgMDAwMDAgbiAKMDAwMDAzODE2MCAwMDAwMCBuIAowMDAwMDQxOTE4IDAwMDAwIG4g CjAwMDAwMzc5MjQgMDAwMDAgbiAKMDAwMDAzODEyMyAwMDAwMCBuIAowMDAwMDQzODIyIDAwMDAw IG4gCjAwMDAwNDE5NDAgMDAwMDAgbiAKMDAwMDA0MTk5MyAwMDAwMCBuIAowMDAwMDQyMDQ2IDAw MDAwIG4gCjAwMDAwNDIwOTkgMDAwMDAgbiAKMDAwMDA0MjE1MiAwMDAwMCBuIAowMDAwMDQyMjA1 IDAwMDAwIG4gCjAwMDAwNDI0MzMgMDAwMDAgbiAKMDAwMDA0MjY2MSAwMDAwMCBuIAowMDAwMDQy ODk4IDAwMDAwIG4gCjAwMDAwNDMxMjYgMDAwMDAgbiAKMDAwMDA0MzM1OCAwMDAwMCBuIAowMDAw MDQzNTkwIDAwMDAwIG4gCjAwMDAwNDQyMjQgMDAwMDAgbiAKMDAwMDA0ODcxMCAwMDAwMCBuIAow MDAwMDQzOTQ4IDAwMDAwIG4gCjAwMDAwNDQxNDcgMDAwMDAgbiAKMDAwMDA0OTUzMCAwMDAwMCBu IAowMDAwMDQ4NzMyIDAwMDAwIG4gCjAwMDAwNDg3ODUgMDAwMDAgbiAKMDAwMDA0ODgzOCAwMDAw MCBuIAowMDAwMDQ5MDcwIDAwMDAwIG4gCjAwMDAwNDkyOTggMDAwMDAgbiAKMDAwMDA0OTg4OCAw MDAwMCBuIAowMDAwMDU0OTI4IDAwMDAwIG4gCjAwMDAwNDk2NTYgMDAwMDAgbiAKMDAwMDA0OTg0 MyAwMDAwMCBuIAowMDAwMDU4NTA2IDAwMDAwIG4gCjAwMDAwNTQ5NTAgMDAwMDAgbiAKMDAwMDA1 NTAwMyAwMDAwMCBuIAowMDAwMDU1MDU2IDAwMDAwIG4gCjAwMDAwNTUxMDkgMDAwMDAgbiAKMDAw MDA1NTE2MiAwMDAwMCBuIAowMDAwMDU1MjE1IDAwMDAwIG4gCjAwMDAwNTUyNjggMDAwMDAgbiAK MDAwMDA1NTMyMSAwMDAwMCBuIAowMDAwMDU1Mzc0IDAwMDAwIG4gCjAwMDAwNTU0MjcgMDAwMDAg biAKMDAwMDA1NTQ4MCAwMDAwMCBuIAowMDAwMDU1NTMzIDAwMDAwIG4gCjAwMDAwNTU1ODYgMDAw MDAgbiAKMDAwMDA1NTYzOSAwMDAwMCBuIAowMDAwMDU1NjkyIDAwMDAwIG4gCjAwMDAwNTU3NDUg MDAwMDAgbiAKMDAwMDA1NTk3MyAwMDAwMCBuIAowMDAwMDU2MjAxIDAwMDAwIG4gCjAwMDAwNTY0 MjkgMDAwMDAgbiAKMDAwMDA1NjY1NyAwMDAwMCBuIAowMDAwMDU2OTE0IDAwMDAwIG4gCjAwMDAw NTcxNDIgMDAwMDAgbiAKMDAwMDA1NzM3MCAwMDAwMCBuIAowMDAwMDU3NTk4IDAwMDAwIG4gCjAw MDAwNTc4MjEgMDAwMDAgbiAKMDAwMDA1ODA1NyAwMDAwMCBuIAowMDAwMDU4Mjc1IDAwMDAwIG4g CjAwMDAwNTg5NDggMDAwMDAgbiAKMDAwMDA2MjQ0MyAwMDAwMCBuIAowMDAwMDU4NjMyIDAwMDAw IG4gCjAwMDAwNTg4MzEgMDAwMDAgbiAKMDAwMDA3NDE1NSAwMDAwMCBuIAowMDAwMDYyNDY1IDAw MDAwIG4gCjAwMDAwNjI1MTggMDAwMDAgbiAKMDAwMDA2MjU3MSAwMDAwMCBuIAowMDAwMDYyNjI0 IDAwMDAwIG4gCjAwMDAwNjI2NzcgMDAwMDAgbiAKMDAwMDA2MjczMCAwMDAwMCBuIAowMDAwMDYy NzgzIDAwMDAwIG4gCjAwMDAwNjI4MzYgMDAwMDAgbiAKMDAwMDA2Mjg4OSAwMDAwMCBuIAowMDAw MDYyOTQyIDAwMDAwIG4gCjAwMDAwNjI5OTUgMDAwMDAgbiAKMDAwMDA2MzA0OCAwMDAwMCBuIAow MDAwMDYzMTAxIDAwMDAwIG4gCjAwMDAwNjMxNTQgMDAwMDAgbiAKMDAwMDA2MzIwNyAwMDAwMCBu IAowMDAwMDYzMjYwIDAwMDAwIG4gCjAwMDAwNjMzMTMgMDAwMDAgbiAKMDAwMDA2MzM2NiAwMDAw MCBuIAowMDAwMDYzNTk0IDAwMDAwIG4gCjAwMDAwNjM4MjIgMDAwMDAgbiAKMDAwMDA2NDA1MCAw MDAwMCBuIAowMDAwMDY0MjYxIDAwMDAwIG4gCjAwMDAwNjQ0ODUgMDAwMDAgbiAKMDAwMDA2NDcw OSAwMDAwMCBuIAowMDAwMDY0ODkzIDAwMDAwIG4gCjAwMDAwNjUwODkgMDAwMDAgbiAKMDAwMDA2 NTI4NSAwMDAwMCBuIAowMDAwMDY1NDk5IDAwMDAwIG4gCjAwMDAwNjU3MTEgMDAwMDAgbiAKMDAw MDA2NTkwMCAwMDAwMCBuIAowMDAwMDY2MDg4IDAwMDAwIG4gCjAwMDAwNjYyODQgMDAwMDAgbiAK MDAwMDA2NjQ4NyAwMDAwMCBuIAowMDAwMDY2NjY4IDAwMDAwIG4gCjAwMDAwNjY4NTQgMDAwMDAg biAKMDAwMDA2NzAzNCAwMDAwMCBuIAowMDAwMDY3MjIzIDAwMDAwIG4gCjAwMDAwNjc0MjYgMDAw MDAgbiAKMDAwMDA2NzY0MCAwMDAwMCBuIAowMDAwMDY3ODUyIDAwMDAwIG4gCjAwMDAwNjgwNDgg MDAwMDAgbiAKMDAwMDA2ODI1MSAwMDAwMCBuIAowMDAwMDY4NDQ3IDAwMDAwIG4gCjAwMDAwNjg2 NTAgMDAwMDAgbiAKMDAwMDA2ODg0NiAwMDAwMCBuIAowMDAwMDY5MDQ5IDAwMDAwIG4gCjAwMDAw NjkyNTcgMDAwMDAgbiAKMDAwMDA2OTQ2NSAwMDAwMCBuIAowMDAwMDY5NjkzIDAwMDAwIG4gCjAw MDAwNjk4ODIgMDAwMDAgbiAKMDAwMDA3MDA2MCAwMDAwMCBuIAowMDAwMDcwMjQ2IDAwMDAwIG4g CjAwMDAwNzA0MjkgMDAwMDAgbiAKMDAwMDA3MDYyMSAwMDAwMCBuIAowMDAwMDcwODEwIDAwMDAw IG4gCjAwMDAwNzA5OTEgMDAwMDAgbiAKMDAwMDA3MTE4NyAwMDAwMCBuIAowMDAwMDcxMzkwIDAw MDAwIG4gCjAwMDAwNzE1ODUgMDAwMDAgbiAKMDAwMDA3MTc4OCAwMDAwMCBuIAowMDAwMDcyMDAy IDAwMDAwIG4gCjAwMDAwNzIyMTQgMDAwMDAgbiAKMDAwMDA3MjQwMCAwMDAwMCBuIAowMDAwMDcy NTg4IDAwMDAwIG4gCjAwMDAwNzI3NzUgMDAwMDAgbiAKMDAwMDA3Mjk1NyAwMDAwMCBuIAowMDAw MDczMTQ2IDAwMDAwIG4gCjAwMDAwNzMzMzAgMDAwMDAgbiAKMDAwMDA3MzUyNiAwMDAwMCBuIAow MDAwMDczNzI5IDAwMDAwIG4gCjAwMDAwNzM5NDMgMDAwMDAgbiAKMDAwMDA3NDkzMyAwMDAwMCBu IAowMDAwMDgyNDY5IDAwMDAwIG4gCjAwMDAwNzQyODEgMDAwMDAgbiAKMDAwMDA3NDQ4MCAwMDAw MCBuIAowMDAwMDgzMjQyIDAwMDAwIG4gCjAwMDAwODI0OTEgMDAwMDAgbiAKMDAwMDA4Mjc0OCAw MDAwMCBuIAowMDAwMDgyOTgwIDAwMDAwIG4gCjAwMDAwODM2MTQgMDAwMDAgbiAKMDAwMDA4OTI4 NiAwMDAwMCBuIAowMDAwMDgzMzY4IDAwMDAwIG4gCjAwMDAwODM1NjkgMDAwMDAgbiAKMDAwMDA5 MTAzMiAwMDAwMCBuIAowMDAwMDg5MzA4IDAwMDAwIG4gCjAwMDAwODk1NjUgMDAwMDAgbiAKMDAw MDA4OTc5NyAwMDAwMCBuIAowMDAwMDkwMDU0IDAwMDAwIG4gCjAwMDAwOTAzMTEgMDAwMDAgbiAK MDAwMDA5MDU0MyAwMDAwMCBuIAowMDAwMDkwNzc1IDAwMDAwIG4gCjAwMDAwOTE0MzYgMDAwMDAg biAKMDAwMDA5NjY1MSAwMDAwMCBuIAowMDAwMDkxMTU4IDAwMDAwIG4gCjAwMDAwOTEzNTkgMDAw MDAgbiAKMDAwMDEwODYwNSAwMDAwMCBuIAowMDAwMDk2NjczIDAwMDAwIG4gCjAwMDAwOTY3Mjcg MDAwMDAgbiAKMDAwMDA5Njc4MSAwMDAwMCBuIAowMDAwMDk3MDA5IDAwMDAwIG4gCjAwMDAwOTcx OTUgMDAwMDAgbiAKMDAwMDA5NzM4MSAwMDAwMCBuIAowMDAwMDk3NTYzIDAwMDAwIG4gCjAwMDAw OTc3NDYgMDAwMDAgbiAKMDAwMDA5NzkyNCAwMDAwMCBuIAowMDAwMTAzMjg3IDAwMDAwIG4gCjAw MDAxMDMwMDcgMDAwMDAgbiAKMDAwMDA5ODExNSAwMDAwMCBuIAowMDAwMDk4MjMyIDAwMDAwIG4g CjAwMDAwOTgzODcgMDAwMDAgbiAKMDAwMDA5ODUzNiAwMDAwMCBuIAowMDAwMDk4Njg3IDAwMDAw IG4gCjAwMDAwOTg4MzYgMDAwMDAgbiAKMDAwMDA5OTAwOSAwMDAwMCBuIAowMDAwMDk5MTYwIDAw MDAwIG4gCjAwMDAwOTkzMDUgMDAwMDAgbiAKMDAwMDA5OTQ3NCAwMDAwMCBuIAowMDAwMDk5Njcx IDAwMDAwIG4gCjAwMDAwOTk4NTQgMDAwMDAgbiAKMDAwMDEwMDAyMSAwMDAwMCBuIAowMDAwMTAw MjMwIDAwMDAwIG4gCjAwMDAxMDAzODEgMDAwMDAgbiAKMDAwMDEwMDU1MiAwMDAwMCBuIAowMDAw MTAwNzEzIDAwMDAwIG4gCjAwMDAxMDA4NzcgMDAwMDAgbiAKMDAwMDEwMTA1OSAwMDAwMCBuIAow MDAwMTAxMjIzIDAwMDAwIG4gCjAwMDAxMDE0MjUgMDAwMDAgbiAKMDAwMDEwMTYzMSAwMDAwMCBu IAowMDAwMTAxODI5IDAwMDAwIG4gCjAwMDAxMDIwMzEgMDAwMDAgbiAKMDAwMDEwMjE3NyAwMDAw MCBuIAowMDAwMTAyMzQ1IDAwMDAwIG4gCjAwMDAxMDI1MTcgMDAwMDAgbiAKMDAwMDEwMjY5MyAw MDAwMCBuIAowMDAwMTAyODY5IDAwMDAwIG4gCjAwMDAxMDMzNTMgMDAwMDAgbiAKMDAwMDEwODk5 NSAwMDAwMCBuIAowMDAwMTEyOTEyIDAwMDAwIG4gCjAwMDAxMDg3MzEgMDAwMDAgbiAKMDAwMDEw ODkxOCAwMDAwMCBuIAowMDAwMTEyOTM0IDAwMDAwIG4gCjAwMDAxMTMyMDAgMDAwMDAgbiAKMDAw MDExODc2MCAwMDAwMCBuIAowMDAwMTE5MTQ0IDAwMDAwIG4gCjAwMDAxMTg3MzggMDAwMDAgbiAK MDAwMDExOTk4OSAwMDAwMCBuIAowMDAwMTIwMjU2IDAwMDAwIG4gCjAwMDAxMjQ1NTMgMDAwMDAg biAKMDAwMDEyNDc3OCAwMDAwMCBuIAowMDAwMTI0NTMxIDAwMDAwIG4gCjAwMDAxMjUzNDIgMDAw MDAgbiAKMDAwMDEyNTU1MyAwMDAwMCBuIAowMDAwMTMwMzMwIDAwMDAwIG4gCjAwMDAxMzA3NzUg MDAwMDAgbiAKMDAwMDEzMDMwOCAwMDAwMCBuIAowMDAwMTMxNzI2IDAwMDAwIG4gCjAwMDAxMzIw MDAgMDAwMDAgbiAKMDAwMDE0MDYzOCAwMDAwMCBuIAowMDAwMTQxMTY4IDAwMDAwIG4gCjAwMDAx NDA2MTYgMDAwMDAgbiAKMDAwMDE0MjI1OSAwMDAwMCBuIAowMDAwMTQyNTI1IDAwMDAwIG4gCjAw MDAxNTAzMzMgMDAwMDAgbiAKMDAwMDE1MDU0NiAwMDAwMCBuIAowMDAwMTUwMzExIDAwMDAwIG4g CjAwMDAxNTE1NjcgMDAwMDAgbiAKMDAwMDE1MTg0MiAwMDAwMCBuIAowMDAwMTYwNTM0IDAwMDAw IG4gCjAwMDAxNjExMDcgMDAwMDAgbiAKMDAwMDE2MDUxMiAwMDAwMCBuIAp0cmFpbGVyCjw8Ci9T aXplIDM1NwovSW5mbyAxIDAgUgovUm9vdCAzMjIgMCBSCj4+CnN0YXJ0eHJlZgoxNjI0NjgKJSVF T0YK --_007_4E1F6AAD24975D4BA5B16804296739435F75F103TK5EX14MBXC283r_ Content-Type: text/xml; name="draft-ietf-oauth-v2-bearer-15 preliminary.xml" Content-Description: draft-ietf-oauth-v2-bearer-15 preliminary.xml Content-Disposition: attachment; filename="draft-ietf-oauth-v2-bearer-15 preliminary.xml"; size=48682; creation-date="Mon, 12 Dec 2011 16:33:14 GMT"; modification-date="Mon, 12 Dec 2011 16:04:21 GMT" Content-Transfer-Encoding: base64 PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnID8+CjwhRE9DVFlQRSByZmMgU1lT VEVNICdyZmMyNjI5LmR0ZCc+Cjw/eG1sLXN0eWxlc2hlZXQgdHlwZT0ndGV4dC94c2wnIGhyZWY9 J3JmYzI2MjkueHNsdCcgPz4KCjxyZmMgY2F0ZWdvcnk9J3N0ZCcgaXByPSd0cnVzdDIwMDkwMicg ZG9jTmFtZT0nZHJhZnQtaWV0Zi1vYXV0aC12Mi1iZWFyZXItMTUnPgogIDw/cmZjIHN0cmljdD0n eWVzJyA/PgogIDw/cmZjIHRvYz0neWVzJyA/PgogIDw/cmZjIHRvY2RlcHRoPSczJyA/PgogIDw/ cmZjIHN5bXJlZnM9J3llcycgPz4KICA8P3JmYyBzb3J0cmVmcz0neWVzJyA/PgogIDw/cmZjIGNv bXBhY3Q9J3llcycgPz4KICA8P3JmYyBzdWJjb21wYWN0PSdubycgPz4KCiAgPGZyb250PgogICAg PHRpdGxlIGFiYnJldj0nT0F1dGggMi4wIEJlYXJlciBUb2tlbnMnPlRoZSBPQXV0aCAyLjAgQXV0 aG9yaXphdGlvbiBQcm90b2NvbDogQmVhcmVyIFRva2VuczwvdGl0bGU+CgogICAgPGF1dGhvciBm dWxsbmFtZT0iTWljaGFlbCBCLiBKb25lcyIgc3VybmFtZT0iSm9uZXMiIGluaXRpYWxzPSJNLkIu Ij4gPCEtLSByb2xlPSJlZGl0b3IiIC0tPgogICAgICA8b3JnYW5pemF0aW9uPk1pY3Jvc29mdDwv b3JnYW5pemF0aW9uPgogICAgICA8YWRkcmVzcz4KICAgICAgICA8ZW1haWw+bWJqQG1pY3Jvc29m dC5jb208L2VtYWlsPgogICAgICAgIDx1cmk+aHR0cDovL3NlbGYtaXNzdWVkLmluZm8vPC91cmk+ CiAgICAgIDwvYWRkcmVzcz4KICAgIDwvYXV0aG9yPgogICAgPGF1dGhvciBmdWxsbmFtZT0nRGlj ayBIYXJkdCcgc3VybmFtZT0nSGFyZHQnIGluaXRpYWxzPSdEJz4KICAgICAgPG9yZ2FuaXphdGlv bj5pbmRlcGVuZGVudDwvb3JnYW5pemF0aW9uPgogICAgICA8YWRkcmVzcz4KICAgICAgICA8ZW1h aWw+ZGljay5oYXJkdEBnbWFpbC5jb208L2VtYWlsPgogICAgICAgIDx1cmk+aHR0cDovL2RpY2to YXJkdC5vcmcvPC91cmk+CiAgICAgIDwvYWRkcmVzcz4KICAgIDwvYXV0aG9yPgogICAgPGF1dGhv ciBmdWxsbmFtZT0nRGF2aWQgUmVjb3Jkb24nIHN1cm5hbWU9J1JlY29yZG9uJyBpbml0aWFscz0n RCc+CiAgICAgIDxvcmdhbml6YXRpb24+RmFjZWJvb2s8L29yZ2FuaXphdGlvbj4KICAgICAgPGFk ZHJlc3M+CiAgICAgICAgPGVtYWlsPmRyQGZiLmNvbTwvZW1haWw+CiAgICAgICAgPHVyaT5odHRw Oi8vd3d3LmRhdmlkcmVjb3Jkb24uY29tLzwvdXJpPgogICAgICA8L2FkZHJlc3M+CiAgICA8L2F1 dGhvcj4KCiAgICA8ZGF0ZSB5ZWFyPSIyMDExIiBtb250aD0iRGVjZW1iZXIiIGRheT0iMTIiIC8+ CgogICAgPGFic3RyYWN0PgogICAgICA8dD4KICAgICAgICBUaGlzIHNwZWNpZmljYXRpb24gZGVz Y3JpYmVzIGhvdyB0byB1c2UgYmVhcmVyIHRva2VucyBpbiBIVFRQCiAgICAgICAgcmVxdWVzdHMg dG8gYWNjZXNzIE9BdXRoIDIuMCBwcm90ZWN0ZWQgcmVzb3VyY2VzLiAgQW55IHBhcnR5CiAgICAg ICAgaW4gcG9zc2Vzc2lvbiBvZiBhIGJlYXJlciB0b2tlbiAoYSAiYmVhcmVyIikgY2FuIHVzZSBp dCB0byBnZXQKICAgICAgICBhY2Nlc3MgdG8gdGhlIGFzc29jaWF0ZWQgcmVzb3VyY2VzICh3aXRo b3V0IGRlbW9uc3RyYXRpbmcgcG9zc2Vzc2lvbgogICAgICAgIG9mIGEgY3J5cHRvZ3JhcGhpYyBr ZXkpLiAgVG8gcHJldmVudCBtaXN1c2UsIGJlYXJlciB0b2tlbnMKICAgICAgICBuZWVkIHRvIGJl IHByb3RlY3RlZCBmcm9tIGRpc2Nsb3N1cmUgaW4gc3RvcmFnZSBhbmQgaW4gdHJhbnNwb3J0Lgog ICAgICA8L3Q+CiAgICA8L2Fic3RyYWN0PgogIDwvZnJvbnQ+CgogIDxtaWRkbGU+CgogICAgPHNl Y3Rpb24gdGl0bGU9J0ludHJvZHVjdGlvbic+CiAgICAgIDx0PgogICAgICAgIE9BdXRoIGVuYWJs ZXMgY2xpZW50cyB0byBhY2Nlc3MgcHJvdGVjdGVkIHJlc291cmNlcyBieQogICAgICAgIG9idGFp bmluZyBhbiBhY2Nlc3MgdG9rZW4sIHdoaWNoIGlzIGRlZmluZWQgaW4KCU9BdXRoIDIuMCBBdXRo b3JpemF0aW9uIDx4cmVmIHRhcmdldD0iSS1ELmlldGYtb2F1dGgtdjIiLz4KCWFzICJhIHN0cmlu ZyByZXByZXNlbnRpbmcgYW4gYWNjZXNzCiAgICAgICAgYXV0aG9yaXphdGlvbiBpc3N1ZWQgdG8g dGhlIGNsaWVudCIsIHJhdGhlciB0aGFuIHVzaW5nIHRoZQogICAgICAgIHJlc291cmNlIG93bmVy J3MgY3JlZGVudGlhbHMgZGlyZWN0bHkuCiAgICAgIDwvdD4KICAgICAgPHQ+CiAgICAgICAgVG9r ZW5zIGFyZSBpc3N1ZWQgdG8gY2xpZW50cyBieSBhbiBhdXRob3JpemF0aW9uIHNlcnZlciB3aXRo IHRoZSBhcHByb3ZhbCBvZgogICAgICAgIHRoZSByZXNvdXJjZSBvd25lci4gVGhlIGNsaWVudCB1 c2VzIHRoZSBhY2Nlc3MgdG9rZW4gdG8gYWNjZXNzIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2VzCiAg ICAgICAgaG9zdGVkIGJ5IHRoZSByZXNvdXJjZSBzZXJ2ZXIuIFRoaXMgc3BlY2lmaWNhdGlvbiBk ZXNjcmliZXMgaG93IHRvIG1ha2UgcHJvdGVjdGVkIHJlc291cmNlCiAgICAgICAgcmVxdWVzdHMg d2hlbiB0aGUgT0F1dGggYWNjZXNzIHRva2VuIGlzIGEgYmVhcmVyIHRva2VuLgogICAgICA8L3Q+ CiAgICAgIDx0PgogICAgICAgIFRoaXMgc3BlY2lmaWNhdGlvbiBkZWZpbmVzIHRoZSB1c2Ugb2Yg YmVhcmVyIHRva2VucyBvdmVyCiAgICAgICAgSFRUUC8xLjEgPHhyZWYgdGFyZ2V0PSdJLUQuaWV0 Zi1odHRwYmlzLXAxLW1lc3NhZ2luZycgLz4KCXVzaW5nCglUTFMgPHhyZWYgdGFyZ2V0PSdSRkM1 MjQ2JyAvPiB0byBhY2Nlc3MgcHJvdGVjdGVkIHJlc291cmNlcy4KCVRMUyBpcyBtYW5kYXRvcnkg dG8gaW1wbGVtZW50CiAgICAgICAgYW5kIHVzZSB3aXRoIHRoaXMgc3BlY2lmaWNhdGlvbjsgb3Ro ZXIgc3BlY2lmaWNhdGlvbnMgbWF5CiAgICAgICAgZXh0ZW5kIHRoaXMgc3BlY2lmaWNhdGlvbiBm b3IgdXNlIHdpdGggb3RoZXIgdHJhbnNwb3J0CiAgICAgICAgcHJvdG9jb2xzLgoJV2hpbGUgZGVz aWduZWQgZm9yIHVzZSB3aXRoIGFjY2VzcyB0b2tlbnMgcmVzdWx0aW5nIGZyb20KCU9BdXRoIDIu MCBBdXRob3JpemF0aW9uIDx4cmVmIHRhcmdldD0iSS1ELmlldGYtb2F1dGgtdjIiIC8+CglmbG93 cyB0byBhY2Nlc3MgT0F1dGggcHJvdGVjdGVkIHJlc291cmNlcywgdGhpcwoJc3BlY2lmaWNhdGlv biBhY3R1YWxseSBkZWZpbmVzIGEgZ2VuZXJhbCBIVFRQIGF1dGhvcml6YXRpb24KCW1ldGhvZCB0 aGF0IGNhbiBiZSB1c2VkIHdpdGggYmVhcmVyIHRva2VucyBmcm9tIGFueSBzb3VyY2UKCXRvIGFj Y2VzcyBhbnkgcmVzb3VyY2VzIHByb3RlY3RlZCBieSB0aG9zZSBiZWFyZXIgdG9rZW5zLgogICAg ICA8L3Q+CgogICAgICA8c2VjdGlvbiB0aXRsZT0nTm90YXRpb25hbCBDb252ZW50aW9ucyc+CiAg ICAgICAgPHQ+CiAgICAgICAgICBUaGUga2V5IHdvcmRzICdNVVNUJywgJ01VU1QgTk9UJywgJ1JF UVVJUkVEJywgJ1NIQUxMJywgJ1NIQUxMIE5PVCcsICdTSE9VTEQnLCAnU0hPVUxECiAgICAgICAg ICBOT1QnLCAnUkVDT01NRU5ERUQnLCAnTUFZJywgYW5kICdPUFRJT05BTCcgaW4gdGhpcyBkb2N1 bWVudCBhcmUgdG8gYmUgaW50ZXJwcmV0ZWQgYXMKICAgICAgICAgIGRlc2NyaWJlZCBpbgoJICBL ZXkgd29yZHMgZm9yIHVzZSBpbiBSRkNzIHRvIEluZGljYXRlIFJlcXVpcmVtZW50IExldmVscyA8 eHJlZiB0YXJnZXQ9J1JGQzIxMTknIC8+LgogICAgICAgIDwvdD4KICAgICAgICA8dD4KICAgICAg ICAgIFRoaXMgZG9jdW1lbnQgdXNlcyB0aGUgQXVnbWVudGVkIEJhY2t1cy1OYXVyIEZvcm0gKEFC TkYpCiAgICAgICAgICBub3RhdGlvbiBvZgoJICBIVFRQLzEuMSwgUGFydCAxIDx4cmVmIHRhcmdl dD0nSS1ELmlldGYtaHR0cGJpcy1wMS1tZXNzYWdpbmcnIC8+LAogICAgICAgICAgd2hpY2ggaXMg YmFzZWQgdXBvbiB0aGUKCSAgQXVnbWVudGVkIEJhY2t1cy1OYXVyIEZvcm0gKEFCTkYpIDx4cmVm IHRhcmdldD0nUkZDNTIzNCcgLz4KCSAgbm90YXRpb24uICBBZGRpdGlvbmFsbHksIHRoZSBmb2xs b3dpbmcgcnVsZXMgYXJlIGluY2x1ZGVkIGZyb20KCSAgSFRUUC8xLjEsIFBhcnQgNyA8eHJlZiB0 YXJnZXQ9J0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aCcgLz46CgkgIGI2NHRva2VuLCBhdXRoLXBh cmFtLCBhbmQgcmVhbG07IGZyb20KCSAgSFRUUC8xLjEsIFBhcnQgMSA8eHJlZiB0YXJnZXQ9J0kt RC5pZXRmLWh0dHBiaXMtcDEtbWVzc2FnaW5nJyAvPjoKCSAgcXVvdGVkLXN0cmluZzsgYW5kIGZy b20KCSAgVW5pZm9ybSBSZXNvdXJjZSBJZGVudGlmaWVyIChVUkkpIDx4cmVmIHRhcmdldD0nUkZD Mzk4NicgLz46CgkgIFVSSS1SZWZlcmVuY2UuCiAgICAgICAgPC90PgogICAgICAgIDx0PgogICAg ICAgICAgVW5sZXNzIG90aGVyd2lzZSBub3RlZCwgYWxsIHRoZSBwcm90b2NvbCBwYXJhbWV0ZXIg bmFtZXMgYW5kIHZhbHVlcyBhcmUgY2FzZSBzZW5zaXRpdmUuCiAgICAgICAgPC90PgogICAgICA8 L3NlY3Rpb24+CgogICAgICA8c2VjdGlvbiB0aXRsZT0nVGVybWlub2xvZ3knPgogICAgICAgIDx0 PgogICAgICAgICAgPGxpc3Qgc3R5bGU9J2hhbmdpbmcnPgogICAgICAgICAgICA8dCBoYW5nVGV4 dD0iQmVhcmVyIFRva2VuIj4KICAgICAgICAgICAgICA8dnNwYWNlIC8+CiAgICAgICAgICAgICAg QSBzZWN1cml0eSB0b2tlbiB3aXRoIHRoZSBwcm9wZXJ0eSB0aGF0IGFueSBwYXJ0eSBpbgogICAg ICAgICAgICAgIHBvc3Nlc3Npb24gb2YgdGhlIHRva2VuIChhICJiZWFyZXIiKSBjYW4gdXNlIHRo ZSB0b2tlbgogICAgICAgICAgICAgIGluIGFueSB3YXkgdGhhdCBhbnkgb3RoZXIgcGFydHkgaW4g cG9zc2Vzc2lvbiBvZiBpdCBjYW4uCiAgICAgICAgICAgICAgVXNpbmcgYSBiZWFyZXIgdG9rZW4g ZG9lcyBub3QgcmVxdWlyZSBhIGJlYXJlciB0byBwcm92ZQogICAgICAgICAgICAgIHBvc3Nlc3Np b24gb2YgY3J5cHRvZ3JhcGhpYyBrZXkgbWF0ZXJpYWwKICAgICAgICAgICAgICAocHJvb2Ytb2Yt cG9zc2Vzc2lvbikuCiAgICAgICAgICAgIDwvdD4KICAgICAgICAgIDwvbGlzdD4KICAgICAgICA8 L3Q+CiAgICAgICAgPHQ+CiAgICAgICAgICBBbGwgb3RoZXIgdGVybXMgYXJlIGFzIGRlZmluZWQg aW4KCSAgT0F1dGggMi4wIEF1dGhvcml6YXRpb24gPHhyZWYgdGFyZ2V0PSJJLUQuaWV0Zi1vYXV0 aC12MiIgLz4uCiAgICAgICAgPC90PgogICAgICA8L3NlY3Rpb24+CgogICAgICA8c2VjdGlvbiB0 aXRsZT0nT3ZlcnZpZXcnPgogICAgICAgIDx0PgogICAgICAgICAgT0F1dGggcHJvdmlkZXMgYSBt ZXRob2QgZm9yIGNsaWVudHMgdG8gYWNjZXNzIGEgcHJvdGVjdGVkIHJlc291cmNlIG9uIGJlaGFs ZiBvZiBhCiAgICAgICAgICByZXNvdXJjZSBvd25lci4gSW4gdGhlIGdlbmVyYWwgY2FzZSwKCSAg YmVmb3JlIGEgY2xpZW50IGNhbiBhY2Nlc3MgYSBwcm90ZWN0ZWQgcmVzb3VyY2UsIGl0IG11c3Qg Zmlyc3Qgb2J0YWluCiAgICAgICAgICBhbiBhdXRob3JpemF0aW9uIGdyYW50IGZyb20gdGhlIHJl c291cmNlIG93bmVyIGFuZCB0aGVuIGV4Y2hhbmdlIHRoZSBhdXRob3JpemF0aW9uIGdyYW50IGZv cgogICAgICAgICAgYW4gYWNjZXNzIHRva2VuLgoJICBUaGUgYWNjZXNzIHRva2VuIHJlcHJlc2Vu dHMgdGhlIGdyYW50J3Mgc2NvcGUsIGR1cmF0aW9uLCBhbmQKCSAgb3RoZXIgYXR0cmlidXRlcyBn cmFudGVkIGJ5IHRoZSBhdXRob3JpemF0aW9uIGdyYW50LiBUaGUKCSAgY2xpZW50IGFjY2Vzc2Vz IHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UgYnkgcHJlc2VudGluZyB0aGUKCSAgYWNjZXNzIHRva2Vu IHRvIHRoZSByZXNvdXJjZSBzZXJ2ZXIuCgkgIEluIHNvbWUgY2FzZXMsIGEgY2xpZW50IGNhbiBk aXJlY3RseSBwcmVzZW50IGl0cyBvd24KCSAgY3JlZGVudGlhbHMgdG8gYW4gYXV0aG9yaXphdGlv biBzZXJ2ZXIgdG8gb2J0YWluIGFuIGFjY2VzcwoJICB0b2tlbiB3aXRob3V0IGhhdmluZyB0byBm aXJzdCBvYnRhaW4gYW4gYXV0aG9yaXphdGlvbiBncmFudCBmcm9tIGEKCSAgcmVzb3VyY2Ugb3du ZXIuCiAgICAgICAgPC90PgogICAgICAgIDx0PgogICAgICAgICAgVGhlIGFjY2VzcyB0b2tlbiBw cm92aWRlcyBhbiBhYnN0cmFjdGlvbiwgcmVwbGFjaW5nIGRpZmZlcmVudCBhdXRob3JpemF0aW9u CiAgICAgICAgICBjb25zdHJ1Y3RzIChlLmcuIHVzZXJuYW1lIGFuZCBwYXNzd29yZCwgYXNzZXJ0 aW9uKSBmb3IgYSBzaW5nbGUgdG9rZW4gdW5kZXJzdG9vZCBieSB0aGUKICAgICAgICAgIHJlc291 cmNlIHNlcnZlci4gVGhpcyBhYnN0cmFjdGlvbiBlbmFibGVzIGlzc3VpbmcgYWNjZXNzIHRva2Vu cyB2YWxpZCBmb3IgYSBzaG9ydCB0aW1lCiAgICAgICAgICBwZXJpb2QsIGFzIHdlbGwgYXMgcmVt b3ZpbmcgdGhlIHJlc291cmNlIHNlcnZlcidzIG5lZWQgdG8gdW5kZXJzdGFuZCBhIHdpZGUgcmFu Z2Ugb2YKICAgICAgICAgIGF1dGhlbnRpY2F0aW9uIHNjaGVtZXMuCiAgICAgICAgPC90PgogICAg ICAgIDxmaWd1cmUgdGl0bGU9J0Fic3RyYWN0IFByb3RvY29sIEZsb3cnIGFuY2hvcj0nRmlndXJl LTEnPgogICAgICAgICAgPGFydHdvcms+CjwhW0NEQVRBWystLS0tLS0tLSsgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgKy0tLS0tLS0tLS0tLS0tLSsKfCAgICAgICAgfC0tKEEpLSBBdXRo b3JpemF0aW9uIFJlcXVlc3QgLT58ICAgUmVzb3VyY2UgICAgfAp8ICAgICAgICB8ICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgIHwgICAgIE93bmVyICAgICB8CnwgICAgICAgIHw8LShCKS0t IEF1dGhvcml6YXRpb24gR3JhbnQgLS0tfCAgICAgICAgICAgICAgIHwKfCAgICAgICAgfCAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICArLS0tLS0tLS0tLS0tLS0tKwp8ICAgICAgICB8Cnwg ICAgICAgIHwgICAgICAgIEF1dGhvcml6YXRpb24gR3JhbnQgJiAgKy0tLS0tLS0tLS0tLS0tLSsK fCAgICAgICAgfC0tKEMpLS0tIENsaWVudCBDcmVkZW50aWFscyAtLT58IEF1dGhvcml6YXRpb24g fAp8IENsaWVudCB8ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwgICAgIFNlcnZlciAg ICB8CnwgICAgICAgIHw8LShEKS0tLS0tIEFjY2VzcyBUb2tlbiAtLS0tLS0tfCAgICAgICAgICAg ICAgIHwKfCAgICAgICAgfCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICArLS0tLS0tLS0t LS0tLS0tKwp8ICAgICAgICB8CnwgICAgICAgIHwgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgKy0tLS0tLS0tLS0tLS0tLSsKfCAgICAgICAgfC0tKEUpLS0tLS0gQWNjZXNzIFRva2VuIC0t LS0tLT58ICAgIFJlc291cmNlICAgfAp8ICAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIHwgICAgIFNlcnZlciAgICB8CnwgICAgICAgIHw8LShGKS0tLSBQcm90ZWN0ZWQgUmVz b3VyY2UgLS0tfCAgICAgICAgICAgICAgIHwKKy0tLS0tLS0tKyAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICArLS0tLS0tLS0tLS0tLS0tK11dPgogICAgICAgICAgPC9hcnR3b3JrPgogICAg ICAgIDwvZmlndXJlPgogICAgICAgIDx0PgogICAgICAgICAgVGhlIGFic3RyYWN0IGZsb3cgaWxs dXN0cmF0ZWQgaW4gPHhyZWYgdGFyZ2V0PSdGaWd1cmUtMScgLz4gZGVzY3JpYmVzIHRoZSBvdmVy YWxsCiAgICAgICAgICBPQXV0aCAyLjAgcHJvdG9jb2wgYXJjaGl0ZWN0dXJlLiBUaGUgZm9sbG93 aW5nIHN0ZXBzIGFyZSBzcGVjaWZpZWQgd2l0aGluIHRoaXMKICAgICAgICAgIGRvY3VtZW50OgoK ICAgICAgICAgIDxsaXN0PgogICAgICAgICAgICA8dD4KICAgICAgICAgICAgICBFKSBUaGUgY2xp ZW50IG1ha2VzIGEgcHJvdGVjdGVkIHJlc291cmNlIHJlcXVlc3QgdG8gdGhlIHJlc291cmNlIHNl cnZlciBieSBwcmVzZW50aW5nCiAgICAgICAgICAgICAgdGhlIGFjY2VzcyB0b2tlbi4KICAgICAg ICAgICAgPC90PgogICAgICAgICAgICA8dD4KICAgICAgICAgICAgICBGKSBUaGUgcmVzb3VyY2Ug c2VydmVyIHZhbGlkYXRlcyB0aGUgYWNjZXNzIHRva2VuLCBhbmQgaWYgdmFsaWQsIHNlcnZlcyB0 aGUgcmVxdWVzdC4KICAgICAgICAgICAgPC90PgogICAgICAgICAgPC9saXN0PgogICAgICAgIDwv dD4KICAgICAgPC9zZWN0aW9uPgogICAgPC9zZWN0aW9uPgoKICAgIDxzZWN0aW9uIHRpdGxlPSdB dXRoZW50aWNhdGVkIFJlcXVlc3RzJz4KICAgICAgPHQ+CglUaGlzIHNlY3Rpb24gZGVmaW5lcyB0 aHJlZQoJbWV0aG9kcyBvZiBzZW5kaW5nIGJlYXJlciBhY2Nlc3MgdG9rZW5zIGluIHJlc291cmNl IHJlcXVlc3RzCgl0byByZXNvdXJjZSBzZXJ2ZXJzLiAgQ2xpZW50cyBNVVNUIE5PVCB1c2UgbW9y ZSB0aGFuIG9uZQoJbWV0aG9kIHRvIHRyYW5zbWl0IHRoZSB0b2tlbiBpbiBlYWNoIHJlcXVlc3Qu CiAgICAgIDwvdD4KCiAgICAgIDxzZWN0aW9uIHRpdGxlPSdBdXRob3JpemF0aW9uIFJlcXVlc3Qg SGVhZGVyIEZpZWxkJyBhbmNob3I9J2F1dGh6LWhlYWRlcic+CiAgICAgICAgPHQ+CgkgIFdoZW4g c2VuZGluZyB0aGUgYWNjZXNzIHRva2VuIGluIHRoZSA8c3BhbngKCSAgc3R5bGU9J3ZlcmInPkF1 dGhvcml6YXRpb248L3NwYW54PiByZXF1ZXN0IGhlYWRlciBmaWVsZAoJICBkZWZpbmVkIGJ5Cgkg IEhUVFAvMS4xLCBQYXJ0IDcgPHhyZWYgdGFyZ2V0PSdJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgn IC8+LAoJICB0aGUKCSAgY2xpZW50IHVzZXMgdGhlIDxzcGFueCBzdHlsZT0ndmVyYic+QmVhcmVy PC9zcGFueD4KCSAgYXV0aGVudGljYXRpb24gc2NoZW1lIHRvIHRyYW5zbWl0IHRoZSBhY2Nlc3Mg dG9rZW4uCiAgICAgICAgPC90PgogICAgICAgIDxmaWd1cmU+CiAgICAgICAgICA8cHJlYW1ibGU+ CiAgICAgICAgICAgIEZvciBleGFtcGxlOgogICAgICAgICAgPC9wcmVhbWJsZT4KICAgICAgICAg IDxhcnR3b3JrPgo8IVtDREFUQVtHRVQgL3Jlc291cmNlIEhUVFAvMS4xCkhvc3Q6IHNlcnZlci5l eGFtcGxlLmNvbQpBdXRob3JpemF0aW9uOiBCZWFyZXIgdkY5ZGZ0NHFtVF1dPgogICAgICAgICAg PC9hcnR3b3JrPgogICAgICAgIDwvZmlndXJlPgogICAgICAgIDx0PgogICAgICAgICAgVGhlIDxz cGFueCBzdHlsZT0ndmVyYic+QXV0aG9yaXphdGlvbjwvc3Bhbng+IGhlYWRlciBmaWVsZCB1c2Vz IHRoZSBmcmFtZXdvcmsgZGVmaW5lZCBieQogICAgICAgICAgSFRUUC8xLjEsIFBhcnQgNyA8eHJl ZiB0YXJnZXQ9J0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aCcgLz4KCSAgYXMgZm9sbG93czoKICAg ICAgICA8L3Q+CiAgICAgICAgPGZpZ3VyZT4KICAgICAgICAgIDxhcnR3b3JrPgo8IVtDREFUQVtj cmVkZW50aWFscyA9ICJCZWFyZXIiIDEqU1AgYjY0dG9rZW5dXT4KICAgICAgICAgIDwvYXJ0d29y az4KICAgICAgICA8L2ZpZ3VyZT4KCTx0PgoJICBUaGUgYjY0dG9rZW4gc3ludGF4IHdhcyBjaG9z ZW4gb3ZlciB0aGUgYWx0ZXJuYXRpdmUKCSAgI2F1dGgtcGFyYW0gc3ludGF4IGFsc28gZGVmaW5l ZCBieQoJICBIVFRQLzEuMSwgUGFydCA3IDx4cmVmIHRhcmdldD0nSS1ELmlldGYtaHR0cGJpcy1w Ny1hdXRoJyAvPgoJICBib3RoIGZvciBzaW1wbGljaXR5CgkgIGFuZCBmb3IgY29tcGF0aWJpbGl0 eSB3aXRoIGV4aXN0aW5nIGltcGxlbWVudGF0aW9ucy4KCSAgSWYgYWRkaXRpb25hbCBwYXJhbWV0 ZXJzIGFyZSBuZWVkZWQgaW4gdGhlIGZ1dHVyZSwgYQoJICBkaWZmZXJlbnQgc2NoZW1lIHdvdWxk IG5lZWQgdG8gYmUgZGVmaW5lZC4KCTwvdD4KCTx0PgoJICBDbGllbnRzIFNIT1VMRCBtYWtlIGF1 dGhlbnRpY2F0ZWQgcmVxdWVzdHMgd2l0aCBhIGJlYXJlcgoJICB0b2tlbiB1c2luZyB0aGUgPHNw YW54IHN0eWxlPSd2ZXJiJz5BdXRob3JpemF0aW9uPC9zcGFueD4KCSAgcmVxdWVzdCBoZWFkZXIg ZmllbGQgd2l0aCB0aGUgPHNwYW54CgkgIHN0eWxlPSd2ZXJiJz5CZWFyZXI8L3NwYW54PiBIVFRQ IGF1dGhvcml6YXRpb24gc2NoZW1lLgoJICBSZXNvdXJjZSBzZXJ2ZXJzIE1VU1Qgc3VwcG9ydCB0 aGlzIG1ldGhvZC4KCTwvdD4KICAgICAgPC9zZWN0aW9uPgoKICAgICAgPHNlY3Rpb24gdGl0bGU9 J0Zvcm0tRW5jb2RlZCBCb2R5IFBhcmFtZXRlcicgYW5jaG9yPSdib2R5LXBhcmFtJz4KICAgICAg ICA8dD4KICAgICAgICAgIFdoZW4gc2VuZGluZyB0aGUgYWNjZXNzIHRva2VuIGluIHRoZSBIVFRQ IHJlcXVlc3QKICAgICAgICAgIGVudGl0eS1ib2R5LCB0aGUgY2xpZW50IGFkZHMgdGhlIGFjY2Vz cyB0b2tlbiB0byB0aGUgcmVxdWVzdAogICAgICAgICAgYm9keSB1c2luZyB0aGUgPHNwYW54IHN0 eWxlPSd2ZXJiJz5hY2Nlc3NfdG9rZW48L3NwYW54PgogICAgICAgICAgcGFyYW1ldGVyLiAgVGhl IGNsaWVudCBNVVNUIE5PVCB1c2UgdGhpcyBtZXRob2QgdW5sZXNzCgkgIGFsbCBvZiB0aGUgZm9s bG93aW5nIGNvbmRpdGlvbnMgYXJlIG1ldDoKICAgICAgICAgIDxsaXN0IHN0eWxlPSdzeW1ib2xz Jz4KICAgICAgICAgICAgPHQ+CiAgICAgICAgICAgICAgVGhlIEhUVFAgcmVxdWVzdCBlbnRpdHkt Ym9keSBpcyBzaW5nbGUtcGFydC4KICAgICAgICAgICAgPC90PgogICAgICAgICAgICA8dD4KICAg ICAgICAgICAgICBUaGUgZW50aXR5LWJvZHkgZm9sbG93cyB0aGUgZW5jb2RpbmcgcmVxdWlyZW1l bnRzIG9mIHRoZQogICAgICAgICAgICAgIDxzcGFueCBzdHlsZT0ndmVyYic+YXBwbGljYXRpb24v eC13d3ctZm9ybS11cmxlbmNvZGVkPC9zcGFueD4gY29udGVudC10eXBlIGFzCiAgICAgICAgICAg ICAgZGVmaW5lZCBieQoJICAgICAgSFRNTCA0LjAxIDx4cmVmIHRhcmdldD0nVzNDLlJFQy1odG1s NDAxLTE5OTkxMjI0JyAvPi4KICAgICAgICAgICAgPC90PgogICAgICAgICAgICA8dD4KICAgICAg ICAgICAgICBUaGUgSFRUUCByZXF1ZXN0IGVudGl0eS1oZWFkZXIgaW5jbHVkZXMgdGhlIDxzcGFu eCBzdHlsZT0ndmVyYic+Q29udGVudC1UeXBlPC9zcGFueD4KICAgICAgICAgICAgICBoZWFkZXIg ZmllbGQgc2V0IHRvIDxzcGFueCBzdHlsZT0ndmVyYic+YXBwbGljYXRpb24veC13d3ctZm9ybS11 cmxlbmNvZGVkPC9zcGFueD4uCiAgICAgICAgICAgIDwvdD4KICAgICAgICAgICAgPHQ+CiAgICAg ICAgICAgICAgVGhlIEhUVFAgcmVxdWVzdCBtZXRob2QgaXMgb25lIGZvciB3aGljaCB0aGUgcmVx dWVzdAogICAgICAgICAgICAgIGJvZHkgaGFzIGRlZmluZWQgc2VtYW50aWNzLiAgSW4gcGFydGlj dWxhciwKICAgICAgICAgICAgICB0aGlzIG1lYW5zIHRoYXQgdGhlIDxzcGFueCBzdHlsZT0ndmVy Yic+R0VUPC9zcGFueD4KICAgICAgICAgICAgICBtZXRob2QgTVVTVCBOT1QgYmUgdXNlZC4KICAg ICAgICAgICAgPC90PgoJICAgIDx0PgoJICAgICAgVGhlIGNvbnRlbnQgdG8gYmUgZW5jb2RlZCBp biB0aGUgZW50aXR5LWJvZHkgTVVTVAoJICAgICAgY29uc2lzdCBlbnRpcmVseSBvZiBBU0NJSSBj aGFyYWN0ZXJzLgoJICAgIDwvdD4KICAgICAgICAgIDwvbGlzdD4KICAgICAgICA8L3Q+CiAgICAg ICAgPHQ+CiAgICAgICAgICBUaGUgZW50aXR5LWJvZHkgTUFZIGluY2x1ZGUgb3RoZXIgcmVxdWVz dC1zcGVjaWZpYwogICAgICAgICAgcGFyYW1ldGVycywgaW4gd2hpY2ggY2FzZSwgdGhlIDxzcGFu eAogICAgICAgICAgc3R5bGU9J3ZlcmInPmFjY2Vzc190b2tlbjwvc3Bhbng+IHBhcmFtZXRlciBN VVNUIGJlIHByb3Blcmx5CiAgICAgICAgICBzZXBhcmF0ZWQgZnJvbSB0aGUgcmVxdWVzdC1zcGVj aWZpYyBwYXJhbWV0ZXJzIHVzaW5nIDxzcGFueAogICAgICAgICAgc3R5bGU9J3ZlcmInPiZhbXA7 PC9zcGFueD4gY2hhcmFjdGVyKHMpIChBU0NJSSBjb2RlIDM4KS4KICAgICAgICA8L3Q+CiAgICAg ICAgPGZpZ3VyZT4KICAgICAgICAgIDxwcmVhbWJsZT4KICAgICAgICAgICAgRm9yIGV4YW1wbGUs IHRoZSBjbGllbnQgbWFrZXMgdGhlIGZvbGxvd2luZyBIVFRQIHJlcXVlc3QgdXNpbmcgdHJhbnNw b3J0LWxheWVyCiAgICAgICAgICAgIHNlY3VyaXR5OgogICAgICAgICAgPC9wcmVhbWJsZT4KICAg ICAgICAgIDxhcnR3b3JrPgo8IVtDREFUQVtQT1NUIC9yZXNvdXJjZSBIVFRQLzEuMQpIb3N0OiBz ZXJ2ZXIuZXhhbXBsZS5jb20KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVy bGVuY29kZWQKCmFjY2Vzc190b2tlbj12RjlkZnQ0cW1UXV0+CiAgICAgICAgICA8L2FydHdvcms+ CiAgICAgICAgPC9maWd1cmU+Cgk8dD4KCSAgVGhlIDxzcGFueCBzdHlsZT0ndmVyYic+YXBwbGlj YXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkPC9zcGFueD4KCSAgbWV0aG9kIFNIT1VMRCBOT1Qg YmUgdXNlZCBleGNlcHQgaW4gYXBwbGljYXRpb24gY29udGV4dHMKCSAgd2hlcmUgcGFydGljaXBh dGluZyBicm93c2VycyBkbyBub3QgaGF2ZSBhY2Nlc3MgdG8gdGhlCgkgIDxzcGFueCBzdHlsZT0n dmVyYic+QXV0aG9yaXphdGlvbjwvc3Bhbng+IHJlcXVlc3QgaGVhZGVyCgkgIGZpZWxkLiAgUmVz b3VyY2Ugc2VydmVycyBNQVkgc3VwcG9ydCB0aGlzIG1ldGhvZC4KCTwvdD4KICAgICAgPC9zZWN0 aW9uPgoKICAgICAgPHNlY3Rpb24gdGl0bGU9J1VSSSBRdWVyeSBQYXJhbWV0ZXInIGFuY2hvcj0n cXVlcnktcGFyYW0nPgogICAgICAgIDx0PgogICAgICAgICAgV2hlbiBzZW5kaW5nIHRoZSBhY2Nl c3MgdG9rZW4gaW4gdGhlIEhUVFAgcmVxdWVzdCBVUkksIHRoZSBjbGllbnQgYWRkcyB0aGUgYWNj ZXNzCiAgICAgICAgICB0b2tlbiB0byB0aGUgcmVxdWVzdCBVUkkgcXVlcnkgY29tcG9uZW50IGFz IGRlZmluZWQgYnkKCSAgVW5pZm9ybSBSZXNvdXJjZSBJZGVudGlmaWVyIChVUkkpIDx4cmVmIHRh cmdldD0nUkZDMzk4NicgLz4KCSAgdXNpbmcKICAgICAgICAgIHRoZSA8c3Bhbnggc3R5bGU9J3Zl cmInPmFjY2Vzc190b2tlbjwvc3Bhbng+IHBhcmFtZXRlci4KICAgICAgICA8L3Q+CiAgICAgICAg PGZpZ3VyZT4KICAgICAgICAgIDxwcmVhbWJsZT4KICAgICAgICAgICAgRm9yIGV4YW1wbGUsIHRo ZSBjbGllbnQgbWFrZXMgdGhlIGZvbGxvd2luZyBIVFRQIHJlcXVlc3QgdXNpbmcgdHJhbnNwb3J0 LWxheWVyCiAgICAgICAgICAgIHNlY3VyaXR5OgogICAgICAgICAgPC9wcmVhbWJsZT4KICAgICAg ICAgIDxhcnR3b3JrPgo8IVtDREFUQVtHRVQgL3Jlc291cmNlP2FjY2Vzc190b2tlbj12RjlkZnQ0 cW1UIEhUVFAvMS4xCkhvc3Q6IHNlcnZlci5leGFtcGxlLmNvbV1dPgogICAgICAgICAgPC9hcnR3 b3JrPgogICAgICAgIDwvZmlndXJlPgogICAgICAgIDx0PgogICAgICAgICAgVGhlIEhUVFAgcmVx dWVzdCBVUkkgcXVlcnkgY2FuIGluY2x1ZGUgb3RoZXIKICAgICAgICAgIHJlcXVlc3Qtc3BlY2lm aWMgcGFyYW1ldGVycywgaW4gd2hpY2ggY2FzZSwgdGhlIDxzcGFueAogICAgICAgICAgc3R5bGU9 J3ZlcmInPmFjY2Vzc190b2tlbjwvc3Bhbng+IHBhcmFtZXRlciBNVVNUIGJlIHByb3Blcmx5CiAg ICAgICAgICBzZXBhcmF0ZWQgZnJvbSB0aGUgcmVxdWVzdC1zcGVjaWZpYyBwYXJhbWV0ZXJzIHVz aW5nIDxzcGFueAogICAgICAgICAgc3R5bGU9J3ZlcmInPiZhbXA7PC9zcGFueD4gY2hhcmFjdGVy KHMpIChBU0NJSSBjb2RlIDM4KS4KICAgICAgICA8L3Q+CiAgICAgICAgPGZpZ3VyZT4KICAgICAg ICAgIDxwcmVhbWJsZT4KICAgICAgICAgICAgRm9yIGV4YW1wbGU6CiAgICAgICAgICA8L3ByZWFt YmxlPgogICAgICAgICAgPGFydHdvcms+CjwhW0NEQVRBW2h0dHBzOi8vc2VydmVyLmV4YW1wbGUu Y29tL3Jlc291cmNlP3g9eSZhY2Nlc3NfdG9rZW49dkY5ZGZ0NHFtVCZwPXFdXT4KICAgICAgICAg IDwvYXJ0d29yaz4KICAgICAgICA8L2ZpZ3VyZT4KCTx0PgoJICBCZWNhdXNlIG9mIHRoZSBzZWN1 cml0eSB3ZWFrbmVzc2VzIGFzc29jaWF0ZWQgd2l0aCB0aGUgVVJJCgkgIG1ldGhvZCAoc2VlIDx4 cmVmIHRhcmdldD0ic2VjLWNvbiIgLz4pLCBpbmNsdWRpbmcgdGhlIGhpZ2gKCSAgbGlrZWxpaG9v ZCB0aGF0IHRoZSBVUkwgY29udGFpbmluZyB0aGUgYWNjZXNzIHRva2VuIHdpbGwgYmUKCSAgbG9n Z2VkLCBpdCBTSE9VTEQgTk9UIGJlIHVzZWQgdW5sZXNzIGl0IGlzIGltcG9zc2libGUgdG8KCSAg dHJhbnNwb3J0IHRoZSBhY2Nlc3MgdG9rZW4gaW4gdGhlIDxzcGFueAoJICBzdHlsZT0ndmVyYic+ QXV0aG9yaXphdGlvbjwvc3Bhbng+IHJlcXVlc3QgaGVhZGVyIGZpZWxkIG9yCgkgIHRoZSBIVFRQ IHJlcXVlc3QgZW50aXR5LWJvZHkuICBSZXNvdXJjZSBzZXJ2ZXJzIE1BWSBzdXBwb3J0CgkgIHRo aXMgbWV0aG9kLgoJPC90PgogICAgICA8L3NlY3Rpb24+CgogICAgPC9zZWN0aW9uPgoKICAgIDxz ZWN0aW9uIHRpdGxlPSdUaGUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBIZWFkZXIgRmllbGQn IGFuY2hvcj0nYXV0aG4taGVhZGVyJz4KICAgICAgPHQ+CglJZiB0aGUgcHJvdGVjdGVkIHJlc291 cmNlIHJlcXVlc3QgZG9lcyBub3QgaW5jbHVkZQoJYXV0aGVudGljYXRpb24gY3JlZGVudGlhbHMg b3IgZG9lcyBub3QgY29udGFpbiBhbiBhY2Nlc3MKCXRva2VuIHRoYXQgZW5hYmxlcyBhY2Nlc3Mg dG8gdGhlIHByb3RlY3RlZCByZXNvdXJjZSwKCXRoZSByZXNvdXJjZSBzZXJ2ZXIgTVVTVCBpbmNs dWRlIHRoZSBIVFRQIDxzcGFueAoJc3R5bGU9J3ZlcmInPldXVy1BdXRoZW50aWNhdGU8L3NwYW54 PiByZXNwb25zZSBoZWFkZXIgZmllbGQ7CglpdCBNQVkgaW5jbHVkZSBpdCBpbiByZXNwb25zZSB0 byBvdGhlciBjb25kaXRpb25zIGFzIHdlbGwuCglUaGUgPHNwYW54IHN0eWxlPSd2ZXJiJz5XV1ct QXV0aGVudGljYXRlPC9zcGFueD4gaGVhZGVyCglmaWVsZCB1c2VzIHRoZSBmcmFtZXdvcmsgZGVm aW5lZCBieQoJSFRUUC8xLjEsIFBhcnQgNyA8eHJlZiB0YXJnZXQ9J0ktRC5pZXRmLWh0dHBiaXMt cDctYXV0aCcgLz4KCWFzIGZvbGxvd3M6CiAgICAgIDwvdD4KICAgICAgPGZpZ3VyZT4KCTxhcnR3 b3JrPgo8IVtDREFUQVtjaGFsbGVuZ2UgICAgICAgPSAiQmVhcmVyIiBbIDEqU1AgMSNwYXJhbSBd CgpwYXJhbSAgICAgICAgICAgPSByZWFsbSAvIHNjb3BlIC8KICAgICAgICAgICAgICAgICAgZXJy b3IgLyBlcnJvci1kZXNjIC8gZXJyb3ItdXJpIC8KICAgICAgICAgICAgICAgICAgYXV0aC1wYXJh bQoKc2NvcGUgICAgICAgICAgID0gInNjb3BlIiAiPSIgcXVvdGVkLXN0cmluZwplcnJvciAgICAg ICAgICAgPSAiZXJyb3IiICI9IiBxdW90ZWQtc3RyaW5nCmVycm9yLWRlc2MgICAgICA9ICJlcnJv cl9kZXNjcmlwdGlvbiIgIj0iIHF1b3RlZC1zdHJpbmcKZXJyb3ItdXJpICAgICAgID0gImVycm9y X3VyaSIgIj0iIHF1b3RlZC1zdHJpbmddXT4KCTwvYXJ0d29yaz4KICAgICAgPC9maWd1cmU+CiAg ICAgIDx0PgoJQSA8c3Bhbnggc3R5bGU9J3ZlcmInPnJlYWxtPC9zcGFueD4gYXR0cmlidXRlIE1B WSBiZSBpbmNsdWRlZAoJdG8gaW5kaWNhdGUgdGhlIHNjb3BlIG9mIHByb3RlY3Rpb24gaW4gdGhl IG1hbm5lciBkZXNjcmliZWQgaW4KCUhUVFAvMS4xLCBQYXJ0IDcgPHhyZWYgdGFyZ2V0PSdJLUQu aWV0Zi1odHRwYmlzLXA3LWF1dGgnIC8+LgoJVGhlIDxzcGFueCBzdHlsZT0ndmVyYic+cmVhbG08 L3NwYW54PiBhdHRyaWJ1dGUgTVVTVCBOT1QgYXBwZWFyIG1vcmUgdGhhbiBvbmNlLgoJVGhlIDxz cGFueCBzdHlsZT0ndmVyYic+cmVhbG08L3NwYW54PiB2YWx1ZSBpcyBpbnRlbmRlZCBmb3IKCXBy b2dyYW1tYXRpYyB1c2UgYW5kIGlzIG5vdCBtZWFudCB0byBiZSBkaXNwbGF5ZWQgdG8KCWVuZCB1 c2Vycy4KICAgICAgPC90PgoKICAgICAgPHQ+CglUaGUgPHNwYW54IHN0eWxlPSd2ZXJiJz5zY29w ZTwvc3Bhbng+IGF0dHJpYnV0ZSBpcyBhIHNwYWNlLWRlbGltaXRlZCBsaXN0IG9mIHNjb3BlIHZh bHVlcwoJaW5kaWNhdGluZyB0aGUgcmVxdWlyZWQgc2NvcGUgb2YgdGhlIGFjY2VzcyB0b2tlbiBm b3IgYWNjZXNzaW5nIHRoZSByZXF1ZXN0ZWQgcmVzb3VyY2UuCglJbiBzb21lIGNhc2VzLCB0aGUg PHNwYW54IHN0eWxlPSd2ZXJiJz5zY29wZTwvc3Bhbng+IHZhbHVlCgl3aWxsIGJlIHVzZWQgd2hl biByZXF1ZXN0aW5nIGEgbmV3IGFjY2VzcyB0b2tlbiB3aXRoCglzdWZmaWNpZW50IHNjb3BlIG9m IGFjY2VzcyB0byB1dGlsaXplIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UuCglUaGUgPHNwYW54IHN0 eWxlPSd2ZXJiJz5zY29wZTwvc3Bhbng+IGF0dHJpYnV0ZSBNVVNUIE5PVCBhcHBlYXIgbW9yZSB0 aGFuIG9uY2UuCglUaGUgPHNwYW54IHN0eWxlPSd2ZXJiJz5zY29wZTwvc3Bhbng+IHZhbHVlIGlz IGludGVuZGVkIGZvcgoJcHJvZ3JhbW1hdGljIHVzZSBhbmQgaXMgbm90IG1lYW50IHRvIGJlIGRp c3BsYXllZCB0bwoJZW5kIHVzZXJzLgogICAgICA8L3Q+CiAgICAgIDx0PgoJSWYgdGhlIHByb3Rl Y3RlZCByZXNvdXJjZSByZXF1ZXN0IGluY2x1ZGVkIGFuIGFjY2VzcyB0b2tlbiBhbmQgZmFpbGVk IGF1dGhlbnRpY2F0aW9uLCB0aGUKCXJlc291cmNlIHNlcnZlciBTSE9VTEQgaW5jbHVkZSB0aGUg PHNwYW54IHN0eWxlPSd2ZXJiJz5lcnJvcjwvc3Bhbng+IGF0dHJpYnV0ZSB0byBwcm92aWRlCgl0 aGUgY2xpZW50IHdpdGggdGhlIHJlYXNvbiB3aHkgdGhlIGFjY2VzcyByZXF1ZXN0IHdhcyBkZWNs aW5lZC4gVGhlIHBhcmFtZXRlciB2YWx1ZSBpcwoJZGVzY3JpYmVkIGluIDx4cmVmIHRhcmdldD0n cmVzb3VyY2UtZXJyb3ItY29kZXMnIC8+LgoJSW4gYWRkaXRpb24sIHRoZSByZXNvdXJjZSBzZXJ2 ZXIgTUFZIGluY2x1ZGUgdGhlIDxzcGFueAoJc3R5bGU9J3ZlcmInPmVycm9yX2Rlc2NyaXB0aW9u PC9zcGFueD4gYXR0cmlidXRlIHRvIHByb3ZpZGUKCWRldmVsb3BlcnMgYSBodW1hbi1yZWFkYWJs ZSBleHBsYW5hdGlvbiB0aGF0IGlzIG5vdCBtZWFudAoJdG8gYmUgZGlzcGxheWVkIHRvIGVuZCB1 c2Vycy4KCUl0IGFsc28gTUFZIGluY2x1ZGUKCXRoZSA8c3Bhbnggc3R5bGU9J3ZlcmInPmVycm9y X3VyaTwvc3Bhbng+IGF0dHJpYnV0ZSB3aXRoCglhbiBhYnNvbHV0ZSBVUkkgaWRlbnRpZnlpbmcg YSBodW1hbi1yZWFkYWJsZSB3ZWIgcGFnZSBleHBsYWluaW5nIHRoZSBlcnJvci4KCVRoZSA8c3Bh bnggc3R5bGU9J3ZlcmInPmVycm9yPC9zcGFueD4sIDxzcGFueCBzdHlsZT0ndmVyYic+ZXJyb3Jf ZGVzY3JpcHRpb248L3NwYW54PiwgYW5kCgk8c3Bhbnggc3R5bGU9J3ZlcmInPmVycm9yX3VyaTwv c3Bhbng+IGF0dHJpYnV0ZXMgTVVTVCBOT1QgYXBwZWFyIG1vcmUgdGhhbiBvbmNlLgogICAgICA8 L3Q+CiAgICAgIDx0PgoJUHJvZHVjZXJzIG9mIDxzcGFueCBzdHlsZT0ndmVyYic+c2NvcGU8L3Nw YW54PiBzdHJpbmdzIE1VU1QKCU5PVCB1c2UgY2hhcmFjdGVycyBvdXRzaWRlIHRoZSBzZXQgJXgy MSAvICV4MjMtNUIgLyAleDVELTdFCglmb3IgcmVwcmVzZW50aW5nIHRoZSBzY29wZSB2YWx1ZXMg YW5kICV4MjAgZm9yIHRoZSBkZWxpbWl0ZXIuCglQcm9kdWNlcnMgb2YgPHNwYW54IHN0eWxlPSd2 ZXJiJz5lcnJvcjwvc3Bhbng+IGFuZCA8c3BhbngKCXN0eWxlPSd2ZXJiJz5lcnJvcl9kZXNjcmlw dGlvbjwvc3Bhbng+IHN0cmluZ3MgTVVTVCBOT1QgdXNlCgljaGFyYWN0ZXJzIG91dHNpZGUgdGhl IHNldCAleDIwLTIxIC8gJXgyMy01QiAvICV4NUQtN0UgZm9yCglyZXByZXNlbnRpbmcgdGhlc2Ug dmFsdWVzLgoJUHJvZHVjZXJzIG9mIDxzcGFueCBzdHlsZT0ndmVyYic+ZXJyb3ItdXJpPC9zcGFu eD4gc3RyaW5ncwoJTVVTVCBOT1QgdXNlIGNoYXJhY3RlcnMgb3V0c2lkZSB0aGUgc2V0ICV4MjEg LyAleDIzLTVCIC8KCSV4NUQtN0UgZm9yIHJlcHJlc2VudGluZyB0aGVzZSB2YWx1ZXMuICBGdXJ0 aGVybW9yZSwKCTxzcGFueCBzdHlsZT0ndmVyYic+ZXJyb3ItdXJpPC9zcGFueD4gc3RyaW5ncyBN VVNUIGNvbmZvcm0KCXRvIHRoZSBVUkktUmVmZXJlbmNlIHN5bnRheC4KCUluIGFsbCB0aGVzZSBj YXNlcywgbm8gY2hhcmFjdGVyIHF1b3Rpbmcgd2lsbCBvY2N1ciwgYXMKCXNlbmRlcnMgYXJlIHBy b2hpYml0ZWQgZnJvbSB1c2luZyB0aGUgJTVDICgnXCcpIGNoYXJhY3Rlci4KICAgICAgPC90Pgog ICAgICA8ZmlndXJlPgoJPHByZWFtYmxlPgoJICBGb3IgZXhhbXBsZSwgaW4gcmVzcG9uc2UgdG8g YSBwcm90ZWN0ZWQgcmVzb3VyY2UgcmVxdWVzdCB3aXRob3V0IGF1dGhlbnRpY2F0aW9uOgoJPC9w cmVhbWJsZT4KCTxhcnR3b3JrPgo8IVtDREFUQVtIVFRQLzEuMSA0MDEgVW5hdXRob3JpemVkCldX Vy1BdXRoZW50aWNhdGU6IEJlYXJlciByZWFsbT0iZXhhbXBsZSJdXT4KICAgICAgICAgIDwvYXJ0 d29yaz4KICAgICAgICA8L2ZpZ3VyZT4KICAgICAgICA8ZmlndXJlPgogICAgICAgICAgPHByZWFt YmxlPgogICAgICAgICAgICBBbmQgaW4gcmVzcG9uc2UgdG8gYSBwcm90ZWN0ZWQgcmVzb3VyY2Ug cmVxdWVzdCB3aXRoIGFuIGF1dGhlbnRpY2F0aW9uIGF0dGVtcHQgdXNpbmcgYW4KICAgICAgICAg ICAgZXhwaXJlZCBhY2Nlc3MgdG9rZW46CiAgICAgICAgICA8L3ByZWFtYmxlPgogICAgICAgICAg PGFydHdvcms+CjwhW0NEQVRBW0hUVFAvMS4xIDQwMSBVbmF1dGhvcml6ZWQKV1dXLUF1dGhlbnRp Y2F0ZTogQmVhcmVyIHJlYWxtPSJleGFtcGxlIiwKICAgICAgICAgICAgICAgICAgZXJyb3I9Imlu dmFsaWRfdG9rZW4iLAogICAgICAgICAgICAgICAgICBlcnJvcl9kZXNjcmlwdGlvbj0iVGhlIGFj Y2VzcyB0b2tlbiBleHBpcmVkIl1dPgoJPC9hcnR3b3JrPgogICAgICA8L2ZpZ3VyZT4KCiAgICAg IDxzZWN0aW9uIHRpdGxlPSdFcnJvciBDb2RlcycgYW5jaG9yPSdyZXNvdXJjZS1lcnJvci1jb2Rl cyc+Cgk8dD4KCSAgV2hlbiBhIHJlcXVlc3QgZmFpbHMsIHRoZSByZXNvdXJjZSBzZXJ2ZXIgcmVz cG9uZHMgdXNpbmcgdGhlIGFwcHJvcHJpYXRlIEhUVFAgc3RhdHVzCgkgIGNvZGUgKHR5cGljYWxs eSwgNDAwLCA0MDEsIDQwMywgb3IgNDA1KSwKCSAgYW5kIGluY2x1ZGVzIG9uZSBvZiB0aGUgZm9s bG93aW5nIGVycm9yIGNvZGVzIGluCgkgIHRoZSByZXNwb25zZToKCgkgIDxsaXN0IHN0eWxlPSdo YW5naW5nJyBoYW5nSW5kZW50PSc2Jz4KCSAgICA8dCBoYW5nVGV4dD0naW52YWxpZF9yZXF1ZXN0 Jz4KCSAgICAgIDx2c3BhY2UgLz4KCSAgICAgIFRoZSByZXF1ZXN0IGlzIG1pc3NpbmcgYSByZXF1 aXJlZCBwYXJhbWV0ZXIsIGluY2x1ZGVzIGFuIHVuc3VwcG9ydGVkIHBhcmFtZXRlciBvcgoJICAg ICAgcGFyYW1ldGVyIHZhbHVlLCByZXBlYXRzIHRoZSBzYW1lIHBhcmFtZXRlciwgdXNlcyBtb3Jl IHRoYW4gb25lIG1ldGhvZCBmb3IKCSAgICAgIGluY2x1ZGluZyBhbiBhY2Nlc3MgdG9rZW4sIG9y IGlzIG90aGVyd2lzZSBtYWxmb3JtZWQuIFRoZSByZXNvdXJjZSBzZXJ2ZXIgU0hPVUxECgkgICAg ICByZXNwb25kIHdpdGggdGhlIEhUVFAgNDAwIChCYWQgUmVxdWVzdCkgc3RhdHVzIGNvZGUuCgkg ICAgPC90PgoJICAgIDx0IGhhbmdUZXh0PSdpbnZhbGlkX3Rva2VuJz4KCSAgICAgIDx2c3BhY2Ug Lz4KCSAgICAgIFRoZSBhY2Nlc3MgdG9rZW4gcHJvdmlkZWQgaXMgZXhwaXJlZCwgcmV2b2tlZCwg bWFsZm9ybWVkLCBvciBpbnZhbGlkIGZvciBvdGhlcgoJICAgICAgcmVhc29ucy4gVGhlIHJlc291 cmNlIFNIT1VMRCByZXNwb25kIHdpdGggdGhlIEhUVFAgNDAxIChVbmF1dGhvcml6ZWQpIHN0YXR1 cwoJICAgICAgY29kZS4gVGhlIGNsaWVudCBNQVkgcmVxdWVzdCBhIG5ldyBhY2Nlc3MgdG9rZW4g YW5kIHJldHJ5IHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UKCSAgICAgIHJlcXVlc3QuCgkgICAgPC90 PgoJICAgIDx0IGhhbmdUZXh0PSdpbnN1ZmZpY2llbnRfc2NvcGUnPgoJICAgICAgPHZzcGFjZSAv PgoJICAgICAgVGhlIHJlcXVlc3QgcmVxdWlyZXMgaGlnaGVyIHByaXZpbGVnZXMgdGhhbiBwcm92 aWRlZCBieSB0aGUgYWNjZXNzIHRva2VuLiBUaGUKCSAgICAgIHJlc291cmNlIHNlcnZlciBTSE9V TEQgcmVzcG9uZCB3aXRoIHRoZSBIVFRQIDQwMyAoRm9yYmlkZGVuKSBzdGF0dXMgY29kZSBhbmQg TUFZCgkgICAgICBpbmNsdWRlIHRoZSA8c3Bhbnggc3R5bGU9J3ZlcmInPnNjb3BlPC9zcGFueD4g YXR0cmlidXRlIHdpdGggdGhlIHNjb3BlIG5lY2Vzc2FyeSB0bwoJICAgICAgYWNjZXNzIHRoZSBw cm90ZWN0ZWQgcmVzb3VyY2UuCgkgICAgPC90PgoJICA8L2xpc3Q+Cgk8L3Q+Cgk8dD4KCSAgSWYg dGhlIHJlcXVlc3QgbGFja3MgYW55IGF1dGhlbnRpY2F0aW9uIGluZm9ybWF0aW9uIChpLmUuIHRo ZSBjbGllbnQgd2FzIHVuYXdhcmUKCSAgYXV0aGVudGljYXRpb24gaXMgbmVjZXNzYXJ5IG9yIGF0 dGVtcHRlZCB1c2luZyBhbiB1bnN1cHBvcnRlZCBhdXRoZW50aWNhdGlvbiBtZXRob2QpLAoJICB0 aGUgcmVzb3VyY2Ugc2VydmVyIFNIT1VMRCBOT1QgaW5jbHVkZSBhbiBlcnJvciBjb2RlIG9yIG90 aGVyIGVycm9yIGluZm9ybWF0aW9uLgoJPC90PgoJPGZpZ3VyZT4KCSAgPHByZWFtYmxlPgoJICAg IEZvciBleGFtcGxlOgoJICA8L3ByZWFtYmxlPgoJICA8YXJ0d29yaz4KPCFbQ0RBVEFbSFRUUC8x LjEgNDAxIFVuYXV0aG9yaXplZApXV1ctQXV0aGVudGljYXRlOiBCZWFyZXIgcmVhbG09ImV4YW1w bGUiXV0+CgkgIDwvYXJ0d29yaz4KCTwvZmlndXJlPgogICAgICA8L3NlY3Rpb24+CgogICAgPC9z ZWN0aW9uPgoKICAgIDxzZWN0aW9uIHRpdGxlPSdTZWN1cml0eSBDb25zaWRlcmF0aW9ucycgYW5j aG9yPSJzZWMtY29uIj4KCiAgICAgIDx0PgoJVGhpcyBzZWN0aW9uIGRlc2NyaWJlcyB0aGUgcmVs ZXZhbnQgc2VjdXJpdHkgdGhyZWF0cyByZWdhcmRpbmcKCXRva2VuIGhhbmRsaW5nIHdoZW4gdXNp bmcgYmVhcmVyIHRva2VucyBhbmQgZGVzY3JpYmVzIGhvdyB0bwoJbWl0aWdhdGUgdGhlc2UgdGhy ZWF0cy4KICAgICAgPC90PgoKICAgICAgPHNlY3Rpb24gdGl0bGU9IlNlY3VyaXR5IFRocmVhdHMi IGFuY2hvcj0idGhyZWF0cyI+CgoJPHQ+CgkgIFRoZSBmb2xsb3dpbmcgbGlzdCBwcmVzZW50cyBz ZXZlcmFsIGNvbW1vbiB0aHJlYXRzIGFnYWluc3QKCSAgcHJvdG9jb2xzIHV0aWxpemluZyBzb21l IGZvcm0gb2YgdG9rZW5zLiBUaGlzIGxpc3Qgb2YKCSAgdGhyZWF0cyBpcyBiYXNlZCBvbgoJICBO SVNUIFNwZWNpYWwgUHVibGljYXRpb24gODAwLTYzIDx4cmVmIHRhcmdldD0iTklTVDgwMC02MyIv Pi4KCSAgU2luY2UgdGhpcyBkb2N1bWVudCBidWlsZHMgb24gdGhlCgkgIE9BdXRoIDIuMCBzcGVj aWZpY2F0aW9uLCB3ZSBleGNsdWRlIGEgZGlzY3Vzc2lvbiBvZiB0aHJlYXRzCgkgIHRoYXQgYXJl IGRlc2NyaWJlZCB0aGVyZSBvciBpbiByZWxhdGVkIGRvY3VtZW50cy4KCTwvdD4KCgk8dD4KCSAg PGxpc3Qgc3R5bGU9ImhhbmdpbmciPgoJICAgIDx0IGhhbmdUZXh0PSJUb2tlbiBtYW51ZmFjdHVy ZS9tb2RpZmljYXRpb246Ij4KCSAgICAgIEFuIGF0dGFja2VyIG1heSBnZW5lcmF0ZSBhIGJvZ3Vz IHRva2VuIG9yIG1vZGlmeSB0aGUKCSAgICAgIHRva2VuIGNvbnRlbnRzIChzdWNoIGFzIHRoZSBh dXRoZW50aWNhdGlvbiBvciBhdHRyaWJ1dGUKCSAgICAgIHN0YXRlbWVudHMpIG9mIGFuIGV4aXN0 aW5nIHRva2VuLCBjYXVzaW5nIHRoZSByZXNvdXJjZQoJICAgICAgc2VydmVyIHRvIGdyYW50IGlu YXBwcm9wcmlhdGUgYWNjZXNzIHRvIHRoZSBjbGllbnQuCgkgICAgICBGb3IgZXhhbXBsZSwgYW4g YXR0YWNrZXIgbWF5IG1vZGlmeSB0aGUgdG9rZW4gdG8gZXh0ZW5kCgkgICAgICB0aGUgdmFsaWRp dHkgcGVyaW9kOyBhIG1hbGljaW91cyBjbGllbnQgbWF5IG1vZGlmeSB0aGUKCSAgICAgIGFzc2Vy dGlvbiB0byBnYWluIGFjY2VzcyB0byBpbmZvcm1hdGlvbiB0aGF0IHRoZXkKCSAgICAgIHNob3Vs ZCBub3QgYmUgYWJsZSB0byB2aWV3LgoJICAgIDwvdD4KCSAgICA8dCBoYW5nVGV4dD0iVG9rZW4g ZGlzY2xvc3VyZToiPgoJICAgICAgVG9rZW5zIG1heSBjb250YWluIGF1dGhlbnRpY2F0aW9uIGFu ZCBhdHRyaWJ1dGUKCSAgICAgIHN0YXRlbWVudHMgdGhhdCBpbmNsdWRlIHNlbnNpdGl2ZSBpbmZv cm1hdGlvbi4KCSAgICA8L3Q+CgkgICAgPHQgaGFuZ1RleHQ9IlRva2VuIHJlZGlyZWN0OiI+Cgkg ICAgICBBbiBhdHRhY2tlciB1c2VzIGEgdG9rZW4gZ2VuZXJhdGVkIGZvciBjb25zdW1wdGlvbiBi eSAKCSAgICAgIG9uZSByZXNvdXJjZSBzZXJ2ZXIgdG8gZ2FpbiBhY2Nlc3MgdG8gYSBkaWZmZXJl bnQKCSAgICAgIHJlc291cmNlIHNlcnZlciB0aGF0IG1pc3Rha2VubHkgYmVsaWV2ZXMgdGhlIHRv a2VuIHRvIGJlCgkgICAgICBmb3IgaXQuCgkgICAgPC90PgoJICAgIDx0IGhhbmdUZXh0PSJUb2tl biByZXBsYXk6Ij4KCSAgICAgIEFuIGF0dGFja2VyIGF0dGVtcHRzIHRvIHVzZSBhIHRva2VuIHRo YXQgaGFzIGFscmVhZHkKCSAgICAgIGJlZW4gdXNlZCB3aXRoIHRoYXQgcmVzb3VyY2Ugc2VydmVy IGluIHRoZSBwYXN0LgoJICAgIDwvdD4KCSAgPC9saXN0PiAKCTwvdD4KICAgICAgPC9zZWN0aW9u PiAKCiAgICAgIDxzZWN0aW9uIHRpdGxlPSJUaHJlYXQgTWl0aWdhdGlvbiIgYW5jaG9yPSJtaXRp Z2F0aW9uIj4gCgoJPHQ+CgkgIEEgbGFyZ2UgcmFuZ2Ugb2YgdGhyZWF0cyBjYW4gYmUgbWl0aWdh dGVkIGJ5IHByb3RlY3RpbmcgdGhlCgkgIGNvbnRlbnRzIG9mIHRoZSB0b2tlbiBieSB1c2luZyBh IGRpZ2l0YWwgc2lnbmF0dXJlIG9yIGEKCSAgTWVzc2FnZSBBdXRoZW50aWNhdGlvbiBDb2RlIChN QUMpLgoJICBBbHRlcm5hdGl2ZWx5LCBhIGJlYXJlciB0b2tlbiBjYW4gY29udGFpbiBhIHJlZmVy ZW5jZSB0bwoJICBhdXRob3JpemF0aW9uIGluZm9ybWF0aW9uLCByYXRoZXIgdGhhbiBlbmNvZGlu ZyB0aGUKCSAgaW5mb3JtYXRpb24gZGlyZWN0bHkuIFN1Y2ggcmVmZXJlbmNlcyBNVVNUIGJlIGlu ZmVhc2libGUgZm9yCgkgIGFuIGF0dGFja2VyIHRvIGd1ZXNzOyB1c2luZyBhIHJlZmVyZW5jZSBt YXkgcmVxdWlyZSBhbiBleHRyYQoJICBpbnRlcmFjdGlvbiBiZXR3ZWVuIGEgc2VydmVyIGFuZCB0 aGUgdG9rZW4gaXNzdWVyIHRvIHJlc29sdmUKCSAgdGhlIHJlZmVyZW5jZSB0byB0aGUgYXV0aG9y aXphdGlvbiBpbmZvcm1hdGlvbi4KCSAgVGhlIG1lY2hhbmljcyBvZiBzdWNoIGFuIGludGVyYWN0 aW9uIGFyZSBub3QgZGVmaW5lZCBieSB0aGlzCgkgIHNwZWNpZmljYXRpb24uCgk8L3Q+Cgk8dD4K CSAgVGhpcyBkb2N1bWVudCBkb2VzIG5vdCBzcGVjaWZ5IHRoZSBlbmNvZGluZyBvciB0aGUgY29u dGVudHMKCSAgb2YgdGhlIHRva2VuOyBoZW5jZSBkZXRhaWxlZCByZWNvbW1lbmRhdGlvbnMgYWJv dXQgdGhlIG1lYW5zCgkgIG9mIGd1YXJhbnRlZWluZyB0b2tlbiBpbnRlZ3JpdHkgcHJvdGVjdGlv biBhcmUgb3V0c2lkZSB0aGUKCSAgc2NvcGUgb2YgdGhpcyBkb2N1bWVudC4gIFRoZSB0b2tlbiBp bnRlZ3JpdHkgcHJvdGVjdGlvbiBNVVNUCgkgIGJlIHN1ZmZpY2llbnQgdG8gcHJldmVudCB0aGUg dG9rZW4gZnJvbSBiZWluZyBtb2RpZmllZC4KCTwvdD4KCTx0PgoJICBUbyBkZWFsIHdpdGggdG9r ZW4gcmVkaXJlY3QsIGl0IGlzIGltcG9ydGFudCBmb3IgdGhlCgkgIGF1dGhvcml6YXRpb24gc2Vy dmVyIHRvIGluY2x1ZGUgdGhlIGlkZW50aXR5IG9mIHRoZSBpbnRlbmRlZAoJICByZWNpcGllbnRz ICh0aGUgYXVkaWVuY2UpLCB0eXBpY2FsbHkgYSBzaW5nbGUgcmVzb3VyY2UKCSAgc2VydmVyIChv ciBhIGxpc3Qgb2YgcmVzb3VyY2Ugc2VydmVycyksIGluIHRoZSB0b2tlbi4KCSAgUmVzdHJpY3Rp bmcgdGhlIHVzZSBvZiB0aGUgdG9rZW4gdG8gYSBzcGVjaWZpYyBzY29wZSBpcyBhbHNvCgkgIFJF Q09NTUVOREVELgoJPC90PgoJPHQ+CgkgIFRoZSBhdXRob3JpemF0aW9uIHNlcnZlciBNVVNUIGlt cGxlbWVudCBUTFMuCgkgIFdoaWNoIHZlcnNpb24ocykgb3VnaHQgdG8gYmUgaW1wbGVtZW50ZWQg d2lsbCB2YXJ5IG92ZXIKCSAgdGltZSwgYW5kIGRlcGVuZCBvbiB0aGUgd2lkZXNwcmVhZCBkZXBs b3ltZW50IGFuZCBrbm93bgoJICBzZWN1cml0eSB2dWxuZXJhYmlsaXRpZXMgYXQgdGhlIHRpbWUg b2YgaW1wbGVtZW50YXRpb24uCgkgIEF0IHRoZSB0aW1lIG9mIHRoaXMgd3JpdGluZywKCSAgVExT IHZlcnNpb24gMS4yIDx4cmVmIHRhcmdldD0nUkZDNTI0NicgLz4KCSAgaXMgdGhlIG1vc3QgcmVj ZW50IHZlcnNpb24sIGJ1dCBoYXMgdmVyeSBsaW1pdGVkIGFjdHVhbAoJICBkZXBsb3ltZW50LCBh bmQgbWlnaHQgbm90IGJlIHJlYWRpbHkgYXZhaWxhYmxlIGluCgkgIGltcGxlbWVudGF0aW9uIHRv b2xraXRzLgoJICBUTFMgdmVyc2lvbiAxLjAgPHhyZWYgdGFyZ2V0PSdSRkMyMjQ2JyAvPgoJICBp cyB0aGUgbW9zdCB3aWRlbHkgZGVwbG95ZWQgdmVyc2lvbiwgYW5kIHdpbGwgZ2l2ZSB0aGUKCSAg YnJvYWRlc3QgaW50ZXJvcGVyYWJpbGl0eS4KCTwvdD4KCTx0PgoJICBUbyBwcm90ZWN0IGFnYWlu c3QgdG9rZW4gZGlzY2xvc3VyZSwgY29uZmlkZW50aWFsaXR5CgkgIHByb3RlY3Rpb24gTVVTVCBi ZSBhcHBsaWVkIHVzaW5nCgkgIFRMUyA8eHJlZiB0YXJnZXQ9J1JGQzUyNDYnIC8+CgkgIHdpdGgg YSBjaXBoZXJzdWl0ZSB0aGF0IHByb3ZpZGVzIGNvbmZpZGVudGlhbGl0eSBhbmQKCSAgaW50ZWdy aXR5IHByb3RlY3Rpb24uICBUaGlzCgkgIHJlcXVpcmVzIHRoYXQgdGhlIGNvbW11bmljYXRpb24g aW50ZXJhY3Rpb24gYmV0d2VlbiB0aGUKCSAgY2xpZW50IGFuZCB0aGUgYXV0aG9yaXphdGlvbiBz ZXJ2ZXIsIGFzIHdlbGwgYXMgdGhlCgkgIGludGVyYWN0aW9uIGJldHdlZW4gdGhlIGNsaWVudCBh bmQgdGhlIHJlc291cmNlIHNlcnZlciwKCSAgdXRpbGl6ZSBjb25maWRlbnRpYWxpdHkgYW5kIGlu dGVncml0eSBwcm90ZWN0aW9uLgoJICBTaW5jZSBUTFMgaXMgbWFuZGF0b3J5IHRvCgkgIGltcGxl bWVudCBhbmQgdG8gdXNlIHdpdGggdGhpcyBzcGVjaWZpY2F0aW9uLCBpdCBpcyB0aGUKCSAgcHJl ZmVycmVkIGFwcHJvYWNoIGZvciBwcmV2ZW50aW5nIHRva2VuIGRpc2Nsb3N1cmUgdmlhIHRoZQoJ ICBjb21tdW5pY2F0aW9uIGNoYW5uZWwuIEZvciB0aG9zZSBjYXNlcyB3aGVyZSB0aGUgY2xpZW50 CgkgIGlzIHByZXZlbnRlZCBmcm9tIG9ic2VydmluZyB0aGUgY29udGVudHMgb2YgdGhlIHRva2Vu LCB0b2tlbgoJICBlbmNyeXB0aW9uIE1VU1QgYmUgYXBwbGllZCBpbiBhZGRpdGlvbiB0byB0aGUg dXNhZ2Ugb2YgVExTCgkgIHByb3RlY3Rpb24uCgkgIEFzIGEgZnVydGhlciBkZWZlbnNlIGFnYWlu c3QgdG9rZW4gZGlzY2xvc3VyZSwgdGhlIGNsaWVudAoJICBNVVNUIHZhbGlkYXRlIHRoZSBUTFMg Y2VydGlmaWNhdGUgY2hhaW4gd2hlbiBtYWtpbmcgcmVxdWVzdHMKCSAgdG8gcHJvdGVjdGVkIHJl c291cmNlcy4KCTwvdD4KCTx0PgoJICBDb29raWVzIGFyZSB0eXBpY2FsbHkgdHJhbnNtaXR0ZWQg aW4gdGhlIGNsZWFyLiAgVGh1cywgYW55CgkgIGluZm9ybWF0aW9uIGNvbnRhaW5lZCBpbiB0aGVt IGlzIGF0IHJpc2sgb2YgZGlzY2xvc3VyZS4KCSAgVGhlcmVmb3JlLCBiZWFyZXIgdG9rZW5zIE1V U1QgTk9UIGJlIHN0b3JlZCBpbiBjb29raWVzIHRoYXQKCSAgY2FuIGJlIHNlbnQgaW4gdGhlIGNs ZWFyLgoJPC90PgoJPHQ+CgkgIEluIHNvbWUgZGVwbG95bWVudHMsIGluY2x1ZGluZyB0aG9zZSB1 dGlsaXppbmcgbG9hZAoJICBiYWxhbmNlcnMsIHRoZSBUTFMgY29ubmVjdGlvbiB0byB0aGUgcmVz b3VyY2Ugc2VydmVyCgkgIHRlcm1pbmF0ZXMgcHJpb3IgdG8gdGhlIGFjdHVhbCBzZXJ2ZXIgdGhh dCBwcm92aWRlcyB0aGUKCSAgcmVzb3VyY2UuICBUaGlzIGNvdWxkIGxlYXZlIHRoZSB0b2tlbiB1 bnByb3RlY3RlZCBiZXR3ZWVuCgkgIHRoZSBmcm9udCBlbmQgc2VydmVyIHdoZXJlIHRoZSBUTFMg Y29ubmVjdGlvbiB0ZXJtaW5hdGVzIGFuZAoJICB0aGUgYmFjayBlbmQgc2VydmVyIHRoYXQgcHJv dmlkZXMgdGhlIHJlc291cmNlLiAgSW4gc3VjaAoJICBkZXBsb3ltZW50cywgc3VmZmljaWVudCBt ZWFzdXJlcyBNVVNUIGJlIGVtcGxveWVkIHRvIGVuc3VyZQoJICBjb25maWRlbnRpYWxpdHkgb2Yg dGhlIHRva2VuIGJldHdlZW4gdGhlIGZyb250IGVuZCBhbmQKCSAgYmFjayBlbmQgc2VydmVyczsg ZW5jcnlwdGlvbiBvZiB0aGUgdG9rZW4gaXMgb25lIHBvc3NpYmxlCgkgIHN1Y2ggbWVhc3VyZS4K CTwvdD4KCTx0PgoJICBUbyBkZWFsIHdpdGggdG9rZW4gY2FwdHVyZSBhbmQgcmVwbGF5LAoJICB0 aGUgZm9sbG93aW5nIHJlY29tbWVuZGF0aW9ucyBhcmUKCSAgbWFkZTogRmlyc3QsIHRoZSBsaWZl dGltZSBvZiB0aGUgdG9rZW4gTVVTVCBiZSBsaW1pdGVkOwoJICBvbmUgbWVhbnMgb2YgYWNoaWV2 aW5nIHRoaXMgaXMgYnkKCSAgcHV0dGluZyBhIHZhbGlkaXR5IHRpbWUgZmllbGQgaW5zaWRlIHRo ZSBwcm90ZWN0ZWQgcGFydCBvZgoJICB0aGUgdG9rZW4uICBOb3RlIHRoYXQgdXNpbmcgc2hvcnQt bGl2ZWQgKG9uZSBob3VyIG9yIGxlc3MpCgkgIHRva2VucyByZWR1Y2VzIHRoZSBpbXBhY3Qgb2Yg dGhlbSBiZWluZwoJICBsZWFrZWQuICBTZWNvbmQsIGNvbmZpZGVudGlhbGl0eSBwcm90ZWN0aW9u IG9mIHRoZSBleGNoYW5nZXMKCSAgYmV0d2VlbiB0aGUgY2xpZW50IGFuZCB0aGUgYXV0aG9yaXph dGlvbiBzZXJ2ZXIgYW5kIGJldHdlZW4KCSAgdGhlIGNsaWVudCBhbmQgdGhlIHJlc291cmNlIHNl cnZlciBNVVNUIGJlIGFwcGxpZWQuCgkgIEFzIGEKCSAgY29uc2VxdWVuY2UsIG5vIGVhdmVzZHJv cHBlciBhbG9uZyB0aGUgY29tbXVuaWNhdGlvbiBwYXRoIGlzCgkgIGFibGUgdG8gb2JzZXJ2ZSB0 aGUgdG9rZW4gZXhjaGFuZ2UuIENvbnNlcXVlbnRseSwgc3VjaCBhbgoJICBvbi1wYXRoIGFkdmVy c2FyeSBjYW5ub3QgcmVwbGF5IHRoZSB0b2tlbi4KCSAgRnVydGhlcm1vcmUsIHdoZW4KCSAgcHJl c2VudGluZyB0aGUgdG9rZW4gdG8gYSByZXNvdXJjZSBzZXJ2ZXIsIHRoZSBjbGllbnQgTVVTVAoJ ICB2ZXJpZnkgdGhlIGlkZW50aXR5IG9mIHRoYXQgcmVzb3VyY2Ugc2VydmVyLCBhcyBwZXIKCSAg UmVwcmVzZW50YXRpb24gYW5kIFZlcmlmaWNhdGlvbiBvZiBEb21haW4tQmFzZWQgQXBwbGljYXRp b24gU2VydmljZQoJICBJZGVudGl0eSB3aXRoaW4gSW50ZXJuZXQgUHVibGljIEtleSBJbmZyYXN0 cnVjdHVyZSBVc2luZyBYLjUwOSAoUEtJWCkKCSAgQ2VydGlmaWNhdGVzIGluIHRoZSBDb250ZXh0 IG9mIFRyYW5zcG9ydCBMYXllciBTZWN1cml0eSAoVExTKQoJICA8eHJlZiB0YXJnZXQ9IlJGQzYx MjUiIC8+LgoJICBOb3RlIHRoYXQgdGhlCgkgIGNsaWVudCBNVVNUIHZhbGlkYXRlIHRoZSBUTFMg Y2VydGlmaWNhdGUgY2hhaW4gd2hlbiBtYWtpbmcKCSAgdGhlc2UgcmVxdWVzdHMgdG8gcHJvdGVj dGVkIHJlc291cmNlcy4gIFByZXNlbnRpbmcgdGhlIHRva2VuCgkgIHRvIGFuIHVuYXV0aGVudGlj YXRlZCBhbmQgdW5hdXRob3JpemVkIHJlc291cmNlIHNlcnZlciBvcgoJICBmYWlsaW5nIHRvIHZh bGlkYXRlIHRoZSBjZXJ0aWZpY2F0ZSBjaGFpbiB3aWxsIGFsbG93CgkgIGFkdmVyc2FyaWVzIHRv IHN0ZWFsIHRoZSB0b2tlbiBhbmQgZ2FpbiB1bmF1dGhvcml6ZWQgYWNjZXNzCgkgIHRvIHByb3Rl Y3RlZCByZXNvdXJjZXMuCgk8L3Q+CiAgICAgIDwvc2VjdGlvbj4gCiAKICAgICAgPHNlY3Rpb24g dGl0bGU9IlN1bW1hcnkgb2YgUmVjb21tZW5kYXRpb25zIj4KCTx0PgoJICA8bGlzdCBzdHlsZT0i aGFuZ2luZyI+CgkgICAgPHQgaGFuZ1RleHQ9IlNhZmVndWFyZCBiZWFyZXIgdG9rZW5zOiI+Cgkg ICAgICBDbGllbnQgaW1wbGVtZW50YXRpb25zIE1VU1QgZW5zdXJlIHRoYXQgYmVhcmVyIHRva2Vu cwoJICAgICAgYXJlIG5vdCBsZWFrZWQgdG8gdW5pbnRlbmRlZCBwYXJ0aWVzLCBhcyB0aGV5IHdp bGwgYmUKCSAgICAgIGFibGUgdG8gdXNlIHRoZW0gdG8gZ2FpbiBhY2Nlc3MgdG8gcHJvdGVjdGVk IHJlc291cmNlcy4KCSAgICAgIFRoaXMgaXMgdGhlIHByaW1hcnkgc2VjdXJpdHkgY29uc2lkZXJh dGlvbiB3aGVuIHVzaW5nCgkgICAgICBiZWFyZXIgdG9rZW5zIGFuZCB1bmRlcmxpZXMgYWxsIHRo ZSBtb3JlCgkgICAgICBzcGVjaWZpYyByZWNvbW1lbmRhdGlvbnMgdGhhdCBmb2xsb3cuCgkgICAg PC90PgoJICAgIDx0IGhhbmdUZXh0PSJWYWxpZGF0ZSBTU0wgY2VydGlmaWNhdGUgY2hhaW5zOiI+ CgkgICAgICBUaGUgY2xpZW50IE1VU1QgdmFsaWRhdGUgdGhlIFRMUyBjZXJ0aWZpY2F0ZSBjaGFp biB3aGVuCgkgICAgICBtYWtpbmcgcmVxdWVzdHMgdG8gcHJvdGVjdGVkIHJlc291cmNlcy4gIEZh aWxpbmcgdG8gZG8KCSAgICAgIHNvIG1heSBlbmFibGUgRE5TIGhpamFja2luZyBhdHRhY2tzIHRv IHN0ZWFsIHRoZSB0b2tlbgoJICAgICAgYW5kIGdhaW4gdW5pbnRlbmRlZCBhY2Nlc3MuCgkgICAg PC90PgoJICAgIDx0IGhhbmdUZXh0PSJBbHdheXMgdXNlIFRMUyAoaHR0cHMpOiI+CgkgICAgICBD bGllbnRzIE1VU1QgYWx3YXlzIHVzZQoJICAgICAgVExTIDx4cmVmIHRhcmdldD0nUkZDNTI0Nicg Lz4KCSAgICAgIChodHRwcykgb3IgZXF1aXZhbGVudCB0cmFuc3BvcnQgc2VjdXJpdHkgd2hlbiBt YWtpbmcgcmVxdWVzdHMKCSAgICAgIHdpdGggYmVhcmVyIHRva2Vucy4gIEZhaWxpbmcgdG8gZG8g c28gZXhwb3NlcyB0aGUgdG9rZW4KCSAgICAgIHRvIG51bWVyb3VzIGF0dGFja3MgdGhhdCBjb3Vs ZCBnaXZlIGF0dGFja2VycyB1bmludGVuZGVkCgkgICAgICBhY2Nlc3MuCgkgICAgPC90PgoJICAg IDx0IGhhbmdUZXh0PSJEb24ndCBzdG9yZSBiZWFyZXIgdG9rZW5zIGluIGNvb2tpZXM6Ij4KCSAg ICAgIEltcGxlbWVudGF0aW9ucyBNVVNUIE5PVCBzdG9yZSBiZWFyZXIgdG9rZW5zIHdpdGhpbgoJ ICAgICAgY29va2llcyB0aGF0IGNhbiBiZSBzZW50IGluIHRoZSBjbGVhciAod2hpY2ggaXMgdGhl CgkgICAgICBkZWZhdWx0IHRyYW5zbWlzc2lvbiBtb2RlIGZvciBjb29raWVzKS4KCSAgICAgIElt cGxlbWVudGF0aW9ucyB0aGF0IGRvIHN0b3JlIGJlYXJlciB0b2tlbnMgaW4gY29va2llcwoJICAg ICAgTVVTVCB0YWtlIHByZWNhdXRpb25zIGFnYWluc3QgY3Jvc3Mgc2l0ZSByZXF1ZXN0IGZvcmdl cnkuCgkgICAgPC90PgoJICAgIDx0IGhhbmdUZXh0PSJJc3N1ZSBzaG9ydC1saXZlZCBiZWFyZXIg dG9rZW5zOiI+CgkgICAgICBUb2tlbiBzZXJ2ZXJzIFNIT1VMRCBpc3N1ZSBzaG9ydC1saXZlZCAo b25lIGhvdXIgb3IKCSAgICAgIGxlc3MpIGJlYXJlciB0b2tlbnMsIHBhcnRpY3VsYXJseSB3aGVu IGlzc3VpbmcgdG9rZW5zIHRvCgkgICAgICBjbGllbnRzIHRoYXQgcnVuIHdpdGhpbiBhIHdlYiBi cm93c2VyIG9yIG90aGVyCgkgICAgICBlbnZpcm9ubWVudHMgd2hlcmUgaW5mb3JtYXRpb24gbGVh a2FnZSBtYXkgb2NjdXIuICBVc2luZwoJICAgICAgc2hvcnQtbGl2ZWQgYmVhcmVyIHRva2VucyBj YW4gcmVkdWNlIHRoZSBpbXBhY3Qgb2YgdGhlbQoJICAgICAgYmVpbmcgbGVha2VkLgoJICAgIDwv dD4KCSAgICA8dCBoYW5nVGV4dD0iSXNzdWUgc2NvcGVkIGJlYXJlciB0b2tlbnM6Ij4KCSAgICAg IFRva2VuIHNlcnZlcnMgU0hPVUxEIGlzc3VlIGJlYXJlciB0b2tlbnMgdGhhdCBjb250YWluIGFu IGF1ZGllbmNlCgkgICAgICByZXN0cmljdGlvbiwgc2NvcGluZyB0aGVpciB1c2UgdG8gdGhlIGlu dGVuZGVkIHJlbHlpbmcKCSAgICAgIHBhcnR5IG9yIHNldCBvZiByZWx5aW5nIHBhcnRpZXMuCgkg ICAgPC90PgoJICAgIDx0IGhhbmdUZXh0PSJEb24ndCBwYXNzIGJlYXJlciB0b2tlbnMgaW4gcGFn ZSBVUkxzOiI+CgkgICAgICBCZWFyZXIgdG9rZW5zIFNIT1VMRCBOT1QgYmUgcGFzc2VkIGluIHBh Z2UgVVJMcyAoZm9yCgkgICAgICBleGFtcGxlIGFzIHF1ZXJ5IHN0cmluZyBwYXJhbWV0ZXJzKS4g SW5zdGVhZCwgYmVhcmVyCgkgICAgICB0b2tlbnMgU0hPVUxEIGJlIHBhc3NlZCBpbiBIVFRQIG1l c3NhZ2UgaGVhZGVycyBvcgoJICAgICAgbWVzc2FnZSBib2RpZXMgZm9yIHdoaWNoIGNvbmZpZGVu dGlhbGl0eSBtZWFzdXJlcyBhcmUKCSAgICAgIHRha2VuLiBCcm93c2Vycywgd2ViIHNlcnZlcnMs IGFuZCBvdGhlciBzb2Z0d2FyZSBtYXkgbm90CgkgICAgICBhZGVxdWF0ZWx5IHNlY3VyZSBVUkxz IGluIHRoZSBicm93c2VyIGhpc3RvcnksIHdlYgoJICAgICAgc2VydmVyIGxvZ3MsIGFuZCBvdGhl ciBkYXRhIHN0cnVjdHVyZXMuIElmIGJlYXJlciB0b2tlbnMKCSAgICAgIGFyZSBwYXNzZWQgaW4g cGFnZSBVUkxzLCBhdHRhY2tlcnMgbWlnaHQgYmUgYWJsZSB0bwoJICAgICAgc3RlYWwgdGhlbSBm cm9tIHRoZSBoaXN0b3J5IGRhdGEsIGxvZ3MsIG9yIG90aGVyCgkgICAgICB1bnNlY3VyZWQgbG9j YXRpb25zLgoJICAgIDwvdD4KCSAgPC9saXN0PgoJPC90PgogICAgICA8L3NlY3Rpb24+CiAgICA8 L3NlY3Rpb24+CgogICAgPHNlY3Rpb24gdGl0bGU9J0lBTkEgQ29uc2lkZXJhdGlvbnMnPiAgIAoK ICAgICAgPHNlY3Rpb24gdGl0bGU9J09BdXRoIEFjY2VzcyBUb2tlbiBUeXBlIFJlZ2lzdHJhdGlv bic+CiAgICAgICAgPHQ+CiAgICAgICAgICBUaGlzIHNwZWNpZmljYXRpb24gcmVnaXN0ZXJzIHRo ZSBmb2xsb3dpbmcgYWNjZXNzIHRva2VuIHR5cGUgaW4gdGhlIE9BdXRoIEFjY2VzcyBUb2tlbgog ICAgICAgICAgVHlwZSBSZWdpc3RyeS4KICAgICAgICA8L3Q+CgogICAgICAgIDxzZWN0aW9uIHRp dGxlPSdUaGUgIkJlYXJlciIgT0F1dGggQWNjZXNzIFRva2VuIFR5cGUnPgogICAgICAgICAgPHQ+ CiAgICAgICAgICAgIDxsaXN0IHN0eWxlPSdoYW5naW5nJz4KICAgICAgICAgICAgICA8dCBoYW5n VGV4dD0nVHlwZSBuYW1lOic+CiAgICAgICAgICAgICAgICA8dnNwYWNlIC8+CiAgICAgICAgICAg ICAgICBCZWFyZXIKICAgICAgICAgICAgICA8L3Q+CiAgICAgICAgICAgICAgPHQgaGFuZ1RleHQ9 J0FkZGl0aW9uYWwgVG9rZW4gRW5kcG9pbnQgUmVzcG9uc2UgUGFyYW1ldGVyczonPgogICAgICAg ICAgICAgICAgPHZzcGFjZSAvPgogICAgICAgICAgICAgICAgKG5vbmUpCiAgICAgICAgICAgICAg PC90PgogICAgICAgICAgICAgIDx0IGhhbmdUZXh0PSdIVFRQIEF1dGhlbnRpY2F0aW9uIFNjaGVt ZShzKTonPgogICAgICAgICAgICAgICAgPHZzcGFjZSAvPgogICAgICAgICAgICAgICAgQmVhcmVy CiAgICAgICAgICAgICAgPC90PgogICAgICAgICAgICAgIDx0IGhhbmdUZXh0PSdDaGFuZ2UgY29u dHJvbGxlcjonPgogICAgICAgICAgICAgICAgPHZzcGFjZSAvPgogICAgICAgICAgICAgICAgSUVU RgogICAgICAgICAgICAgIDwvdD4KICAgICAgICAgICAgICA8dCBoYW5nVGV4dD0nU3BlY2lmaWNh dGlvbiBkb2N1bWVudChzKTonPgogICAgICAgICAgICAgICAgPHZzcGFjZSAvPgogICAgICAgICAg ICAgICAgW1sgdGhpcyBkb2N1bWVudCBdXQogICAgICAgICAgICAgIDwvdD4KICAgICAgICAgICAg PC9saXN0PgogICAgICAgICAgPC90PgogICAgICAgIDwvc2VjdGlvbj4KICAgICAgPC9zZWN0aW9u PgoKICAgICAgPHNlY3Rpb24gdGl0bGU9J0F1dGhlbnRpY2F0aW9uIFNjaGVtZSBSZWdpc3RyYXRp b24nPgogICAgICAgIDx0PgogICAgICAgICAgVGhpcyBzcGVjaWZpY2F0aW9uIHJlZ2lzdGVycyB0 aGUgZm9sbG93aW5nIGF1dGhlbnRpY2F0aW9uCiAgICAgICAgICBzY2hlbWUgaW4gdGhlIEF1dGhl bnRpY2F0aW9uIFNjaGVtZSBSZWdpc3RyeSBkZWZpbmVkIGluCiAgICAgICAgICBIVFRQLzEuMSwg UGFydCA3IDx4cmVmIHRhcmdldD0nSS1ELmlldGYtaHR0cGJpcy1wNy1hdXRoJyAvPi4KICAgICAg ICA8L3Q+CgogICAgICAgIDxzZWN0aW9uIHRpdGxlPSdUaGUgIkJlYXJlciIgQXV0aGVudGljYXRp b24gU2NoZW1lJz4KICAgICAgICAgIDx0PgogICAgICAgICAgICA8bGlzdCBzdHlsZT0naGFuZ2lu Zyc+CiAgICAgICAgICAgICAgPHQgaGFuZ1RleHQ9J0F1dGhlbnRpY2F0aW9uIFNjaGVtZSBOYW1l Oic+CiAgICAgICAgICAgICAgICA8dnNwYWNlIC8+CiAgICAgICAgICAgICAgICBCZWFyZXIKICAg ICAgICAgICAgICA8L3Q+CiAgICAgICAgICAgICAgPHQgaGFuZ1RleHQ9J1BvaW50ZXIgdG8gc3Bl Y2lmaWNhdGlvbiB0ZXh0Oic+CiAgICAgICAgICAgICAgICA8dnNwYWNlIC8+CiAgICAgICAgICAg ICAgICBbWyB0aGlzIGRvY3VtZW50IF1dCiAgICAgICAgICAgICAgPC90PgogICAgICAgICAgICAg IDx0IGhhbmdUZXh0PSdOb3RlcyAob3B0aW9uYWwpOic+CiAgICAgICAgICAgICAgICA8dnNwYWNl IC8+CiAgICAgICAgICAgICAgICAobm9uZSkKICAgICAgICAgICAgICA8L3Q+CiAgICAgICAgICAg IDwvbGlzdD4KICAgICAgICAgIDwvdD4KICAgICAgICA8L3NlY3Rpb24+CiAgICAgIDwvc2VjdGlv bj4KCiAgICA8L3NlY3Rpb24+IAoKICA8L21pZGRsZT4KCiAgPGJhY2s+CgogICAgPHJlZmVyZW5j ZXMgdGl0bGU9J05vcm1hdGl2ZSBSZWZlcmVuY2VzJz4KCiAgICAgIDw/cmZjIGluY2x1ZGU9J2h0 dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvYmlieG1sL3JlZmVyZW5jZS5SRkMuMjEx OS54bWwnID8+CiAgICAgIDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1 YmxpYy9yZmMvYmlieG1sL3JlZmVyZW5jZS5SRkMuMjI0Ni54bWwnID8+CiAgICAgIDw/cmZjIGlu Y2x1ZGU9J2h0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvYmlieG1sL3JlZmVyZW5j ZS5SRkMuMzk4Ni54bWwnID8+CiAgICAgIDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94bWwucmVzb3Vy Y2Uub3JnL3B1YmxpYy9yZmMvYmlieG1sL3JlZmVyZW5jZS5SRkMuNTIzNC54bWwnID8+CiAgICAg IDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvYmlieG1s L3JlZmVyZW5jZS5SRkMuNTI0Ni54bWwnID8+CiAgICAgIDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94 bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvYmlieG1sL3JlZmVyZW5jZS5SRkMuNjEyNS54bWwn ID8+CiAgICAgIDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9y ZmMvYmlieG1sNC9yZWZlcmVuY2UuVzNDLlJFQy1odG1sNDAxLTE5OTkxMjI0LnhtbCcgPz4KCiAg ICAgIDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvYmli eG1sMy9yZWZlcmVuY2UuSS1ELmRyYWZ0LWlldGYtaHR0cGJpcy1wMS1tZXNzYWdpbmctMTcueG1s Jz8+CiAgICAgIDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9y ZmMvYmlieG1sMy9yZWZlcmVuY2UuSS1ELmRyYWZ0LWlldGYtaHR0cGJpcy1wNy1hdXRoLTE3Lnht bCc/PgogICAgICA8P3JmYyBpbmNsdWRlPSdodHRwOi8veG1sLnJlc291cmNlLm9yZy9wdWJsaWMv cmZjL2JpYnhtbDMvcmVmZXJlbmNlLkktRC5kcmFmdC1pZXRmLW9hdXRoLXYyLTIyLnhtbCcgPz4K CiAgICA8L3JlZmVyZW5jZXM+CgogICAgPHJlZmVyZW5jZXMgdGl0bGU9IkluZm9ybWF0aXZlIFJl ZmVyZW5jZXMiPgoKICAgICAgPD9yZmMgaW5jbHVkZT0naHR0cDovL3htbC5yZXNvdXJjZS5vcmcv cHVibGljL3JmYy9iaWJ4bWwvcmVmZXJlbmNlLlJGQy4yNjE2LnhtbCcgPz4KICAgICAgPD9yZmMg aW5jbHVkZT0naHR0cDovL3htbC5yZXNvdXJjZS5vcmcvcHVibGljL3JmYy9iaWJ4bWwvcmVmZXJl bmNlLlJGQy4yNjE3LnhtbCcgPz4KCiAgICAgIDxyZWZlcmVuY2UgYW5jaG9yPSJOSVNUODAwLTYz Ij4KICAgICAgICA8ZnJvbnQ+CiAgICAgICAgICA8dGl0bGU+TklTVCBTcGVjaWFsIFB1YmxpY2F0 aW9uIDgwMC02My0xLCBJTkZPUk1BVElPTiBTRUNVUklUWTwvdGl0bGU+CiAgICAgICAgICA8YXV0 aG9yIGZ1bGxuYW1lPSJXaWxsaWFtIEUuIEJ1cnIiIGluaXRpYWxzPSJXLiIgc3VybmFtZT0iQnVy ciI+CiAgICAgICAgICAgIDxvcmdhbml6YXRpb24+TklTVDwvb3JnYW5pemF0aW9uPgogICAgICAg ICAgPC9hdXRob3I+CiAgICAgICAgICA8YXV0aG9yIGZ1bGxuYW1lPSJEb25uYSBGLiBEb2Rzb24i IGluaXRpYWxzPSJELiIgc3VybmFtZT0iRG9kc29uIj4KICAgICAgICAgICAgPG9yZ2FuaXphdGlv bj5OSVNUPC9vcmdhbml6YXRpb24+CiAgICAgICAgICA8L2F1dGhvcj4KICAgICAgICAgIDxhdXRo b3IgZnVsbG5hbWU9IlJheSBBLiBQZXJsbmVyIiBpbml0aWFscz0iUi4iIHN1cm5hbWU9IlBlcmxu ZXIiPgogICAgICAgICAgICA8b3JnYW5pemF0aW9uPk5JU1Q8L29yZ2FuaXphdGlvbj4KICAgICAg ICAgIDwvYXV0aG9yPgogICAgICAgICAgPGF1dGhvciBmdWxsbmFtZT0iVy4gVGltb3RoeSBQb2xr IiBpbml0aWFscz0iVC4iIHN1cm5hbWU9IlBvbGsiPgogICAgICAgICAgICA8b3JnYW5pemF0aW9u Pk5JU1Q8L29yZ2FuaXphdGlvbj4KICAgICAgICAgIDwvYXV0aG9yPgogICAgICAgICAgPGF1dGhv ciBmdWxsbmFtZT0iU2FyYmFyaSBHdXB0YSIgaW5pdGlhbHM9IlMuIiBzdXJuYW1lPSJHdXB0YSI+ CiAgICAgICAgICAgIDxvcmdhbml6YXRpb24+TklTVDwvb3JnYW5pemF0aW9uPgogICAgICAgICAg PC9hdXRob3I+CiAgICAgICAgICA8YXV0aG9yIGZ1bGxuYW1lPSJFbWFkIEEuIE5hYmJ1cyIgaW5p dGlhbHM9IkUuIiBzdXJuYW1lPSJOYWJidXMiPgogICAgICAgICAgICA8b3JnYW5pemF0aW9uPk5J U1Q8L29yZ2FuaXphdGlvbj4KICAgICAgICAgIDwvYXV0aG9yPgogICAgICAgICAgPGRhdGUgbW9u dGg9IkRlY2VtYmVyIiB5ZWFyPSIyMDA4Ii8+CiAgICAgICAgPC9mcm9udD4KICAgICAgICA8Zm9y bWF0IHRhcmdldD0iaHR0cDovL2NzcmMubmlzdC5nb3YvcHVibGljYXRpb25zL1B1YnNEcmFmdHMu aHRtbCNTUC04MDAtNjMtUmV2LiUyMDEiIHR5cGU9IkhUTUwiLz4KICAgICAgPC9yZWZlcmVuY2U+ CgogICAgPC9yZWZlcmVuY2VzPiAKCiAgICA8c2VjdGlvbiB0aXRsZT0nQWNrbm93bGVkZ2VtZW50 cyc+CiAgICAgIDx0PgogICAgICAgIFRoZSBmb2xsb3dpbmcgcGVvcGxlIGNvbnRyaWJ1dGVkIHRv IHByZWxpbWluYXJ5IHZlcnNpb25zIG9mIHRoaXMgZG9jdW1lbnQ6CiAgICAgICAgQmxhaW5lIENv b2sgKEJUKSwgQnJpYW4gRWF0b24gKEdvb2dsZSksIFlhcm9uIFkuIEdvbGFuZCAoTWljcm9zb2Z0 KSwgQnJlbnQgR29sZG1hbiAoRmFjZWJvb2spLAogICAgICAgIFJhZmZpIEtyaWtvcmlhbiAoVHdp dHRlciksIEx1a2UgU2hlcGFyZCAoRmFjZWJvb2spLCBhbmQgQWxsZW4gVG9tIChZYWhvbyEpLiBU aGUgY29udGVudCBhbmQKICAgICAgICBjb25jZXB0cyB3aXRoaW4gYXJlIGEgcHJvZHVjdCBvZiB0 aGUgT0F1dGggY29tbXVuaXR5LCB0aGUgV1JBUCBjb21tdW5pdHksIGFuZCB0aGUgT0F1dGggV29y a2luZwogICAgICAgIEdyb3VwLgogICAgICA8L3Q+CiAgICAgIDx0PgogICAgICAgIFRoZSBPQXV0 aCBXb3JraW5nIEdyb3VwIGhhcyBkb3plbnMgb2YgdmVyeSBhY3RpdmUgY29udHJpYnV0b3JzIHdo byBwcm9wb3NlZCBpZGVhcyBhbmQKICAgICAgICB3b3JkaW5nIGZvciB0aGlzIGRvY3VtZW50LCBp bmNsdWRpbmc6CglNaWNoYWVsIEFkYW1zLCBBbWFuZGEgQW5nYW5lcywgQW5kcmV3IEFybm90dCwg RGlyayBCYWxmYW56LAoJSm9obiBCcmFkbGV5LCBCcmlhbiBDYW1wYmVsbCwgTGVhaCBDdWx2ZXIs IEJpbGwgZGUgaMOTcmEsCglCcmlhbiBFbGxpbiwgSWdvciBGYXluYmVyZywgU3RlcGhlbiBGYXJy ZWxsLCBHZW9yZ2UgRmxldGNoZXIsCglUaW0gRnJlZW1hbiwgRXZhbiBHaWxiZXJ0LCBZYXJvbiBZ LiBHb2xhbmQsIFRob21hcyBIYXJkam9ubywKCUp1c3RpbiBIYXJ0LCBQaGlsIEh1bnQsIEpvaG4g S2VtcCwgRXJhbiBIYW1tZXItTGFoYXYsCglDaGFzZW4gTGUgSGFyYSwgQmFycnkgTGVpYmEsIE1p Y2hhZWwgQi4gSm9uZXMsCglUb3JzdGVuIExvZGRlcnN0ZWR0LCBFdmUgTWFsZXIsIEphbWVzIE1h bmdlciwgTGF1cmVuY2UgTWlhbywKCVdpbGxpYW0gSi4gTWlsbHMsIENodWNrIE1vcnRpbW9yZSwg QW50aG9ueSBOYWRhbGluLAoJSnVsaWFuIFJlc2Noa2UsIEp1c3RpbiBSaWNoZXIsIFBldGVyIFNh aW50LUFuZHJlLCBOYXQgU2FraW11cmEsCglSb2IgU2F5cmUsIE1hcml1cyBTY3VydGVzY3UsIE5h aXRpayBTaGFoLCBKdXN0aW4gU21pdGgsCglKZXJlbXkgU3VyaWVsLCBDaHJpc3RpYW4gU3TDvGJu ZXIsIFBhdWwgVGFyamFuLAoJSGFubmVzIFRzY2hvZmVuaWcsIEZyYW5rbGluIFRzZSwgYW5kIFNo YW5lIFdlZWRlbi4KICAgICAgPC90PgogICAgPC9zZWN0aW9uPgoKICAgIDxzZWN0aW9uIHRpdGxl PSdEb2N1bWVudCBIaXN0b3J5Jz4KICAgICAgPHQ+CiAgICAgICAgW1sgdG8gYmUgcmVtb3ZlZCBi eSB0aGUgUkZDIGVkaXRvciBiZWZvcmUgcHVibGljYXRpb24gYXMgYW4gUkZDIF1dCiAgICAgIDwv dD4KICAgICAgPHQ+CiAgICAgICAgLTE1CiAgICAgICAgPGxpc3Qgc3R5bGU9J3N5bWJvbHMnPgoJ ICA8dD4KCSAgICBDbGFyaWZpZWQgdGhhdCBmb3JtLWVuY29kZWQgY29udGVudCBtdXN0IGNvbnNp c3QgZW50aXJlbHkKCSAgICBvZiBBU0NJSSBjaGFyYWN0ZXJzLgoJICA8L3Q+CgkgIDx0PgoJICAg IEFkZGVkIFRMUyB2ZXJzaW9uIHJlcXVpcmVtZW50cy4KCSAgPC90PgoJICA8dD4KCSAgICBBcHBs aWVkIGVkaXRvcmlhbCBpbXByb3ZlbWVudHMgc3VnZ2VzdGVkIGJ5IE1hcmsKCSAgICBOb3R0aW5n aGFtIGR1cmluZyB0aGUgQVBQUyBhcmVhIHJldmlldy4KCSAgPC90PgogICAgICAgIDwvbGlzdD4K ICAgICAgPC90PgogICAgICA8dD4KICAgICAgICAtMTQKICAgICAgICA8bGlzdCBzdHlsZT0nc3lt Ym9scyc+CgkgIDx0PgoJICAgIENoYW5nZXMgbWFkZSBpbiByZXNwb25zZSB0byByZXZpZXcgY29t bWVudHMgYnkgU2VjdXJpdHkKCSAgICBBcmVhIERpcmVjdG9yIFN0ZXBoZW4gRmFycmVsbC4gIFNw ZWNpZmljYWxseToKCSAgPC90PgoJICA8dD4KCSAgICBTdHJlbmd0aGVuZWQgd2FybmluZ3MgYWJv dXQgcGFzc2luZyBhbiBhY2Nlc3MgdG9rZW4gYXMgYQoJICAgIHF1ZXJ5IHBhcmFtZXRlciBhbmQg bW9yZSBwcmVjaXNlbHkgZGVzY3JpYmVkIHRoZQoJICAgIGxpbWl0YXRpb25zIHBsYWNlZCB1cG9u IHRoZSB1c2Ugb2YgdGhpcyBtZXRob2QuCgkgIDwvdD4KCSAgPHQ+CgkgICAgQ2xhcmlmaWVkIHRo YXQgdGhlIDxzcGFueCBzdHlsZT0ndmVyYic+cmVhbG08L3NwYW54PgoJICAgIGF0dHJpYnV0ZSBN QVkgaW5jbHVkZWQgdG8gaW5kaWNhdGUgdGhlIHNjb3BlIG9mIHByb3RlY3Rpb24KCSAgICBpbiB0 aGUgbWFubmVyIGRlc2NyaWJlZCBpbgoJICAgIEhUVFAvMS4xLCBQYXJ0IDcgPHhyZWYgdGFyZ2V0 PSdJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgnIC8+LgoJICA8L3Q+CgkgIDx0PgoJICAgIE5vcm1h dGl2ZWx5IHN0YXRlZCB0aGF0ICJ0aGUgdG9rZW4gaW50ZWdyaXR5IHByb3RlY3Rpb24KCSAgICBN VVNUIGJlIHN1ZmZpY2llbnQgdG8gcHJldmVudCB0aGUgdG9rZW4gZnJvbSBiZWluZwoJICAgIG1v ZGlmaWVkIi4KCSAgPC90PgoJICA8dD4KCSAgICBBZGRlZCBzdGF0ZW1lbnQgdGhhdCAiVExTIGlz IG1hbmRhdG9yeSB0byBpbXBsZW1lbnQgYW5kCgkgICAgdXNlIHdpdGggdGhpcyBzcGVjaWZpY2F0 aW9uIiB0byB0aGUgaW50cm9kdWN0aW9uLgoJICA8L3Q+CgkgIDx0PgoJICAgIFN0YXRlZCB0aGF0 IFRMUyBNVVNUIGJlIHVzZWQgd2l0aCAiYSBjaXBoZXJzdWl0ZSB0aGF0CgkgICAgcHJvdmlkZXMg Y29uZmlkZW50aWFsaXR5IGFuZCBpbnRlZ3JpdHkgcHJvdGVjdGlvbiIuCgkgIDwvdD4KCSAgPHQ+ CgkgICAgQWRkZWQgIkFzIGEgZnVydGhlciBkZWZlbnNlIGFnYWluc3QgdG9rZW4gZGlzY2xvc3Vy ZSwgdGhlCgkgICAgY2xpZW50IE1VU1QgdmFsaWRhdGUgdGhlIFRMUyBjZXJ0aWZpY2F0ZSBjaGFp biB3aGVuIG1ha2luZwoJICAgIHJlcXVlc3RzIHRvIHByb3RlY3RlZCByZXNvdXJjZXMiIHRvIHRo ZSBUaHJlYXQgTWl0aWdhdGlvbgoJICAgIHNlY3Rpb24uCgkgIDwvdD4KCSAgPHQ+CgkgICAgQ2xh cmlmaWVkIHRoYXQgcHV0dGluZyBhIHZhbGlkaXR5IHRpbWUgZmllbGQgaW5zaWRlIHRoZQoJICAg IHByb3RlY3RlZCBwYXJ0IG9mIHRoZSB0b2tlbiBpcyBvbmUgbWVhbnMsIGJ1dCBub3QgdGhlIG9u bHkKCSAgICBtZWFucywgb2YgbGltaXRpbmcgdGhlIGxpZmV0aW1lIG9mIHRoZSB0b2tlbi4KCSAg PC90PgoJICA8dD4KCSAgICBEcm9wcGVkIHRoZSBjb25mdXNpbmcgcGhyYXNlICJmb3IgaW5zdGFu Y2UsIHRocm91Z2ggdGhlCgkgICAgdXNlIG9mIFRMUyIgZnJvbSB0aGUgc2VudGVuY2UgYWJvdXQg Y29uZmlkZW50aWFsaXR5CgkgICAgcHJvdGVjdGlvbiBvZiB0aGUgZXhjaGFuZ2VzLgoJICA8L3Q+ CgkgIDx0PgoJICAgIFJlZmVyZW5jZSBSRkMgNjEyNSBmb3IgaWRlbnRpdHkgdmVyaWZpY2F0aW9u LCByYXRoZXIgdGhhbgoJICAgIFJGQyAyODE4LgoJICA8L3Q+CgkgIDx0PgoJICAgIFN0YXRlZCB0 aGF0IHRoZSB0b2tlbiBNVVNUIGJlIHByb3RlY3RlZCBiZXR3ZWVuIGZyb250IGVuZAoJICAgIGFu ZCBiYWNrIGVuZCBzZXJ2ZXJzIHdoZW4gdGhlIFRMUyBjb25uZWN0aW9uIHRlcm1pbmF0ZXMgYXQK CSAgICBhIGZyb250IGVuZCBzZXJ2ZXIgdGhhdCBpcyBkaXN0aW5jdCBmcm9tIHRoZSBhY3R1YWwg c2VydmVyCgkgICAgdGhhdCBwcm92aWRlcyB0aGUgcmVzb3VyY2UuCgkgIDwvdD4KCSAgPHQ+Cgkg ICAgU3RhdGVkIHRoYXQgYmVhcmVyIHRva2VucyBNVVNUIG5vdCBiZSBzdG9yZWQgaW4gY29va2ll cwoJICAgIHRoYXQgY2FuIGJlIHNlbnQgaW4gdGhlIGNsZWFyIGluIHRoZSBUaHJlYXQgTWl0aWdh dGlvbgoJICAgIHNlY3Rpb24uCgkgIDwvdD4KCSAgPHQ+CgkgICAgUmVwbGFjZWQgc29sZSByZW1h aW5pbmcgcmVmZXJlbmNlIHRvIDx4cmVmIHRhcmdldD0nUkZDMjYxNicgLz4gd2l0aAoJICAgIEhU VFBiaXMgPHhyZWYgdGFyZ2V0PSdJLUQuaWV0Zi1odHRwYmlzLXAxLW1lc3NhZ2luZycgLz4KCSAg ICByZWZlcmVuY2UuCgkgIDwvdD4KCSAgPHQ+CgkgICAgUmVwbGFjZWQgYWxsIHJlZmVyZW5jZXMg d2hlcmUgdGhlIHJlZmVyZW5jZSBpcyB1c2VkIGFzIGlmCgkgICAgaXQgd2VyZSBwYXJ0IG9mIHRo ZSBzZW50ZW5jZSAoc3VjaCBhcyAiZGVmaW5lZCBieQoJICAgIFtJLUQud2hhdGV2ZXJdIikgd2l0 aCBvbmVzIHdoZXJlIHRoZSBzcGVjaWZpY2F0aW9uIG5hbWUgaXMKCSAgICB1c2VkLCBmb2xsb3dl ZCBieSB0aGUgcmVmZXJlbmNlIChzdWNoIGFzICJkZWZpbmVkIGJ5CgkgICAgV2hhdGV2ZXIgW0kt RC53aGF0ZXZlcl0iKS4KCSAgPC90PgoJICA8dD4KCSAgICBPdGhlciBvbi1ub3JtYXRpdmUgZWRp dG9yaWFsIGltcHJvdmVtZW50cy4KCSAgPC90PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90Pgog ICAgICA8dD4KICAgICAgICAtMTMKICAgICAgICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CgkgIDx0 PgoJICAgIEF0IHRoZSByZXF1ZXN0IG9mIEhhbm5lcyBUc2Nob2ZlbmlnLCBtYWRlIEFCTkYgY2hh bmdlcyB0bwoJICAgIG1ha2UgaXQgY2xlYXIgdGhhdCBubyBzcGVjaWFsIFdXVy1BdXRoZW50aWNh dGUgcmVzcG9uc2UKCSAgICBoZWFkZXIgZmllbGQgcGFyc2VycyBhcmUgbmVlZGVkLiAgVGhlIDxz cGFueAoJICAgIHN0eWxlPSd2ZXJiJz5zY29wZTwvc3Bhbng+LCA8c3BhbngKCSAgICBzdHlsZT0n dmVyYic+ZXJyb3ItZGVzY3JpcHRpb248L3NwYW54PiwgYW5kIDxzcGFueAoJICAgIHN0eWxlPSd2 ZXJiJz5lcnJvci11cmk8L3NwYW54PiBwYXJhbWV0ZXJzIGFyZSBhbGwgbm93CgkgICAgZGVmaW5l ZCBhcyBxdW90ZWQtc3RyaW5nIGluIHRoZSBBQk5GIChhcyA8c3BhbngKCSAgICBzdHlsZT0ndmVy Yic+ZXJyb3I8L3NwYW54PiBhbHJlYWR5IHdhcykuICBSZXN0cmljdGlvbnMgb24KCSAgICB0aGVz ZSB2YWx1ZXMgdGhhdCB3ZXJlIGZvcm1lcmx5IGRlc2NyaWJlZCBpbiB0aGUgQUJORnMgYXJlCgkg ICAgbm93IGRlc2NyaWJlZCBpbiBub3JtYXRpdmUgdGV4dCBpbnN0ZWFkLgoJICA8L3Q+CiAgICAg ICAgPC9saXN0PgogICAgICA8L3Q+CiAgICAgIDx0PgogICAgICAgIC0xMgogICAgICAgIDxsaXN0 IHN0eWxlPSdzeW1ib2xzJz4KCSAgPHQ+CgkgICAgTWFkZSBub24tbm9ybWF0aXZlIGVkaXRvcmlh bCBjaGFuZ2VzIHRoYXQgSGFubmVzCgkgICAgVHNjaG9mZW5pZyByZXF1ZXN0ZWQgYmUgYXBwbGll ZCBwcmlvciB0byBmb3J3YXJkaW5nIHRoZQoJICAgIHNwZWNpZmljYXRpb24gdG8gdGhlIElFU0cu CgkgIDwvdD4KCSAgPHQ+CgkgICAgQWRkZWQgcmF0aW9uYWxlIGZvciB0aGUgY2hvaWNlIG9mIHRo ZSBiNjR0b2tlbiBzeW50YXguCgkgIDwvdD4KCSAgPHQ+CgkgICAgQWRkZWQgcmF0aW9uYWxlIHN0 YXRpbmcgdGhhdCByZWNlaXZlcnMgYXJlIGZyZWUgdG8gcGFyc2UKCSAgICB0aGUgPHNwYW54IHN0 eWxlPSd2ZXJiJz5zY29wZTwvc3Bhbng+IGF0dHJpYnV0ZSB1c2luZyBhCgkgICAgc3RhbmRhcmQg cXVvdGVkLXN0cmluZyBwYXJzZXIsIHNpbmNlIGl0IHdpbGwgY29ycmVjdGx5CgkgICAgcHJvY2Vz cyBhbGwgbGVnYWwgPHNwYW54IHN0eWxlPSd2ZXJiJz5zY29wZTwvc3Bhbng+CgkgICAgdmFsdWVz LgoJICA8L3Q+CgkgIDx0PgoJICAgIEFkZGVkIGFkZGl0aW9uYWwgYWN0aXZlIHdvcmtpbmcgZ3Jv dXAgY29udHJpYnV0b3JzIHRvIHRoZQoJICAgIEFja25vd2xlZGdlbWVudHMgc2VjdGlvbi4KCSAg PC90PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90PgogICAgICA8dD4KICAgICAgICAtMTEKICAg ICAgICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CgkgIDx0PgoJICAgIFJlcGxhY2VkIHVzZXMgb2Yg Jmx0OyImZ3Q7IHdpdGggRFFVT1RFIHRvIHBhc3MgQUJORiBzeW50YXggY2hlY2suCgkgIDwvdD4K ICAgICAgICA8L2xpc3Q+CiAgICAgIDwvdD4KICAgICAgPHQ+CiAgICAgICAgLTEwCiAgICAgICAg PGxpc3Qgc3R5bGU9J3N5bWJvbHMnPgoJICA8dD4KCSAgICBSZW1vdmVkIHRoZSAjYXV0aC1wYXJh bSBvcHRpb24gZnJvbSBBdXRob3JpemF0aW9uIGhlYWRlcgoJICAgIHN5bnRheCAobGVhdmluZyBv bmx5IHRoZSBiNjR0b2tlbiBzeW50YXgpLgoJICA8L3Q+CgkgIDx0PgoJICAgIFJlc3RyaWN0ZWQg dGhlIDxzcGFueCBzdHlsZT0ndmVyYic+c2NvcGU8L3NwYW54PiB2YWx1ZQoJICAgIGNoYXJhY3Rl ciBzZXQgdG8gJXgyMSAvICV4MjMtNUIgLyAleDVELTdFIChwcmludGFibGUgQVNDSUkKCSAgICBj aGFyYWN0ZXJzIGV4Y2x1ZGluZyBkb3VibGUtcXVvdGUgYW5kIGJhY2tzbGFzaCkuCgkgICAgSW5k aWNhdGVkIHRoYXQgc2NvcGUgaXMgaW50ZW5kZWQgZm9yIHByb2dyYW1tYXRpYyB1c2UgYW5kCgkg ICAgaXMgbm90IG1lYW50IHRvIGJlIGRpc3BsYXllZCB0byBlbmQgdXNlcnMuCgkgIDwvdD4KCSAg PHQ+CgkgICAgUmVzdHJpY3RlZCB0aGUgY2hhcmFjdGVyIHNldCBmb3IgPHNwYW54CgkgICAgc3R5 bGU9J3ZlcmInPmVycm9yX2Rlc2NyaXB0aW9uPC9zcGFueD4gc3RyaW5ncyB0byBTUCAvCgkgICAg VkNIQVIgYW5kIGluZGljYXRlZCB0aGF0IHRoZXkgYXJlIG5vdCBtZWFudCB0byBiZQoJICAgIGRp c3BsYXllZCB0byBlbmQgdXNlcnMuCgkgIDwvdD4KCSAgPHQ+CgkgICAgSW5jbHVkZWQgbW9yZSBk ZXNjcmlwdGlvbiBpbiB0aGUgQWJzdHJhY3QsIHNpbmNlIEhhbm5lcwoJICAgIFRzY2hvZmVuaWcg aW5kaWNhdGVkIHRoYXQgdGhlIFJGQyBlZGl0b3Igd291bGQgcmVxdWlyZQoJICAgIHRoaXMuCgkg IDwvdD4KICAgICAgICAgIDx0PgogICAgICAgICAgICBDaGFuZ2VkICJBY2Nlc3MgR3JhbnQiIHRv ICJBdXRob3JpemF0aW9uIEdyYW50IiwgYXMgd2FzCiAgICAgICAgICAgIGRvbmUgaW4gdGhlIGNv cmUgc3BlYy4KCSAgPC90PgoJICA8dD4KCSAgICBTaW1wbGlmaWVkIHRoZSBpbnRyb2R1Y3Rpb24g dG8gdGhlIEF1dGhlbnRpY2F0ZWQgUmVxdWVzdHMKCSAgICBzZWN0aW9uLgoJICA8L3Q+CiAgICAg ICAgPC9saXN0PgogICAgICA8L3Q+CiAgICAgIDx0PgogICAgICAgIC0wOQogICAgICAgIDxsaXN0 IHN0eWxlPSdzeW1ib2xzJz4KICAgICAgICAgIDx0PgogICAgICAgICAgICBJbmNvcnBvcmF0ZWQg d29ya2luZyBncm91cCBsYXN0IGNhbGwgY29tbWVudHMuICBTcGVjaWZpYyBjaGFuZ2VzIHdlcmU6 CgkgIDwvdD4KCSAgPHQ+CgkgICAgVXNlIGRlZmluaXRpb25zIGZyb20gPHhyZWYKCSAgICB0YXJn ZXQ9J0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aCcgLz4gcmF0aGVyIHRoYW4gPHhyZWYKCSAgICB0 YXJnZXQ9J1JGQzI2MTcnIC8+LgoJICA8L3Q+CgkgIDx0PgoJICAgIFVwZGF0ZSBjcmVkZW50aWFs cyBkZWZpbml0aW9uIHRvIGNvbmZvcm0gdG8gPHhyZWYKCSAgICB0YXJnZXQ9J0ktRC5pZXRmLWh0 dHBiaXMtcDctYXV0aCcgLz4uCgkgIDwvdD4KCSAgPHQ+CgkgICAgRnVydGhlciBjbGFyaWZpZWQg dGhhdCBxdWVyeSBwYXJhbWV0ZXJzIG1heSBvY2N1ciBpbiBhbnkgb3JkZXIuCgkgIDwvdD4KCSAg PHQ+CgkgICAgU3BlY2lmeSB0aGF0IGVycm9yX2Rlc2NyaXB0aW9uIGlzIFVURi04IGVuY29kZWQK CSAgICAobWF0Y2hpbmcgdGhlIGNvcmUgc3BlY2lmaWNhdGlvbikuCgkgIDwvdD4KCSAgPHQ+Cgkg ICAgUmVnaXN0ZXJlZCAiQmVhcmVyIiBBdXRoZW50aWNhdGlvbiBTY2hlbWUgaW4KCSAgICBBdXRo ZW50aWNhdGlvbiBTY2hlbWUgUmVnaXN0cnkgZGVmaW5lZCBieQoJICAgIDx4cmVmIHRhcmdldD0n SS1ELmlldGYtaHR0cGJpcy1wNy1hdXRoJyAvPi4KCSAgPC90PgogICAgICAgICAgPHQ+CiAgICAg ICAgICAgIFVwZGF0ZWQgcmVmZXJlbmNlcyB0byBvYXV0aC12MiwgaHR0cGJpcy1wMS1tZXNzYWdp bmcsIGFuZAogICAgICAgICAgICBodHRwYmlzLXA3LWF1dGggZHJhZnRzLgoJICA8L3Q+CgkgIDx0 PgoJICAgIE90aGVyIHdvcmRpbmcgaW1wcm92ZW1lbnRzIG5vdCBpbnRyb2R1Y2luZyBub3JtYXRp dmUgY2hhbmdlcy4KCSAgPC90PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90PgogICAgICA8dD4K ICAgICAgICAtMDgKICAgICAgICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CiAgICAgICAgICA8dD4K ICAgICAgICAgICAgVXBkYXRlZCByZWZlcmVuY2VzIHRvIG9hdXRoLXYyIGFuZCBIVFRQYmlzIGRy YWZ0cy4KCSAgPC90PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90PgogICAgICA8dD4KICAgICAg ICAtMDcKICAgICAgICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CiAgICAgICAgICA8dD4KICAgICAg ICAgICAgQWRkZWQgbWlzc2luZyBjb21tYSBpbiBlcnJvciByZXNwb25zZSBleGFtcGxlLgoJICA8 L3Q+CiAgICAgICAgPC9saXN0PgogICAgICA8L3Q+CiAgICAgIDx0PgogICAgICAgIC0wNgogICAg ICAgIDxsaXN0IHN0eWxlPSdzeW1ib2xzJz4KICAgICAgICAgIDx0PgogICAgICAgICAgICBDaGFu Z2VkIHBhcmFtZXRlciBuYW1lIDxzcGFueAogICAgICAgICAgICBzdHlsZT0idmVyYiI+YmVhcmVy X3Rva2VuPC9zcGFueD4gdG8gPHNwYW54CiAgICAgICAgICAgIHN0eWxlPSJ2ZXJiIj5hY2Nlc3Nf dG9rZW48L3NwYW54PiwgcGVyIHdvcmtpbmcgZ3JvdXAKICAgICAgICAgICAgY29uc2Vuc3VzLgoJ ICA8L3Q+CgkgIDx0PgoJICAgIENoYW5nZWQgSFRUUCBzdGF0dXMgY29kZSBmb3IgPHNwYW54Cgkg ICAgc3R5bGU9InZlcmIiPmludmFsaWRfcmVxdWVzdDwvc3Bhbng+IGVycm9yIGNvZGUgZnJvbSBI VFRQCgkgICAgNDAxIChVbmF1dGhvcml6ZWQpIGJhY2sgdG8gSFRUUCA0MDAgKEJhZCBSZXF1ZXN0 KSwgcGVyCgkgICAgaW5wdXQgZnJvbSBIVFRQIHdvcmtpbmcgZ3JvdXAgZXhwZXJ0cy4KCSAgPC90 PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90PgogICAgICA8dD4KICAgICAgICAtMDUKICAgICAg ICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CgkgIDx0PgoJICAgIFJlbW92ZWQgT0F1dGggRXJyb3Jz IFJlZ2lzdHJ5LCBwZXIgZGVzaWduIHRlYW0gaW5wdXQuCgkgIDwvdD4KCSAgPHQ+CgkgICAgQ2hh bmdlZCBIVFRQIHN0YXR1cyBjb2RlIGZvciA8c3BhbngKCSAgICBzdHlsZT0idmVyYiI+aW52YWxp ZF9yZXF1ZXN0PC9zcGFueD4gZXJyb3IgY29kZSBmcm9tIEhUVFAKCSAgICA0MDAgKEJhZCBSZXF1 ZXN0KSB0byBIVFRQIDQwMSAoVW5hdXRob3JpemVkKSB0byBtYXRjaCBIVFRQCgkgICAgdXNhZ2Ug W1sgY2hhbmdlIHBlbmRpbmcgd29ya2luZyBncm91cCBjb25zZW5zdXMgXV0uCgkgIDwvdD4KCSAg PHQ+CgkgICAgQWRkZWQgbWlzc2luZyBxdW90YXRpb24gbWFya3MgaW4gZXJyb3ItdXJpIGRlZmlu aXRpb24uCgkgIDwvdD4KCSAgPHQ+CgkgICAgQWRkZWQgbm90ZSB0byBhZGQgbGFuZ3VhZ2UgYW5k IGVuY29kaW5nIGluZm9ybWF0aW9uIHRvCgkgICAgZXJyb3JfZGVzY3JpcHRpb24gaWYgdGhlIGNv cmUgc3BlY2lmaWNhdGlvbiBkb2VzLgoJICA8L3Q+CgkgIDx0PgoJICAgIEV4cGxpY2l0bHkgcmVm ZXJlbmNlIHRoZSBBdWdtZW50ZWQgQmFja3VzLU5hdXIgRm9ybSAoQUJORikKCSAgICBkZWZpbmVk IGluIDx4cmVmIHRhcmdldD0nUkZDNTIzNCcgLz4uCgkgIDwvdD4KCSAgPHQ+CgkgICAgVXNlIGF1 dGgtcGFyYW0gaW5zdGVhZCBvZiByZXBlYXRpbmcgaXRzIGRlZmluaXRpb24sIHdoaWNoCgkgICAg aXMgKCB0b2tlbiAiPSIgKCB0b2tlbiAvIHF1b3RlZC1zdHJpbmcgKSApLgoJICA8L3Q+CgkgIDx0 PgoJICAgIENsYXJpZnkgc2VjdXJpdHkgY29uc2lkZXJhdGlvbnMgYWJvdXQgaW5jbHVkaW5nIGFu CgkgICAgYXVkaWVuY2UgcmVzdHJpY3Rpb24gaW4gdGhlIHRva2VuIGFuZCBpbmNsdWRlIGEKCSAg ICByZWNvbW1lbmRhdGlvbiB0byBpc3N1ZSBzY29wZWQgYmVhcmVyIHRva2VucyBpbiB0aGUKCSAg ICBzdW1tYXJ5IG9mIHJlY29tbWVuZGF0aW9ucy4KCSAgPC90PgogICAgICAgIDwvbGlzdD4KICAg ICAgPC90PgogICAgICA8dD4KICAgICAgICAtMDQKICAgICAgICA8bGlzdCBzdHlsZT0nc3ltYm9s cyc+CgkgIDx0PgoJICAgIEVkaXRzIHJlc3BvbmRpbmcgdG8gd29ya2luZyBncm91cCBsYXN0IGNh bGwgZmVlZGJhY2sgb24KCSAgICAtMDMuICBTcGVjaWZpYyBlZGl0cyBlbnVtZXJhdGVkIGJlbG93 LgoJICA8L3Q+CgkgIDx0PgoJICAgIEFkZGVkIEJlYXJlciBUb2tlbiBkZWZpbml0aW9uIGluIFRl cm1pbm9sb2d5IHNlY3Rpb24uCgkgIDwvdD4KICAgICAgICAgIDx0PgogICAgICAgICAgICBDaGFu Z2VkIHBhcmFtZXRlciBuYW1lIDxzcGFueAogICAgICAgICAgICBzdHlsZT0idmVyYiI+b2F1dGhf dG9rZW48L3NwYW54PiB0byA8c3BhbngKICAgICAgICAgICAgc3R5bGU9InZlcmIiPmJlYXJlcl90 b2tlbjwvc3Bhbng+LgoJICA8L3Q+CgkgIDx0PgoJICAgIEFkZGVkIHJlYWxtIHBhcmFtZXRlciB0 byA8c3BhbngKCSAgICBzdHlsZT0ndmVyYic+V1dXLUF1dGhlbnRpY2F0ZTwvc3Bhbng+IHJlc3Bv bnNlIHRvIGNvbXBseQoJICAgIHdpdGggPHhyZWYgdGFyZ2V0PSdSRkMyNjE3JyAvPi4KCSAgPC90 PgoJICA8dD4KCSAgICBSZW1vdmVkICJbIFJXUyAxI2F1dGgtcGFyYW0gXSIgZnJvbSA8c3BhbngK CSAgICBzdHlsZT0idmVyYiI+Y3JlZGVudGlhbHM8L3NwYW54PiBkZWZpbml0aW9uIHNpbmNlIGl0 IGRpZAoJICAgIG5vdCBjb21wbHkgd2l0aCB0aGUgQUJORiBpbiA8eHJlZgoJICAgIHRhcmdldD0n SS1ELmlldGYtaHR0cGJpcy1wNy1hdXRoJyAvPi4KCSAgPC90PgoJICA8dD4KCSAgICBSZW1vdmVk IHJlc3RyaWN0aW9uIHRoYXQgdGhlIDxzcGFueAoJICAgIHN0eWxlPSJ2ZXJiIj5iZWFyZXJfdG9r ZW48L3NwYW54PiAoZm9ybWVybHkgPHNwYW54CgkgICAgc3R5bGU9InZlcmIiPm9hdXRoX3Rva2Vu PC9zcGFueD4pIHBhcmFtZXRlciBiZSB0aGUgbGFzdAoJICAgIHBhcmFtZXRlciBpbiB0aGUgZW50 aXR5LWJvZHkgYW5kIHRoZSBIVFRQIHJlcXVlc3QgVVJJCgkgICAgcXVlcnkuCgkgIDwvdD4KCSAg PHQ+CgkgICAgRG8gbm90IHJlcXVpcmUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBpbiBhIHJl cGx5IHRvIGEKCSAgICBtYWxmb3JtZWQgcmVxdWVzdCwgYXMgYW4gSFRUUCA0MDAgQmFkIFJlcXVl c3QgcmVzcG9uc2UKCSAgICB3aXRob3V0IGEgV1dXLUF1dGhlbnRpY2F0ZSBoZWFkZXIgaXMgbGlr ZWx5IHRoZSByaWdodAoJICAgIHJlc3BvbnNlIGluIHNvbWUgY2FzZXMgb2YgbWFsZm9ybWVkIHJl cXVlc3RzLgoJICA8L3Q+CgkgIDx0PgoJICAgIFJlbW92ZWQgT0F1dGggUGFyYW1ldGVycyByZWdp c3RyeSBleHRlbnNpb24uCgkgIDwvdD4KCSAgPHQ+CgkgICAgTnVtZXJvdXMgZWRpdG9yaWFsIGlt cHJvdmVtZW50cyBzdWdnZXN0ZWQgYnkgd29ya2luZyBncm91cAoJICAgIG1lbWJlcnMuCgkgIDwv dD4KICAgICAgICA8L2xpc3Q+CiAgICAgIDwvdD4KICAgICAgPHQ+CiAgICAgICAgLTAzCiAgICAg ICAgPGxpc3Qgc3R5bGU9J3N5bWJvbHMnPgoJICA8dD4KCSAgICBSZXN0b3JlZCB0aGUgV1dXLUF1 dGhlbnRpY2F0ZSByZXNwb25zZSBoZWFkZXIKCSAgICBmdW5jdGlvbmFsaXR5IGRlbGV0ZWQgZnJv bSB0aGUgZnJhbWV3b3JrIHNwZWNpZmljYXRpb24gaW4KCSAgICBkcmFmdCAxMiBiYXNlZCB1cG9u IHRoZSBzcGVjaWZpY2F0aW9uIHRleHQgZnJvbSBkcmFmdCAxMS4KCSAgPC90PgoJICA8dD4KCSAg ICBBdWdtZW50ZWQgdGhlIE9BdXRoIFBhcmFtZXRlcnMgcmVnaXN0cnkgYnkgYWRkaW5nIHR3bwoJ ICAgIGFkZGl0aW9uYWwgcGFyYW1ldGVyIHVzYWdlIGxvY2F0aW9uczogInJlc291cmNlIHJlcXVl c3QiCgkgICAgYW5kICJyZXNvdXJjZSByZXNwb25zZSIuCgkgIDwvdD4KICAgICAgICAgIDx0Pgog ICAgICAgICAgICBSZWdpc3RlcmVkIHRoZSAib2F1dGhfdG9rZW4iIE9BdXRoIHBhcmFtZXRlciB3 aXRoIHVzYWdlCiAgICAgICAgICAgIGxvY2F0aW9uICJyZXNvdXJjZSByZXF1ZXN0Ii4KICAgICAg ICAgIDwvdD4KICAgICAgICAgIDx0PgogICAgICAgICAgICBSZWdpc3RlcmVkIHRoZSAiZXJyb3Ii IE9BdXRoIHBhcmFtZXRlci4KICAgICAgICAgIDwvdD4KCSAgPHQ+CgkgICAgQ3JlYXRlZCB0aGUg T0F1dGggRXJyb3IgcmVnaXN0cnkgYW5kIHJlZ2lzdGVyZWQgZXJyb3JzLgoJICA8L3Q+CgkgIDx0 PgoJICAgIENoYW5nZWQgdGhlICJPQXV0aDIiIE9BdXRoIGFjY2VzcyB0b2tlbiB0eXBlIG5hbWUg dG8KCSAgICAiQmVhcmVyIi4KCSAgPC90PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90PgogICAg ICA8dD4KICAgICAgICAtMDIKICAgICAgICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CiAgICAgICAg ICA8dD4KICAgICAgICAgICAgSW5jb3Jwb3JhdGVkIGZlZWRiYWNrIHJlY2VpdmVkIG9uIGRyYWZ0 IDAxLiAgTW9zdCBjaGFuZ2VzCiAgICAgICAgICAgIHdlcmUgdG8gdGhlIHNlY3VyaXR5IGNvbnNp ZGVyYXRpb25zIHNlY3Rpb24uICBObyBub3JtYXRpdmUKICAgICAgICAgICAgY2hhbmdlcyB3ZXJl IG1hZGUuICBTcGVjaWZpYyBjaGFuZ2VzIGluY2x1ZGVkOgogICAgICAgICAgPC90PgoJICA8dD4K CSAgICBDaGFuZ2VkIHRlcm1pbm9sb2d5IGZyb20gInRva2VuIHJldXNlIiB0byAidG9rZW4gY2Fw dHVyZQoJICAgIGFuZCByZXBsYXkiLgoJICA8L3Q+CgkgIDx0PgoJICAgIFJlbW92ZWQgc2VudGVu Y2UgIkVuY3J5cHRpbmcgdGhlIHRva2VuIGNvbnRlbnRzIGlzIGFub3RoZXIKCSAgICBhbHRlcm5h dGl2ZSIgZnJvbSB0aGUgc2VjdXJpdHkgY29uc2lkZXJhdGlvbnMgc2luY2UgaXQgd2FzCgkgICAg cmVkdW5kYW50IGFuZCBwb3RlbnRpYWxseSBjb25mdXNpbmcuCgkgIDwvdD4KCSAgPHQ+CgkgICAg Q29ycmVjdGVkIHNvbWUgcmVmZXJlbmNlcyB0byAicmVzb3VyY2Ugc2VydmVyIiB0byBiZQoJICAg ICJhdXRob3JpemF0aW9uIHNlcnZlciIgaW4gdGhlIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25zLgoJ ICA8L3Q+CgkgIDx0PgoJICAgIEdlbmVyYWxpemVkIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25zIGxh bmd1YWdlIGFib3V0CgkgICAgb2J0YWluaW5nIGNvbnNlbnQgb2YgdGhlIHJlc291cmNlIG93bmVy LgoJICA8L3Q+CgkgIDx0PgoJICAgIEJyb2FkZW5lZCBzY29wZSBvZiBzZWN1cml0eSBjb25zaWRl cmF0aW9ucyBkZXNjcmlwdGlvbiBmb3IKCSAgICByZWNvbW1lbmRhdGlvbiAiRG9uJ3QgcGFzcyBi ZWFyZXIgdG9rZW5zIGluIHBhZ2UgVVJMcyIuCgkgIDwvdD4KCSAgPHQ+CgkgICAgUmVtb3ZlZCB1 bnVzZWQgcmVmZXJlbmNlIHRvIE9BdXRoIDEuMC4KCSAgPC90PgoJICA8dD4KCSAgICBVcGRhdGVk IHJlZmVyZW5jZSB0byBmcmFtZXdvcmsgc3BlY2lmaWNhdGlvbiBhbmQgdXBkYXRlZAoJICAgIERh dmlkIFJlY29yZG9uJ3MgZS1tYWlsIGFkZHJlc3MuCgkgIDwvdD4KCSAgPHQ+CgkgICAgUmVtb3Zl ZCBzZWN1cml0eSBjb25zaWRlcmF0aW9ucyB0ZXh0IG9uIGF1dGhlbnRpY2F0aW5nCgkgICAgY2xp ZW50cy4KCSAgPC90PgoJICA8dD4KCSAgICBSZWdpc3RlcmVkIHRoZSAiT0F1dGgyIiBPQXV0aCBh Y2Nlc3MgdG9rZW4gdHlwZSBhbmQKCSAgICAib2F1dGhfdG9rZW4iIHBhcmFtZXRlci4KCSAgPC90 PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90PgogICAgICA8dD4KICAgICAgICAtMDEKICAgICAg ICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CiAgICAgICAgICA8dD4KICAgICAgICAgICAgRmlyc3Qg cHVibGljIGRyYWZ0LCB3aGljaCBpbmNvcnBvcmF0ZXMgZmVlZGJhY2sgcmVjZWl2ZWQKICAgICAg ICAgICAgb24gLTAwIGluY2x1ZGluZyBlbmhhbmNlZCBTZWN1cml0eSBDb25zaWRlcmF0aW9ucyBj b250ZW50LgogICAgICAgICAgICBUaGlzIHZlcnNpb24gaXMgaW50ZW5kZWQgdG8gYWNjb21wYW55 IE9BdXRoIDIuMCBkcmFmdCAxMS4KICAgICAgICAgIDwvdD4KICAgICAgICA8L2xpc3Q+CiAgICAg IDwvdD4KICAgICAgPHQ+CiAgICAgICAgLTAwCiAgICAgICAgPGxpc3Qgc3R5bGU9J3N5bWJvbHMn PgogICAgICAgICAgPHQ+CiAgICAgICAgICAgIEluaXRpYWwgZHJhZnQgYmFzZWQgb24gcHJlbGlt aW5hcnkgdmVyc2lvbiBvZiBPQXV0aCAyLjAgZHJhZnQgMTEuCiAgICAgICAgICA8L3Q+CiAgICAg ICAgPC9saXN0PgogICAgICA8L3Q+CiAgICA8L3NlY3Rpb24+ICAgICAKCiAgPC9iYWNrPgoKPC9y ZmM+Cg== --_007_4E1F6AAD24975D4BA5B16804296739435F75F103TK5EX14MBXC283r_-- From julian.reschke@gmx.de Mon Dec 12 09:07:46 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C301721F8B84 for ; Mon, 12 Dec 2011 09:07:46 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -104.974 X-Spam-Level: X-Spam-Status: No, score=-104.974 tagged_above=-999 required=5 tests=[AWL=-2.375, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zk1E7Slj02Rz for ; Mon, 12 Dec 2011 09:07:46 -0800 (PST) Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id D32E621F8B7E for ; Mon, 12 Dec 2011 09:07:45 -0800 (PST) Received: (qmail invoked by alias); 12 Dec 2011 17:07:44 -0000 Received: from mail.greenbytes.de (EHLO [192.168.1.140]) [217.91.35.233] by mail.gmx.net (mp025) with SMTP; 12 Dec 2011 18:07:44 +0100 X-Authenticated: #1915285 X-Provags-ID: V01U2FsdGVkX1/8WwcWPwr8T58cxBbtSgfksVvaFV63cTsb4q3IzM Rc37kKg07LC3xg Message-ID: <4EE634DE.4000902@gmx.de> Date: Mon, 12 Dec 2011 18:07:42 +0100 From: Julian Reschke User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Mike Jones References: <4E1F6AAD24975D4BA5B16804296739435F75F103@TK5EX14MBXC283.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F75F103@TK5EX14MBXC283.redmond.corp.microsoft.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 Cc: Mark Nottingham , "oauth@ietf.org" Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Dec 2011 17:07:46 -0000 Mike, On 2011-12-12 17:51, Mike Jones wrote: > ... > This parameter definition was a result of significant working group > discussion and reflects a solid consensus position. Using the quoted > ... I have to object to this summary. If there was consensus, it was rough at best. Essentially, the two of us disagreed, and nobody else said anything. So I'd characterize the current text as the editor's preference, not any kind of WG consensus. Further note that the current text is at odds with recommendations from a spec it normatively references (HTTPbis P7), so this issue will come up again during IETF Last Call. Best regards, Julian From Michael.Jones@microsoft.com Mon Dec 12 09:29:21 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D2C421F8BC4 for ; Mon, 12 Dec 2011 09:29:21 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.099 X-Spam-Level: X-Spam-Status: No, score=-4.099 tagged_above=-999 required=5 tests=[AWL=-0.501, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EF+A07vq8ivF for ; Mon, 12 Dec 2011 09:29:20 -0800 (PST) Received: from VA3EHSOBE005.bigfish.com (va3ehsobe005.messaging.microsoft.com [216.32.180.31]) by ietfa.amsl.com (Postfix) with ESMTP id A0FBA21F8A62 for ; Mon, 12 Dec 2011 09:29:19 -0800 (PST) Received: from mail163-va3-R.bigfish.com (10.7.14.252) by VA3EHSOBE005.bigfish.com (10.7.40.25) with Microsoft SMTP Server id 14.1.225.23; Mon, 12 Dec 2011 17:29:16 +0000 Received: from mail163-va3 (localhost [127.0.0.1]) by mail163-va3-R.bigfish.com (Postfix) with ESMTP id 8118B70035A; Mon, 12 Dec 2011 17:29:16 +0000 (UTC) X-SpamScore: -43 X-BigFish: VS-43(zz9371I936eKc85fh542M1432N98dKzz1202hzz8275ch1033IL8275bh8275dh186Mz2fh2a8h668h839h34h61h) X-Spam-TCS-SCL: 0:0 X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC101.redmond.corp.microsoft.com; RD:none; EFVD:NLI Received-SPF: pass (mail163-va3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC101.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail163-va3 (localhost.localdomain [127.0.0.1]) by mail163-va3 (MessageSwitch) id 1323710954916449_26744; Mon, 12 Dec 2011 17:29:14 +0000 (UTC) Received: from VA3EHSMHS016.bigfish.com (unknown [10.7.14.252]) by mail163-va3.bigfish.com (Postfix) with ESMTP id D80AD2C0046; Mon, 12 Dec 2011 17:29:14 +0000 (UTC) Received: from TK5EX14MLTC101.redmond.corp.microsoft.com (131.107.125.8) by VA3EHSMHS016.bigfish.com (10.7.99.26) with Microsoft SMTP Server (TLS) id 14.1.225.22; Mon, 12 Dec 2011 17:29:12 +0000 Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.220]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.178]) with mapi id 14.02.0247.005; Mon, 12 Dec 2011 09:28:54 -0800 From: Mike Jones To: Julian Reschke Thread-Topic: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14 Thread-Index: Acy47iNp13oTBlqgSku13D4DVT123QARXncAABBmrxA= Date: Mon, 12 Dec 2011 17:28:54 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435F75F275@TK5EX14MBXC283.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739435F75F103@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EE634DE.4000902@gmx.de> In-Reply-To: <4EE634DE.4000902@gmx.de> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.37] Content-Type: multipart/mixed; boundary="_003_4E1F6AAD24975D4BA5B16804296739435F75F275TK5EX14MBXC283r_" MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Cc: Mark Nottingham , "oauth@ietf.org" Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Dec 2011 17:29:21 -0000 --_003_4E1F6AAD24975D4BA5B16804296739435F75F275TK5EX14MBXC283r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Julian, you should reread the (substantial) mailing list threads on this to= pic. As an example demonstrating the consensus, I've attached a pair of me= ssages from a thread on this topic in which several people supported the in= put restriction to preclude character quoting. For instance, in this thread Eran Hammer-Lahav wrote: "All I agree with is= to limit the scope character-set in the v2 spec to the subset of ASCII all= owed in HTTP header quoted-string, excluding " and \ so no escaping is need= ed, ever." You'll also find that all of these people then explicitly agreed with this = restriction: John Bradley William Mills Phil Hunt Mike Jones I believe that there were others as well. Therefore, it is inaccurate to c= haracterize this consensus decision as "essentially, the two of us disagree= d". Best wishes, -- Mike -----Original Message----- From: Julian Reschke [mailto:julian.reschke@gmx.de]=20 Sent: Monday, December 12, 2011 9:08 AM To: Mike Jones Cc: Mark Nottingham; Stephen Farrell; oauth@ietf.org Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-o= auth-v2-bearer-14 Mike, On 2011-12-12 17:51, Mike Jones wrote: > ... > This parameter definition was a result of significant working group=20 > discussion and reflects a solid consensus position. Using the quoted > ... I have to object to this summary. If there was consensus, it was rough at b= est. Essentially, the two of us disagreed, and nobody else said anything. So I'd= characterize the current text as the editor's preference, not any kind of = WG consensus. Further note that the current text is at odds with recommendations from a s= pec it normatively references (HTTPbis P7), so this issue will come up agai= n during IETF Last Call. Best regards, Julian --_003_4E1F6AAD24975D4BA5B16804296739435F75F275TK5EX14MBXC283r_ Content-Type: message/rfc822 Content-Disposition: attachment; creation-date="Mon, 12 Dec 2011 17:28:50 GMT"; modification-date="Mon, 12 Dec 2011 17:28:50 GMT" Received: from mail111-db3-R.bigfish.com (157.54.51.113) by mail.microsoft.com (157.54.79.159) with Microsoft SMTP Server (TLS) id 14.1.339.2; Mon, 17 Oct 2011 15:25:37 -0700 Received: from mail111-db3 (localhost.localdomain [127.0.0.1]) by mail111-db3-R.bigfish.com (Postfix) with ESMTP id 33C9AD2029C; Mon, 17 Oct 2011 22:25:36 +0000 (UTC) Received: from mail111-db3 (localhost.localdomain [127.0.0.1]) by mail111-db3 (MessageSwitch) id 1318890334466583_16135; Mon, 17 Oct 2011 22:25:34 +0000 (UTC) Received: from DB3EHSMHS009.bigfish.com (unknown [10.3.81.248]) by mail111-db3.bigfish.com (Postfix) with ESMTP id 6C82BAC004F; Mon, 17 Oct 2011 22:25:34 +0000 (UTC) Received: from mail.ietf.org (12.22.58.30) by DB3EHSMHS009.bigfish.com (10.3.87.109) with Microsoft SMTP Server id 14.1.225.22; Mon, 17 Oct 2011 22:25:34 +0000 Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E392611E8095; Mon, 17 Oct 2011 15:25:31 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E33D111E8082 for ; Mon, 17 Oct 2011 15:25:30 -0700 (PDT) Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WE3rXlLMBCAy for ; Mon, 17 Oct 2011 15:25:30 -0700 (PDT) Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.215]) by ietfa.amsl.com (Postfix) with ESMTP id E007811E8073 for ; Mon, 17 Oct 2011 15:25:29 -0700 (PDT) Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Mon, 17 Oct 2011 15:25:29 -0700 Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.243]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.01.0339.002; Mon, 17 Oct 2011 15:25:28 -0700 From: Mike Jones To: William Mills , John Bradley , Eran Hammer-Lahav CC: OAuth WG Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions Thread-Topic: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions Thread-Index: AQHMjRuyT8ezuMUHOEqywykvH4awjA== Sender: "oauth-bounces@ietf.org" Date: Mon, 17 Oct 2011 22:25:26 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435C2479E0@TK5EX14MBXC283.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739435C23C5A6@TK5EX14MBXC284.redmond.corp.microsoft.com><7A22B287-CC99-4FD7-84DF-8FF5DA871FC6@gmx.net><4E1F6AAD24975D4BA5B16804296739435C23CAFE@TK5EX14MBXC284.redmond.corp.microsoft.com><89BE3D9D-AB1D-44B2-BA7D-0C0D74BCA885@gmx.net> <4E1F6AAD24975D4BA5B16804296739435C23CC9D@TK5EX14MBXC284.redmond.corp.microsoft.com> <999913AB42CC9341B05A99BBF358718DAABC44@FIESEXC035.nsn-intra.net> <4E1F6AAD24975D4BA5B16804296739435C23EA6A@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E9AB561.5060904@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C23F5B6@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E9B1BA6.2060704@gmx.de> <90C41DD21FB7C64BB94121FBBC2E723452604B908A@P3PW5EX1MB01.EX1.SECURESERVER.NET>, <9E5660BC-C797-454B-B2AF-48AB3E886AC7@ve7jtb.com> <62D2DE5D-AEBE-4A75-9C36-7A51E63DC7C3@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E723452604B9102@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4DF35A25-989C-4BE4-8ACD-35 20DDB8BDE9@gmx.net> <90C41DD21FB7C64BB94121FBBC2E723452604B9197@P3PW5EX1MB01.EX1.SECURESERVER.NET> <0AE463C6-254C-4776-A6EC-08DBE3F8A7F1@ve7jtb.com> <1318884797.81519.YahooMailNeo@web31813.mail.mud.yahoo.com> List-Help: List-Subscribe: , List-Unsubscribe: , In-Reply-To: <1318884797.81519.YahooMailNeo@web31813.mail.mud.yahoo.com> Accept-Language: en-US Content-Language: en-US X-MS-Exchange-Organization-AuthSource: TK5EX14MLTC104.redmond.corp.microsoft.com X-MS-Has-Attach: yes X-Auto-Response-Suppress: All X-MS-TNEF-Correlator: received-spf: pass (mail111-db3: domain of ietf.org designates 12.22.58.30 as permitted sender) client-ip=12.22.58.30; envelope-from=oauth-bounces@ietf.org; helo=mail.ietf.org ;ail.ietf.org ; x-originating-ip: [157.54.51.37] list-archive: x-bigfish: vp x-sender-lookup: Y x-fb-ss: 0,0,0, x-spamscore: 0 x-spam-status: No, score=-9.803 tagged_above=-999 required=5 tests=[AWL=0.795, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8] x-spam-level: x-virus-scanned: amavisd-new at amsl.com x-beenthere: oauth@ietf.org x-mailman-version: 2.1.12 errors-to: oauth-bounces@ietf.org list-id: OAUTH WG dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1318890332; bh=PWf72wdlEVXFvsOdy676HheGuwOsxZyQ/XUnQlbunUk=; h=From:To:Date:Message-ID:References:In-Reply-To:MIME-Version:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Sender; b=YIdrxPoEt/Y/4YyZL//b8achucLVVQzM8UGCYHOGUML005nSGNU5uZ5Xe5diOsfRu jIxps9aYnHPDLCjOMYAxjdVe/pSakTxR1V9lx9JccL/ztYnu7G9E1gbjQXK3jdZOLp 2rWji2u+LEBY+8q3u4jCqz2N7l5Jj6zSZGf6Weyk= list-post: delivered-to: oauth@ietfa.amsl.com x-original-to: oauth@ietfa.amsl.com x-spam-score: -9.803 x-spam-flag: NO Content-Type: multipart/mixed; boundary="_004_4E1F6AAD24975D4BA5B16804296739435C2479E0TK5EX14MBXC283r_" MIME-Version: 1.0 --_004_4E1F6AAD24975D4BA5B16804296739435C2479E0TK5EX14MBXC283r_ Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435C2479E0TK5EX14MBXC283r_" --_000_4E1F6AAD24975D4BA5B16804296739435C2479E0TK5EX14MBXC283r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable +1 From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of W= illiam Mills Sent: Monday, October 17, 2011 1:53 PM To: John Bradley; Eran Hammer-Lahav Cc: OAuth WG Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Propos= ed Resolutions +1 _____ From: John Bradley > To: Eran Hammer-Lahav > Cc: OAuth WG > Sent: Monday, October 17, 2011 12:13 PM Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Propos= ed Resolutions +1 On 2011-10-17, at 11:53 AM, Eran Hammer-Lahav wrote: > All I agree with is to limit the scope character-set in the v2 spec to th= e subset of ASCII allowed in HTTP header quoted-string, excluding " and \ s= o no escaping is needed, ever. > > EHL > >> -----Original Message----- >> From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] >> Sent: Monday, October 17, 2011 8:25 AM >> To: Eran Hammer-Lahav >> Cc: Hannes Tschofenig; John Bradley; Richer, Justin P.; OAuth WG >> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & >> Proposed Resolutions >> >> It is good that we have an agreement among a few people that more text >> needs to be provided in the core specification on the issue of the scope >> element. >> >> Now, there is still the question of what the text should say. The questi= ons >> from my earlier mails are therefore still applicable and need an answer. >> >> Ciao >> Hannes >> >> On Oct 17, 2011, at 7:27 AM, Eran Hammer-Lahav wrote: >> >>> I agree. >>> >>> EHL >>> >>>> -----Original Message----- >>>> From: John Bradley [mailto:ve7jtb@ve7jtb.com= ] >>>> Sent: Monday, October 17, 2011 6:07 AM >>>> To: Richer, Justin P. >>>> Cc: Eran Hammer-Lahav; OAuth WG >>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & >>>> Proposed Resolutions >>>> >>>> The scopes cross all of the profiles. >>>> >>>> I expect that restricting the character sets for bearer tokens, MAC, >>>> and other future variants should be dealt with in those profiles. >>>> >>>> Without restricting scope in core, we leave the possibility of coming >>>> up with different rules in different profiles e.g. MAC vs Bearer. >>>> >>>> It is probably best to have one rule in core that works across all the >> profiles. >>>> >>>> John B. >>>> On 2011-10-16, at 7:19 PM, Richer, Justin P. wrote: >>>> >>>>> I think the limit makes sense, but then are tokens limited by the >>>>> same >>>> rules? They need to live in all the same places (query parameters, >>>> headers, >>>> forms) that scopes do and would be subject to the same kinds of >>>> encoding woes that scopes will. Or am I missing something obvious as >>>> to why this isn't a problem for tokens (both bearer tokens and the >>>> public part of MAC tokens) but is a problem for scope strings? >>>>> >>>>> -- Justin >>>>> ________________________________________ >>>>> From: oauth-bounces@ietf.org [oauth-bo= unces@ietf.org] on behalf of >>>>> John Bradley [ve7jtb@ve7jtb.com] >>>>> Sent: Sunday, October 16, 2011 8:11 PM >>>>> To: Eran Hammer-Lahav >>>>> Cc: OAuth WG >>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & >>>> Proposed Resolutions >>>>> >>>>> Restricting it now in the core spec is going to save a lot of headach= es >> later. >>>>> >>>>> John B. >>>>> On 2011-10-16, at 3:54 PM, Eran Hammer-Lahav wrote: >>>>> >>>>>> It's an open question for the list. >>>>>> >>>>>> EHL >>>>>> >>>>>>> -----Original Message----- >>>>>>> From: Julian Reschke [mailto:julian.reschke@gmx.de] >>>>>>> Sent: Sunday, October 16, 2011 11:00 AM >>>>>>> To: Mike Jones >>>>>>> Cc: Tschofenig, Hannes (NSN - FI/Espoo); Hannes Tschofenig; OAuth >>>>>>> WG; Eran Hammer-Lahav >>>>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues >>>>>>> & Proposed Resolutions >>>>>>> >>>>>>> On 2011-10-16 18:44, Mike Jones wrote: >>>>>>>> As Eran wrote on 9/30, "The fact that the v2 spec allows a wide >>>>>>>> range of >>>>>>> characters in scope was unintentional. The design was limited to >>>>>>> allow simple ASCII strings and URIs." >>>>>>>> ... >>>>>>> >>>>>>> I see. Thanks. >>>>>>> >>>>>>> Is this going to be clarified in -23? >>>>>>> >>>>>>> Best regards, Julian >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_4E1F6AAD24975D4BA5B16804296739435C2479E0TK5EX14MBXC283r_ Content-Type: text/html; charset="us-ascii" Content-ID: <796D2BDD34BD8B499D0F8BBED6A46ECE@microsoft.com> Content-Transfer-Encoding: quoted-printable

+1<= /p>

 <= /p>

From: oauth-bo= unces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of William Mills
Sent: Monday, October 17, 2011 1:53 PM
To: John Bradley; Eran Hammer-Lahav
Cc: OAuth WG
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &= amp; Proposed Resolutions

 

+1

 

<= span style=3D"font-size:10.0pt;font-family:"Arial","sans-ser= if";color:black">From: John Bradley = <ve7jtb@ve7jtb.com>
To: Eran Hammer-Lahav <era= n@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Sent: Monday, October 17, 2011 12:13 PM
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &= amp; Proposed Resolutions

+1

On 2011-10-17, at 11:53 AM, Eran Hammer-Lahav wrote:

> All I agree with is to limit the scope character-set in the v2 spec to= the subset of ASCII allowed in HTTP header quoted-string, excluding "= and \ so no escaping is needed, ever.
>
> EHL
>
>> -----Original Message-----
>> From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
>> Sent: Monday, October 17, 2011 8:25 AM
>> To: Eran Hammer-Lahav
>> Cc: Hannes Tschofenig; John Bradley; Richer, Justin P.; OAuth WG >> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues= &
>> Proposed Resolutions
>>
>> It is good that we have an agreement among a few people that more = text
>> needs to be provided in the core specification on the issue of the= scope
>> element.
>>
>> Now, there is still the question of what the text should say. The = questions
>> from my earlier mails are therefore still applicable and need an a= nswer.
>>
>> Ciao
>> Hannes
>>
>> On Oct 17, 2011, at 7:27 AM, Eran Hammer-Lahav wrote:
>>
>>> I agree.
>>>
>>> EHL
>>>
>>>> -----Original Message-----
>>>> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
>>>> Sent: Monday, October 17, 2011 6:07 AM
>>>> To: Richer, Justin P.
>>>> Cc: Eran Hammer-Lahav; OAuth WG
>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Ope= n Issues &
>>>> Proposed Resolutions
>>>>
>>>> The scopes cross all of the profiles.
>>>>
>>>> I expect that restricting the character sets for bearer to= kens, MAC,
>>>> and other future variants should be dealt with in those pr= ofiles.
>>>>
>>>> Without restricting scope in core, we leave the possibilit= y of coming
>>>> up with different rules in different profiles e.g. MAC vs = Bearer.
>>>>
>>>> It is probably best to have one rule in core that works ac= ross all the
>> profiles.
>>>>
>>>> John B.
>>>> On 2011-10-16, at 7:19 PM, Richer, Justin P. wrote:
>>>>
>>>>> I think the limit makes sense, but then are tokens lim= ited by the
>>>>> same
>>>> rules? They need to live in all the same places (query par= ameters,
>>>> headers,
>>>> forms) that scopes do and would be subject to the same kin= ds of
>>>> encoding woes that scopes will. Or am I missing something = obvious as
>>>> to why this isn't a problem for tokens (both bearer tokens= and the
>>>> public part of MAC tokens) but is a problem for scope stri= ngs?
>>>>>
>>>>> -- Justin
>>>>> ________________________________________
>>>>> From: oauth-= bounces@ietf.org [oauth-bounc= es@ietf.org] on behalf of
>>>>> John Bradley [ve7= jtb@ve7jtb.com]
>>>>> Sent: Sunday, October 16, 2011 8:11 PM
>>>>> To: Eran Hammer-Lahav
>>>>> Cc: OAuth WG
>>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09:= Open Issues &
>>>> Proposed Resolutions
>>>>>
>>>>> Restricting it now in the core spec is going to save a= lot of headaches
>> later.
>>>>>
>>>>> John B.
>>>>> On 2011-10-16, at 3:54 PM, Eran Hammer-Lahav wrote: >>>>>
>>>>>> It's an open question for the list.
>>>>>>
>>>>>> EHL
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Julian Reschke [mailto:julian.reschke@gmx.de]
>>>>>>> Sent: Sunday, October 16, 2011 11:00 AM
>>>>>>> To: Mike Jones
>>>>>>> Cc: Tschofenig, Hannes (NSN - FI/Espoo); Hanne= s Tschofenig; OAuth
>>>>>>> WG; Eran Hammer-Lahav
>>>>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-be= arer-09: Open Issues
>>>>>>> & Proposed Resolutions
>>>>>>>
>>>>>>> On 2011-10-16 18:44, Mike Jones wrote:
>>>>>>>> As Eran wrote on 9/30, "The fact that= the v2 spec allows a wide
>>>>>>>> range of
>>>>>>> characters in scope was unintentional. The des= ign was limited to
>>>>>>> allow simple ASCII strings and URIs."
>>>>>>>> ...
>>>>>>>
>>>>>>> I see. Thanks.
>>>>>>>
>>>>>>> Is this going to be clarified in -23?
>>>>>>>
>>>>>>> Best regards, Julian
>>>>>> _______________________________________________ >>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth

--_000_4E1F6AAD24975D4BA5B16804296739435C2479E0TK5EX14MBXC283r_-- --_004_4E1F6AAD24975D4BA5B16804296739435C2479E0TK5EX14MBXC283r_ Content-Type: text/plain; name="ATT00001.txt" Content-Description: ATT00001.txt Content-Disposition: attachment; filename="ATT00001.txt"; size=130; creation-date="Mon, 17 Oct 2011 22:25:38 GMT"; modification-date="Mon, 17 Oct 2011 22:25:38 GMT" Content-ID: <704A9A451FC5FC4C9981C660CB015638@microsoft.com> Content-Transfer-Encoding: base64 X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCk9BdXRoIG1h aWxpbmcgbGlzdA0KT0F1dGhAaWV0Zi5vcmcNCmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4v bGlzdGluZm8vb2F1dGgNCg== --_004_4E1F6AAD24975D4BA5B16804296739435C2479E0TK5EX14MBXC283r_-- --_003_4E1F6AAD24975D4BA5B16804296739435F75F275TK5EX14MBXC283r_ Content-Type: message/rfc822 Content-Disposition: attachment; creation-date="Mon, 12 Dec 2011 17:28:52 GMT"; modification-date="Mon, 12 Dec 2011 17:28:52 GMT" Received: from mail35-va3-R.bigfish.com (157.54.51.80) by mail.microsoft.com (157.54.80.48) with Microsoft SMTP Server (TLS) id 14.1.339.2; Mon, 17 Oct 2011 15:42:58 -0700 Received: from mail35-va3 (localhost.localdomain [127.0.0.1]) by mail35-va3-R.bigfish.com (Postfix) with ESMTP id 1CDD02D0377; Mon, 17 Oct 2011 22:42:58 +0000 (UTC) Received: from mail35-va3 (localhost.localdomain [127.0.0.1]) by mail35-va3 (MessageSwitch) id 1318891289747216_3584; Mon, 17 Oct 2011 22:41:29 +0000 (UTC) Received: from VA3EHSMHS036.bigfish.com (unknown [10.7.14.245]) by mail35-va3.bigfish.com (Postfix) with ESMTP id 6D8FD14181FB; Mon, 17 Oct 2011 22:40:20 +0000 (UTC) Received: from mail.ietf.org (12.22.58.30) by VA3EHSMHS036.bigfish.com (10.7.99.46) with Microsoft SMTP Server id 14.1.225.22; Mon, 17 Oct 2011 22:40:17 +0000 Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76B7C11E80A6; Mon, 17 Oct 2011 15:40:16 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57B811E80A2 for ; Mon, 17 Oct 2011 15:40:15 -0700 (PDT) Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KiBnR7pla483 for ; Mon, 17 Oct 2011 15:40:14 -0700 (PDT) Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id BA74011E8095 for ; Mon, 17 Oct 2011 15:40:14 -0700 (PDT) Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by acsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id p9HMeBPU006012 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Mon, 17 Oct 2011 22:40:13 GMT Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id p9HMS3Yi016929 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 17 Oct 2011 22:28:04 GMT Received: from abhmt106.oracle.com (abhmt106.oracle.com [141.146.116.58]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p9HMe6K4027562 for ; Mon, 17 Oct 2011 17:40:06 -0500 Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 17 Oct 2011 15:40:05 -0700 From: Phil Hunt To: OAuth WG Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions Thread-Topic: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions Thread-Index: AQHMjR4e5ny7ca4oWUyTbIjgN3/d4A== Sender: "oauth-bounces@ietf.org" Date: Mon, 17 Oct 2011 22:40:04 +0000 Message-ID: <3D1B8F29-2FB1-43E9-92D9-C3837ECBB2D2@oracle.com> References: <4E1F6AAD24975D4BA5B16804296739435C23C5A6@TK5EX14MBXC284.redmond.corp.microsoft.com><7A22B287-CC99-4FD7-84DF-8FF5DA871FC6@gmx.net><4E1F6AAD24975D4BA5B16804296739435C23CAFE@TK5EX14MBXC284.redmond.corp.microsoft.com><89BE3D9D-AB1D-44B2-BA7D-0C0D74BCA885@gmx.net> <4E1F6AAD24975D4BA5B16804296739435C23CC9D@TK5EX14MBXC284.redmond.corp.microsoft.com> <999913AB42CC9341B05A99BBF358718DAABC44@FIESEXC035.nsn-intra.net> <4E1F6AAD24975D4BA5B16804296739435C23EA6A@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E9AB561.5060904@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C23F5B6@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E9B1BA6.2060704@gmx.de> <90C41DD21FB7C64BB94121FBBC2E723452604B908A@P3PW5EX1MB01.EX1.SECURESERVER.NET>, <9E5660BC-C797-454B-B2AF-48AB3E886AC7@ve7jtb.com> <62D2DE5D-AEBE-4A75-9C36-7A51E63DC7C3@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E723452604B9102@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4DF35A25-989C-4BE4-8ACD-3! 520DDB8BDE9@gmx.net> <90C41DD21FB7C64BB94121FBBC2E723452604B9197@P3PW5EX1MB01.EX1.SECURESERVER.NET> List-Help: List-Subscribe: , List-Unsubscribe: , In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723452604B9197@P3PW5EX1MB01.EX1.SECURESERVER.NET> Content-Language: en-US X-MS-Exchange-Organization-AuthSource: TK5EX14HUBC105.redmond.corp.microsoft.com X-MS-Has-Attach: X-Auto-Response-Suppress: All X-MS-TNEF-Correlator: received-spf: pass (mail35-va3: domain of ietf.org designates 12.22.58.30 as permitted sender) client-ip=12.22.58.30; envelope-from=oauth-bounces@ietf.org; helo=mail.ietf.org ;ail.ietf.org ; list-archive: x-bigfish: vp x-sender-lookup: Y x-fb-ss: 13, x-spamscore: 0 x-spam-status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] x-spam-level: x-virus-scanned: amavisd-new at amsl.com x-beenthere: oauth@ietf.org x-mailman-version: 2.1.12 errors-to: oauth-bounces@ietf.org list-id: OAUTH WG dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1318891216; bh=GaakH8icLYnesodQzK7EGb7lNm9P64izSgpZVYnCAC0=; h=Mime-Version:From:In-Reply-To:Date:Message-Id:References:To: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=UJthkwPO6k8FFLj9uUIf06xoEwWvTj3KWpKRjy6BqTRX5bS3zR0bnt99Zz9UgbosC KIkLi5Sf3l97gh3kibJ8+ofw9w65g6/nd9E4bzAGcMHaA2Nu/YaNG3AoECxgGx3HPw pGPQuBRLkGhvmCeai1efjavUUIvOSBEKl+l6E3Pg= list-post: delivered-to: oauth@ietfa.amsl.com x-original-to: oauth@ietfa.amsl.com x-spam-score: -6.599 x-source-ip: ucsinet22.oracle.com [156.151.31.94] x-ct-refid: str=0001.0A090209.4E9CAECE.001D,ss=1,re=0.000,fgs=0 x-spam-flag: NO Content-Type: text/plain; charset="us-ascii" Content-ID: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 +1 Phil @independentid www.independentid.com phil.hunt@oracle.com On 2011-10-17, at 11:53 AM, Eran Hammer-Lahav wrote: > All I agree with is to limit the scope character-set in the v2 spec to th= e subset of ASCII allowed in HTTP header quoted-string, excluding " and \ s= o no escaping is needed, ever. > > EHL > >> -----Original Message----- >> From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] >> Sent: Monday, October 17, 2011 8:25 AM >> To: Eran Hammer-Lahav >> Cc: Hannes Tschofenig; John Bradley; Richer, Justin P.; OAuth WG >> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & >> Proposed Resolutions >> >> It is good that we have an agreement among a few people that more text >> needs to be provided in the core specification on the issue of the scope >> element. >> >> Now, there is still the question of what the text should say. The questi= ons >> from my earlier mails are therefore still applicable and need an answer. >> >> Ciao >> Hannes >> >> On Oct 17, 2011, at 7:27 AM, Eran Hammer-Lahav wrote: >> >>> I agree. >>> >>> EHL >>> >>>> -----Original Message----- >>>> From: John Bradley [mailto:ve7jtb@ve7jtb.com] >>>> Sent: Monday, October 17, 2011 6:07 AM >>>> To: Richer, Justin P. >>>> Cc: Eran Hammer-Lahav; OAuth WG >>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & >>>> Proposed Resolutions >>>> >>>> The scopes cross all of the profiles. >>>> >>>> I expect that restricting the character sets for bearer tokens, MAC, >>>> and other future variants should be dealt with in those profiles. >>>> >>>> Without restricting scope in core, we leave the possibility of coming >>>> up with different rules in different profiles e.g. MAC vs Bearer. >>>> >>>> It is probably best to have one rule in core that works across all the >> profiles. >>>> >>>> John B. >>>> On 2011-10-16, at 7:19 PM, Richer, Justin P. wrote: >>>> >>>>> I think the limit makes sense, but then are tokens limited by the >>>>> same >>>> rules? They need to live in all the same places (query parameters, >>>> headers, >>>> forms) that scopes do and would be subject to the same kinds of >>>> encoding woes that scopes will. Or am I missing something obvious as >>>> to why this isn't a problem for tokens (both bearer tokens and the >>>> public part of MAC tokens) but is a problem for scope strings? >>>>> >>>>> -- Justin >>>>> ________________________________________ >>>>> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] on behalf of >>>>> John Bradley [ve7jtb@ve7jtb.com] >>>>> Sent: Sunday, October 16, 2011 8:11 PM >>>>> To: Eran Hammer-Lahav >>>>> Cc: OAuth WG >>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & >>>> Proposed Resolutions >>>>> >>>>> Restricting it now in the core spec is going to save a lot of headach= es >> later. >>>>> >>>>> John B. >>>>> On 2011-10-16, at 3:54 PM, Eran Hammer-Lahav wrote: >>>>> >>>>>> It's an open question for the list. >>>>>> >>>>>> EHL >>>>>> >>>>>>> -----Original Message----- >>>>>>> From: Julian Reschke [mailto:julian.reschke@gmx.de] >>>>>>> Sent: Sunday, October 16, 2011 11:00 AM >>>>>>> To: Mike Jones >>>>>>> Cc: Tschofenig, Hannes (NSN - FI/Espoo); Hannes Tschofenig; OAuth >>>>>>> WG; Eran Hammer-Lahav >>>>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues >>>>>>> & Proposed Resolutions >>>>>>> >>>>>>> On 2011-10-16 18:44, Mike Jones wrote: >>>>>>>> As Eran wrote on 9/30, "The fact that the v2 spec allows a wide >>>>>>>> range of >>>>>>> characters in scope was unintentional. The design was limited to >>>>>>> allow simple ASCII strings and URIs." >>>>>>>> ... >>>>>>> >>>>>>> I see. Thanks. >>>>>>> >>>>>>> Is this going to be clarified in -23? >>>>>>> >>>>>>> Best regards, Julian >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_003_4E1F6AAD24975D4BA5B16804296739435F75F275TK5EX14MBXC283r_-- From julian.reschke@gmx.de Mon Dec 12 09:41:51 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5598821F8BE4 for ; Mon, 12 Dec 2011 09:41:51 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -104.861 X-Spam-Level: X-Spam-Status: No, score=-104.861 tagged_above=-999 required=5 tests=[AWL=-2.262, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nuds0ZNrHP7B for ; Mon, 12 Dec 2011 09:41:50 -0800 (PST) Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 5FD5621F8BDC for ; Mon, 12 Dec 2011 09:41:50 -0800 (PST) Received: (qmail invoked by alias); 12 Dec 2011 17:41:48 -0000 Received: from mail.greenbytes.de (EHLO [192.168.1.140]) [217.91.35.233] by mail.gmx.net (mp014) with SMTP; 12 Dec 2011 18:41:48 +0100 X-Authenticated: #1915285 X-Provags-ID: V01U2FsdGVkX1/qf7BLa7/qOyUkJrBdhGH1Slwnjh+O9b0XqrjrMU AOLKqbLyAx5GbD Message-ID: <4EE63CD8.60704@gmx.de> Date: Mon, 12 Dec 2011 18:41:44 +0100 From: Julian Reschke User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Mike Jones References: <4E1F6AAD24975D4BA5B16804296739435F75F103@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EE634DE.4000902@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F75F275@TK5EX14MBXC283.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F75F275@TK5EX14MBXC283.redmond.corp.microsoft.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 Cc: Mark Nottingham , "oauth@ietf.org" Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Dec 2011 17:41:51 -0000 On 2011-12-12 18:28, Mike Jones wrote: > Julian, you should reread the (substantial) mailing list threads on this topic. As an example demonstrating the consensus, I've attached a pair of messages from a thread on this topic in which several people supported the input restriction to preclude character quoting. > > For instance, in this thread Eran Hammer-Lahav wrote: "All I agree with is to limit the scope character-set in the v2 spec to the subset of ASCII allowed in HTTP header quoted-string, excluding " and \ so no escaping is needed, ever." > > You'll also find that all of these people then explicitly agreed with this restriction: > John Bradley > William Mills > Phil Hunt > Mike Jones > > I believe that there were others as well. Therefore, it is inaccurate to characterize this consensus decision as "essentially, the two of us disagreed". Mike, I'm not disagreeing with the decision not to allow "\" in the value. What I'm disagreeing with is writing the ABNF in a way that will make it likely for implementers to special-case OAuth parameters when they should not. The syntax of WWW-Authenticate is defined by HTTP. You *can* profile what senders can put into OAuth-specific parameters, but profiling what consumers need to parse is dangerous. Don't. Just use the generic grammar. Best regards, Julian From leifj@mnt.se Mon Dec 12 10:30:13 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EB0921F8888 for ; Mon, 12 Dec 2011 10:30:13 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.907 X-Spam-Level: X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[AWL=0.295, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NWwTgOKyq4xf for ; Mon, 12 Dec 2011 10:30:12 -0800 (PST) Received: from mail-lpp01m010-f44.google.com (mail-lpp01m010-f44.google.com [209.85.215.44]) by ietfa.amsl.com (Postfix) with ESMTP id 36A3421F8880 for ; Mon, 12 Dec 2011 10:30:11 -0800 (PST) Received: by laah2 with SMTP id h2so1479064laa.31 for ; Mon, 12 Dec 2011 10:30:09 -0800 (PST) Received: by 10.152.133.210 with SMTP id pe18mr345790lab.19.1323714609543; Mon, 12 Dec 2011 10:30:09 -0800 (PST) Received: from [10.0.0.232] (ua-83-227-179-169.cust.bredbandsbolaget.se. [83.227.179.169]) by mx.google.com with ESMTPS id nw10sm17419856lab.4.2011.12.12.10.30.05 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 12 Dec 2011 10:30:07 -0800 (PST) References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> <4EDB726E.2060900@gmail.com> <6A17C741-8F1F-44A6-8E20-52A58272C2BE@mnt.se> <1323624449.41873.YahooMailNeo@web31812.mail.mud.yahoo.com> In-Reply-To: <1323624449.41873.YahooMailNeo@web31812.mail.mud.yahoo.com> Mime-Version: 1.0 (iPad Mail 8L1) Content-Transfer-Encoding: 7bit Content-Type: multipart/alternative; boundary=Apple-Mail-9--337343302 Message-Id: X-Mailer: iPad Mail (8L1) From: Leif Johansson Date: Mon, 12 Dec 2011 19:32:00 +0100 To: William Mills Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Dec 2011 18:30:13 -0000 --Apple-Mail-9--337343302 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Exactly 11 dec 2011 kl. 18:27 skrev William Mills : > They are only compatible in the sense that they share the same security ch= aracteristics. >=20 > From: Leif Johansson > To: Paul Madsen =20 > Cc: "oauth@ietf.org" =20 > Sent: Sunday, December 11, 2011 3:28 AM > Subject: Re: [OAUTH-WG] Mandatory-to-implement token type >=20 > As an implementor of a toolkit let me offer this: the only use/requirement= of mac that I've seen is for backwards compat with 1.0a.=20 >=20 >=20 >=20 > 4 dec 2011 kl. 14:15 skrev Paul Madsen : >=20 >> Commercial OAuth authorization servers are neither 'toolkits' nor 'purpos= e built code' - not used to build OAuth clients/servers but yet required to s= upport more variety in deployments than a single purpose built server. >>=20 >> But, that variety is driven by customer demand, and none of ours (yet?) h= ave demanded MAC. If and when that demand comes, we will add support.=20 >>=20 >> To stipulate MAC as MTI would in no way reflect what the market wants. An= d 'interop' nobody wants is not meaningful interop. >>=20 >> paul >>=20 >> On 12/3/11 4:37 PM, Barry Leiba wrote: >>>=20 >>> Stephen says: >>>> On 12/02/2011 03:20 AM, Barry Leiba wrote: >>>>> Maybe what would work best is some text that suggests what I say >>>>> above: that toolkits intended for use in implementing OAuth services >>>>> in general... implement [X and/or Y], and that code written for a >>>>> specific environment implement what makes sense for that environment. >>>>> It seems to me that to require any particular implementation in the >>>>> latter case is arbitrary and counter-productive, and doesn't help >>>>> anything interoperate. Whereas general-purpose toolkits that >>>>> implement everything DO help interop. >>>> That'd work just fine for me. >>> OK, so here's what I suggest... I propose adding a new section 7.2, thus= : >>>=20 >>> ----------------------------------- >>> 7.2 Access Token Implementation Considerations >>>=20 >>> Access token types have to be mutually understood among the >>> authorization server, the resource server, and the client -- the >>> access token issues the token, the resource server validates it, and >>> the client is required to understand the type, as noted in section >>> 7.1, above. Because of that, interoperability of program code >>> developed separately depends upon the token types that are supported >>> in the code. >>>=20 >>> Toolkits that are intended for general use (for building other clients >>> and/or servers), therefore, SHOULD implement as many token types as >>> practical, to ensure that programs developed with those toolkits are >>> able to use the token types they need. In particular, all general-use >>> toolkits MUST implement bearer tokens [...ref...] and MAC tokens >>> [...ref...]. >>>=20 >>> Purpose-built code, built without such toolkits, has somewhat more >>> flexibility, as its developers know the specific environment they're >>> developing for. There's clearly little point to including code to >>> support a particular token type when it's known in advance that the >>> type in question will never be used in the intended deployment. >>> Developers of purpose-built code are encouraged to consider future >>> extensions and to plan ahead for changes in circumstances, and might >>> still want to include support for multiple token types. That said, >>> the choice of token-type support for such purpose-built code is left >>> to the developers and their specific requirements. >>> ----------------------------------- >>>=20 >>> I think that expresses a reasonable compromise that might actually be >>> followed and might actually do some good. Comments? Can we go with >>> this and close this issue? (And, sorry, I've been a Bad Chair, and >>> haven't put this in the tracker.) >>>=20 >>> Barry >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>=20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 --Apple-Mail-9--337343302 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8
Exactly



11 de= c 2011 kl. 18:27 skrev William Mills <wmills@yahoo-inc.com>:

= They are only compatible in the sense that they share the same security char= acteristics.

From: Leif Johansson <leifj@mnt.se>
To: Paul Madsen <paul.madse= n@gmail.com>
Cc:= "oauth@ietf.org" <oauth@ietf.org>
Sent: Sunday, December 11, 2011 3:28 AM
Subject: Re: [OAUTH-WG] Mandatory-to-imp= lement token type
As an implementor of a toolkit let me off= er this: the only use/requirement of mac that I've seen is for backwards com= pat with 1.0a. 



4 dec 2011 kl. 14:15 skrev Pa= ul Madsen <paul.madsen@gmail.com>:

Commercial OAuth authorization servers are neither 'toolkits' nor 'purpose built code' - not used to build OAuth clients/servers but yet required to support more variety in deployments than a single purpose built server.

But, that variety is driven by customer demand, and none of ours (yet?) have demanded MAC. If and when that demand comes, we will add support.

To stipulate MAC as MTI would in no way reflect what the market wants. And 'interop' nobody wants is not meaningful interop.

paul

On 12/3/11 4:37 PM, Barry Leiba wrote: 
Stephen says:

On 12/02/2011 03:20 AM, Barry Leiba wrote:

Maybe what would work best is some text that suggests what I s=
ay
above: that toolkits intended for use in implementing OAuth services
in general... implement [X and/or Y], and that code written for a
specific environment implement what makes sense for that environment.
It seems to me that to require any particular implementation in the
latter case is arbitrary and counter-productive, and doesn't help
anything interoperate.  Whereas general-purpose toolkits that
implement everything DO help interop.

That'd work just fine for me.

OK, so here's what I suggest... I propose adding a new section 7.=
2, thus:

-----------------------------------
7.2 Access Token Implementation Considerations

Access token types have to be mutually understood among the
authorization server, the resource server, and the client -- the
access token issues the token, the resource server validates it, and
the client is required to understand the type, as noted in section
7.1, above.  Because of that, interoperability of program code
developed separately depends upon the token types that are supported
in the code.

Toolkits that are intended for general use (for building other clients
and/or servers), therefore, SHOULD implement as many token types as
practical, to ensure that programs developed with those toolkits are
able to use the token types they need.  In particular, all general-use
toolkits MUST implement bearer tokens [...ref...] and MAC tokens
[...ref...].

Purpose-built code, built without such toolkits, has somewhat more
flexibility, as its developers know the specific environment they're
developing for.  There's clearly little point to including code to
support a particular token type when it's known in advance that the
type in question will never be used in the intended deployment.
Developers of purpose-built code are encouraged to consider future
extensions and to plan ahead for changes in circumstances, and might
still want to include support for multiple token types.  That said,
the choice of token-type support for such purpose-built code is left
to the developers and their specific requirements.
-----------------------------------

I think that expresses a reasonable compromise that might actually be
followed and might actually do some good.  Comments?  Can we go with
this and close this issue?  (And, sorry, I've been a Bad Chair, and
haven't put this in the tracker.)

Barry
_______________________________________________
OAuth mailing list
OAuth@ietf.org=

https://www.ietf.o=
rg/mailman/listinfo/oauth
=20
____________________= ___________________________
OAuth mailing list
OAuth@ietf.o= rg
https://www.ietf.org/mailman/listinfo/oauth

_________________________________= ______________
OAuth mailing list
OAuth@ietf= .org
https:= //www.ietf.org/mailman/listinfo/oauth


= --Apple-Mail-9--337343302-- From Michael.Jones@microsoft.com Mon Dec 12 16:51:47 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96BD511E8073 for ; Mon, 12 Dec 2011 16:51:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.973 X-Spam-Level: X-Spam-Status: No, score=-3.973 tagged_above=-999 required=5 tests=[AWL=-0.375, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o1AC9mul2AMM for ; Mon, 12 Dec 2011 16:51:47 -0800 (PST) Received: from AM1EHSOBE003.bigfish.com (am1ehsobe003.messaging.microsoft.com [213.199.154.206]) by ietfa.amsl.com (Postfix) with ESMTP id 628A021F851A for ; Mon, 12 Dec 2011 16:51:46 -0800 (PST) Received: from mail30-am1-R.bigfish.com (10.3.201.254) by AM1EHSOBE003.bigfish.com (10.3.204.23) with Microsoft SMTP Server id 14.1.225.23; Tue, 13 Dec 2011 00:51:42 +0000 Received: from mail30-am1 (localhost [127.0.0.1]) by mail30-am1-R.bigfish.com (Postfix) with ESMTP id B2FE15803F1 for ; Tue, 13 Dec 2011 00:51:42 +0000 (UTC) X-SpamScore: -4 X-BigFish: VS-4(zzc85fh4015Lzz1202hzz8275bh8275dhz2fh2a8h668h839h) X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:none; EFVD:NLI X-FB-SS: 13, Received-SPF: pass (mail30-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC106.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail30-am1 (localhost.localdomain [127.0.0.1]) by mail30-am1 (MessageSwitch) id 1323737502511498_23351; Tue, 13 Dec 2011 00:51:42 +0000 (UTC) Received: from AM1EHSMHS017.bigfish.com (unknown [10.3.201.254]) by mail30-am1.bigfish.com (Postfix) with ESMTP id 78717700047 for ; Tue, 13 Dec 2011 00:51:42 +0000 (UTC) Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS017.bigfish.com (10.3.207.155) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 13 Dec 2011 00:51:41 +0000 Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.220]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.02.0247.005; Mon, 12 Dec 2011 16:51:42 -0800 From: Mike Jones To: "oauth@ietf.org" Thread-Topic: Using OAuth error_code to glean information from the server Thread-Index: Acy5GRQ8DCUDRcpaSEuLOrJymTfgmAAF5PRw Date: Tue, 13 Dec 2011 00:51:41 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435F75FBF7@TK5EX14MBXC283.redmond.corp.microsoft.com> References: <8DA2949DB77C2547B14546D35E22A20002D328EC@CH1PRD0302MB127.namprd03.prod.outlook.com> In-Reply-To: <8DA2949DB77C2547B14546D35E22A20002D328EC@CH1PRD0302MB127.namprd03.prod.outlook.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.35] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435F75FBF7TK5EX14MBXC283r_" MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Subject: [OAUTH-WG] Using OAuth error_code to glean information from the server X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Dec 2011 00:51:47 -0000 --_000_4E1F6AAD24975D4BA5B16804296739435F75FBF7TK5EX14MBXC283r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I recently received an inquiry regarding invalid_client vs. invalid_grant. = It seems that there is a potential information disclosure in the specifica= tion with respect to how these error codes are used: invalid_client Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client. invalid_grant The provided authorization grant (e.g. authorization code, resource owner credentials, client credentials) is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. If one uses invalid_client when the client is unknown and invalid_grant whe= n the client credentials are invalid, then an attacker could deduce whether= or not a particular client exists. First, do people agree that this is a potential information leak and that t= he leak is meaningful? If so, what mitigation might be suggested? For ins= tance, might a server choose to use a single error code for both (and poten= tially other) cases? Thanks, -- Mike --_000_4E1F6AAD24975D4BA5B16804296739435F75FBF7TK5EX14MBXC283r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

I recently received an in= quiry regarding invalid_client vs. invalid_grant.  It seems that there= is a potential information disclosure in the specification with respect to how these error codes are used:

 

= invalid_client

=            &nb= sp;   Client authentication failed (e.g. unknown client, no

=            &nb= sp;   client authentication included, or unsupported

=            &nb= sp;   authentication method).  The authorization server MAY<= o:p>

=            &nb= sp;   return an HTTP 401 (Unauthorized) status code to indicate

=            &nb= sp;   which HTTP authentication schemes are supported.  If t= he

=            &nb= sp;   client attempted to authenticate via the "Authorizatio= n"

=            &nb= sp;   request header field, the authorization server MUST

=            &nb= sp;   respond with an HTTP 401 (Unauthorized) status code, and

=            &nb= sp;   include the "WWW-Authenticate" response header fi= eld

=            &nb= sp;   matching the authentication scheme used by the client.= 

invalid_grant
           =
;    The provided authorization grant (e.g. authorization
           =
;    code, resource owner credentials, client credentials) is<=
/span>
           =
;    invalid, expired, revoked, does not match the redirecti=
on
           =
;    URI used in the authorization request, or was issued to=

           =
;    another client.

 <= /p>

If one uses invalid_clien= t when the client is unknown and invalid_grant when the client credentials = are invalid, then an attacker could deduce whether or not a particular client exists.

 <= /p>

First, do people agree th= at this is a potential information leak and that the leak is meaningful?&nb= sp; If so, what mitigation might be suggested?  For instance, might a server choose to use a single error code for both (and potentially= other) cases?

 <= /p>

    &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;     Thanks,

    &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;     -- Mike

 <= /p>

--_000_4E1F6AAD24975D4BA5B16804296739435F75FBF7TK5EX14MBXC283r_-- From wmills@yahoo-inc.com Mon Dec 12 17:47:03 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D73521F8880 for ; Mon, 12 Dec 2011 17:47:03 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -17.426 X-Spam-Level: X-Spam-Status: No, score=-17.426 tagged_above=-999 required=5 tests=[AWL=0.172, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Q+ytUnqZSUy for ; Mon, 12 Dec 2011 17:47:02 -0800 (PST) Received: from nm15-vm0.bullet.mail.ac4.yahoo.com (nm15-vm0.bullet.mail.ac4.yahoo.com [98.139.52.236]) by ietfa.amsl.com (Postfix) with SMTP id 40FBB21F84FB for ; Mon, 12 Dec 2011 17:47:02 -0800 (PST) Received: from [98.139.52.197] by nm15.bullet.mail.ac4.yahoo.com with NNFMP; 13 Dec 2011 01:46:55 -0000 Received: from [98.139.52.140] by tm10.bullet.mail.ac4.yahoo.com with NNFMP; 13 Dec 2011 01:46:54 -0000 Received: from [127.0.0.1] by omp1023.mail.ac4.yahoo.com with NNFMP; 13 Dec 2011 01:46:54 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 947166.72833.bm@omp1023.mail.ac4.yahoo.com Received: (qmail 98999 invoked by uid 60001); 13 Dec 2011 01:46:54 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1323740814; bh=Tf3rA7FgZ6fzcWPKs0dUbbCYgobvA2QkgTcUHCIKKFQ=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=S+I/IeUxD0x8Tlu10CuXeegDAGcRsXV9zetTiSxHWWDw4nDpv+aNFUTzddLQ1zexPV11WqWO5eZxCro35RWJvGOqfSflkyy3lEbuLqgs4XsuIu8/Y5QmYw0B8u+NEItho18/TQsttUHYEeAYkvQ9nAXRmGzdfWnsnDh8Lwi0liE= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=V1Yi/mDtNJO5FrqR238mTWkj5Rx1itam4crh0JhtqCkSU+QrYwlcrPqQ6H+fM8aU0tbtPkLMqkDbxGuZoeouDgdoc1LFHFCSR30sZ3lPtXBzj2gB0YXnf95dZX3PmDlkstF+sBFb0B1+yXC0iQ4HMrcQSMg6pNBSKO9zb2jLH20=; X-YMail-OSG: p96UtzsVM1kas6XakJnkIi2QmSTgrSfQ_KDpni87.eYROE5 EiyIrpOY58tB5ltG2_OoRtzkIst1jlZUBEvsFf7X8o5e0SB3e6V7XwBmnYEC gmCSDhXuikvz97Ca1BiyGF1YBANSqRlamSq8kxXYVY1ZaqJ24xZxxLYc0jd. ZRn494mS_e3uZ.d41NY.gijBn5GThpbW5npuIcPaixFACpcGg7E54UIE0A27 DA7dkpzBMHuOpT8Qs8qn4vLwEjcBX5VhoiHMxymsJK6a_0vT_NzdEsaQHRnf r0fy088aNJKGbadvXxxMGBe3drV4AT1FH3FWfsK9jNv67vE7E4VoFOns043F 7DiZTe5kySu123dPrbDMLELHlr33h2FjHiYfCzYrP4pigu5uuLQwMQSurwTn 1BgzyRmEVVRmKJ9x1ZsmPHTgj4iLUhtY8jNE- Received: from [209.131.62.113] by web31816.mail.mud.yahoo.com via HTTP; Mon, 12 Dec 2011 17:46:54 PST X-RocketYMMF: william_john_mills X-Mailer: YahooMailWebService/0.8.116.331537 References: <8DA2949DB77C2547B14546D35E22A20002D328EC@CH1PRD0302MB127.namprd03.prod.outlook.com> <4E1F6AAD24975D4BA5B16804296739435F75FBF7@TK5EX14MBXC283.redmond.corp.microsoft.com> Message-ID: <1323740814.90630.YahooMailNeo@web31816.mail.mud.yahoo.com> Date: Mon, 12 Dec 2011 17:46:54 -0800 (PST) From: William Mills To: Mike Jones , "oauth@ietf.org" In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F75FBF7@TK5EX14MBXC283.redmond.corp.microsoft.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="-1238014912-1519221104-1323740814=:90630" Subject: Re: [OAUTH-WG] Using OAuth error_code to glean information from the server X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: William Mills List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Dec 2011 01:47:03 -0000 ---1238014912-1519221104-1323740814=:90630 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable I don't think the leak of client IDs is a big issue, in any cleartext proto= col you can just sniff them.=A0 We don't mandate SSL on the protected resou= rces.=0A=0A=0AAnyone relying on ClientID for a stronger assurance will want= to be using SSL and an unguessable ID anyway.=0A=0A=0A=0A_________________= _______________=0A From: Mike Jones =0ATo: "oa= uth@ietf.org" =0ASent: Monday, December 12, 2011 4:51 PM= =0ASubject: [OAUTH-WG] Using OAuth error_code to glean information from the= server=0A =0A=0A =0AI recently received an inquiry regarding invalid_clien= t vs. invalid_grant. =A0It seems that there is a potential information disc= losure in the specification with respect to how these error codes are used:= =0A=A0=0Ainvalid_client=0A=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Client= authentication failed (e.g. unknown client, no=0A=A0=A0=A0=A0=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0 client authentication included, or unsupported=0A=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 authentication method).=A0 The authori= zation server MAY=0A=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 return an HT= TP 401 (Unauthorized) status code to indicate=0A=A0=A0=A0=A0=A0=A0=A0=A0=A0= =A0=A0=A0=A0=A0 which HTTP authentication schemes are supported.=A0 If the= =0A=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 client attempted to authentic= ate via the "Authorization"=0A=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 re= quest header field, the authorization server MUST=0A=A0=A0=A0=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0 respond with an HTTP 401 (Unauthorized) status code, = and=0A=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 include the "WWW-Authentic= ate" response header field=0A=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 mat= ching the authentication scheme used by the client.=0Ainvalid_grant=0A=A0= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 The provided authorization grant (e= .g. authorization=0A=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 code, resour= ce owner credentials, client credentials) is=0A=A0=A0=A0=A0=A0=A0=A0=A0=A0= =A0=A0=A0=A0=A0 invalid, expired, revoked, does not match the redirection= =0A=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 URI used in the authorization= request, or was issued to=0A=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 ano= ther client.=0A=A0=0AIf one uses invalid_client when the client is unknown = and invalid_grant when the client credentials are invalid, then an attacker= could deduce whether or not a particular client exists.=0A=A0=0AFirst, do = people agree that this is a potential information leak and that the leak is= meaningful?=A0 If so, what mitigation might be suggested?=A0 For instance,= might a server choose to use a single error code for both (and potentially= other) cases?=0A=A0=0A=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Thanks,=0A=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0= =A0=A0=A0=A0=A0 -- Mike=0A=A0=0A___________________________________________= ____=0AOAuth mailing list=0AOAuth@ietf.org=0Ahttps://www.ietf.org/mailman/l= istinfo/oauth ---1238014912-1519221104-1323740814=:90630 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
I don't think the leak of client IDs is a big issue, in any cleartext pro= tocol you can just sniff them.  We don't mandate SSL on the protected = resources.

Anyone re= lying on ClientID for a stronger assurance will want to be using SSL and an= unguessable ID anyway.

From: Mike Jones <Michael.Jones= @microsoft.com>
To:= "oauth@ietf.org" <oauth@ietf.org>
Sent: Monday, December 12, 2011 4:51 PM
Subject: [OAUTH-WG] Using OAuth error_= code to glean information from the server
=0A
=0A=0A =0A =0A=0A=0A
=0A=0A
I recently received an in= quiry regarding invalid_client vs. invalid_grant.  It seems that there= is a potential information disclosure in the specification with=0A respect= to how these error codes are used:
=0A
&= nbsp;
=0A
invalid_client
=0A
    &= nbsp;          Client authenti= cation failed (e.g.=0Aunknown client, no
=0A
  &nb= sp;            clien= t authentication included, or unsupported
=0A
         &n= bsp;     authentication method).  The authorizatio= n server MAY
=0A
 &nbs= p;             = return an HTTP 401 (Unauthorized) status code to indicate
=0A<= div class=3D"yiv999268650MsoNormal" style=3D"margin-left:.5in;">      &nbs= p;        which HTTP authentication sche= mes are supported.  If the
=0A
           =     client attempted to authenticate via the "Authorization"=
=0A
   &nbs= p;           request head= er field, the authorization server MUST
=0A
         &nbs= p;     respond with an HTTP 401 (Unauthorized) status c= ode, and
=0A
  &n= bsp;            incl= ude the "WWW-Authenticate" response header field
=0A
        &= nbsp;      matching the authentication scheme used= by the client.
=0A
invalid_grant
=0A
      &nb=
sp;        The provided authorization gr=
ant (e.g. authorization
=0A
        =
       code, resource owner credentials, client credentials) is
= =0A
 &nbs=
p;             =
invalid, expired, revoked, does not match the redirection
=0A<= pre style=3D"margin-left:.5in;">  &n= bsp;            URI = used in the authorization request, or was issued to =0A
   &n=
bsp;           another cl=
ient.
=0A
 
=0A
If one us= es invalid_client when the client is unknown and invalid_grant when the cli= ent credentials are invalid, then an attacker could deduce whether or not= =0A a particular client exists.
=0A
  =0A
First, do people agree that this is a potential informatio= n leak and that the leak is meaningful?  If so, what mitigation might = be suggested?  For instance,=0A might a server choose to use a single = error code for both (and potentially other) cases?
=0A
 
=0A
      &n= bsp;            = ;            &n= bsp;            = ;            &n= bsp;   Thanks,
=0A
    =             &nb= sp;            =             &nb= sp;            =       -- Mike
=0A
 
=0A
=0A
=0A=0A

______________________________= _________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.o= rg/mailman/listinfo/oauth


---1238014912-1519221104-1323740814=:90630-- From eran@hueniverse.com Mon Dec 12 18:33:23 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C9F421F8485 for ; Mon, 12 Dec 2011 18:33:23 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.52 X-Spam-Level: X-Spam-Status: No, score=-2.52 tagged_above=-999 required=5 tests=[AWL=0.078, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bi3L2cmVpnFW for ; Mon, 12 Dec 2011 18:33:21 -0800 (PST) Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 6DB0821F84A8 for ; Mon, 12 Dec 2011 18:33:16 -0800 (PST) Received: (qmail 10534 invoked from network); 13 Dec 2011 02:33:15 -0000 Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.46) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 13 Dec 2011 02:33:15 -0000 Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT004.EX1.SECURESERVER.NET ([72.167.180.134]) with mapi; Mon, 12 Dec 2011 19:33:15 -0700 From: Eran Hammer-Lahav To: Mike Jones , "oauth@ietf.org" Date: Mon, 12 Dec 2011 19:33:10 -0700 Thread-Topic: [OAUTH-WG] Using OAuth error_code to glean information from the server Thread-Index: Acy5GRQ8DCUDRcpaSEuLOrJymTfgmAAF5PRwAAOQbdA= Message-ID: <90C41DD21FB7C64BB94121FBBC2E723452856C7C78@P3PW5EX1MB01.EX1.SECURESERVER.NET> References: <8DA2949DB77C2547B14546D35E22A20002D328EC@CH1PRD0302MB127.namprd03.prod.outlook.com> <4E1F6AAD24975D4BA5B16804296739435F75FBF7@TK5EX14MBXC283.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F75FBF7@TK5EX14MBXC283.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E723452856C7C78P3PW5EX1MB01E_" MIME-Version: 1.0 Subject: Re: [OAUTH-WG] Using OAuth error_code to glean information from the server X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Dec 2011 02:33:23 -0000 --_000_90C41DD21FB7C64BB94121FBBC2E723452856C7C78P3PW5EX1MB01E_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable 'Client credentials' needs to be removed from invalid_grant. It is not appr= opriate. Use invalid_client all the way to a fully authenticate client. ANY failure = to authenticate the client should result in invalid_client. Use unauthorized_client for an authenticate client which is not permitted t= o use this grant type. There are no other issues with an invalid grant rela= ted to client credentials. I'll drop it from the e.g. list. EHL From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of M= ike Jones Sent: Monday, December 12, 2011 4:52 PM To: oauth@ietf.org Subject: [OAUTH-WG] Using OAuth error_code to glean information from the se= rver I recently received an inquiry regarding invalid_client vs. invalid_grant. = It seems that there is a potential information disclosure in the specifica= tion with respect to how these error codes are used: invalid_client Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client. invalid_grant The provided authorization grant (e.g. authorization code, resource owner credentials, client credentials) is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. If one uses invalid_client when the client is unknown and invalid_grant whe= n the client credentials are invalid, then an attacker could deduce whether= or not a particular client exists. First, do people agree that this is a potential information leak and that t= he leak is meaningful? If so, what mitigation might be suggested? For ins= tance, might a server choose to use a single error code for both (and poten= tially other) cases? Thanks, -- Mike --_000_90C41DD21FB7C64BB94121FBBC2E723452856C7C78P3PW5EX1MB01E_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

‘Cl= ient credentials’ needs to be removed from invalid_grant. It is not a= ppropriate.

 

Use invalid_client all the way to= a fully authenticate client. ANY failure to authenticate the client should= result in invalid_client.

 

Use unauthorized_c= lient for an authenticate client which is not permitted to use this grant t= ype. There are no other issues with an invalid grant related to client cred= entials.

 =

I’ll drop it from the e.g. lis= t.

 

EHL

 

&nb= sp;

 

From: oauth-bounces@ietf.org [mail= to:oauth-bounces@ietf.org] On Behalf Of Mike Jones
Sent: M= onday, December 12, 2011 4:52 PM
To: oauth@ietf.org
Subject= : [OAUTH-WG] Using OAuth error_code to glean information from the serve= r

 

I recently received an inquiry regarding inva= lid_client vs. invalid_grant.  It seems that there is a potential info= rmation disclosure in the specification with respect to how these error cod= es are used:

 

invalid_client

&= nbsp;           &nbs= p;  Client authentication failed (e.g. unknown client, no

 &nbs= p;             = client authentication included, or unsupported

  &= nbsp;            aut= hentication method).  The authorization server MAY

= &nbs= p;            &= nbsp; return an HTTP 401 (Unauthorized) status code to indicate<= /span>

            = ;   which HTTP authentication schemes are supported.  If the=

          = ;     client attempted to authenticate via the "Au= thorization"

       =         request header field, the author= ization server MUST

      &nbs= p;        respond with an HTTP 401 (Unau= thorized) status code, and

     &n= bsp;         include the "WWW-= Authenticate" response header field

   &= nbsp;           matching = the authentication scheme used by the client.

invalid_grant
    &n=
bsp;          The provided aut=
horization grant (e.g. authorization
 =
;            &n=
bsp; code, resource owner credentials, client credentials) is
           &n= bsp;   invalid, expired, revoked, does not match the redirection<= o:p>
       =
        URI used in the authorization re=
quest, or was issued to
   =
            another =
client.

 

If one uses invalid_client when the= client is unknown and invalid_grant when the client credentials are invali= d, then an attacker could deduce whether or not a particular client exists.=

 <= /p>

First, do people agree that this is a potent= ial information leak and that the leak is meaningful?  If so, what mit= igation might be suggested?  For instance, might a server choose to us= e a single error code for both (and potentially other) cases?

 

         &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;            Tha= nks,

   &nb= sp;            =             &nb= sp;            =             &nb= sp;      -- Mike

 

= --_000_90C41DD21FB7C64BB94121FBBC2E723452856C7C78P3PW5EX1MB01E_-- From sweeden@au1.ibm.com Mon Dec 12 19:11:26 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A589321F8532 for ; Mon, 12 Dec 2011 19:11:26 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E5b8JRGIWbY1 for ; Mon, 12 Dec 2011 19:11:15 -0800 (PST) Received: from e23smtp01.au.ibm.com (e23smtp01.au.ibm.com [202.81.31.143]) by ietfa.amsl.com (Postfix) with ESMTP id 5162521F851F for ; Mon, 12 Dec 2011 19:11:14 -0800 (PST) Received: from /spool/local by e23smtp01.au.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 13 Dec 2011 03:06:36 +1000 Received: from d23relay03.au.ibm.com ([202.81.31.245]) by e23smtp01.au.ibm.com ([202.81.31.207]) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Tue, 13 Dec 2011 03:06:33 +1000 Received: from d23av02.au.ibm.com (d23av02.au.ibm.com [9.190.235.138]) by d23relay03.au.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id pBD3B0Et4669620; Tue, 13 Dec 2011 14:11:03 +1100 Received: from d23av02.au.ibm.com (loopback [127.0.0.1]) by d23av02.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id pBD3B04A001976; Tue, 13 Dec 2011 14:11:00 +1100 Received: from d23ml004.au.ibm.com (d23ml004.au.ibm.com [9.190.250.23]) by d23av02.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id pBD3B0ce001969; Tue, 13 Dec 2011 14:11:00 +1100 In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F75FBF7@TK5EX14MBXC283.redmond.corp.microsoft.com> References: <8DA2949DB77C2547B14546D35E22A20002D328EC@CH1PRD0302MB127.namprd03.prod.outlook.com> <4E1F6AAD24975D4BA5B16804296739435F75FBF7@TK5EX14MBXC283.redmond.corp.microsoft.com> X-KeepSent: EDA06529:6C841E9C-4A257965:000A00B5; type=4; name=$KeepSent To: Mike Jones X-Mailer: Lotus Notes Release 8.5.1FP5 SHF29 November 12, 2010 Message-ID: From: Shane B Weeden Date: Tue, 13 Dec 2011 13:10:52 +1000 X-MIMETrack: Serialize by Router on d23ml004/23/M/IBM(Release 8.5.2FP1HF437 | June 7, 2011) at 13/12/2011 14:14:59 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII x-cbid: 11121217-1618-0000-0000-0000004F1F42 Cc: "oauth@ietf.org" , oauth-bounces@ietf.org Subject: Re: [OAUTH-WG] Using OAuth error_code to glean information from the server X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Dec 2011 03:11:26 -0000 I don't think one can presume that client identifiers are any kind of secret particularly given that for web-based flows they are transmitted in browser redirects. The "meaningful"-ness of the information is debatable as on the other hand security best practices generally support the idea that the less an attacker can ascertain from error messages the better. From: Mike Jones To: "oauth@ietf.org" Date: 13/12/2011 10:56 AM Subject: [OAUTH-WG] Using OAuth error_code to glean information from the server Sent by: oauth-bounces@ietf.org I recently received an inquiry regarding invalid_client vs. invalid_grant. It seems that there is a potential information disclosure in the specification with respect to how these error codes are used: invalid_client Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client. invalid_grant The provided authorization grant (e.g. authorization code, resource owner credentials, client credentials) is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. If one uses invalid_client when the client is unknown and invalid_grant when the client credentials are invalid, then an attacker could deduce whether or not a particular client exists. First, do people agree that this is a potential information leak and that the leak is meaningful? If so, what mitigation might be suggested? For instance, might a server choose to use a single error code for both (and potentially other) cases? Thanks, -- Mike _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From hardjono@mit.edu Tue Dec 13 08:23:24 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F08921F8492 for ; Tue, 13 Dec 2011 08:23:24 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.599 X-Spam-Level: X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IBSGl9o-jADV for ; Tue, 13 Dec 2011 08:23:23 -0800 (PST) Received: from dmz-mailsec-scanner-3.mit.edu (DMZ-MAILSEC-SCANNER-3.MIT.EDU [18.9.25.14]) by ietfa.amsl.com (Postfix) with ESMTP id 3AFC621F843A for ; Tue, 13 Dec 2011 08:23:18 -0800 (PST) X-AuditID: 1209190e-b7f8f6d0000008fc-4f-4ee77bf55f2f Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 8B.D0.02300.5FB77EE4; Tue, 13 Dec 2011 11:23:17 -0500 (EST) Received: from outgoing-exchange-1.mit.edu (OUTGOING-EXCHANGE-1.MIT.EDU [18.9.28.15]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id pBDGNHOl011891 for ; Tue, 13 Dec 2011 11:23:17 -0500 Received: from OC11EXEDGE4.EXCHANGE.MIT.EDU (OC11EXEDGE4.EXCHANGE.MIT.EDU [18.9.3.27]) by outgoing-exchange-1.mit.edu (8.13.8/8.12.4) with ESMTP id pBDGNFet027780 for ; Tue, 13 Dec 2011 11:23:16 -0500 Received: from W92EXHUB15.exchange.mit.edu (18.7.73.26) by OC11EXEDGE4.EXCHANGE.MIT.EDU (18.9.3.27) with Microsoft SMTP Server (TLS) id 14.1.289.1; Tue, 13 Dec 2011 11:23:08 -0500 Received: from OC11EXPO24.exchange.mit.edu ([169.254.1.210]) by W92EXHUB15.exchange.mit.edu ([18.7.73.26]) with mapi id 14.01.0289.001; Tue, 13 Dec 2011 11:23:15 -0500 From: Thomas Hardjono To: "oauth (oauth@ietf.org)" Thread-Topic: Reminder: tomorrow Webinar on UMA / OAUTH (December 14th at 10AM-PST) Thread-Index: Acy5s4PJdQjX8AzESXGUoWq4h0tn4g== Date: Tue, 13 Dec 2011 16:23:15 +0000 Message-ID: <5E393DF26B791A428E5F003BB6C5342A0416D1@OC11EXPO24.exchange.mit.edu> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [66.30.208.11] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrKKsWRmVeSWpSXmKPExsUixCmqrPu1+rmfwfor3BYn375ic2D0WLLk J1MAYxSXTUpqTmZZapG+XQJXxqPjx1kLLnJWvJgwi6WBsZuji5GTQ0LARKLp3wImCFtM4sK9 9WwgtpDAPkaJLV+Uuhi5gOyrjBJ90/azQjh3GCW23t3OCOFsZ5SYufgYlLOaUeJ701pWkH42 AQ2Jc7/3soPYIgK6Eqs/9YLZwgJBEp+PLwLaxwEUD5dYczMOokRPYmHvahaQMIuAqsS2T1wg YV6BAImty/8wgtiMQNd9P7UG7FJmAXGJW0/mQ10tKLFo9h5mmA/+7XrIBjJGQkBBomdKHkS5 jsSC3Z/YIGxtiWULXzNDjBeUODnzCcsERrFZSKbOQtIyC0nLLCQtCxhZVjHKpuRW6eYmZuYU pybrFicn5uWlFuka6+VmluilppRuYgTHjiTfDsavB5UOMQpwMCrx8DqseOYnxJpYVlyZe4hR koNJSZT3fdVzPyG+pPyUyozE4oz4otKc1OJDjBIczEoivEkGQDnelMTKqtSifJiUNAeLkjhv 7a6HfkIC6YklqdmpqQWpRTBZGQ4OJQnebyBDBYtS01Mr0jJzShDSTBycIMN5gIZrVoMMLy5I zC3OTIfIn2JUlBLnvQnSLACSyCjNg+uFpbZXjOJArwhD3M0DTItw3a+ABjMBDY5LeQIyuCQR ISXVwFh4f239OrMYh0V75q31VmPtf5h+0ajP+5eQVJr7f86f3wNCN1S0LF/0NsW5UPJlCq/H s8kRNz91r/X+csOnrT/2WMJXlna74uyAPazlm9uW1Zga3qi7M8FSxez/Aisdx0+b7+Rd5+g8 9l33h+W0idHfL5XF7Hdj3P3w+tdfXSc3B//nCM3846vEUpyRaKjFXFScCADFLMBQSAMAAA== Subject: [OAUTH-WG] Reminder: tomorrow Webinar on UMA / OAUTH (December 14th at 10AM-PST) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Dec 2011 16:23:24 -0000 Folks, Just a gentle reminder of the UMA/OAUTH Webinar tomorrow Dec 14th. /thomas/ __________________________________________ -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of T= homas Hardjono Sent: Thursday, December 01, 2011 1:08 PM To: oauth (oauth@ietf.org) Subject: [OAUTH-WG] Webinar on UMA / OAUTH (December 14th at 10AM-PST) Folks, FYI there will be a free UMA webinar on December 14 (Wed) at 10AM-Pacific. = It will include some info/demo by implementers. The registration link is at the following site: http://kantarainitiative.org/confluence/display/uma/Home -------------------------------------- UMA Webinar on Wednesday, December 14 Don't miss the public webinar to be held on Wednesday, December 14 at 10am = PT! Register ahead of time here. Spaces are limited, so don't delay! (The w= ebinar will also be recorded for later viewing.) See the [UMA calendar] for= timezone translation help. -------------------------------------- /thomas/ __________________________________________ _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From Michael.Jones@microsoft.com Wed Dec 14 07:26:19 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9D8521F8B5A for ; Wed, 14 Dec 2011 07:26:19 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.348 X-Spam-Level: X-Spam-Status: No, score=-5.348 tagged_above=-999 required=5 tests=[AWL=1.250, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 96nLc8hNw6Ga for ; Wed, 14 Dec 2011 07:26:17 -0800 (PST) Received: from TX2EHSOBE009.bigfish.com (tx2ehsobe004.messaging.microsoft.com [65.55.88.14]) by ietfa.amsl.com (Postfix) with ESMTP id 9D6DF21F8B58 for ; Wed, 14 Dec 2011 07:26:17 -0800 (PST) Received: from mail147-tx2-R.bigfish.com (10.9.14.251) by TX2EHSOBE009.bigfish.com (10.9.40.29) with Microsoft SMTP Server id 14.1.225.23; Wed, 14 Dec 2011 15:26:19 +0000 Received: from mail147-tx2 (localhost [127.0.0.1]) by mail147-tx2-R.bigfish.com (Postfix) with ESMTP id 62BF52402DE for ; Wed, 14 Dec 2011 15:26:20 +0000 (UTC) X-SpamScore: -19 X-BigFish: VS-19(zzc85fhzz1202hzz1033IL8275eh8275bh8275dha1495iz2fh2a8h668h839h61h) X-Spam-TCS-SCL: 0:0 X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC101.redmond.corp.microsoft.com; RD:none; EFVD:NLI Received-SPF: pass (mail147-tx2: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC101.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail147-tx2 (localhost.localdomain [127.0.0.1]) by mail147-tx2 (MessageSwitch) id 1323876377963200_8839; Wed, 14 Dec 2011 15:26:17 +0000 (UTC) Received: from TX2EHSMHS007.bigfish.com (unknown [10.9.14.240]) by mail147-tx2.bigfish.com (Postfix) with ESMTP id E34D520049 for ; Wed, 14 Dec 2011 15:26:17 +0000 (UTC) Received: from TK5EX14MLTC101.redmond.corp.microsoft.com (131.107.125.8) by TX2EHSMHS007.bigfish.com (10.9.99.107) with Microsoft SMTP Server (TLS) id 14.1.225.22; Wed, 14 Dec 2011 15:26:10 +0000 Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.220]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.178]) with mapi id 14.02.0247.005; Wed, 14 Dec 2011 07:26:00 -0800 From: Mike Jones To: "oauth@ietf.org" Thread-Topic: SWD, JWT, JWS, JWE, JWK, and OAuth JWT Profile specs updated Thread-Index: Acy6dK45izXMgjgrRpWpMzeRb+EDoA== Date: Wed, 14 Dec 2011 15:26:00 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435F7625B7@TK5EX14MBXC283.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.34] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435F7625B7TK5EX14MBXC283r_" MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Subject: [OAUTH-WG] SWD, JWT, JWS, JWE, JWK, and OAuth JWT Profile specs updated X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Dec 2011 15:26:19 -0000 --_000_4E1F6AAD24975D4BA5B16804296739435F7625B7TK5EX14MBXC283r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable New versions of the SWD, JWT, JWS, JWE, JWK, and OAuth JWT Profile specs ha= ve been posted. They address a number of comments received on the JOSE lis= t and at the JOSE WG meeting in Taipei and make a number of clarifications,= corrections, and editorial improvements. The only breaking change made was to use short names in the JWK spec, as su= ggested during the WG meeting in Taipei, since JWK Key Object values are us= ed as JWE Ephemeral Public Keys, and so compactness matters. This also req= uired corresponding changes in the JWE spec. This checkin moves the definitions of the "prn" (principal) and "jti" (JSON= Token ID) claims from other specs into the JWT spec, as both of these clai= ms enable general token functionality that is likely to be used in many con= texts. This checkin is intended to be the last set of individual submissions of th= e JWS, JWE, and JWK drafts before they are refactored and submitted to the = JOSE WG as working group drafts. The primary changes requested by the JOSE= WG but not yet done are to break the algorithm profiles and identifiers ou= t into a new spec and to rework the terminology in the signature spec to us= e different terms for digital signature and HMAC integrity operations. See the Document History sections of each document for a detailed descripti= on of the changes made. These documents are available at: * http://tools.ietf.org/html/draft-jones-simple-web-discovery-02 * http://tools.ietf.org/html/draft-jones-json-web-token-07 * http://tools.ietf.org/html/draft-jones-json-web-signature-04 * http://tools.ietf.org/html/draft-jones-json-web-encryption-02 * http://tools.ietf.org/html/draft-jones-json-web-key-03 * http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03 HTML-formatted versions are available at: * http://self-issued.info/docs/draft-jones-simple-web-discovery-02.h= tml * http://self-issued.info/docs/draft-jones-json-web-token-07.html * http://self-issued.info/docs/draft-jones-json-web-signature-04.htm= l * http://self-issued.info/docs/draft-jones-json-web-encryption-02.ht= ml * http://self-issued.info/docs/draft-jones-json-web-key-03.html * http://self-issued.info/docs/draft-jones-oauth-jwt-bearer-03.html Special thanks to Jim Schaad for his detailed comments on the JWS and JWE s= pecs, many of which were incorporated into these drafts. -- Mike --_000_4E1F6AAD24975D4BA5B16804296739435F7625B7TK5EX14MBXC283r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

New versions of the SWD, JWT, JWS, JWE, JWK, and OAu= th JWT Profile specs have been posted.  They address a number of comme= nts received on the JOSE list and at the JOSE WG meeting in Taipei and make= a number of clarifications, corrections, and editorial improvements.

 

The only breaking change made was to use short names= in the JWK spec, as suggested during the WG meeting in Taipei, since JWK K= ey Object values are used as JWE Ephemeral Public Keys, and so compactness = matters.  This also required corresponding changes in the JWE spec.

 

This checkin moves the definitions of the “prn= ” (principal) and “jti” (JSON Token ID) claims from other= specs into the JWT spec, as both of these claims enable general token func= tionality that is likely to be used in many contexts.

 

This checkin is intended to be the last set of indiv= idual submissions of the JWS, JWE, and JWK drafts before they are refactore= d and submitted to the JOSE WG as working group drafts.  The primary c= hanges requested by the JOSE WG but not yet done are to break the algorithm profiles and identifiers out into a ne= w spec and to rework the terminology in the signature spec to use different= terms for digital signature and HMAC integrity operations.

 

See the Document History sections of each document f= or a detailed description of the changes made.  These documents are av= ailable at:

·        http://tools.ietf.org/html/draft-jones-simpl= e-web-discovery-02

·        http://tools.ietf.org/html/draft-jones-json-web-to= ken-07

·        http://tools.ietf.org/html/draft-jones-json-we= b-signature-04

·        http://tools.ietf.org/html/draft-jones-json-w= eb-encryption-02

·        http://tools.ietf.org/html/draft-jones-json-web-key-= 03

·        http://tools.ietf.org/html/draft-jones-oauth-jwt= -bearer-03

HTML-formatted versions are available at:=

·        http://self-issued.info/docs/draft-jo= nes-simple-web-discovery-02.html

·        http://self-issued.info/docs/draft-jones-js= on-web-token-07.html

·        http://self-issued.info/docs/draft-jone= s-json-web-signature-04.html

·        http://self-issued.info/docs/draft-jon= es-json-web-encryption-02.html

·        http://self-issued.info/docs/draft-jones-json= -web-key-03.html

·        http://self-issued.info/docs/draft-jones-= oauth-jwt-bearer-03.html

 

Special thanks to Jim Schaad for his detailed commen= ts on the JWS and JWE specs, many of which were incorporated into these dra= fts.

 

        &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p; -- Mike

 

--_000_4E1F6AAD24975D4BA5B16804296739435F7625B7TK5EX14MBXC283r_-- From Michael.Jones@microsoft.com Wed Dec 14 18:13:21 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12B5221F84AD for ; Wed, 14 Dec 2011 18:13:21 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0 X-Spam-Level: X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tn9ttVE5Dkvu for ; Wed, 14 Dec 2011 18:13:20 -0800 (PST) Received: from DB3EHSOBE003.bigfish.com (db3ehsobe003.messaging.microsoft.com [213.199.154.141]) by ietfa.amsl.com (Postfix) with ESMTP id BC3BA21F8ADC for ; Wed, 14 Dec 2011 18:13:16 -0800 (PST) Received: from mail38-db3-R.bigfish.com (10.3.81.248) by DB3EHSOBE003.bigfish.com (10.3.84.23) with Microsoft SMTP Server id 14.1.225.23; Thu, 15 Dec 2011 02:13:16 +0000 Received: from mail38-db3 (localhost [127.0.0.1]) by mail38-db3-R.bigfish.com (Postfix) with ESMTP id 91E76300475; Thu, 15 Dec 2011 02:13:18 +0000 (UTC) X-SpamScore: -38 X-BigFish: VS-38(zzbb2dI9371Ic89bh1be0I1447M1b0bM542Mc857hzz1202hzz8275ch1033IL8275bh8275dhz2fh793h2a8h668h839h34h) X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC105.redmond.corp.microsoft.com; RD:none; EFVD:NLI Received-SPF: pass (mail38-db3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC105.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail38-db3 (localhost.localdomain [127.0.0.1]) by mail38-db3 (MessageSwitch) id 1323915197344955_30428; Thu, 15 Dec 2011 02:13:17 +0000 (UTC) Received: from DB3EHSMHS002.bigfish.com (unknown [10.3.81.246]) by mail38-db3.bigfish.com (Postfix) with ESMTP id 3E66F700042; Thu, 15 Dec 2011 02:13:17 +0000 (UTC) Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (131.107.125.8) by DB3EHSMHS002.bigfish.com (10.3.87.102) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 15 Dec 2011 02:13:11 +0000 Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.220]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.02.0247.005; Wed, 14 Dec 2011 18:13:07 -0800 From: Mike Jones To: Mark Nottingham , Stephen Farrell , Hannes Tschofenig , Barry Leiba Thread-Topic: OK to post OAuth Bearer draft 15? Thread-Index: Acy6zxL5vGVpwSHMTIKvMNNyq2nAEg== Date: Thu, 15 Dec 2011 02:13:06 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.34] Content-Type: multipart/mixed; boundary="_007_4E1F6AAD24975D4BA5B16804296739435F763122TK5EX14MBXC283r_" MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Cc: "oauth@ietf.org" Subject: [OAUTH-WG] OK to post OAuth Bearer draft 15? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Dec 2011 02:13:21 -0000 --_007_4E1F6AAD24975D4BA5B16804296739435F763122TK5EX14MBXC283r_ Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435F763122TK5EX14MBXC283r_" --_000_4E1F6AAD24975D4BA5B16804296739435F763122TK5EX14MBXC283r_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 TWFyaywgU3RlcGhlbiwgSGFubmVzLCBhbmQgQmFycnksDQoNCkFueSBvYmplY3Rpb25zIHRvIHBv c3RpbmcgdGhlIHVwZGF0ZWQgQmVhcmVyIGRyYWZ0IGluY29ycG9yYXRpbmcgdGhlIHJlc3VsdHMg b2YgdGhlIEFQUFMgQXJlYSByZXZpZXcgYW5kIHRoZSBUTFMgcmVxdWlyZW1lbnRzPw0KDQogICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAt LSBNaWtlDQoNCkZyb206IE1pa2UgSm9uZXMNClNlbnQ6IE1vbmRheSwgRGVjZW1iZXIgMTIsIDIw MTEgODo1MSBBTQ0KVG86IE1hcmsgTm90dGluZ2hhbTsgJ1N0ZXBoZW4gRmFycmVsbCc7IG9hdXRo QGlldGYub3JnDQpTdWJqZWN0OiBSRTogW09BVVRILVdHXSBGVzogW2FwcHMtZGlzY3Vzc10gQVBQ UyBBcmVhIHJldmlldyBvZiBkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci0xNA0KDQoNClRoYW5r cyBmb3IgdGhlIGRldGFpbGVkIHJldmlldywgTWFyay4NCg0KDQoNClByZWxpbWluYXJ5IGRyYWZ0 IDE1IG9mIHRoZSBPQXV0aCBCZWFyZXIgc3BlY2lmaWNhdGlvbiBpcyBhdHRhY2hlZC4gIEl0IHJl c29sdmVzIHRoZSBmb3JtIGVuY29kaW5nIGlzc3VlcyByYWlzZWQgYnkgSnVsaWFuIFJlc2Noa2Ug aW4gdGhlIG1hbm5lciBkaXNjdXNzZWQgYXQgdGhlIHdvcmtpbmcgZ3JvdXAgbWVldGluZyBpbiBU YWlwZWksIGluY29ycG9yYXRlcyB0aGUgY29uc2Vuc3VzIHRleHQgb24gVExTIHZlcnNpb24gcmVx dWlyZW1lbnRzLCBhbmQgY29udGFpbnMgc2V2ZXJhbCBpbXByb3ZlbWVudHMgc3VnZ2VzdGVkIGJ5 IE1hcmsgTm90dGluZ2hhbSBkdXJpbmcgQVBQUyBhcmVhIHJldmlldy4NCg0KDQoNCk1hcmssIGNv bW1lbnRzIG9uIGFsbCB5b3VyIHByb3Bvc2VkIGNoYW5nZXMgZm9sbG93IGJlbG93Og0KDQoNCg0K KiBTZWN0aW9uIDIuMyBVUkkgUXVlcnkgUGFyYW1ldGVyDQoNCg0KDQpUaGlzIHNlY3Rpb24gZWZm ZWN0aXZlbHkgcmVzZXJ2ZXMgYSBVUkkgcXVlcnkgcGFyYW1ldGVyIGZvciB0aGUgZHJhZnQncyB1 c2UuIFRoaXMgc2hvdWxkIG5vdCBiZSBkb25lIGxpZ2h0bHksIHNpbmNlIHRoaXMgd291bGQgYmUg YSBwcmVjZWRlbnQgZm9yIHRoZSBJRVRGIGVuY3JvYWNoaW5nIHVwb24gYSBzZXJ2ZXIncyBVUklz IChkb25lIHByZXZpb3VzbHkgaW4gUkZDNTc4NSwgYnV0IGluIGEgbXVjaCBtb3JlIGxpbWl0ZWQg ZmFzaGlvbiwgYXMgYSB0YWN0aWMgdG8gcHJldmVudCBmdXJ0aGVyLCB1bmNvbnRyb2xsZWQgZW5j cm9hY2htZW50KS4NCg0KDQoNCkdpdmVuIHRoYXQgdGhlIGRyYWZ0IGFscmVhZHkgZGlzY291cmFn ZXMgdGhlIHVzZSBvZiB0aGlzIG1lY2hhbmlzbSwgSSdkIHJlY29tbWVuZCBkcm9wcGluZyBpdCBh bHRvZ2V0aGVyLiBJZiB0aGUgV29ya2luZyBHcm91cCB3aXNoZXMgaXQgdG8gcmVtYWluLCB0aGlz IGlzc3VlcyBzaG91bGQgYmUgdmV0dGVkIGJvdGggdGhyb3VnaCB0aGUgQVBQUyBhcmVhIGFuZCB0 aGUgVzNDIGxpYWlzb24uDQoNCg0KDQooVGhlIHNhbWUgY3JpdGljaXNtIGNvdWxkIGJlIGxldmVs ZWQgYXQgU2VjdGlvbiAyLjIgRm9ybS1FbmNvZGVkIEJvZHkgUGFyYW1ldGVyLCBidXQgdGhhdCBh dCBsZWFzdCBpc24ndCBzdXJmYWNlZCBpbiBhbiBpZGVudGlmaWVyKQ0KDQoNCg0KVGhlcmUgYXJl IHNvbWUgY29udGV4dHMsIGVzcGVjaWFsbHkgbGltaXRlZCBicm93c2VycyBhbmQvb3IgZGV2ZWxv cG1lbnQgZW52aXJvbm1lbnRzLCB3aGVyZSBxdWVyeSBwYXJhbWV0ZXJzIGFyZSB1c2FibGUgYnV0 IHRoZSBvdGhlciBtZXRob2RzIGFyZSBub3QuICBUaHVzLCB0aGUgcXVlcnkgcGFyYW1ldGVyIG1l dGhvZCBtdXN0IGJlIHJldGFpbmVkLiAgQWxzbywgSnVzdGluIFJpY2h0ZXLigJlzIGNvbW1lbnRz IGRlc2NyaWJpbmcgdGhlIHZhbHVlIHRvIGhpbSBvZiB0aGUgcXVlcnkgcGFyYW1ldGVyIG1ldGhv ZCBhcmUgcGVydGluZW50OiAg4oCcQSBVUkwgd2l0aCBhbGwgcGFyYW1ldGVycyBpbmNsdWRpbmcg YXV0aG9yaXphdGlvbiBpcyBhIHBvd2VyZnVsIGFydGlmYWN0IHdoaWNoIGNhbiBiZSBwYXNzZWQg YXJvdW5kIGJldHdlZW4gc3lzdGVtcyBhcyBhIHVuaXTigJ0uDQoNCg0KDQpBcyB0byB1c2luZyBh IHN0YW5kYXJkIHBhcmFtZXRlciBuYW1lLCB0aGlzIGlzIGVzc2VudGlhbCBmb3IgaW50ZXJvcGVy YWJpbGl0eS4gIEl0IGlzIG5vdCDigJxyZXNlcnZlZOKAnSBpbiBhbnkgY29udGV4dHMgb3RoZXIg dGhhbiB3aGVuIHRoZSBCZWFyZXIgc3BlYyBpcyBlbXBsb3llZCwgd2hpY2ggaXMgYSB2b2x1bnRh cnkgYWN0IGJ5IGJvdGggcGFydGllcy4gIFRodXMsIHRoaXMgcG9zZXMgbm8gdW5kdWUgYnVyZGVu cyBvciBuYW1lc3BhY2UgcmVzdHJpY3Rpb25zIG9uIGltcGxlbWVudGF0aW9ucyBpbiBwcmFjdGlj ZS4NCg0KDQoNCkZpbmFsbHksIHlvdeKAmWxsIGZpbmQgdGhhdCBPQXV0aCAxLjAgW1JGQyA1ODQ5 PGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzU4NDk+XSBzaW1pbGFybHkgZGVmaW5lZCwg bm90IG9uZSwgYnV0IHR3byBzdGFuZGFyZCBxdWVyeSBwYXJhbWV0ZXIgdmFsdWVzOiAgb2F1dGhf dG9rZW4gYW5kIG9hdXRoX3ZlcmlmaWVyLiAgQXMgdGhpcyBkaWRu4oCZdCBjYXVzZSBhbnkgcHJv YmxlbXMgaW4gcHJhY3RpY2UgdGhlbiwgSeKAmW0gc3VyZSB0aGF0IGRlZmluaW5nIGFuIGFjY2Vz c190b2tlbiBwYXJhbWV0ZXIgd2l0aGluIHRoZSBCZWFyZXIgc3BlYyBmb3IgaW50ZXJvcGVyYWJp bGl0eSBwdXJwb3NlcyB3b27igJl0IGNhdXNlIGEgcHJvYmxlbSBlaXRoZXIuDQoNCg0KDQoqIFNl Y3Rpb24gMyBUaGUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBIZWFkZXIgRmllbGQNCg0KDQoN ClRoZSBkcmFmdCByZWZlcmVuY2VzIHRoZSBxdW90ZWQtc3RyaW5nIEFCTkYgZnJvbSBIVFRQLCBi dXQgY2hhbmdlcyBpdHMgcHJvY2Vzc2luZyBpbiBhIGxhdGVyIHBhcmFncmFwaDoNCg0KDQoNCiIi IkluIGFsbCB0aGVzZSBjYXNlcywgbm8gY2hhcmFjdGVyIHF1b3Rpbmcgd2lsbCBvY2N1ciwgYXMg c2VuZGVycyBhcmUgcHJvaGliaXRlZCBmcm9tIHVzaW5nIHRoZSAlNUMgKCdcJykgY2hhcmFjdGVy LiIiIg0KDQoNCg0KVGhpcyBpcyBhdCBiZXN0IHN1cnByaXNpbmcgKGFzIG1hbnkgcmVhZGVycyB3 aWxsIHJlYXNvbmFibHkgc3VybWlzZSB0aGF0IHVzaW5nIHRoZSBxdW90ZWQtc3RyaW5nIEFCTkYg aW1wbGllcyB0aGF0IHRoZSBzYW1lIGNvZGUgY2FuIGJlIHVzZWQpLg0KDQpQbGVhc2UgZWl0aGVy IHVzZSBxdW90ZWQtc3RyaW5nIGFzIGRlZmluZWQgKGkuZS4sIHdpdGggZXNjYXBpbmcpLg0KDQoN Cg0KVGhpcyBwYXJhbWV0ZXIgZGVmaW5pdGlvbiB3YXMgYSByZXN1bHQgb2Ygc2lnbmlmaWNhbnQg d29ya2luZyBncm91cCBkaXNjdXNzaW9uIGFuZCByZWZsZWN0cyBhIHNvbGlkIGNvbnNlbnN1cyBw b3NpdGlvbi4gIFVzaW5nIHRoZSBxdW90ZWQgc3RyaW5nIEJORiBtYWtlcyBpdCBjbGVhciwgcGVy IEp1bGlhbiBSZXNjaGtl4oCZcyBzdWdnZXN0aW9ucywgdGhhdCBnZW5lcmljIHBhcmFtZXRlciBw YXJzaW5nIGNvZGUgY2FuIGJlIHNhZmVseSB1c2VkLiAgV2hlcmVhcyBwcm9oaWJpdGluZyB0aGUg dXNlIG9mIGJhY2tzbGFzaCBxdW90aW5nIGJ5IHNlbmRlcnMgYWxzbyBtYWtlcyBpdCBjbGVhciB0 aGF0IGN1c3RvbSBpbXBsZW1lbnRhdGlvbnMgY2FuIGRpcmVjdGx5IHV0aWxpemUgdGhlIHBhcmFt ZXRlciB2YWx1ZXMgYXMgdHJhbnNtaXR0ZWQgd2l0aG91dCBwZXJmb3JtaW5nIGFueSBxdW90ZSBw cm9jZXNzaW5nLg0KDQoNCg0KSW4gc2hvcnQsIHRoZSBzcGVjIGRvZXNu4oCZdCBjaGFuZ2UgdGhl IHByb2Nlc3Npbmcgb2YgcXVvdGVkIHN0cmluZ3MuICBJdCBzaW1wbHkgcmVzdHJpY3RzIHRoZSBz ZXQgb2YgbGVnYWwgaW5wdXQgY2hhcmFjdGVycyB3aXRoaW4gdGhlIHF1b3RlZCBzdHJpbmdzLg0K DQoNCg0KKiBTZWN0aW9uIDE6IEludHJvZHVjdGlvbg0KDQoNCg0KVGhlIGludHJvZHVjdGlvbiBl eHBsYWlucyBvYXV0aCwgYnV0IGl0IGRvZXNuJ3QgZnVsbHkgZXhwbGFpbiB0aGUgcmVsYXRpb25z aGlwIG9mIHRoaXMgc3BlY2lmaWNhdGlvbiB0byBPQXV0aCAyLjAuIEUuZy4sIGNhbiBpdCBiZSB1 c2VkIGluZGVwZW5kZW50bHkgZnJvbSB0aGUgcmVzdCBvZiBPQXV0aD8gTGlrZXdpc2UsIHRoZSBv dmVydmlldyAoc2VjdGlvbg0KDQoxLjMpIHNlZW1zIG1vcmUgc3BlY2lmaWMgdG8gdGhlIE9BdXRo IHNwZWNpZmljYXRpb24gdGhhbiB0aGlzIGRvY3VtZW50Lg0KDQpBcyBJIHJlYWQgaXQsIHRoaXMg bWVjaGFuaXNtIGNvdWxkIGJlIHVzZWQgZm9yIEFOWSBiZWFyZXIgdG9rZW4sIG5vdCBqdXN0IG9u ZSBnZW5lcmF0ZWQgdGhyb3VnaCBPQXV0aCBmbG93cy4NCg0KDQoNCklmIGl0IGlzIGluZGVlZCBt b3JlIGdlbmVyYWwsIEknZCByZWNvbW1lbmQgbWluaW1pc2luZyB0aGUgZGlzY3Vzc2lvbiBvZiBP QXV0aCwgcGVyaGFwcyBldmVuIHJlbW92aW5nIGl0IGZyb20gdGhlIGRvY3VtZW50IHRpdGxlLg0K DQoNCg0KUGVyIHlvdXIgc3VnZ2VzdGlvbiwgSeKAmXZlIG1hZGUgaXQgY2xlYXIgaW4gdGhlIGlu dHJvZHVjdGlvbiB0aGF0IGJlYXJlciB0b2tlbnMgZnJvbSBhbnkgc291cmNlIGNhbiBiZSB1c2Vk IHRvIGFjY2VzcyBhc3NvY2lhdGVkIHByb3RlY3RlZCByZXNvdXJjZXMuICBUaGUgbmV3IGxhbmd1 YWdlIGluIHRoZSBpbnRyb2R1Y3Rpb24gaXM6DQoNCg0KDQrigJxUaGlzIHNwZWNpZmljYXRpb24g ZGVmaW5lcyB0aGUgdXNlIG9mIGJlYXJlciB0b2tlbnMgb3ZlciBIVFRQLzEuMSBbSeKAkUQuaWV0 ZuKAkWh0dHBiaXPigJFwMeKAkW1lc3NhZ2luZ10gdXNpbmcgVExTIFtSRkM1MjQ2XSB0byBhY2Nl c3MgcHJvdGVjdGVkIHJlc291cmNlcy4g4oCmIFdoaWxlIGRlc2lnbmVkIGZvciB1c2Ugd2l0aCBh Y2Nlc3MgdG9rZW5zIHJlc3VsdGluZyBmcm9tIE9BdXRoIDIuMCBBdXRob3JpemF0aW9uIFtJ4oCR RC5pZXRm4oCRb2F1dGjigJF2Ml0gZmxvd3MgdG8gYWNjZXNzIE9BdXRoIHByb3RlY3RlZCByZXNv dXJjZXMsIHRoaXMgc3BlY2lmaWNhdGlvbiBhY3R1YWxseSBkZWZpbmVzIGEgZ2VuZXJhbCBIVFRQ IGF1dGhvcml6YXRpb24gbWV0aG9kIHRoYXQgY2FuIGJlIHVzZWQgd2l0aCBiZWFyZXIgdG9rZW5z IGZyb20gYW55IHNvdXJjZSB0byBhY2Nlc3MgYW55IHJlc291cmNlcyBwcm90ZWN0ZWQgYnkgdGhv c2UgYmVhcmVyIHRva2Vucy7igJ0NCg0KDQoNCiogU2VjdGlvbiAzIFRoZSBXV1ctQXV0aGVudGlj YXRlIFJlc3BvbnNlIEhlYWRlciBGaWVsZA0KDQoNCg0KVGhlIGRpZmZlcmVuY2UgYmV0d2VlbiBh IHJlYWxtIGFuZCBhIHNjb3BlIGlzIG5vdCBleHBsYWluZWQuIEFyZSB0aGUgZnVuY3Rpb25hbGx5 IGVxdWl2YWxlbnQsIGp1c3QgYSBzaW5nbGUgdmFsdWUgdnMuIGEgbGlzdD8NCg0KDQoNClJlYWxt IGlzIGFzIGRlZmluZWQgYnkgSFRUUGJpcy4gIEl0IHNheXMgdGhhdCDigJxUaGUgcmVhbG0gdmFs dWUgaXMgYSBzdHJpbmcsIGdlbmVyYWxseSBhc3NpZ25lZCBieSB0aGUgb3JpZ2luIHNlcnZlciwg d2hpY2ggY2FuIGhhdmUgYWRkaXRpb25hbCBzZW1hbnRpY3Mgc3BlY2lmaWMgdG8gdGhlIGF1dGhl bnRpY2F0aW9uIHNjaGVtZS7igJ0gIFRoZSBCZWFyZXIgc3BlY2lmaWNhdGlvbiBpbnRlbnRpb25h bGx5IGFkZHMgbm8gZXh0cmEgc2VtYW50aWNzIHRvIHRoZSByZWFsbSBkZWZpbml0aW9uLiAgV2hl cmVhcyB0aGUgc2NvcGUgcGFyYW1ldGVyIGlzIGRlZmluZWQgYXMgYW4gb3JkZXItaW5kZXBlbmRl bnQgc3BhY2Utc2VwYXJhdGVkIGxpc3Qgb2Ygc2NvcGUgdmFsdWVzLiAgVGhlIGNvbnRleHR1YWwg bWVhbmluZyBvZiBib3RoIHRoZSByZWFsbSBhbmQgc2NvcGUgcGFyYW1ldGVycyBpcyBkZXBsb3lt ZW50LWRlcGVuZGVudC4NCg0KDQoNCkRvIHlvdSByZWFsbHkgaW50ZW5kIHRvIGRpc2FsbG93ICph bGwqIGV4dGVuc2lvbiBwYXJhbWV0ZXJzIG9uIHRoZSBjaGFsbGVuZ2U/DQoNCg0KDQpZZXMuICBU aGVyZSB3YXMgYW4gZXhwbGljaXQgd29ya2luZyBncm91cCBjb25zZW5zdXMgZGVjaXNpb24gdG8g ZG8gc28uDQoNCg0KDQpBbHNvLCB0aGUgc2NvcGUsIGVycm9yLCBlcnJvcl9kZXNjcmlwdGlvbiBh bmQgZXJyb3JfdXJpIHBhcmFtZXRlcnMgYWxsIHNwZWNpZnkgb25seSBhIHF1b3RlZC1zdHJpbmcg c2VyaWFsaXNhdGlvbi4gSFRUUGJpcyBzdHJvbmdseSBzdWdnZXN0cyB0aGF0IG5ldyBzY2hlbWVz IGFsbG93IGJvdGggZm9ybXMsIGJlY2F1c2UgaW1wbGVtZW50YXRpb24gZXhwZXJpZW5jZSBoYXMg c2hvd24gdGhhdCBpbXBsZW1lbnRhdGlvbnMgd2lsbCBsaWtlbHkgc3VwcG9ydCBib3RoLCBubyBt YXR0ZXIgaG93IGRlZmluZWQ7IHRoaXMgaW1wcm92ZXMgaW50ZXJvcGVyYWJpbGl0eSAoc2VlIHA3 IDIuMy4xKS4NCg0KDQoNCk9uY2UgYWdhaW4sIHRoZSBjdXJyZW50IHRleHQgcmVmbGVjdHMgYSBj b25zZW5zdXMgZGVjaXNpb24gb2YgdGhlIHdvcmtpbmcgZ3JvdXAuICBJdCB3YXMgdmlld2VkIHRo YXQgcmVxdWlyaW5nIHN1cHBvcnQgZm9yIG11bHRpcGxlIHdheXMgb2YgZG9pbmcgdGhlIHNhbWUg dGhpbmcgdW5uZWNlc3NhcmlseSBjb21wbGljYXRlZCBpbXBsZW1lbnRhdGlvbnMgd2l0aG91dCBh bnkgY29tcGVuc2F0aW5nIGJlbmVmaXQ7IGJldHRlciB0byBzdXBwb3J0IG9uZSBzeW50YXggZm9y IGVhY2ggc2VtYW50aWMgb3BlcmF0aW9uIGFuZCByZXF1aXJlIGFsbCBpbXBsZW1lbnRhdGlvbnMg dG8gdXNlIGl0Lg0KDQoNCg0KRmluYWxseSwgdGhlIGVycm9yX2Rlc2NyaXB0aW9uIHBhcmFtZXRl ciBjYW4gY2Fycnkgb25seSBBU0NJSSBjaGFyYWN0ZXJzLiBXaGlsZSBJIHVuZGVyc3RhbmQgYSB0 cmFkZW9mZiBoYXMgYmVlbiBtYWRlIGhlcmUgKGFuZCwgaW4gbXkganVkZ2VtZW50LCBhbiBhcHBy b3ByaWF0ZSBvbmUpLCBpdCdzIGFwcHJvcHJpYXRlIHRvIGhpZ2hsaWdodCB0aGlzIGluIHJldmll dy4NCg0KDQoNCk5vdGVkDQoNCg0KDQoqIEdlbmVyYWwNCg0KDQoNClRoZSBkcmFmdCBjdXJyZW50 bHkgZG9lc24ndCBtZW50aW9uIHdoZXRoZXIgQmVhcmVyIGlzIHN1aXRhYmxlIGZvciB1c2UgYXMg YSBwcm94eSBhdXRoZW50aWNhdGlvbiBzY2hlbWUuIEkgc3VzcGVjdCBpdCAqbWF5KjsgaXQgd291 bGQgYmUgd29ydGggZGlzY3Vzc2luZyB0aGlzIHdpdGggc29tZSBwcm94eSBpbXBsZW1lbnRlcnMg dG8gZ2F1Z2UgdGhlaXIgaW50ZXJlc3QgKGUuZy4sIFNxdWlkKS4NCg0KDQoNCldobyB3b3VsZCB5 b3UgcmVjb21tZW5kIHJldmlldyB0aGUgZHJhZnQgZnJvbSB0aGlzIHBlcnNwZWN0aXZlPw0KDQoN Cg0KRmluYWxseSwgTWFyaywgSSBhcHBsaWVkIGFsbCB0aGUgZWRpdG9yaWFsIHN1Z2dlc3Rpb25z IHlvdSBtYWRlLiAgVGhhbmtzIGZvciB0aG9zZS4NCg0KDQoNCk1hcmssIFN0ZXBoZW4sIGFuZCBj aGFpcnMsIHBsZWFzZSBsZXQgbWUga25vdyB3aGV0aGVyIHRvIG5vdyBwb3N0IHRoaXMgZHJhZnQg YXMgYW4gYWN0dWFsIHN1Ym1pc3Npb24uDQoNCg0KDQogICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUaGFua3MgYWxsLA0KDQogICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtLSBN aWtlDQoNCg0KDQotLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0KRnJvbTogb2F1dGgtYm91bmNl c0BpZXRmLm9yZzxtYWlsdG86b2F1dGgtYm91bmNlc0BpZXRmLm9yZz4gW21haWx0bzpvYXV0aC1i b3VuY2VzQGlldGYub3JnXTxtYWlsdG86W21haWx0bzpvYXV0aC1ib3VuY2VzQGlldGYub3JnXT4g T24gQmVoYWxmIE9mIFRzY2hvZmVuaWcsIEhhbm5lcyAoTlNOIC0gRkkvRXNwb28pDQpTZW50OiBX ZWRuZXNkYXksIE5vdmVtYmVyIDIzLCAyMDExIDExOjUxIFBNDQpUbzogb2F1dGhAaWV0Zi5vcmc8 bWFpbHRvOm9hdXRoQGlldGYub3JnPg0KU3ViamVjdDogW09BVVRILVdHXSBGVzogW2FwcHMtZGlz Y3Vzc10gQVBQUyBBcmVhIHJldmlldyBvZiBkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci0xNA0K DQoNCg0KRllJDQoNCg0KDQotLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0KDQpGcm9tOiBhcHBz LWRpc2N1c3MtYm91bmNlc0BpZXRmLm9yZzxtYWlsdG86YXBwcy1kaXNjdXNzLWJvdW5jZXNAaWV0 Zi5vcmc+DQoNClttYWlsdG86YXBwcy1kaXNjdXNzLWJvdW5jZXNAaWV0Zi5vcmddPG1haWx0bzpb bWFpbHRvOmFwcHMtZGlzY3Vzcy1ib3VuY2VzQGlldGYub3JnXT4gT24gQmVoYWxmIE9mIGV4dCBN YXJrIE5vdHRpbmdoYW0NCg0KU2VudDogVGh1cnNkYXksIE5vdmVtYmVyIDI0LCAyMDExIDg6MjIg QU0NCg0KVG86IElFVEYgQXBwcyBEaXNjdXNzOyBkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci5h bGxAaWV0Zi5vcmc8bWFpbHRvOmRyYWZ0LWlldGYtb2F1dGgtdjItYmVhcmVyLmFsbEBpZXRmLm9y Zz4NCg0KQ2M6IFRoZSBJRVNHDQoNClN1YmplY3Q6IFthcHBzLWRpc2N1c3NdIEFQUFMgQXJlYSBy ZXZpZXcgb2YNCg0KZHJhZnQtaWV0Zi1vYXV0aC12Mi1iZWFyZXItMTQNCg0KDQoNCkkgaGF2ZSBi ZWVuIHNlbGVjdGVkIGFzIHRoZSBBcHBsaWNhdGlvbnMgQXJlYSBSZXZpZXcgVGVhbSByZXZpZXdl ciBmb3IgdGhpcyBkcmFmdCAoZm9yIGJhY2tncm91bmQgb24gYXBwcy1yZXZpZXcsIHBsZWFzZSBz ZWUgPGh0dHA6Ly93d3cuYXBwcy5pZXRmLm9yZy9jb250ZW50L2FwcGxpY2F0aW9ucy1hcmVhLXJl dmlldy10ZWFtPikuDQoNCg0KDQpQbGVhc2UgcmVzb2x2ZSB0aGVzZSBjb21tZW50cyBhbG9uZyB3 aXRoIGFueSBvdGhlciBMYXN0IENhbGwgY29tbWVudHMgeW91IG1heSByZWNlaXZlLiBQbGVhc2Ug d2FpdCBmb3IgZGlyZWN0aW9uIGZyb20geW91ciBkb2N1bWVudCBzaGVwaGVyZCBvciBBRCBiZWZv cmUgcG9zdGluZyBhIG5ldyB2ZXJzaW9uIG9mIHRoZSBkcmFmdC4NCg0KDQoNCkRvY3VtZW50OiBk cmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci0xNA0KDQpUaXRsZTogT0F1dGggMi4wIEJlYXJlciBU b2tlbnMNCg0KUmV2aWV3ZXI6IE1hcmsgTm90dGluZ2hhbQ0KDQpSZXZpZXcgRGF0ZTogMjQvMTEv MjAxMQ0KDQoNCg0KU3VtbWFyeTogVGhpcyBkcmFmdCBpcyBhbG1vc3QgcmVhZHkgZm9yIHB1Ymxp Y2F0aW9uIGFzIGEgUHJvcG9zZWQgU3RhbmRhcmQsIGJ1dCBoYXMgYSBmZXcgaXNzdWVzIHRoYXQg c2hvdWxkIGJlIGZpeGVkLg0KDQoNCg0KTWFqb3IgSXNzdWVzDQoNCi0tLS0tLS0tLS0tLQ0KDQoN Cg0KKiBTZWN0aW9uIDIuMyBVUkkgUXVlcnkgUGFyYW1ldGVyDQoNCg0KDQpUaGlzIHNlY3Rpb24g ZWZmZWN0aXZlbHkgcmVzZXJ2ZXMgYSBVUkkgcXVlcnkgcGFyYW1ldGVyIGZvciB0aGUgZHJhZnQn cyB1c2UuIFRoaXMgc2hvdWxkIG5vdCBiZSBkb25lIGxpZ2h0bHksIHNpbmNlIHRoaXMgd291bGQg YmUgYSBwcmVjZWRlbnQgZm9yIHRoZSBJRVRGIGVuY3JvYWNoaW5nIHVwb24gYSBzZXJ2ZXIncyBV UklzIChkb25lIHByZXZpb3VzbHkgaW4gUkZDNTc4NSwgYnV0IGluIGEgbXVjaCBtb3JlIGxpbWl0 ZWQgZmFzaGlvbiwgYXMgYSB0YWN0aWMgdG8gcHJldmVudCBmdXJ0aGVyLCB1bmNvbnRyb2xsZWQg ZW5jcm9hY2htZW50KS4NCg0KDQoNCkdpdmVuIHRoYXQgdGhlIGRyYWZ0IGFscmVhZHkgZGlzY291 cmFnZXMgdGhlIHVzZSBvZiB0aGlzIG1lY2hhbmlzbSwgSSdkIHJlY29tbWVuZCBkcm9wcGluZyBp dCBhbHRvZ2V0aGVyLiBJZiB0aGUgV29ya2luZyBHcm91cCB3aXNoZXMgaXQgdG8gcmVtYWluLCB0 aGlzIGlzc3VlcyBzaG91bGQgYmUgdmV0dGVkIGJvdGggdGhyb3VnaCB0aGUgQVBQUyBhcmVhIGFu ZCB0aGUgVzNDIGxpYWlzb24uDQoNCg0KDQooVGhlIHNhbWUgY3JpdGljaXNtIGNvdWxkIGJlIGxl dmVsZWQgYXQgU2VjdGlvbiAyLjIgRm9ybS1FbmNvZGVkIEJvZHkgUGFyYW1ldGVyLCBidXQgdGhh dCBhdCBsZWFzdCBpc24ndCBzdXJmYWNlZCBpbiBhbiBpZGVudGlmaWVyKQ0KDQoNCg0KKiBTZWN0 aW9uIDMgVGhlIFdXVy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVyIEZpZWxkDQoNCg0KDQpU aGUgZHJhZnQgcmVmZXJlbmNlcyB0aGUgcXVvdGVkLXN0cmluZyBBQk5GIGZyb20gSFRUUCwgYnV0 IGNoYW5nZXMgaXRzIHByb2Nlc3NpbmcgaW4gYSBsYXRlciBwYXJhZ3JhcGg6DQoNCg0KDQoiIiJJ biBhbGwgdGhlc2UgY2FzZXMsIG5vIGNoYXJhY3RlciBxdW90aW5nIHdpbGwgb2NjdXIsIGFzIHNl bmRlcnMgYXJlIHByb2hpYml0ZWQgZnJvbSB1c2luZyB0aGUgJTVDICgnXCcpIGNoYXJhY3Rlci4i IiINCg0KDQoNClRoaXMgaXMgYXQgYmVzdCBzdXJwcmlzaW5nIChhcyBtYW55IHJlYWRlcnMgd2ls bCByZWFzb25hYmx5IHN1cm1pc2UgdGhhdCB1c2luZyB0aGUgcXVvdGVkLXN0cmluZyBBQk5GIGlt cGxpZXMgdGhhdCB0aGUgc2FtZSBjb2RlIGNhbiBiZSB1c2VkKS4NCg0KUGxlYXNlIGVpdGhlciB1 c2UgcXVvdGVkLXN0cmluZyBhcyBkZWZpbmVkIChpLmUuLCB3aXRoIGVzY2FwaW5nKS4NCg0KDQoN Cg0KDQpNaW5vciBJc3N1ZXMNCg0KLS0tLS0tLS0tLS0tDQoNCg0KDQoqIFNlY3Rpb24gMTogSW50 cm9kdWN0aW9uDQoNCg0KDQpUaGUgaW50cm9kdWN0aW9uIGV4cGxhaW5zIG9hdXRoLCBidXQgaXQg ZG9lc24ndCBmdWxseSBleHBsYWluIHRoZSByZWxhdGlvbnNoaXAgb2YgdGhpcyBzcGVjaWZpY2F0 aW9uIHRvIE9BdXRoIDIuMC4gRS5nLiwgY2FuIGl0IGJlIHVzZWQgaW5kZXBlbmRlbnRseSBmcm9t IHRoZSByZXN0IG9mIE9BdXRoPyBMaWtld2lzZSwgdGhlIG92ZXJ2aWV3IChzZWN0aW9uDQoNCjEu Mykgc2VlbXMgbW9yZSBzcGVjaWZpYyB0byB0aGUgT0F1dGggc3BlY2lmaWNhdGlvbiB0aGFuIHRo aXMgZG9jdW1lbnQuDQoNCkFzIEkgcmVhZCBpdCwgdGhpcyBtZWNoYW5pc20gY291bGQgYmUgdXNl ZCBmb3IgQU5ZIGJlYXJlciB0b2tlbiwgbm90IGp1c3Qgb25lIGdlbmVyYXRlZCB0aHJvdWdoIE9B dXRoIGZsb3dzLg0KDQoNCg0KSWYgaXQgaXMgaW5kZWVkIG1vcmUgZ2VuZXJhbCwgSSdkIHJlY29t bWVuZCBtaW5pbWlzaW5nIHRoZSBkaXNjdXNzaW9uIG9mIE9BdXRoLCBwZXJoYXBzIGV2ZW4gcmVt b3ZpbmcgaXQgZnJvbSB0aGUgZG9jdW1lbnQgdGl0bGUuDQoNCg0KDQoqIFNlY3Rpb24gMyBUaGUg V1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBIZWFkZXIgRmllbGQNCg0KDQoNClRoZSBkaWZmZXJl bmNlIGJldHdlZW4gYSByZWFsbSBhbmQgYSBzY29wZSBpcyBub3QgZXhwbGFpbmVkLiBBcmUgdGhl IGZ1bmN0aW9uYWxseSBlcXVpdmFsZW50LCBqdXN0IGEgc2luZ2xlIHZhbHVlIHZzLiBhIGxpc3Q/ DQoNCg0KDQpEbyB5b3UgcmVhbGx5IGludGVuZCB0byBkaXNhbGxvdyAqYWxsKiBleHRlbnNpb24g cGFyYW1ldGVycyBvbiB0aGUgY2hhbGxlbmdlPw0KDQoNCg0KQWxzbywgdGhlIHNjb3BlLCBlcnJv ciwgZXJyb3JfZGVzY3JpcHRpb24gYW5kIGVycm9yX3VyaSBwYXJhbWV0ZXJzIGFsbCBzcGVjaWZ5 IG9ubHkgYSBxdW90ZWQtc3RyaW5nIHNlcmlhbGlzYXRpb24uIEhUVFBiaXMgc3Ryb25nbHkgc3Vn Z2VzdHMgdGhhdCBuZXcgc2NoZW1lcyBhbGxvdyBib3RoIGZvcm1zLCBiZWNhdXNlIGltcGxlbWVu dGF0aW9uIGV4cGVyaWVuY2UgaGFzIHNob3duIHRoYXQgaW1wbGVtZW50YXRpb25zIHdpbGwgbGlr ZWx5IHN1cHBvcnQgYm90aCwgbm8gbWF0dGVyIGhvdyBkZWZpbmVkOyB0aGlzIGltcHJvdmVzIGlu dGVyb3BlcmFiaWxpdHkgKHNlZSBwNyAyLjMuMSkuDQoNCg0KDQpGaW5hbGx5LCB0aGUgZXJyb3Jf ZGVzY3JpcHRpb24gcGFyYW1ldGVyIGNhbiBjYXJyeSBvbmx5IEFTQ0lJIGNoYXJhY3RlcnMuIFdo aWxlIEkgdW5kZXJzdGFuZCBhIHRyYWRlb2ZmIGhhcyBiZWVuIG1hZGUgaGVyZSAoYW5kLCBpbiBt eSBqdWRnZW1lbnQsIGFuIGFwcHJvcHJpYXRlIG9uZSksIGl0J3MgYXBwcm9wcmlhdGUgdG8gaGln aGxpZ2h0IHRoaXMgaW4gcmV2aWV3Lg0KDQoNCg0KKiBHZW5lcmFsDQoNCg0KDQpUaGUgZHJhZnQg Y3VycmVudGx5IGRvZXNuJ3QgbWVudGlvbiB3aGV0aGVyIEJlYXJlciBpcyBzdWl0YWJsZSBmb3Ig dXNlIGFzIGEgcHJveHkgYXV0aGVudGljYXRpb24gc2NoZW1lLiBJIHN1c3BlY3QgaXQgKm1heSo7 IGl0IHdvdWxkIGJlIHdvcnRoIGRpc2N1c3NpbmcgdGhpcyB3aXRoIHNvbWUgcHJveHkgaW1wbGVt ZW50ZXJzIHRvIGdhdWdlIHRoZWlyIGludGVyZXN0IChlLmcuLCBTcXVpZCkuDQoNCg0KDQoNCg0K Tml0cw0KDQotLS0tDQoNCg0KDQoqIFNlY3Rpb24gMi4xIEF1dGhvcml6YXRpb24gUmVxdWVzdCBI ZWFkZXIgRmllbGQNCg0KDQoNCiJzaW1wbGljaXR5IHJlYXNvbnMiIC0tPiAic2ltcGxpY2l0eSIN Cg0KDQoNCiJJZiBhZGRpdGlvbmFsIHBhcmFtZXRlcnMgYXJlIGRlc2lyZWQgaW4gdGhlIGZ1dHVy ZSwgYSBkaWZmZXJlbnQgc2NoZW1lIGNvdWxkIGJlIGRlZmluZWQuIiAtLT4gIklmIGFkZGl0aW9u YWwgcGFyYW1ldGVycyBhcmUgbmVlZGVkIGluIHRoZSBmdXR1cmUsIGEgZGlmZmVyZW50IHNjaGVt ZSB3b3VsZCBuZWVkIHRvIGJlIGRlZmluZWQuIg0KDQoNCg0KKiBTZWN0aW9uIDMgVGhlIFdXVy1B dXRoZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVyIEZpZWxkDQoNCg0KDQpUaGUgcmVxdWlyZW1lbnQg dGhhdCBhIHJlc291cmNlIHNlcnZlciBNVVNUIGluY2x1ZGUgdGhlIEhUVFAgV1dXLUF1dGhlbnRp Y2F0ZSByZXNwb25zZSBoZWFkZXIgZmllbGQgaXMgb2RkOyByZWFsbHkgdGhpcyBpcyBhdCB0aGUg ZGlzY3JldGlvbiBvZiB0aGUgc2VydmVyLiBJcyBpdCByZWFsbHkgbmVjZXNzYXJ5IHRvIHVzZSBh IGNvbmZvcm1hbmNlIHJlcXVpcmVtZW50IGhlcmU/DQoNCg0KDQpVUkktcmVmZXJlbmNlIC0tPiBV UkktUmVmZXJlbmNlDQoNCg0KDQoqIFNlY3Rpb24gMy4xIEVycm9yIENvZGVzDQoNCg0KDQo0MDUg YmVsb25ncyBpbiB0aGUgbGlzdCBvZiB0eXBpY2FsbHkgYXBwcm9wcmlhdGUgc3RhdHVzIGNvZGVz IGFzIHdlbGwuDQoNCg0KDQoNCg0KS2luZCByZWdhcmRzLA0KDQoNCg0KLS0NCg0KTWFyayBOb3R0 aW5naGFtICAgaHR0cDovL3d3dy5tbm90Lm5ldC8NCg0KDQoNCg0KDQoNCg0KX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCg0KYXBwcy1kaXNjdXNzIG1haWxp bmcgbGlzdA0KDQphcHBzLWRpc2N1c3NAaWV0Zi5vcmc8bWFpbHRvOmFwcHMtZGlzY3Vzc0BpZXRm Lm9yZz4NCg0KaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9hcHBzLWRpc2N1 c3MNCg0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCg0K T0F1dGggbWFpbGluZyBsaXN0DQoNCk9BdXRoQGlldGYub3JnPG1haWx0bzpPQXV0aEBpZXRmLm9y Zz4NCg0KaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aA0KDQoNCg== --_000_4E1F6AAD24975D4BA5B16804296739435F763122TK5EX14MBXC283r_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 Ik1TIEdvdGhpYyI7DQoJcGFub3NlLTE6MiAxMSA2IDkgNyAyIDUgOCAyIDQ7fQ0KQGZvbnQtZmFj ZQ0KCXtmb250LWZhbWlseToiTVMgR290aGljIjsNCglwYW5vc2UtMToyIDExIDYgOSA3IDIgNSA4 IDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAx NSA1IDIgMiAyIDQgMyAyIDQ7fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWlseTpUYWhvbWE7DQoJ cGFub3NlLTE6MiAxMSA2IDQgMyA1IDQgNCAyIDQ7fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWls eToiXEBNUyBHb3RoaWMiOw0KCXBhbm9zZS0xOjIgMTEgNiA5IDcgMiA1IDggMiA0O30NCi8qIFN0 eWxlIERlZmluaXRpb25zICovDQpwLk1zb05vcm1hbCwgbGkuTXNvTm9ybWFsLCBkaXYuTXNvTm9y bWFsDQoJe21hcmdpbjowaW47DQoJbWFyZ2luLWJvdHRvbTouMDAwMXB0Ow0KCWZvbnQtc2l6ZTox MS4wcHQ7DQoJZm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjt9DQphOmxpbmssIHNw YW4uTXNvSHlwZXJsaW5rDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjpibHVlOw0K CXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KYTp2aXNpdGVkLCBzcGFuLk1zb0h5cGVybGlu a0ZvbGxvd2VkDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjpwdXJwbGU7DQoJdGV4 dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQpwLk1zb1BsYWluVGV4dCwgbGkuTXNvUGxhaW5UZXh0 LCBkaXYuTXNvUGxhaW5UZXh0DQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUt bGluazoiUGxhaW4gVGV4dCBDaGFyIjsNCgltYXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAw MDFwdDsNCglmb250LXNpemU6MTEuMHB0Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1z ZXJpZiI7fQ0KcHJlDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGluazoi SFRNTCBQcmVmb3JtYXR0ZWQgQ2hhciI7DQoJbWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4w MDAxcHQ7DQoJZm9udC1zaXplOjEwLjBwdDsNCglmb250LWZhbWlseToiQ291cmllciBOZXciO30N CnAuTXNvQWNldGF0ZSwgbGkuTXNvQWNldGF0ZSwgZGl2Lk1zb0FjZXRhdGUNCgl7bXNvLXN0eWxl LXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJCYWxsb29uIFRleHQgQ2hhciI7DQoJbWFy Z2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9udC1zaXplOjguMHB0Ow0KCWZv bnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIjt9DQpzcGFuLkhUTUxQcmVmb3JtYXR0ZWRD aGFyDQoJe21zby1zdHlsZS1uYW1lOiJIVE1MIFByZWZvcm1hdHRlZCBDaGFyIjsNCgltc28tc3R5 bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6IkhUTUwgUHJlZm9ybWF0dGVkIjsNCglm b250LWZhbWlseToiQ291cmllciBOZXciO30NCnNwYW4uUGxhaW5UZXh0Q2hhcg0KCXttc28tc3R5 bGUtbmFtZToiUGxhaW4gVGV4dCBDaGFyIjsNCgltc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNv LXN0eWxlLWxpbms6IlBsYWluIFRleHQiOw0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1z ZXJpZiI7fQ0Kc3Bhbi5CYWxsb29uVGV4dENoYXINCgl7bXNvLXN0eWxlLW5hbWU6IkJhbGxvb24g VGV4dCBDaGFyIjsNCgltc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6IkJh bGxvb24gVGV4dCI7DQoJZm9udC1mYW1pbHk6IlRhaG9tYSIsInNhbnMtc2VyaWYiO30NCnNwYW4u RW1haWxTdHlsZTIzDQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsO30NCnNwYW4uRW1haWxTdHls ZTI0DQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsLXJlcGx5Ow0KCWZvbnQtZmFtaWx5OiJDYWxp YnJpIiwic2Fucy1zZXJpZiI7DQoJY29sb3I6IzFGNDk3RDt9DQouTXNvQ2hwRGVmYXVsdA0KCXtt c28tc3R5bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LXNpemU6MTAuMHB0O30NCkBwYWdlIFdv cmRTZWN0aW9uMQ0KCXtzaXplOjguNWluIDExLjBpbjsNCgltYXJnaW46MS4waW4gMS4waW4gMS4w aW4gMS4waW47fQ0KZGl2LldvcmRTZWN0aW9uMQ0KCXtwYWdlOldvcmRTZWN0aW9uMTt9DQotLT48 L3N0eWxlPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVkZWZhdWx0cyB2OmV4dD0i ZWRpdCIgc3BpZG1heD0iMTAyNiIgLz4NCjwveG1sPjwhW2VuZGlmXS0tPjwhLS1baWYgZ3RlIG1z byA5XT48eG1sPg0KPG86c2hhcGVsYXlvdXQgdjpleHQ9ImVkaXQiPg0KPG86aWRtYXAgdjpleHQ9 ImVkaXQiIGRhdGE9IjEiIC8+DQo8L286c2hhcGVsYXlvdXQ+PC94bWw+PCFbZW5kaWZdLS0+DQo8 L2hlYWQ+DQo8Ym9keSBsYW5nPSJFTi1VUyIgbGluaz0iYmx1ZSIgdmxpbms9InB1cnBsZSI+DQo8 ZGl2IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImNvbG9yOiMxRjQ5N0QiPk1hcmssIFN0ZXBoZW4sIEhhbm5lcywgYW5kIEJhcnJ5LDxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xv cjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+QW55IG9iamVjdGlvbnMgdG8gcG9zdGlu ZyB0aGUgdXBkYXRlZCBCZWFyZXIgZHJhZnQgaW5jb3Jwb3JhdGluZyB0aGUgcmVzdWx0cyBvZiB0 aGUgQVBQUyBBcmVhIHJldmlldyBhbmQgdGhlIFRMUyByZXF1aXJlbWVudHM/PG86cD48L286cD48 L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5 N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgLS0gTWlrZTxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0 OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8ZGl2Pg0KPGRpdiBzdHlsZT0iYm9y ZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEuMHB0O3BhZGRpbmc6My4wcHQgMGlu IDBpbiAwaW4iPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYm cXVvdDsiPkZyb206PC9zcGFuPjwvYj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250 LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+IE1pa2Ug Sm9uZXMNCjxicj4NCjxiPlNlbnQ6PC9iPiBNb25kYXksIERlY2VtYmVyIDEyLCAyMDExIDg6NTEg QU08YnI+DQo8Yj5Ubzo8L2I+IE1hcmsgTm90dGluZ2hhbTsgJ1N0ZXBoZW4gRmFycmVsbCc7IG9h dXRoQGlldGYub3JnPGJyPg0KPGI+U3ViamVjdDo8L2I+IFJFOiBbT0FVVEgtV0ddIEZXOiBbYXBw cy1kaXNjdXNzXSBBUFBTIEFyZWEgcmV2aWV3IG9mIGRyYWZ0LWlldGYtb2F1dGgtdjItYmVhcmVy LTE0PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VGhh bmtzIGZvciB0aGUgZGV0YWlsZWQgcmV2aWV3LCBNYXJrLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij5QcmVsaW1pbmFyeSBkcmFmdCAxNSBvZiB0aGUgT0F1dGggQmVhcmVyIHNwZWNpZmlj YXRpb24gaXMgYXR0YWNoZWQuJm5ic3A7IEl0IHJlc29sdmVzIHRoZSBmb3JtIGVuY29kaW5nIGlz c3VlcyByYWlzZWQgYnkgSnVsaWFuIFJlc2Noa2UgaW4gdGhlIG1hbm5lciBkaXNjdXNzZWQgYXQg dGhlIHdvcmtpbmcgZ3JvdXAgbWVldGluZyBpbiBUYWlwZWksIGluY29ycG9yYXRlcyB0aGUgY29u c2Vuc3VzIHRleHQgb24gVExTDQogdmVyc2lvbiByZXF1aXJlbWVudHMsIGFuZCBjb250YWlucyBz ZXZlcmFsIGltcHJvdmVtZW50cyBzdWdnZXN0ZWQgYnkgTWFyayBOb3R0aW5naGFtIGR1cmluZyBB UFBTIGFyZWEgcmV2aWV3LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5NYXJrLCBjb21t ZW50cyBvbiBhbGwgeW91ciBwcm9wb3NlZCBjaGFuZ2VzIGZvbGxvdyBiZWxvdzo8bzpwPjwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiogU2VjdGlvbiAy LjMgVVJJIFF1ZXJ5IFBhcmFtZXRlcjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu VGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPlRoaXMgc2VjdGlv biBlZmZlY3RpdmVseSByZXNlcnZlcyBhIFVSSSBxdWVyeSBwYXJhbWV0ZXIgZm9yIHRoZSBkcmFm dCdzIHVzZS4gVGhpcyBzaG91bGQgbm90IGJlIGRvbmUgbGlnaHRseSwgc2luY2UgdGhpcyB3b3Vs ZCBiZSBhIHByZWNlZGVudCBmb3IgdGhlIElFVEYgZW5jcm9hY2hpbmcgdXBvbiBhIHNlcnZlcidz IFVSSXMgKGRvbmUgcHJldmlvdXNseSBpbg0KIFJGQzU3ODUsIGJ1dCBpbiBhIG11Y2ggbW9yZSBs aW1pdGVkIGZhc2hpb24sIGFzIGEgdGFjdGljIHRvIHByZXZlbnQgZnVydGhlciwgdW5jb250cm9s bGVkIGVuY3JvYWNobWVudCkuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0 IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+R2l2ZW4gdGhhdCB0aGUg ZHJhZnQgYWxyZWFkeSBkaXNjb3VyYWdlcyB0aGUgdXNlIG9mIHRoaXMgbWVjaGFuaXNtLCBJJ2Qg cmVjb21tZW5kIGRyb3BwaW5nIGl0IGFsdG9nZXRoZXIuIElmIHRoZSBXb3JraW5nIEdyb3VwIHdp c2hlcyBpdCB0byByZW1haW4sIHRoaXMgaXNzdWVzIHNob3VsZCBiZSB2ZXR0ZWQgYm90aCB0aHJv dWdoIHRoZSBBUFBTIGFyZWEgYW5kDQogdGhlIFczQyBsaWFpc29uLjxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPjxvOnA+Jm5i c3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0 Oi41aW4iPihUaGUgc2FtZSBjcml0aWNpc20gY291bGQgYmUgbGV2ZWxlZCBhdCBTZWN0aW9uIDIu MiBGb3JtLUVuY29kZWQgQm9keSBQYXJhbWV0ZXIsIGJ1dCB0aGF0IGF0IGxlYXN0IGlzbid0IHN1 cmZhY2VkIGluIGFuIGlkZW50aWZpZXIpPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPlRo ZXJlIGFyZSBzb21lIGNvbnRleHRzLCBlc3BlY2lhbGx5IGxpbWl0ZWQgYnJvd3NlcnMgYW5kL29y IGRldmVsb3BtZW50IGVudmlyb25tZW50cywgd2hlcmUgcXVlcnkgcGFyYW1ldGVycyBhcmUgdXNh YmxlIGJ1dCB0aGUgb3RoZXIgbWV0aG9kcyBhcmUgbm90LiZuYnNwOyBUaHVzLCB0aGUgcXVlcnkg cGFyYW1ldGVyIG1ldGhvZCBtdXN0IGJlIHJldGFpbmVkLiZuYnNwOyBBbHNvLCBKdXN0aW4gUmlj aHRlcuKAmXMgY29tbWVudHMNCiBkZXNjcmliaW5nIHRoZSB2YWx1ZSB0byBoaW0gb2YgdGhlIHF1 ZXJ5IHBhcmFtZXRlciBtZXRob2QgYXJlIHBlcnRpbmVudDogJm5ic3A74oCcQSBVUkwgd2l0aCBh bGwgcGFyYW1ldGVycyBpbmNsdWRpbmcgYXV0aG9yaXphdGlvbiBpcyBhIHBvd2VyZnVsIGFydGlm YWN0IHdoaWNoIGNhbiBiZSBwYXNzZWQgYXJvdW5kIGJldHdlZW4gc3lzdGVtcyBhcyBhIHVuaXTi gJ0uDQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+QXMgdG8gdXNpbmcgYSBzdGFuZGFy ZCBwYXJhbWV0ZXIgbmFtZSwgdGhpcyBpcyBlc3NlbnRpYWwgZm9yIGludGVyb3BlcmFiaWxpdHku Jm5ic3A7IEl0IGlzIG5vdCDigJxyZXNlcnZlZOKAnSBpbiBhbnkgY29udGV4dHMgb3RoZXIgdGhh biB3aGVuIHRoZSBCZWFyZXIgc3BlYyBpcyBlbXBsb3llZCwgd2hpY2ggaXMgYSB2b2x1bnRhcnkg YWN0IGJ5IGJvdGggcGFydGllcy4mbmJzcDsgVGh1cywgdGhpcyBwb3NlcyBubyB1bmR1ZSBidXJk ZW5zDQogb3IgbmFtZXNwYWNlIHJlc3RyaWN0aW9ucyBvbiBpbXBsZW1lbnRhdGlvbnMgaW4gcHJh Y3RpY2UuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNw OzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkZpbmFsbHksIHlvdeKAmWxsIGZp bmQgdGhhdCBPQXV0aCAxLjAgWzxhIGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3Jm YzU4NDkiPlJGQyA1ODQ5PC9hPl0gc2ltaWxhcmx5IGRlZmluZWQsIG5vdCBvbmUsIGJ1dCB0d28g c3RhbmRhcmQgcXVlcnkgcGFyYW1ldGVyIHZhbHVlczombmJzcDsgb2F1dGhfdG9rZW4gYW5kIG9h dXRoX3ZlcmlmaWVyLiZuYnNwOyBBcyB0aGlzIGRpZG7igJl0IGNhdXNlIGFueSBwcm9ibGVtcw0K IGluIHByYWN0aWNlIHRoZW4sIEnigJltIHN1cmUgdGhhdCBkZWZpbmluZyBhbiBhY2Nlc3NfdG9r ZW4gcGFyYW1ldGVyIHdpdGhpbiB0aGUgQmVhcmVyIHNwZWMgZm9yIGludGVyb3BlcmFiaWxpdHkg cHVycG9zZXMgd29u4oCZdCBjYXVzZSBhIHByb2JsZW0gZWl0aGVyLjxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+KiBTZWN0aW9uIDMgVGhlIFdX Vy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVyIEZpZWxkPG86cD48L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+PG86cD4mbmJzcDs8 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVp biI+VGhlIGRyYWZ0IHJlZmVyZW5jZXMgdGhlIHF1b3RlZC1zdHJpbmcgQUJORiBmcm9tIEhUVFAs IGJ1dCBjaGFuZ2VzIGl0cyBwcm9jZXNzaW5nIGluIGEgbGF0ZXIgcGFyYWdyYXBoOjxvOnA+PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4i PjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1h cmdpbi1sZWZ0Oi41aW4iPiZxdW90OyZxdW90OyZxdW90O0luIGFsbCB0aGVzZSBjYXNlcywgbm8g Y2hhcmFjdGVyIHF1b3Rpbmcgd2lsbCBvY2N1ciwgYXMgc2VuZGVycyBhcmUgcHJvaGliaXRlZCBm cm9tIHVzaW5nIHRoZSAlNUMgKCdcJykgY2hhcmFjdGVyLiZxdW90OyZxdW90OyZxdW90OzxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41 aW4iPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9 Im1hcmdpbi1sZWZ0Oi41aW4iPlRoaXMgaXMgYXQgYmVzdCBzdXJwcmlzaW5nIChhcyBtYW55IHJl YWRlcnMgd2lsbCByZWFzb25hYmx5IHN1cm1pc2UgdGhhdCB1c2luZyB0aGUgcXVvdGVkLXN0cmlu ZyBBQk5GIGltcGxpZXMgdGhhdCB0aGUgc2FtZSBjb2RlIGNhbiBiZSB1c2VkKS48bzpwPjwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj5Q bGVhc2UgZWl0aGVyIHVzZSBxdW90ZWQtc3RyaW5nIGFzIGRlZmluZWQgKGkuZS4sIHdpdGggZXNj YXBpbmcpLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJz cDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5UaGlzIHBhcmFtZXRlciBkZWZp bml0aW9uIHdhcyBhIHJlc3VsdCBvZiBzaWduaWZpY2FudCB3b3JraW5nIGdyb3VwIGRpc2N1c3Np b24gYW5kIHJlZmxlY3RzIGEgc29saWQgY29uc2Vuc3VzIHBvc2l0aW9uLiZuYnNwOyBVc2luZyB0 aGUgcXVvdGVkIHN0cmluZyBCTkYgbWFrZXMgaXQgY2xlYXIsIHBlciBKdWxpYW4gUmVzY2hrZeKA mXMgc3VnZ2VzdGlvbnMsIHRoYXQgZ2VuZXJpYyBwYXJhbWV0ZXIgcGFyc2luZyBjb2RlDQogY2Fu IGJlIHNhZmVseSB1c2VkLiZuYnNwOyBXaGVyZWFzIHByb2hpYml0aW5nIHRoZSB1c2Ugb2YgYmFj a3NsYXNoIHF1b3RpbmcgYnkgc2VuZGVycyBhbHNvIG1ha2VzIGl0IGNsZWFyIHRoYXQgY3VzdG9t IGltcGxlbWVudGF0aW9ucyBjYW4gZGlyZWN0bHkgdXRpbGl6ZSB0aGUgcGFyYW1ldGVyIHZhbHVl cyBhcyB0cmFuc21pdHRlZCB3aXRob3V0IHBlcmZvcm1pbmcgYW55IHF1b3RlIHByb2Nlc3Npbmcu PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkluIHNob3J0LCB0aGUgc3BlYyBkb2VzbuKA mXQgY2hhbmdlIHRoZSBwcm9jZXNzaW5nIG9mIHF1b3RlZCBzdHJpbmdzLiZuYnNwOyBJdCBzaW1w bHkgcmVzdHJpY3RzIHRoZSBzZXQgb2YgbGVnYWwgaW5wdXQgY2hhcmFjdGVycyB3aXRoaW4gdGhl IHF1b3RlZCBzdHJpbmdzLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFy Z2luLWxlZnQ6LjVpbiI+KiBTZWN0aW9uIDE6IEludHJvZHVjdGlvbjxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPjxvOnA+Jm5i c3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0 Oi41aW4iPlRoZSBpbnRyb2R1Y3Rpb24gZXhwbGFpbnMgb2F1dGgsIGJ1dCBpdCBkb2Vzbid0IGZ1 bGx5IGV4cGxhaW4gdGhlIHJlbGF0aW9uc2hpcCBvZiB0aGlzIHNwZWNpZmljYXRpb24gdG8gT0F1 dGggMi4wLiBFLmcuLCBjYW4gaXQgYmUgdXNlZCBpbmRlcGVuZGVudGx5IGZyb20gdGhlIHJlc3Qg b2YgT0F1dGg/IExpa2V3aXNlLCB0aGUgb3ZlcnZpZXcgKHNlY3Rpb248bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj4xLjMpIHNl ZW1zIG1vcmUgc3BlY2lmaWMgdG8gdGhlIE9BdXRoIHNwZWNpZmljYXRpb24gdGhhbiB0aGlzIGRv Y3VtZW50LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1h cmdpbi1sZWZ0Oi41aW4iPkFzIEkgcmVhZCBpdCwgdGhpcyBtZWNoYW5pc20gY291bGQgYmUgdXNl ZCBmb3IgQU5ZIGJlYXJlciB0b2tlbiwgbm90IGp1c3Qgb25lIGdlbmVyYXRlZCB0aHJvdWdoIE9B dXRoIGZsb3dzLg0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHls ZT0ibWFyZ2luLWxlZnQ6LjVpbiI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNv UGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+SWYgaXQgaXMgaW5kZWVkIG1vcmUg Z2VuZXJhbCwgSSdkIHJlY29tbWVuZCBtaW5pbWlzaW5nIHRoZSBkaXNjdXNzaW9uIG9mIE9BdXRo LCBwZXJoYXBzIGV2ZW4gcmVtb3ZpbmcgaXQgZnJvbSB0aGUgZG9jdW1lbnQgdGl0bGUuPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPlBlciB5b3VyIHN1Z2dlc3Rpb24sIEnigJl2ZSBtYWRl IGl0IGNsZWFyIGluIHRoZSBpbnRyb2R1Y3Rpb24gdGhhdCBiZWFyZXIgdG9rZW5zIGZyb20gYW55 IHNvdXJjZSBjYW4gYmUgdXNlZCB0byBhY2Nlc3MgYXNzb2NpYXRlZCBwcm90ZWN0ZWQgcmVzb3Vy Y2VzLiZuYnNwOyBUaGUgbmV3IGxhbmd1YWdlIGluIHRoZSBpbnRyb2R1Y3Rpb24gaXM6PG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPuKAnFRoaXMgc3BlY2lmaWNhdGlvbiBkZWZpbmVzIHRo ZSB1c2Ugb2YgYmVhcmVyIHRva2VucyBvdmVyIEhUVFAvMS4xIFtJPHNwYW4gc3R5bGU9ImZvbnQt ZmFtaWx5OiZxdW90O01TIEdvdGhpYyZxdW90OyI+4oCRPC9zcGFuPkQuaWV0ZjxzcGFuIHN0eWxl PSJmb250LWZhbWlseTomcXVvdDtNUyBHb3RoaWMmcXVvdDsiPuKAkTwvc3Bhbj5odHRwYmlzPHNw YW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O01TIEdvdGhpYyZxdW90OyI+4oCRPC9zcGFuPnAx PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O01TIEdvdGhpYyZxdW90OyI+4oCRPC9zcGFu Pm1lc3NhZ2luZ10NCiB1c2luZyBUTFMgW1JGQzUyNDZdIHRvIGFjY2VzcyBwcm90ZWN0ZWQgcmVz b3VyY2VzLiDigKYgV2hpbGUgZGVzaWduZWQgZm9yIHVzZSB3aXRoIGFjY2VzcyB0b2tlbnMgcmVz dWx0aW5nIGZyb20gT0F1dGggMi4wIEF1dGhvcml6YXRpb24gW0k8c3BhbiBzdHlsZT0iZm9udC1m YW1pbHk6JnF1b3Q7TVMgR290aGljJnF1b3Q7Ij7igJE8L3NwYW4+RC5pZXRmPHNwYW4gc3R5bGU9 ImZvbnQtZmFtaWx5OiZxdW90O01TIEdvdGhpYyZxdW90OyI+4oCRPC9zcGFuPm9hdXRoPHNwYW4g c3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O01TIEdvdGhpYyZxdW90OyI+4oCRPC9zcGFuPnYyXQ0K IGZsb3dzIHRvIGFjY2VzcyBPQXV0aCBwcm90ZWN0ZWQgcmVzb3VyY2VzLCB0aGlzIHNwZWNpZmlj YXRpb24gYWN0dWFsbHkgZGVmaW5lcyBhIGdlbmVyYWwgSFRUUCBhdXRob3JpemF0aW9uIG1ldGhv ZCB0aGF0IGNhbiBiZSB1c2VkIHdpdGggYmVhcmVyIHRva2VucyBmcm9tIGFueSBzb3VyY2UgdG8g YWNjZXNzIGFueSByZXNvdXJjZXMgcHJvdGVjdGVkIGJ5IHRob3NlIGJlYXJlciB0b2tlbnMu4oCd PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj4q IFNlY3Rpb24gMyBUaGUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBIZWFkZXIgRmllbGQ8bzpw PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDou NWluIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxl PSJtYXJnaW4tbGVmdDouNWluIj5UaGUgZGlmZmVyZW5jZSBiZXR3ZWVuIGEgcmVhbG0gYW5kIGEg c2NvcGUgaXMgbm90IGV4cGxhaW5lZC4gQXJlIHRoZSBmdW5jdGlvbmFsbHkgZXF1aXZhbGVudCwg anVzdCBhIHNpbmdsZSB2YWx1ZSB2cy4gYSBsaXN0Pw0KPG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPlJlYWxtIGlzIGFzIGRlZmluZWQgYnkgSFRUUGJpcy4mbmJzcDsgSXQgc2F5cyB0aGF0 IOKAnFRoZSByZWFsbSB2YWx1ZSBpcyBhIHN0cmluZywgZ2VuZXJhbGx5IGFzc2lnbmVkIGJ5IHRo ZSBvcmlnaW4gc2VydmVyLCB3aGljaCBjYW4gaGF2ZSBhZGRpdGlvbmFsIHNlbWFudGljcyBzcGVj aWZpYyB0byB0aGUgYXV0aGVudGljYXRpb24gc2NoZW1lLuKAnSZuYnNwOyBUaGUgQmVhcmVyIHNw ZWNpZmljYXRpb24gaW50ZW50aW9uYWxseQ0KIGFkZHMgbm8gZXh0cmEgc2VtYW50aWNzIHRvIHRo ZSByZWFsbSBkZWZpbml0aW9uLiZuYnNwOyBXaGVyZWFzIHRoZSBzY29wZSBwYXJhbWV0ZXIgaXMg ZGVmaW5lZCBhcyBhbiBvcmRlci1pbmRlcGVuZGVudCBzcGFjZS1zZXBhcmF0ZWQgbGlzdCBvZiBz Y29wZSB2YWx1ZXMuJm5ic3A7IFRoZSBjb250ZXh0dWFsIG1lYW5pbmcgb2YgYm90aCB0aGUgcmVh bG0gYW5kIHNjb3BlIHBhcmFtZXRlcnMgaXMgZGVwbG95bWVudC1kZXBlbmRlbnQuPG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj5EbyB5b3UgcmVh bGx5IGludGVuZCB0byBkaXNhbGxvdyAqYWxsKiBleHRlbnNpb24gcGFyYW1ldGVycyBvbiB0aGUg Y2hhbGxlbmdlPzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4m bmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5ZZXMuJm5ic3A7IFRoZXJl IHdhcyBhbiBleHBsaWNpdCB3b3JraW5nIGdyb3VwIGNvbnNlbnN1cyBkZWNpc2lvbiB0byBkbyBz by48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4i PkFsc28sIHRoZSBzY29wZSwgZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uIGFuZCBlcnJvcl91cmkg cGFyYW1ldGVycyBhbGwgc3BlY2lmeSBvbmx5IGEgcXVvdGVkLXN0cmluZyBzZXJpYWxpc2F0aW9u LiBIVFRQYmlzIHN0cm9uZ2x5IHN1Z2dlc3RzIHRoYXQgbmV3IHNjaGVtZXMgYWxsb3cgYm90aCBm b3JtcywgYmVjYXVzZSBpbXBsZW1lbnRhdGlvbiBleHBlcmllbmNlDQogaGFzIHNob3duIHRoYXQg aW1wbGVtZW50YXRpb25zIHdpbGwgbGlrZWx5IHN1cHBvcnQgYm90aCwgbm8gbWF0dGVyIGhvdyBk ZWZpbmVkOyB0aGlzIGltcHJvdmVzIGludGVyb3BlcmFiaWxpdHkgKHNlZSBwNyAyLjMuMSkuDQo8 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+T25jZSBhZ2FpbiwgdGhlIGN1cnJlbnQgdGV4 dCByZWZsZWN0cyBhIGNvbnNlbnN1cyBkZWNpc2lvbiBvZiB0aGUgd29ya2luZyBncm91cC4mbmJz cDsgSXQgd2FzIHZpZXdlZCB0aGF0IHJlcXVpcmluZyBzdXBwb3J0IGZvciBtdWx0aXBsZSB3YXlz IG9mIGRvaW5nIHRoZSBzYW1lIHRoaW5nIHVubmVjZXNzYXJpbHkgY29tcGxpY2F0ZWQgaW1wbGVt ZW50YXRpb25zIHdpdGhvdXQgYW55IGNvbXBlbnNhdGluZyBiZW5lZml0Ow0KIGJldHRlciB0byBz dXBwb3J0IG9uZSBzeW50YXggZm9yIGVhY2ggc2VtYW50aWMgb3BlcmF0aW9uIGFuZCByZXF1aXJl IGFsbCBpbXBsZW1lbnRhdGlvbnMgdG8gdXNlIGl0LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+RmluYWxseSwgdGhlIGVycm9yX2Rlc2NyaXB0 aW9uIHBhcmFtZXRlciBjYW4gY2Fycnkgb25seSBBU0NJSSBjaGFyYWN0ZXJzLiBXaGlsZSBJIHVu ZGVyc3RhbmQgYSB0cmFkZW9mZiBoYXMgYmVlbiBtYWRlIGhlcmUgKGFuZCwgaW4gbXkganVkZ2Vt ZW50LCBhbiBhcHByb3ByaWF0ZSBvbmUpLCBpdCdzIGFwcHJvcHJpYXRlIHRvIGhpZ2hsaWdodCB0 aGlzIGluIHJldmlldy48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Tm90ZWQ8bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiogR2VuZXJh bDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1s ZWZ0Oi41aW4iPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIg c3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPlRoZSBkcmFmdCBjdXJyZW50bHkgZG9lc24ndCBtZW50 aW9uIHdoZXRoZXIgQmVhcmVyIGlzIHN1aXRhYmxlIGZvciB1c2UgYXMgYSBwcm94eSBhdXRoZW50 aWNhdGlvbiBzY2hlbWUuIEkgc3VzcGVjdCBpdCAqbWF5KjsgaXQgd291bGQgYmUgd29ydGggZGlz Y3Vzc2luZyB0aGlzIHdpdGggc29tZSBwcm94eSBpbXBsZW1lbnRlcnMgdG8gZ2F1Z2UgdGhlaXIg aW50ZXJlc3QNCiAoZS5nLiwgU3F1aWQpLiA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ V2hvIHdvdWxkIHlvdSByZWNvbW1lbmQgcmV2aWV3IHRoZSBkcmFmdCBmcm9tIHRoaXMgcGVyc3Bl Y3RpdmU/PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNw OzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkZpbmFsbHksIE1hcmssIEkgYXBw bGllZCBhbGwgdGhlIGVkaXRvcmlhbCBzdWdnZXN0aW9ucyB5b3UgbWFkZS4mbmJzcDsgVGhhbmtz IGZvciB0aG9zZS48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+TWFyaywgU3RlcGhlbiwg YW5kIGNoYWlycywgcGxlYXNlIGxldCBtZSBrbm93IHdoZXRoZXIgdG8gbm93IHBvc3QgdGhpcyBk cmFmdCBhcyBhbiBhY3R1YWwgc3VibWlzc2lvbi48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7IFRoYW5rcyBhbGwsPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv UGxhaW5UZXh0Ij4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgLS0gTWlrZTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij4tLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLTxicj4NCkZyb206IDxhIGhyZWY9Im1haWx0 bzpvYXV0aC1ib3VuY2VzQGlldGYub3JnIj5vYXV0aC1ib3VuY2VzQGlldGYub3JnPC9hPiA8YSBo cmVmPSJtYWlsdG86W21haWx0bzpvYXV0aC1ib3VuY2VzQGlldGYub3JnXSI+DQpbbWFpbHRvOm9h dXRoLWJvdW5jZXNAaWV0Zi5vcmddPC9hPiBPbiBCZWhhbGYgT2YgVHNjaG9mZW5pZywgSGFubmVz IChOU04gLSBGSS9Fc3Bvbyk8YnI+DQpTZW50OiBXZWRuZXNkYXksIE5vdmVtYmVyIDIzLCAyMDEx IDExOjUxIFBNPGJyPg0KVG86IDxhIGhyZWY9Im1haWx0bzpvYXV0aEBpZXRmLm9yZyI+b2F1dGhA aWV0Zi5vcmc8L2E+PGJyPg0KU3ViamVjdDogW09BVVRILVdHXSBGVzogW2FwcHMtZGlzY3Vzc10g QVBQUyBBcmVhIHJldmlldyBvZiBkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci0xNDxvOnA+PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8 cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5GWUk8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ LS0tLS1PcmlnaW5hbCBNZXNzYWdlLS0tLS08bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPkZyb206IDxhIGhyZWY9Im1haWx0bzphcHBzLWRpc2N1c3MtYm91bmNlc0BpZXRm Lm9yZyI+PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUi PmFwcHMtZGlzY3Vzcy1ib3VuY2VzQGlldGYub3JnPC9zcGFuPjwvYT48bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxhIGhyZWY9Im1haWx0bzpbbWFpbHRvOmFwcHMtZGlz Y3Vzcy1ib3VuY2VzQGlldGYub3JnXSI+PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4 dC1kZWNvcmF0aW9uOm5vbmUiPlttYWlsdG86YXBwcy1kaXNjdXNzLWJvdW5jZXNAaWV0Zi5vcmdd PC9zcGFuPjwvYT4gT24gQmVoYWxmIE9mIGV4dCBNYXJrIE5vdHRpbmdoYW08bzpwPjwvbzpwPjwv cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPlNlbnQ6IFRodXJzZGF5LCBOb3ZlbWJlciAyNCwg MjAxMSA4OjIyIEFNPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5Ubzog SUVURiBBcHBzIERpc2N1c3M7IDxhIGhyZWY9Im1haWx0bzpkcmFmdC1pZXRmLW9hdXRoLXYyLWJl YXJlci5hbGxAaWV0Zi5vcmciPg0KPHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1k ZWNvcmF0aW9uOm5vbmUiPmRyYWZ0LWlldGYtb2F1dGgtdjItYmVhcmVyLmFsbEBpZXRmLm9yZzwv c3Bhbj48L2E+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5DYzogVGhl IElFU0c8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPlN1YmplY3Q6IFth cHBzLWRpc2N1c3NdIEFQUFMgQXJlYSByZXZpZXcgb2Y8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPmRyYWZ0LWlldGYtb2F1dGgtdjItYmVhcmVyLTE0PG86cD48L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPkkgaGF2ZSBiZWVuIHNlbGVjdGVkIGFzIHRoZSBBcHBsaWNhdGlv bnMgQXJlYSBSZXZpZXcgVGVhbSByZXZpZXdlciBmb3IgdGhpcyBkcmFmdCAoZm9yIGJhY2tncm91 bmQgb24gYXBwcy1yZXZpZXcsIHBsZWFzZSBzZWUgJmx0OzxhIGhyZWY9Imh0dHA6Ly93d3cuYXBw cy5pZXRmLm9yZy9jb250ZW50L2FwcGxpY2F0aW9ucy1hcmVhLXJldmlldy10ZWFtIj48c3BhbiBz dHlsZT0iY29sb3I6d2luZG93dGV4dDt0ZXh0LWRlY29yYXRpb246bm9uZSI+aHR0cDovL3d3dy5h cHBzLmlldGYub3JnL2NvbnRlbnQvYXBwbGljYXRpb25zLWFyZWEtcmV2aWV3LXRlYW08L3NwYW4+ PC9hPiZndDspLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4m bmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5QbGVhc2UgcmVzb2x2ZSB0 aGVzZSBjb21tZW50cyBhbG9uZyB3aXRoIGFueSBvdGhlciBMYXN0IENhbGwgY29tbWVudHMgeW91 IG1heSByZWNlaXZlLiBQbGVhc2Ugd2FpdCBmb3IgZGlyZWN0aW9uIGZyb20geW91ciBkb2N1bWVu dCBzaGVwaGVyZCBvciBBRCBiZWZvcmUgcG9zdGluZyBhIG5ldyB2ZXJzaW9uIG9mIHRoZSBkcmFm dC48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+RG9jdW1lbnQ6IGRyYWZ0LWlldGYtb2F1 dGgtdjItYmVhcmVyLTE0PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5U aXRsZTogT0F1dGggMi4wIEJlYXJlciBUb2tlbnM8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPlJldmlld2VyOiBNYXJrIE5vdHRpbmdoYW08bzpwPjwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29QbGFpblRleHQiPlJldmlldyBEYXRlOiAyNC8xMS8yMDExPG86cD48L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPlN1bW1hcnk6IFRoaXMgZHJhZnQgaXMgYWxtb3N0IHJlYWR5IGZv ciBwdWJsaWNhdGlvbiBhcyBhIFByb3Bvc2VkIFN0YW5kYXJkLCBidXQgaGFzIGEgZmV3IGlzc3Vl cyB0aGF0IHNob3VsZCBiZSBmaXhlZC48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+TWFq b3IgSXNzdWVzPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4tLS0tLS0t LS0tLS08bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+KiBTZWN0aW9uIDIuMyBVUkkgUXVl cnkgUGFyYW1ldGVyPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpw PiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPlRoaXMgc2VjdGlvbiBl ZmZlY3RpdmVseSByZXNlcnZlcyBhIFVSSSBxdWVyeSBwYXJhbWV0ZXIgZm9yIHRoZSBkcmFmdCdz IHVzZS4gVGhpcyBzaG91bGQgbm90IGJlIGRvbmUgbGlnaHRseSwgc2luY2UgdGhpcyB3b3VsZCBi ZSBhIHByZWNlZGVudCBmb3IgdGhlIElFVEYgZW5jcm9hY2hpbmcgdXBvbiBhIHNlcnZlcidzIFVS SXMgKGRvbmUgcHJldmlvdXNseSBpbiBSRkM1Nzg1LCBidXQgaW4gYSBtdWNoIG1vcmUNCiBsaW1p dGVkIGZhc2hpb24sIGFzIGEgdGFjdGljIHRvIHByZXZlbnQgZnVydGhlciwgdW5jb250cm9sbGVk IGVuY3JvYWNobWVudCkuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48 bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkdpdmVuIHRoYXQg dGhlIGRyYWZ0IGFscmVhZHkgZGlzY291cmFnZXMgdGhlIHVzZSBvZiB0aGlzIG1lY2hhbmlzbSwg SSdkIHJlY29tbWVuZCBkcm9wcGluZyBpdCBhbHRvZ2V0aGVyLiBJZiB0aGUgV29ya2luZyBHcm91 cCB3aXNoZXMgaXQgdG8gcmVtYWluLCB0aGlzIGlzc3VlcyBzaG91bGQgYmUgdmV0dGVkIGJvdGgg dGhyb3VnaCB0aGUgQVBQUyBhcmVhIGFuZCB0aGUgVzNDIGxpYWlzb24uPG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPihUaGUgc2FtZSBjcml0aWNpc20gY291bGQgYmUgbGV2ZWxlZCBhdCBT ZWN0aW9uIDIuMiBGb3JtLUVuY29kZWQgQm9keSBQYXJhbWV0ZXIsIGJ1dCB0aGF0IGF0IGxlYXN0 IGlzbid0IHN1cmZhY2VkIGluIGFuIGlkZW50aWZpZXIpPG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPiogU2VjdGlvbiAzIFRoZSBXV1ctQXV0aGVudGljYXRlIFJlc3BvbnNlIEhlYWRlciBG aWVsZDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5UaGUgZHJhZnQgcmVmZXJlbmNlcyB0 aGUgcXVvdGVkLXN0cmluZyBBQk5GIGZyb20gSFRUUCwgYnV0IGNoYW5nZXMgaXRzIHByb2Nlc3Np bmcgaW4gYSBsYXRlciBwYXJhZ3JhcGg6PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZx dW90OyZxdW90OyZxdW90O0luIGFsbCB0aGVzZSBjYXNlcywgbm8gY2hhcmFjdGVyIHF1b3Rpbmcg d2lsbCBvY2N1ciwgYXMgc2VuZGVycyBhcmUgcHJvaGliaXRlZCBmcm9tIHVzaW5nIHRoZSAlNUMg KCdcJykgY2hhcmFjdGVyLiZxdW90OyZxdW90OyZxdW90OzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij5UaGlzIGlzIGF0IGJlc3Qgc3VycHJpc2luZyAoYXMgbWFueSByZWFkZXJzIHdpbGwg cmVhc29uYWJseSBzdXJtaXNlIHRoYXQgdXNpbmcgdGhlIHF1b3RlZC1zdHJpbmcgQUJORiBpbXBs aWVzIHRoYXQgdGhlIHNhbWUgY29kZSBjYW4gYmUgdXNlZCkuPG86cD48L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0Ij5QbGVhc2UgZWl0aGVyIHVzZSBxdW90ZWQtc3RyaW5nIGFzIGRl ZmluZWQgKGkuZS4sIHdpdGggZXNjYXBpbmcpLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0 Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPk1pbm9yIElz c3VlczxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+LS0tLS0tLS0tLS0t PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiogU2VjdGlvbiAxOiBJbnRyb2R1Y3Rpb248 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VGhlIGludHJvZHVjdGlvbiBleHBsYWlucyBv YXV0aCwgYnV0IGl0IGRvZXNuJ3QgZnVsbHkgZXhwbGFpbiB0aGUgcmVsYXRpb25zaGlwIG9mIHRo aXMgc3BlY2lmaWNhdGlvbiB0byBPQXV0aCAyLjAuIEUuZy4sIGNhbiBpdCBiZSB1c2VkIGluZGVw ZW5kZW50bHkgZnJvbSB0aGUgcmVzdCBvZiBPQXV0aD8gTGlrZXdpc2UsIHRoZSBvdmVydmlldyAo c2VjdGlvbjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+MS4zKSBzZWVt cyBtb3JlIHNwZWNpZmljIHRvIHRoZSBPQXV0aCBzcGVjaWZpY2F0aW9uIHRoYW4gdGhpcyBkb2N1 bWVudC48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkFzIEkgcmVhZCBp dCwgdGhpcyBtZWNoYW5pc20gY291bGQgYmUgdXNlZCBmb3IgQU5ZIGJlYXJlciB0b2tlbiwgbm90 IGp1c3Qgb25lIGdlbmVyYXRlZCB0aHJvdWdoIE9BdXRoIGZsb3dzLg0KPG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPklmIGl0IGlzIGluZGVlZCBtb3JlIGdlbmVyYWwsIEknZCByZWNvbW1l bmQgbWluaW1pc2luZyB0aGUgZGlzY3Vzc2lvbiBvZiBPQXV0aCwgcGVyaGFwcyBldmVuIHJlbW92 aW5nIGl0IGZyb20gdGhlIGRvY3VtZW50IHRpdGxlLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij4qIFNlY3Rpb24gMyBUaGUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBIZWFkZXIgRmll bGQ8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VGhlIGRpZmZlcmVuY2UgYmV0d2VlbiBh IHJlYWxtIGFuZCBhIHNjb3BlIGlzIG5vdCBleHBsYWluZWQuIEFyZSB0aGUgZnVuY3Rpb25hbGx5 IGVxdWl2YWxlbnQsIGp1c3QgYSBzaW5nbGUgdmFsdWUgdnMuIGEgbGlzdD8NCjxvOnA+PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0Ij5EbyB5b3UgcmVhbGx5IGludGVuZCB0byBkaXNhbGxvdyAqYWxs KiBleHRlbnNpb24gcGFyYW1ldGVycyBvbiB0aGUgY2hhbGxlbmdlPzxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij5BbHNvLCB0aGUgc2NvcGUsIGVycm9yLCBlcnJvcl9kZXNjcmlwdGlvbiBh bmQgZXJyb3JfdXJpIHBhcmFtZXRlcnMgYWxsIHNwZWNpZnkgb25seSBhIHF1b3RlZC1zdHJpbmcg c2VyaWFsaXNhdGlvbi4gSFRUUGJpcyBzdHJvbmdseSBzdWdnZXN0cyB0aGF0IG5ldyBzY2hlbWVz IGFsbG93IGJvdGggZm9ybXMsIGJlY2F1c2UgaW1wbGVtZW50YXRpb24gZXhwZXJpZW5jZSBoYXMg c2hvd24gdGhhdCBpbXBsZW1lbnRhdGlvbnMNCiB3aWxsIGxpa2VseSBzdXBwb3J0IGJvdGgsIG5v IG1hdHRlciBob3cgZGVmaW5lZDsgdGhpcyBpbXByb3ZlcyBpbnRlcm9wZXJhYmlsaXR5IChzZWUg cDcgMi4zLjEpLg0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpw PiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkZpbmFsbHksIHRoZSBl cnJvcl9kZXNjcmlwdGlvbiBwYXJhbWV0ZXIgY2FuIGNhcnJ5IG9ubHkgQVNDSUkgY2hhcmFjdGVy cy4gV2hpbGUgSSB1bmRlcnN0YW5kIGEgdHJhZGVvZmYgaGFzIGJlZW4gbWFkZSBoZXJlIChhbmQs IGluIG15IGp1ZGdlbWVudCwgYW4gYXBwcm9wcmlhdGUgb25lKSwgaXQncyBhcHByb3ByaWF0ZSB0 byBoaWdobGlnaHQgdGhpcyBpbiByZXZpZXcuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv UGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi PiogR2VuZXJhbDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4m bmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5UaGUgZHJhZnQgY3VycmVu dGx5IGRvZXNuJ3QgbWVudGlvbiB3aGV0aGVyIEJlYXJlciBpcyBzdWl0YWJsZSBmb3IgdXNlIGFz IGEgcHJveHkgYXV0aGVudGljYXRpb24gc2NoZW1lLiBJIHN1c3BlY3QgaXQgKm1heSo7IGl0IHdv dWxkIGJlIHdvcnRoIGRpc2N1c3NpbmcgdGhpcyB3aXRoIHNvbWUgcHJveHkgaW1wbGVtZW50ZXJz IHRvIGdhdWdlIHRoZWlyIGludGVyZXN0IChlLmcuLCBTcXVpZCkuDQo8bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij5OaXRzPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4tLS0tPG86 cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwv cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiogU2VjdGlvbiAyLjEgQXV0aG9yaXphdGlvbiBS ZXF1ZXN0IEhlYWRlciBGaWVsZDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mcXVvdDtz aW1wbGljaXR5IHJlYXNvbnMmcXVvdDsgLS0mZ3Q7ICZxdW90O3NpbXBsaWNpdHkmcXVvdDs8bzpw PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9w Pg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+JnF1b3Q7SWYgYWRkaXRpb25hbCBwYXJhbWV0ZXJz IGFyZSBkZXNpcmVkIGluIHRoZSBmdXR1cmUsIGEgZGlmZmVyZW50IHNjaGVtZSBjb3VsZCBiZSBk ZWZpbmVkLiZxdW90OyAtLSZndDsgJnF1b3Q7SWYgYWRkaXRpb25hbCBwYXJhbWV0ZXJzIGFyZSBu ZWVkZWQgaW4gdGhlIGZ1dHVyZSwgYSBkaWZmZXJlbnQgc2NoZW1lIHdvdWxkIG5lZWQgdG8gYmUg ZGVmaW5lZC4mcXVvdDs8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+KiBTZWN0aW9uIDMg VGhlIFdXVy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVyIEZpZWxkPG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPlRoZSByZXF1aXJlbWVudCB0aGF0IGEgcmVzb3VyY2Ugc2VydmVyIE1V U1QgaW5jbHVkZSB0aGUgSFRUUCBXV1ctQXV0aGVudGljYXRlIHJlc3BvbnNlIGhlYWRlciBmaWVs ZCBpcyBvZGQ7IHJlYWxseSB0aGlzIGlzIGF0IHRoZSBkaXNjcmV0aW9uIG9mIHRoZSBzZXJ2ZXIu IElzIGl0IHJlYWxseSBuZWNlc3NhcnkgdG8gdXNlIGEgY29uZm9ybWFuY2UgcmVxdWlyZW1lbnQg aGVyZT88bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VVJJLXJlZmVyZW5jZSAtLSZndDsg VVJJLVJlZmVyZW5jZTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86 cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4qIFNlY3Rpb24gMy4x IEVycm9yIENvZGVzPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpw PiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjQwNSBiZWxvbmdzIGlu IHRoZSBsaXN0IG9mIHR5cGljYWxseSBhcHByb3ByaWF0ZSBzdGF0dXMgY29kZXMgYXMgd2VsbC48 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0Ij5LaW5kIHJlZ2FyZHMsPG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPi0tPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5NYXJrIE5v dHRpbmdoYW0mbmJzcDsmbmJzcDsgPGEgaHJlZj0iaHR0cDovL3d3dy5tbm90Lm5ldC8iPjxzcGFu IHN0eWxlPSJjb2xvcjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5odHRwOi8vd3d3 Lm1ub3QubmV0Lzwvc3Bhbj48L2E+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fXzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu VGV4dCI+YXBwcy1kaXNjdXNzIG1haWxpbmcgbGlzdDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+PGEgaHJlZj0ibWFpbHRvOmFwcHMtZGlzY3Vzc0BpZXRmLm9yZyI+PHNw YW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPmFwcHMtZGlz Y3Vzc0BpZXRmLm9yZzwvc3Bhbj48L2E+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij48YSBocmVmPSJodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2Fw cHMtZGlzY3VzcyI+PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9u Om5vbmUiPmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vYXBwcy1kaXNjdXNz PC9zcGFuPjwvYT48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPl9fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fPG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5PQXV0aCBtYWlsaW5nIGxpc3Q8bzpwPjwvbzpwPjwv cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxhIGhyZWY9Im1haWx0bzpPQXV0aEBpZXRmLm9y ZyI+PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPk9B dXRoQGlldGYub3JnPC9zcGFuPjwvYT48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1 dGgiPjxzcGFuIHN0eWxlPSJjb2xvcjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5o dHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoPC9zcGFuPjwvYT48bzpw PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9w Pg0KPC9kaXY+DQo8L2JvZHk+DQo8L2h0bWw+DQo= --_000_4E1F6AAD24975D4BA5B16804296739435F763122TK5EX14MBXC283r_-- --_007_4E1F6AAD24975D4BA5B16804296739435F763122TK5EX14MBXC283r_ Content-Type: text/html; name="draft-ietf-oauth-v2-bearer-15 preliminary.html" Content-Description: draft-ietf-oauth-v2-bearer-15 preliminary.html Content-Disposition: attachment; filename="draft-ietf-oauth-v2-bearer-15 preliminary.html"; size=76941; creation-date="Mon, 12 Dec 2011 16:33:14 GMT"; modification-date="Mon, 12 Dec 2011 16:06:10 GMT" Content-Transfer-Encoding: base64 PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEgVHJhbnNpdGlvbmFs Ly9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL2h0bWw0L2xvb3NlLmR0ZCI+CjxodG1sIGxhbmc9 ImVuIj48aGVhZD48dGl0bGU+VGhlIE9BdXRoIDIuMCBBdXRob3JpemF0aW9uIFByb3RvY29sOiBC ZWFyZXIgVG9rZW5zPC90aXRsZT4KPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250 ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiPgo8bWV0YSBuYW1lPSJkZXNjcmlwdGlvbiIg Y29udGVudD0iVGhlIE9BdXRoIDIuMCBBdXRob3JpemF0aW9uIFByb3RvY29sOiBCZWFyZXIgVG9r ZW5zIj4KPG1ldGEgbmFtZT0iZ2VuZXJhdG9yIiBjb250ZW50PSJ4bWwycmZjIHYxLjM2IChodHRw Oi8veG1sLnJlc291cmNlLm9yZy8pIj4KPHN0eWxlIHR5cGU9J3RleHQvY3NzJz48IS0tCiAgICAg ICAgYm9keSB7CiAgICAgICAgICAgICAgICBmb250LWZhbWlseTogdmVyZGFuYSwgY2hhcmNvYWws IGhlbHZldGljYSwgYXJpYWwsIHNhbnMtc2VyaWY7CiAgICAgICAgICAgICAgICBmb250LXNpemU6 IHNtYWxsOyBjb2xvcjogIzAwMDsgYmFja2dyb3VuZC1jb2xvcjogI0ZGRjsKICAgICAgICAgICAg ICAgIG1hcmdpbjogMmVtOwogICAgICAgIH0KICAgICAgICBoMSwgaDIsIGgzLCBoNCwgaDUsIGg2 IHsKICAgICAgICAgICAgICAgIGZvbnQtZmFtaWx5OiBoZWx2ZXRpY2EsIG1vbmFjbywgIk1TIFNh bnMgU2VyaWYiLCBhcmlhbCwgc2Fucy1zZXJpZjsKICAgICAgICAgICAgICAgIGZvbnQtd2VpZ2h0 OiBib2xkOyBmb250LXN0eWxlOiBub3JtYWw7CiAgICAgICAgfQogICAgICAgIGgxIHsgY29sb3I6 ICM5MDA7IGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFyZW50OyB0ZXh0LWFsaWduOiByaWdodDsg fQogICAgICAgIGgzIHsgY29sb3I6ICMzMzM7IGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFyZW50 OyB9CgogICAgICAgIHRkLlJGQ2J1ZyB7CiAgICAgICAgICAgICAgICBmb250LXNpemU6IHgtc21h bGw7IHRleHQtZGVjb3JhdGlvbjogbm9uZTsKICAgICAgICAgICAgICAgIHdpZHRoOiAzMHB4OyBo ZWlnaHQ6IDMwcHg7IHBhZGRpbmctdG9wOiAycHg7CiAgICAgICAgICAgICAgICB0ZXh0LWFsaWdu OiBqdXN0aWZ5OyB2ZXJ0aWNhbC1hbGlnbjogbWlkZGxlOwogICAgICAgICAgICAgICAgYmFja2dy b3VuZC1jb2xvcjogIzAwMDsKICAgICAgICB9CiAgICAgICAgdGQuUkZDYnVnIHNwYW4uUkZDIHsK ICAgICAgICAgICAgICAgIGZvbnQtZmFtaWx5OiBtb25hY28sIGNoYXJjb2FsLCBnZW5ldmEsICJN UyBTYW5zIFNlcmlmIiwgaGVsdmV0aWNhLCB2ZXJkYW5hLCBzYW5zLXNlcmlmOwogICAgICAgICAg ICAgICAgZm9udC13ZWlnaHQ6IGJvbGQ7IGNvbG9yOiAjNjY2OwogICAgICAgIH0KICAgICAgICB0 ZC5SRkNidWcgc3Bhbi5ob3RUZXh0IHsKICAgICAgICAgICAgICAgIGZvbnQtZmFtaWx5OiBjaGFy Y29hbCwgbW9uYWNvLCBnZW5ldmEsICJNUyBTYW5zIFNlcmlmIiwgaGVsdmV0aWNhLCB2ZXJkYW5h LCBzYW5zLXNlcmlmOwogICAgICAgICAgICAgICAgZm9udC13ZWlnaHQ6IG5vcm1hbDsgdGV4dC1h bGlnbjogY2VudGVyOyBjb2xvcjogI0ZGRjsKICAgICAgICB9CgogICAgICAgIHRhYmxlLlRPQ2J1 ZyB7IHdpZHRoOiAzMHB4OyBoZWlnaHQ6IDE1cHg7IH0KICAgICAgICB0ZC5UT0NidWcgewogICAg ICAgICAgICAgICAgdGV4dC1hbGlnbjogY2VudGVyOyB3aWR0aDogMzBweDsgaGVpZ2h0OiAxNXB4 OwogICAgICAgICAgICAgICAgY29sb3I6ICNGRkY7IGJhY2tncm91bmQtY29sb3I6ICM5MDA7CiAg ICAgICAgfQogICAgICAgIHRkLlRPQ2J1ZyBhIHsKICAgICAgICAgICAgICAgIGZvbnQtZmFtaWx5 OiBtb25hY28sIGNoYXJjb2FsLCBnZW5ldmEsICJNUyBTYW5zIFNlcmlmIiwgaGVsdmV0aWNhLCBz YW5zLXNlcmlmOwogICAgICAgICAgICAgICAgZm9udC13ZWlnaHQ6IGJvbGQ7IGZvbnQtc2l6ZTog eC1zbWFsbDsgdGV4dC1kZWNvcmF0aW9uOiBub25lOwogICAgICAgICAgICAgICAgY29sb3I6ICNG RkY7IGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFyZW50OwogICAgICAgIH0KCiAgICAgICAgdGQu aGVhZGVyIHsKICAgICAgICAgICAgICAgIGZvbnQtZmFtaWx5OiBhcmlhbCwgaGVsdmV0aWNhLCBz YW5zLXNlcmlmOyBmb250LXNpemU6IHgtc21hbGw7CiAgICAgICAgICAgICAgICB2ZXJ0aWNhbC1h bGlnbjogdG9wOyB3aWR0aDogMzMlOwogICAgICAgICAgICAgICAgY29sb3I6ICNGRkY7IGJhY2tn cm91bmQtY29sb3I6ICM2NjY7CiAgICAgICAgfQogICAgICAgIHRkLmF1dGhvciB7IGZvbnQtd2Vp Z2h0OiBib2xkOyBmb250LXNpemU6IHgtc21hbGw7IG1hcmdpbi1sZWZ0OiA0ZW07IH0KICAgICAg ICB0ZC5hdXRob3ItdGV4dCB7IGZvbnQtc2l6ZTogeC1zbWFsbDsgfQoKICAgICAgICAvKiBpbmZv IGNvZGUgZnJvbSBTYW50YUtsYXVzcyBhdCBodHRwOi8vd3d3Lm1hZGFib3V0c3R5bGUuY29tL3Rv b2x0aXAyLmh0bWwgKi8KICAgICAgICBhLmluZm8gewogICAgICAgICAgICAgICAgLyogVGhpcyBp cyB0aGUga2V5LiAqLwogICAgICAgICAgICAgICAgcG9zaXRpb246IHJlbGF0aXZlOwogICAgICAg ICAgICAgICAgei1pbmRleDogMjQ7CiAgICAgICAgICAgICAgICB0ZXh0LWRlY29yYXRpb246IG5v bmU7CiAgICAgICAgfQogICAgICAgIGEuaW5mbzpob3ZlciB7CiAgICAgICAgICAgICAgICB6LWlu ZGV4OiAyNTsKICAgICAgICAgICAgICAgIGNvbG9yOiAjRkZGOyBiYWNrZ3JvdW5kLWNvbG9yOiAj OTAwOwogICAgICAgIH0KICAgICAgICBhLmluZm8gc3BhbiB7IGRpc3BsYXk6IG5vbmU7IH0KICAg ICAgICBhLmluZm86aG92ZXIgc3Bhbi5pbmZvIHsKICAgICAgICAgICAgICAgIC8qIFRoZSBzcGFu IHdpbGwgZGlzcGxheSBqdXN0IG9uIDpob3ZlciBzdGF0ZS4gKi8KICAgICAgICAgICAgICAgIGRp c3BsYXk6IGJsb2NrOwogICAgICAgICAgICAgICAgcG9zaXRpb246IGFic29sdXRlOwogICAgICAg ICAgICAgICAgZm9udC1zaXplOiBzbWFsbGVyOwogICAgICAgICAgICAgICAgdG9wOiAyZW07IGxl ZnQ6IC01ZW07IHdpZHRoOiAxNWVtOwogICAgICAgICAgICAgICAgcGFkZGluZzogMnB4OyBib3Jk ZXI6IDFweCBzb2xpZCAjMzMzOwogICAgICAgICAgICAgICAgY29sb3I6ICM5MDA7IGJhY2tncm91 bmQtY29sb3I6ICNFRUU7CiAgICAgICAgICAgICAgICB0ZXh0LWFsaWduOiBsZWZ0OwogICAgICAg IH0KCiAgICAgICAgYSB7IGZvbnQtd2VpZ2h0OiBib2xkOyB9CiAgICAgICAgYTpsaW5rICAgIHsg Y29sb3I6ICM5MDA7IGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFyZW50OyB9CiAgICAgICAgYTp2 aXNpdGVkIHsgY29sb3I6ICM2MzM7IGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFyZW50OyB9CiAg ICAgICAgYTphY3RpdmUgIHsgY29sb3I6ICM2MzM7IGJhY2tncm91bmQtY29sb3I6IHRyYW5zcGFy ZW50OyB9CgogICAgICAgIHAgeyBtYXJnaW4tbGVmdDogMmVtOyBtYXJnaW4tcmlnaHQ6IDJlbTsg fQogICAgICAgIHAuY29weXJpZ2h0IHsgZm9udC1zaXplOiB4LXNtYWxsOyB9CiAgICAgICAgcC50 b2MgeyBmb250LXNpemU6IHNtYWxsOyBmb250LXdlaWdodDogYm9sZDsgbWFyZ2luLWxlZnQ6IDNl bTsgfQogICAgICAgIHRhYmxlLnRvYyB7IG1hcmdpbjogMCAwIDAgM2VtOyBwYWRkaW5nOiAwOyBi b3JkZXI6IDA7IHZlcnRpY2FsLWFsaWduOiB0ZXh0LXRvcDsgfQogICAgICAgIHRkLnRvYyB7IGZv bnQtc2l6ZTogc21hbGw7IGZvbnQtd2VpZ2h0OiBib2xkOyB2ZXJ0aWNhbC1hbGlnbjogdGV4dC10 b3A7IH0KCiAgICAgICAgb2wudGV4dCB7IG1hcmdpbi1sZWZ0OiAyZW07IG1hcmdpbi1yaWdodDog MmVtOyB9CiAgICAgICAgdWwudGV4dCB7IG1hcmdpbi1sZWZ0OiAyZW07IG1hcmdpbi1yaWdodDog MmVtOyB9CiAgICAgICAgbGkgICAgICB7IG1hcmdpbi1sZWZ0OiAzZW07IH0KCiAgICAgICAgLyog UkZDLTI2MjkgPHNwYW54PnMgYW5kIDxhcnR3b3JrPnMuICovCiAgICAgICAgZW0gICAgIHsgZm9u dC1zdHlsZTogaXRhbGljOyB9CiAgICAgICAgc3Ryb25nIHsgZm9udC13ZWlnaHQ6IGJvbGQ7IH0K ICAgICAgICBkZm4gICAgeyBmb250LXdlaWdodDogYm9sZDsgZm9udC1zdHlsZTogbm9ybWFsOyB9 CiAgICAgICAgY2l0ZSAgIHsgZm9udC13ZWlnaHQ6IG5vcm1hbDsgZm9udC1zdHlsZTogbm9ybWFs OyB9CiAgICAgICAgdHQgICAgIHsgY29sb3I6ICMwMzY7IH0KICAgICAgICB0dCwgcHJlLCBwcmUg ZGZuLCBwcmUgZW0sIHByZSBjaXRlLCBwcmUgc3BhbiB7CiAgICAgICAgICAgICAgICBmb250LWZh bWlseTogIkNvdXJpZXIgTmV3IiwgQ291cmllciwgbW9ub3NwYWNlOyBmb250LXNpemU6IHNtYWxs OwogICAgICAgIH0KICAgICAgICBwcmUgewogICAgICAgICAgICAgICAgdGV4dC1hbGlnbjogbGVm dDsgcGFkZGluZzogNHB4OwogICAgICAgICAgICAgICAgY29sb3I6ICMwMDA7IGJhY2tncm91bmQt Y29sb3I6ICNDQ0M7CiAgICAgICAgfQogICAgICAgIHByZSBkZm4gIHsgY29sb3I6ICM5MDA7IH0K ICAgICAgICBwcmUgZW0gICB7IGNvbG9yOiAjNjZGOyBiYWNrZ3JvdW5kLWNvbG9yOiAjRkZDOyBm b250LXdlaWdodDogbm9ybWFsOyB9CiAgICAgICAgcHJlIC5rZXkgeyBjb2xvcjogIzMzQzsgZm9u dC13ZWlnaHQ6IGJvbGQ7IH0KICAgICAgICBwcmUgLmlkICB7IGNvbG9yOiAjOTAwOyB9CiAgICAg ICAgcHJlIC5zdHIgeyBjb2xvcjogIzAwMDsgYmFja2dyb3VuZC1jb2xvcjogI0NGRjsgfQogICAg ICAgIHByZSAudmFsIHsgY29sb3I6ICMwNjY7IH0KICAgICAgICBwcmUgLnJlcCB7IGNvbG9yOiAj OTA5OyB9CiAgICAgICAgcHJlIC5vdGggeyBjb2xvcjogIzAwMDsgYmFja2dyb3VuZC1jb2xvcjog I0ZDRjsgfQogICAgICAgIHByZSAuZXJyIHsgYmFja2dyb3VuZC1jb2xvcjogI0ZDQzsgfQoKICAg ICAgICAvKiBSRkMtMjYyOSA8dGV4dHRhYmxlPnMuICovCiAgICAgICAgdGFibGUuYWxsLCB0YWJs ZS5mdWxsLCB0YWJsZS5oZWFkZXJzLCB0YWJsZS5ub25lIHsKICAgICAgICAgICAgICAgIGZvbnQt c2l6ZTogc21hbGw7IHRleHQtYWxpZ246IGNlbnRlcjsgYm9yZGVyLXdpZHRoOiAycHg7CiAgICAg ICAgICAgICAgICB2ZXJ0aWNhbC1hbGlnbjogdG9wOyBib3JkZXItY29sbGFwc2U6IGNvbGxhcHNl OwogICAgICAgIH0KICAgICAgICB0YWJsZS5hbGwsIHRhYmxlLmZ1bGwgeyBib3JkZXItc3R5bGU6 IHNvbGlkOyBib3JkZXItY29sb3I6IGJsYWNrOyB9CiAgICAgICAgdGFibGUuaGVhZGVycywgdGFi bGUubm9uZSB7IGJvcmRlci1zdHlsZTogbm9uZTsgfQogICAgICAgIHRoIHsKICAgICAgICAgICAg ICAgIGZvbnQtd2VpZ2h0OiBib2xkOyBib3JkZXItY29sb3I6IGJsYWNrOwogICAgICAgICAgICAg ICAgYm9yZGVyLXdpZHRoOiAycHggMnB4IDNweCAycHg7CiAgICAgICAgfQogICAgICAgIHRhYmxl LmFsbCB0aCwgdGFibGUuZnVsbCB0aCB7IGJvcmRlci1zdHlsZTogc29saWQ7IH0KICAgICAgICB0 YWJsZS5oZWFkZXJzIHRoIHsgYm9yZGVyLXN0eWxlOiBub25lIG5vbmUgc29saWQgbm9uZTsgfQog ICAgICAgIHRhYmxlLm5vbmUgdGggeyBib3JkZXItc3R5bGU6IG5vbmU7IH0KICAgICAgICB0YWJs ZS5hbGwgdGQgewogICAgICAgICAgICAgICAgYm9yZGVyLXN0eWxlOiBzb2xpZDsgYm9yZGVyLWNv bG9yOiAjMzMzOwogICAgICAgICAgICAgICAgYm9yZGVyLXdpZHRoOiAxcHggMnB4OwogICAgICAg IH0KICAgICAgICB0YWJsZS5mdWxsIHRkLCB0YWJsZS5oZWFkZXJzIHRkLCB0YWJsZS5ub25lIHRk IHsgYm9yZGVyLXN0eWxlOiBub25lOyB9CgogICAgICAgIGhyIHsgaGVpZ2h0OiAxcHg7IH0KICAg ICAgICBoci5pbnNlcnQgewogICAgICAgICAgICAgICAgd2lkdGg6IDgwJTsgYm9yZGVyLXN0eWxl OiBub25lOyBib3JkZXItd2lkdGg6IDA7CiAgICAgICAgICAgICAgICBjb2xvcjogI0NDQzsgYmFj a2dyb3VuZC1jb2xvcjogI0NDQzsKICAgICAgICB9Ci0tPjwvc3R5bGU+CjwvaGVhZD4KPGJvZHk+ Cjx0YWJsZSBzdW1tYXJ5PSJsYXlvdXQiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMiIg Y2xhc3M9IlRPQ2J1ZyIgYWxpZ249InJpZ2h0Ij48dHI+PHRkIGNsYXNzPSJUT0NidWciPjxhIGhy ZWY9IiN0b2MiPiZuYnNwO1RPQyZuYnNwOzwvYT48L3RkPjwvdHI+PC90YWJsZT4KPHRhYmxlIHN1 bW1hcnk9ImxheW91dCIgd2lkdGg9IjY2JSIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2Vs bHNwYWNpbmc9IjAiPjx0cj48dGQ+PHRhYmxlIHN1bW1hcnk9ImxheW91dCIgd2lkdGg9IjEwMCUi IGJvcmRlcj0iMCIgY2VsbHBhZGRpbmc9IjIiIGNlbGxzcGFjaW5nPSIxIj4KPHRyPjx0ZCBjbGFz cz0iaGVhZGVyIj5OZXR3b3JrIFdvcmtpbmcgR3JvdXA8L3RkPjx0ZCBjbGFzcz0iaGVhZGVyIj5N LiBKb25lczwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iaGVhZGVyIj5JbnRlcm5ldC1EcmFmdDwv dGQ+PHRkIGNsYXNzPSJoZWFkZXIiPk1pY3Jvc29mdDwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0i aGVhZGVyIj5JbnRlbmRlZCBzdGF0dXM6IFN0YW5kYXJkcyBUcmFjazwvdGQ+PHRkIGNsYXNzPSJo ZWFkZXIiPkQuIEhhcmR0PC90ZD48L3RyPgo8dHI+PHRkIGNsYXNzPSJoZWFkZXIiPkV4cGlyZXM6 IEp1bmUgMTQsIDIwMTI8L3RkPjx0ZCBjbGFzcz0iaGVhZGVyIj5pbmRlcGVuZGVudDwvdGQ+PC90 cj4KPHRyPjx0ZCBjbGFzcz0iaGVhZGVyIj4mbmJzcDs8L3RkPjx0ZCBjbGFzcz0iaGVhZGVyIj5E LiBSZWNvcmRvbjwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iaGVhZGVyIj4mbmJzcDs8L3RkPjx0 ZCBjbGFzcz0iaGVhZGVyIj5GYWNlYm9vazwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iaGVhZGVy Ij4mbmJzcDs8L3RkPjx0ZCBjbGFzcz0iaGVhZGVyIj5EZWNlbWJlciAxMiwgMjAxMTwvdGQ+PC90 cj4KPC90YWJsZT48L3RkPjwvdHI+PC90YWJsZT4KPGgxPjxiciAvPlRoZSBPQXV0aCAyLjAgQXV0 aG9yaXphdGlvbiBQcm90b2NvbDogQmVhcmVyIFRva2VuczxiciAvPmRyYWZ0LWlldGYtb2F1dGgt djItYmVhcmVyLTE1PC9oMT4KCjxoMz5BYnN0cmFjdDwvaDM+Cgo8cD4KICAgICAgICBUaGlzIHNw ZWNpZmljYXRpb24gZGVzY3JpYmVzIGhvdyB0byB1c2UgYmVhcmVyIHRva2VucyBpbiBIVFRQCiAg ICAgICAgcmVxdWVzdHMgdG8gYWNjZXNzIE9BdXRoIDIuMCBwcm90ZWN0ZWQgcmVzb3VyY2VzLiAg QW55IHBhcnR5CiAgICAgICAgaW4gcG9zc2Vzc2lvbiBvZiBhIGJlYXJlciB0b2tlbiAoYSAiYmVh cmVyIikgY2FuIHVzZSBpdCB0byBnZXQKICAgICAgICBhY2Nlc3MgdG8gdGhlIGFzc29jaWF0ZWQg cmVzb3VyY2VzICh3aXRob3V0IGRlbW9uc3RyYXRpbmcgcG9zc2Vzc2lvbgogICAgICAgIG9mIGEg Y3J5cHRvZ3JhcGhpYyBrZXkpLiAgVG8gcHJldmVudCBtaXN1c2UsIGJlYXJlciB0b2tlbnMKICAg ICAgICBuZWVkIHRvIGJlIHByb3RlY3RlZCBmcm9tIGRpc2Nsb3N1cmUgaW4gc3RvcmFnZSBhbmQg aW4gdHJhbnNwb3J0LgogICAgICAKPC9wPgo8aDM+U3RhdHVzIG9mIHRoaXMgTWVtbzwvaDM+Cjxw PgpUaGlzIEludGVybmV0LURyYWZ0IGlzIHN1Ym1pdHRlZCAgaW4gZnVsbApjb25mb3JtYW5jZSB3 aXRoIHRoZSBwcm92aXNpb25zIG9mIEJDUCZuYnNwOzc4IGFuZCBCQ1AmbmJzcDs3OS48L3A+Cjxw PgpJbnRlcm5ldC1EcmFmdHMgYXJlIHdvcmtpbmcgZG9jdW1lbnRzIG9mIHRoZSBJbnRlcm5ldCBF bmdpbmVlcmluZwpUYXNrIEZvcmNlIChJRVRGKS4gIE5vdGUgdGhhdCBvdGhlciBncm91cHMgbWF5 IGFsc28gZGlzdHJpYnV0ZQp3b3JraW5nIGRvY3VtZW50cyBhcyBJbnRlcm5ldC1EcmFmdHMuICBU aGUgbGlzdCBvZiBjdXJyZW50CkludGVybmV0LURyYWZ0cyBpcyBhdCBodHRwOi8vZGF0YXRyYWNr ZXIuaWV0Zi5vcmcvZHJhZnRzL2N1cnJlbnQvLjwvcD4KPHA+CkludGVybmV0LURyYWZ0cyBhcmUg ZHJhZnQgZG9jdW1lbnRzIHZhbGlkIGZvciBhIG1heGltdW0gb2Ygc2l4IG1vbnRocwphbmQgbWF5 IGJlIHVwZGF0ZWQsIHJlcGxhY2VkLCBvciBvYnNvbGV0ZWQgYnkgb3RoZXIgZG9jdW1lbnRzIGF0 IGFueSB0aW1lLgpJdCBpcyBpbmFwcHJvcHJpYXRlIHRvIHVzZSBJbnRlcm5ldC1EcmFmdHMgYXMg cmVmZXJlbmNlIG1hdGVyaWFsIG9yIHRvIGNpdGUKdGhlbSBvdGhlciB0aGFuIGFzICZsZHF1bzt3 b3JrIGluIHByb2dyZXNzLiZyZHF1bzs8L3A+CjxwPgpUaGlzIEludGVybmV0LURyYWZ0IHdpbGwg ZXhwaXJlIG9uIEp1bmUgMTQsIDIwMTIuPC9wPgoKPGgzPkNvcHlyaWdodCBOb3RpY2U8L2gzPgo8 cD4KQ29weXJpZ2h0IChjKSAyMDExIElFVEYgVHJ1c3QgYW5kIHRoZSBwZXJzb25zIGlkZW50aWZp ZWQgYXMgdGhlCmRvY3VtZW50IGF1dGhvcnMuICBBbGwgcmlnaHRzIHJlc2VydmVkLjwvcD4KPHA+ ClRoaXMgZG9jdW1lbnQgaXMgc3ViamVjdCB0byBCQ1AgNzggYW5kIHRoZSBJRVRGIFRydXN0J3Mg TGVnYWwKUHJvdmlzaW9ucyBSZWxhdGluZyB0byBJRVRGIERvY3VtZW50cwooaHR0cDovL3RydXN0 ZWUuaWV0Zi5vcmcvbGljZW5zZS1pbmZvKSBpbiBlZmZlY3Qgb24gdGhlIGRhdGUgb2YKcHVibGlj YXRpb24gb2YgdGhpcyBkb2N1bWVudC4gIFBsZWFzZSByZXZpZXcgdGhlc2UgZG9jdW1lbnRzCmNh cmVmdWxseSwgYXMgdGhleSBkZXNjcmliZSB5b3VyIHJpZ2h0cyBhbmQgcmVzdHJpY3Rpb25zIHdp dGggcmVzcGVjdAp0byB0aGlzIGRvY3VtZW50LiBDb2RlIENvbXBvbmVudHMgZXh0cmFjdGVkIGZy b20gdGhpcyBkb2N1bWVudCBtdXN0CmluY2x1ZGUgU2ltcGxpZmllZCBCU0QgTGljZW5zZSB0ZXh0 IGFzIGRlc2NyaWJlZCBpbiBTZWN0aW9uIDQuZSBvZgp0aGUgVHJ1c3QgTGVnYWwgUHJvdmlzaW9u cyBhbmQgYXJlIHByb3ZpZGVkIHdpdGhvdXQgd2FycmFudHkgYXMKZGVzY3JpYmVkIGluIHRoZSBT aW1wbGlmaWVkIEJTRCBMaWNlbnNlLjwvcD4KPGEgbmFtZT0idG9jIj48L2E+PGJyIC8+PGhyIC8+ CjxoMz5UYWJsZSBvZiBDb250ZW50czwvaDM+CjxwIGNsYXNzPSJ0b2MiPgo8YSBocmVmPSIjYW5j aG9yMSI+MS48L2E+Jm5ic3A7CkludHJvZHVjdGlvbjxiciAvPgombmJzcDsmbmJzcDsmbmJzcDsm bmJzcDs8YSBocmVmPSIjYW5jaG9yMiI+MS4xLjwvYT4mbmJzcDsKTm90YXRpb25hbCBDb252ZW50 aW9uczxiciAvPgombmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8YSBocmVmPSIjYW5jaG9yMyI+MS4y LjwvYT4mbmJzcDsKVGVybWlub2xvZ3k8YnIgLz4KJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PGEg aHJlZj0iI2FuY2hvcjQiPjEuMy48L2E+Jm5ic3A7Ck92ZXJ2aWV3PGJyIC8+CjxhIGhyZWY9IiNh bmNob3I1Ij4yLjwvYT4mbmJzcDsKQXV0aGVudGljYXRlZCBSZXF1ZXN0czxiciAvPgombmJzcDsm bmJzcDsmbmJzcDsmbmJzcDs8YSBocmVmPSIjYXV0aHotaGVhZGVyIj4yLjEuPC9hPiZuYnNwOwpB dXRob3JpemF0aW9uIFJlcXVlc3QgSGVhZGVyIEZpZWxkPGJyIC8+CiZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOzxhIGhyZWY9IiNib2R5LXBhcmFtIj4yLjIuPC9hPiZuYnNwOwpGb3JtLUVuY29kZWQg Qm9keSBQYXJhbWV0ZXI8YnIgLz4KJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PGEgaHJlZj0iI3F1 ZXJ5LXBhcmFtIj4yLjMuPC9hPiZuYnNwOwpVUkkgUXVlcnkgUGFyYW1ldGVyPGJyIC8+CjxhIGhy ZWY9IiNhdXRobi1oZWFkZXIiPjMuPC9hPiZuYnNwOwpUaGUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNw b25zZSBIZWFkZXIgRmllbGQ8YnIgLz4KJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PGEgaHJlZj0i I3Jlc291cmNlLWVycm9yLWNvZGVzIj4zLjEuPC9hPiZuYnNwOwpFcnJvciBDb2RlczxiciAvPgo8 YSBocmVmPSIjc2VjLWNvbiI+NC48L2E+Jm5ic3A7ClNlY3VyaXR5IENvbnNpZGVyYXRpb25zPGJy IC8+CiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOzxhIGhyZWY9IiN0aHJlYXRzIj40LjEuPC9hPiZu YnNwOwpTZWN1cml0eSBUaHJlYXRzPGJyIC8+CiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOzxhIGhy ZWY9IiNtaXRpZ2F0aW9uIj40LjIuPC9hPiZuYnNwOwpUaHJlYXQgTWl0aWdhdGlvbjxiciAvPgom bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8YSBocmVmPSIjYW5jaG9yNiI+NC4zLjwvYT4mbmJzcDsK U3VtbWFyeSBvZiBSZWNvbW1lbmRhdGlvbnM8YnIgLz4KPGEgaHJlZj0iI2FuY2hvcjciPjUuPC9h PiZuYnNwOwpJQU5BIENvbnNpZGVyYXRpb25zPGJyIC8+CiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OzxhIGhyZWY9IiNhbmNob3I4Ij41LjEuPC9hPiZuYnNwOwpPQXV0aCBBY2Nlc3MgVG9rZW4gVHlw ZSBSZWdpc3RyYXRpb248YnIgLz4KJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7PGEgaHJlZj0iI2FuY2hvcjkiPjUuMS4xLjwvYT4mbmJzcDsKVGhlICJCZWFy ZXIiIE9BdXRoIEFjY2VzcyBUb2tlbiBUeXBlPGJyIC8+CiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OzxhIGhyZWY9IiNhbmNob3IxMCI+NS4yLjwvYT4mbmJzcDsKQXV0aGVudGljYXRpb24gU2NoZW1l IFJlZ2lzdHJhdGlvbjxiciAvPgombmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDs8YSBocmVmPSIjYW5jaG9yMTEiPjUuMi4xLjwvYT4mbmJzcDsKVGhlICJCZWFy ZXIiIEF1dGhlbnRpY2F0aW9uIFNjaGVtZTxiciAvPgo8YSBocmVmPSIjcmZjLnJlZmVyZW5jZXMx Ij42LjwvYT4mbmJzcDsKUmVmZXJlbmNlczxiciAvPgombmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8 YSBocmVmPSIjcmZjLnJlZmVyZW5jZXMxIj42LjEuPC9hPiZuYnNwOwpOb3JtYXRpdmUgUmVmZXJl bmNlczxiciAvPgombmJzcDsmbmJzcDsmbmJzcDsmbmJzcDs8YSBocmVmPSIjcmZjLnJlZmVyZW5j ZXMyIj42LjIuPC9hPiZuYnNwOwpJbmZvcm1hdGl2ZSBSZWZlcmVuY2VzPGJyIC8+CjxhIGhyZWY9 IiNhbmNob3IxNCI+QXBwZW5kaXgmbmJzcDtBLjwvYT4mbmJzcDsKQWNrbm93bGVkZ2VtZW50czxi ciAvPgo8YSBocmVmPSIjYW5jaG9yMTUiPkFwcGVuZGl4Jm5ic3A7Qi48L2E+Jm5ic3A7CkRvY3Vt ZW50IEhpc3Rvcnk8YnIgLz4KPGEgaHJlZj0iI3JmYy5hdXRob3JzIj4mIzE2Nzs8L2E+Jm5ic3A7 CkF1dGhvcnMnIEFkZHJlc3NlczxiciAvPgo8L3A+CjxiciBjbGVhcj0iYWxsIiAvPgoKPGEgbmFt ZT0iYW5jaG9yMSI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5b3V0IiBjZWxs cGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWduPSJyaWdodCI+ PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0MmbmJzcDs8L2E+ PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLjEiPjwvYT48aDM+MS4mbmJz cDsKSW50cm9kdWN0aW9uPC9oMz4KCjxwPgogICAgICAgIE9BdXRoIGVuYWJsZXMgY2xpZW50cyB0 byBhY2Nlc3MgcHJvdGVjdGVkIHJlc291cmNlcyBieQogICAgICAgIG9idGFpbmluZyBhbiBhY2Nl c3MgdG9rZW4sIHdoaWNoIGlzIGRlZmluZWQgaW4KCU9BdXRoIDIuMCBBdXRob3JpemF0aW9uIDxh IGNsYXNzPSdpbmZvJyBocmVmPScjSS1ELmlldGYtb2F1dGgtdjInPltJJiM4MjA5O0QuaWV0ZiYj ODIwOTtvYXV0aCYjODIwOTt2Ml08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+SGFt bWVyLUxhaGF2LCBFLiwgUmVjb3Jkb24sIEQuLCBhbmQgRC4gSGFyZHQsICZsZHF1bztUaGUgT0F1 dGggMi4wIEF1dGhvcml6YXRpb24gUHJvdG9jb2wsJnJkcXVvOyBTZXB0ZW1iZXImbmJzcDsyMDEx Ljwvc3Bhbj48c3Bhbj4pPC9zcGFuPjwvYT4KCWFzICJhIHN0cmluZyByZXByZXNlbnRpbmcgYW4g YWNjZXNzCiAgICAgICAgYXV0aG9yaXphdGlvbiBpc3N1ZWQgdG8gdGhlIGNsaWVudCIsIHJhdGhl ciB0aGFuIHVzaW5nIHRoZQogICAgICAgIHJlc291cmNlIG93bmVyJ3MgY3JlZGVudGlhbHMgZGly ZWN0bHkuCiAgICAgIAo8L3A+CjxwPgogICAgICAgIFRva2VucyBhcmUgaXNzdWVkIHRvIGNsaWVu dHMgYnkgYW4gYXV0aG9yaXphdGlvbiBzZXJ2ZXIgd2l0aCB0aGUgYXBwcm92YWwgb2YKICAgICAg ICB0aGUgcmVzb3VyY2Ugb3duZXIuIFRoZSBjbGllbnQgdXNlcyB0aGUgYWNjZXNzIHRva2VuIHRv IGFjY2VzcyB0aGUgcHJvdGVjdGVkIHJlc291cmNlcwogICAgICAgIGhvc3RlZCBieSB0aGUgcmVz b3VyY2Ugc2VydmVyLiBUaGlzIHNwZWNpZmljYXRpb24gZGVzY3JpYmVzIGhvdyB0byBtYWtlIHBy b3RlY3RlZCByZXNvdXJjZQogICAgICAgIHJlcXVlc3RzIHdoZW4gdGhlIE9BdXRoIGFjY2VzcyB0 b2tlbiBpcyBhIGJlYXJlciB0b2tlbi4KICAgICAgCjwvcD4KPHA+CiAgICAgICAgVGhpcyBzcGVj aWZpY2F0aW9uIGRlZmluZXMgdGhlIHVzZSBvZiBiZWFyZXIgdG9rZW5zIG92ZXIKICAgICAgICBI VFRQLzEuMSA8YSBjbGFzcz0naW5mbycgaHJlZj0nI0ktRC5pZXRmLWh0dHBiaXMtcDEtbWVzc2Fn aW5nJz5bSSYjODIwOTtELmlldGYmIzgyMDk7aHR0cGJpcyYjODIwOTtwMSYjODIwOTttZXNzYWdp bmddPHNwYW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlz LCBKLiwgTW9ndWwsIEouLCBOaWVsc2VuLCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJl cm5lcnMtTGVlLCBULiwgTGFmb24sIFkuLCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4x LCBwYXJ0IDE6IFVSSXMsIENvbm5lY3Rpb25zLCBhbmQgTWVzc2FnZSBQYXJzaW5nLCZyZHF1bzsg T2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPgoJdXNpbmcKCVRMUyA8 YSBjbGFzcz0naW5mbycgaHJlZj0nI1JGQzUyNDYnPltSRkM1MjQ2XTxzcGFuPiAoPC9zcGFuPjxz cGFuIGNsYXNzPSdpbmZvJz5EaWVya3MsIFQuIGFuZCBFLiBSZXNjb3JsYSwgJmxkcXVvO1RoZSBU cmFuc3BvcnQgTGF5ZXIgU2VjdXJpdHkgKFRMUykgUHJvdG9jb2wgVmVyc2lvbiAxLjIsJnJkcXVv OyBBdWd1c3QmbmJzcDsyMDA4Ljwvc3Bhbj48c3Bhbj4pPC9zcGFuPjwvYT4gdG8gYWNjZXNzIHBy b3RlY3RlZCByZXNvdXJjZXMuCglUTFMgaXMgbWFuZGF0b3J5IHRvIGltcGxlbWVudAogICAgICAg IGFuZCB1c2Ugd2l0aCB0aGlzIHNwZWNpZmljYXRpb247IG90aGVyIHNwZWNpZmljYXRpb25zIG1h eQogICAgICAgIGV4dGVuZCB0aGlzIHNwZWNpZmljYXRpb24gZm9yIHVzZSB3aXRoIG90aGVyIHRy YW5zcG9ydAogICAgICAgIHByb3RvY29scy4KCVdoaWxlIGRlc2lnbmVkIGZvciB1c2Ugd2l0aCBh Y2Nlc3MgdG9rZW5zIHJlc3VsdGluZyBmcm9tCglPQXV0aCAyLjAgQXV0aG9yaXphdGlvbiA8YSBj bGFzcz0naW5mbycgaHJlZj0nI0ktRC5pZXRmLW9hdXRoLXYyJz5bSSYjODIwOTtELmlldGYmIzgy MDk7b2F1dGgmIzgyMDk7djJdPHNwYW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkhhbW1l ci1MYWhhdiwgRS4sIFJlY29yZG9uLCBELiwgYW5kIEQuIEhhcmR0LCAmbGRxdW87VGhlIE9BdXRo IDIuMCBBdXRob3JpemF0aW9uIFByb3RvY29sLCZyZHF1bzsgU2VwdGVtYmVyJm5ic3A7MjAxMS48 L3NwYW4+PHNwYW4+KTwvc3Bhbj48L2E+CglmbG93cyB0byBhY2Nlc3MgT0F1dGggcHJvdGVjdGVk IHJlc291cmNlcywgdGhpcwoJc3BlY2lmaWNhdGlvbiBhY3R1YWxseSBkZWZpbmVzIGEgZ2VuZXJh bCBIVFRQIGF1dGhvcml6YXRpb24KCW1ldGhvZCB0aGF0IGNhbiBiZSB1c2VkIHdpdGggYmVhcmVy IHRva2VucyBmcm9tIGFueSBzb3VyY2UKCXRvIGFjY2VzcyBhbnkgcmVzb3VyY2VzIHByb3RlY3Rl ZCBieSB0aG9zZSBiZWFyZXIgdG9rZW5zLgogICAgICAKPC9wPgo8YSBuYW1lPSJhbmNob3IyIj48 L2E+PGJyIC8+PGhyIC8+Cjx0YWJsZSBzdW1tYXJ5PSJsYXlvdXQiIGNlbGxwYWRkaW5nPSIwIiBj ZWxsc3BhY2luZz0iMiIgY2xhc3M9IlRPQ2J1ZyIgYWxpZ249InJpZ2h0Ij48dHI+PHRkIGNsYXNz PSJUT0NidWciPjxhIGhyZWY9IiN0b2MiPiZuYnNwO1RPQyZuYnNwOzwvYT48L3RkPjwvdHI+PC90 YWJsZT4KPGEgbmFtZT0icmZjLnNlY3Rpb24uMS4xIj48L2E+PGgzPjEuMS4mbmJzcDsKTm90YXRp b25hbCBDb252ZW50aW9uczwvaDM+Cgo8cD4KICAgICAgICAgIFRoZSBrZXkgd29yZHMgJ01VU1Qn LCAnTVVTVCBOT1QnLCAnUkVRVUlSRUQnLCAnU0hBTEwnLCAnU0hBTEwgTk9UJywgJ1NIT1VMRCcs ICdTSE9VTEQKICAgICAgICAgIE5PVCcsICdSRUNPTU1FTkRFRCcsICdNQVknLCBhbmQgJ09QVElP TkFMJyBpbiB0aGlzIGRvY3VtZW50IGFyZSB0byBiZSBpbnRlcnByZXRlZCBhcwogICAgICAgICAg ZGVzY3JpYmVkIGluCgkgIEtleSB3b3JkcyBmb3IgdXNlIGluIFJGQ3MgdG8gSW5kaWNhdGUgUmVx dWlyZW1lbnQgTGV2ZWxzIDxhIGNsYXNzPSdpbmZvJyBocmVmPScjUkZDMjExOSc+W1JGQzIxMTld PHNwYW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkJyYWRuZXIsIFMuLCAmbGRxdW87S2V5 IHdvcmRzIGZvciB1c2UgaW4gUkZDcyB0byBJbmRpY2F0ZSBSZXF1aXJlbWVudCBMZXZlbHMsJnJk cXVvOyBNYXJjaCZuYnNwOzE5OTcuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KICAgICAgICAK PC9wPgo8cD4KICAgICAgICAgIFRoaXMgZG9jdW1lbnQgdXNlcyB0aGUgQXVnbWVudGVkIEJhY2t1 cy1OYXVyIEZvcm0gKEFCTkYpCiAgICAgICAgICBub3RhdGlvbiBvZgoJICBIVFRQLzEuMSwgUGFy dCAxIDxhIGNsYXNzPSdpbmZvJyBocmVmPScjSS1ELmlldGYtaHR0cGJpcy1wMS1tZXNzYWdpbmcn PltJJiM4MjA5O0QuaWV0ZiYjODIwOTtodHRwYmlzJiM4MjA5O3AxJiM4MjA5O21lc3NhZ2luZ108 c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+RmllbGRpbmcsIFIuLCBHZXR0eXMsIEou LCBNb2d1bCwgSi4sIE5pZWxzZW4sIEguLCBNYXNpbnRlciwgTC4sIExlYWNoLCBQLiwgQmVybmVy cy1MZWUsIFQuLCBMYWZvbiwgWS4sIGFuZCBKLiBSZXNjaGtlLCAmbGRxdW87SFRUUC8xLjEsIHBh cnQgMTogVVJJcywgQ29ubmVjdGlvbnMsIGFuZCBNZXNzYWdlIFBhcnNpbmcsJnJkcXVvOyBPY3Rv YmVyJm5ic3A7MjAxMS48L3NwYW4+PHNwYW4+KTwvc3Bhbj48L2E+LAogICAgICAgICAgd2hpY2gg aXMgYmFzZWQgdXBvbiB0aGUKCSAgQXVnbWVudGVkIEJhY2t1cy1OYXVyIEZvcm0gKEFCTkYpIDxh IGNsYXNzPSdpbmZvJyBocmVmPScjUkZDNTIzNCc+W1JGQzUyMzRdPHNwYW4+ICg8L3NwYW4+PHNw YW4gY2xhc3M9J2luZm8nPkNyb2NrZXIsIEQuIGFuZCBQLiBPdmVyZWxsLCAmbGRxdW87QXVnbWVu dGVkIEJORiBmb3IgU3ludGF4IFNwZWNpZmljYXRpb25zOiBBQk5GLCZyZHF1bzsgSmFudWFyeSZu YnNwOzIwMDguPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPgoJICBub3RhdGlvbi4gIEFkZGl0aW9u YWxseSwgdGhlIGZvbGxvd2luZyBydWxlcyBhcmUgaW5jbHVkZWQgZnJvbQoJICBIVFRQLzEuMSwg UGFydCA3IDxhIGNsYXNzPSdpbmZvJyBocmVmPScjSS1ELmlldGYtaHR0cGJpcy1wNy1hdXRoJz5b SSYjODIwOTtELmlldGYmIzgyMDk7aHR0cGJpcyYjODIwOTtwNyYjODIwOTthdXRoXTxzcGFuPiAo PC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZvJz5GaWVsZGluZywgUi4sIEdldHR5cywgSi4sIE1vZ3Vs LCBKLiwgTmllbHNlbiwgSC4sIE1hc2ludGVyLCBMLiwgTGVhY2gsIFAuLCBCZXJuZXJzLUxlZSwg VC4sIExhZm9uLCBZLiwgYW5kIEouIFJlc2Noa2UsICZsZHF1bztIVFRQLzEuMSwgcGFydCA3OiBB dXRoZW50aWNhdGlvbiwmcmRxdW87IE9jdG9iZXImbmJzcDsyMDExLjwvc3Bhbj48c3Bhbj4pPC9z cGFuPjwvYT46CgkgIGI2NHRva2VuLCBhdXRoLXBhcmFtLCBhbmQgcmVhbG07IGZyb20KCSAgSFRU UC8xLjEsIFBhcnQgMSA8YSBjbGFzcz0naW5mbycgaHJlZj0nI0ktRC5pZXRmLWh0dHBiaXMtcDEt bWVzc2FnaW5nJz5bSSYjODIwOTtELmlldGYmIzgyMDk7aHR0cGJpcyYjODIwOTtwMSYjODIwOTtt ZXNzYWdpbmddPHNwYW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwg R2V0dHlzLCBKLiwgTW9ndWwsIEouLCBOaWVsc2VuLCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwg UC4sIEJlcm5lcnMtTGVlLCBULiwgTGFmb24sIFkuLCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hU VFAvMS4xLCBwYXJ0IDE6IFVSSXMsIENvbm5lY3Rpb25zLCBhbmQgTWVzc2FnZSBQYXJzaW5nLCZy ZHF1bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPjoKCSAgcXVv dGVkLXN0cmluZzsgYW5kIGZyb20KCSAgVW5pZm9ybSBSZXNvdXJjZSBJZGVudGlmaWVyIChVUkkp IDxhIGNsYXNzPSdpbmZvJyBocmVmPScjUkZDMzk4Nic+W1JGQzM5ODZdPHNwYW4+ICg8L3NwYW4+ PHNwYW4gY2xhc3M9J2luZm8nPkJlcm5lcnMtTGVlLCBULiwgRmllbGRpbmcsIFIuLCBhbmQgTC4g TWFzaW50ZXIsICZsZHF1bztVbmlmb3JtIFJlc291cmNlIElkZW50aWZpZXIgKFVSSSk6IEdlbmVy aWMgU3ludGF4LCZyZHF1bzsgSmFudWFyeSZuYnNwOzIwMDUuPC9zcGFuPjxzcGFuPik8L3NwYW4+ PC9hPjoKCSAgVVJJLVJlZmVyZW5jZS4KICAgICAgICAKPC9wPgo8cD4KICAgICAgICAgIFVubGVz cyBvdGhlcndpc2Ugbm90ZWQsIGFsbCB0aGUgcHJvdG9jb2wgcGFyYW1ldGVyIG5hbWVzIGFuZCB2 YWx1ZXMgYXJlIGNhc2Ugc2Vuc2l0aXZlLgogICAgICAgIAo8L3A+CjxhIG5hbWU9ImFuY2hvcjMi PjwvYT48YnIgLz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRpbmc9IjAi IGNlbGxzcGFjaW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48dGQgY2xh c3M9IlRPQ2J1ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+PC90cj48 L3RhYmxlPgo8YSBuYW1lPSJyZmMuc2VjdGlvbi4xLjIiPjwvYT48aDM+MS4yLiZuYnNwOwpUZXJt aW5vbG9neTwvaDM+Cgo8cD4KICAgICAgICAgIDwvcD4KPGJsb2NrcXVvdGUgY2xhc3M9InRleHQi PjxkbD4KPGR0PkJlYXJlciBUb2tlbjwvZHQ+CjxkZD4KICAgICAgICAgICAgICAKICAgICAgICAg ICAgICBBIHNlY3VyaXR5IHRva2VuIHdpdGggdGhlIHByb3BlcnR5IHRoYXQgYW55IHBhcnR5IGlu CiAgICAgICAgICAgICAgcG9zc2Vzc2lvbiBvZiB0aGUgdG9rZW4gKGEgImJlYXJlciIpIGNhbiB1 c2UgdGhlIHRva2VuCiAgICAgICAgICAgICAgaW4gYW55IHdheSB0aGF0IGFueSBvdGhlciBwYXJ0 eSBpbiBwb3NzZXNzaW9uIG9mIGl0IGNhbi4KICAgICAgICAgICAgICBVc2luZyBhIGJlYXJlciB0 b2tlbiBkb2VzIG5vdCByZXF1aXJlIGEgYmVhcmVyIHRvIHByb3ZlCiAgICAgICAgICAgICAgcG9z c2Vzc2lvbiBvZiBjcnlwdG9ncmFwaGljIGtleSBtYXRlcmlhbAogICAgICAgICAgICAgIChwcm9v Zi1vZi1wb3NzZXNzaW9uKS4KICAgICAgICAgICAgCjwvZGQ+CjwvZGw+PC9ibG9ja3F1b3RlPjxw PgogICAgICAgIAo8L3A+CjxwPgogICAgICAgICAgQWxsIG90aGVyIHRlcm1zIGFyZSBhcyBkZWZp bmVkIGluCgkgIE9BdXRoIDIuMCBBdXRob3JpemF0aW9uIDxhIGNsYXNzPSdpbmZvJyBocmVmPScj SS1ELmlldGYtb2F1dGgtdjInPltJJiM4MjA5O0QuaWV0ZiYjODIwOTtvYXV0aCYjODIwOTt2Ml08 c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+SGFtbWVyLUxhaGF2LCBFLiwgUmVjb3Jk b24sIEQuLCBhbmQgRC4gSGFyZHQsICZsZHF1bztUaGUgT0F1dGggMi4wIEF1dGhvcml6YXRpb24g UHJvdG9jb2wsJnJkcXVvOyBTZXB0ZW1iZXImbmJzcDsyMDExLjwvc3Bhbj48c3Bhbj4pPC9zcGFu PjwvYT4uCiAgICAgICAgCjwvcD4KPGEgbmFtZT0iYW5jaG9yNCI+PC9hPjxiciAvPjxociAvPgo8 dGFibGUgc3VtbWFyeT0ibGF5b3V0IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNs YXNzPSJUT0NidWciIGFsaWduPSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVm PSIjdG9jIj4mbmJzcDtUT0MmbmJzcDs8L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJm Yy5zZWN0aW9uLjEuMyI+PC9hPjxoMz4xLjMuJm5ic3A7Ck92ZXJ2aWV3PC9oMz4KCjxwPgogICAg ICAgICAgT0F1dGggcHJvdmlkZXMgYSBtZXRob2QgZm9yIGNsaWVudHMgdG8gYWNjZXNzIGEgcHJv dGVjdGVkIHJlc291cmNlIG9uIGJlaGFsZiBvZiBhCiAgICAgICAgICByZXNvdXJjZSBvd25lci4g SW4gdGhlIGdlbmVyYWwgY2FzZSwKCSAgYmVmb3JlIGEgY2xpZW50IGNhbiBhY2Nlc3MgYSBwcm90 ZWN0ZWQgcmVzb3VyY2UsIGl0IG11c3QgZmlyc3Qgb2J0YWluCiAgICAgICAgICBhbiBhdXRob3Jp emF0aW9uIGdyYW50IGZyb20gdGhlIHJlc291cmNlIG93bmVyIGFuZCB0aGVuIGV4Y2hhbmdlIHRo ZSBhdXRob3JpemF0aW9uIGdyYW50IGZvcgogICAgICAgICAgYW4gYWNjZXNzIHRva2VuLgoJICBU aGUgYWNjZXNzIHRva2VuIHJlcHJlc2VudHMgdGhlIGdyYW50J3Mgc2NvcGUsIGR1cmF0aW9uLCBh bmQKCSAgb3RoZXIgYXR0cmlidXRlcyBncmFudGVkIGJ5IHRoZSBhdXRob3JpemF0aW9uIGdyYW50 LiBUaGUKCSAgY2xpZW50IGFjY2Vzc2VzIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UgYnkgcHJlc2Vu dGluZyB0aGUKCSAgYWNjZXNzIHRva2VuIHRvIHRoZSByZXNvdXJjZSBzZXJ2ZXIuCgkgIEluIHNv bWUgY2FzZXMsIGEgY2xpZW50IGNhbiBkaXJlY3RseSBwcmVzZW50IGl0cyBvd24KCSAgY3JlZGVu dGlhbHMgdG8gYW4gYXV0aG9yaXphdGlvbiBzZXJ2ZXIgdG8gb2J0YWluIGFuIGFjY2VzcwoJICB0 b2tlbiB3aXRob3V0IGhhdmluZyB0byBmaXJzdCBvYnRhaW4gYW4gYXV0aG9yaXphdGlvbiBncmFu dCBmcm9tIGEKCSAgcmVzb3VyY2Ugb3duZXIuCiAgICAgICAgCjwvcD4KPHA+CiAgICAgICAgICBU aGUgYWNjZXNzIHRva2VuIHByb3ZpZGVzIGFuIGFic3RyYWN0aW9uLCByZXBsYWNpbmcgZGlmZmVy ZW50IGF1dGhvcml6YXRpb24KICAgICAgICAgIGNvbnN0cnVjdHMgKGUuZy4gdXNlcm5hbWUgYW5k IHBhc3N3b3JkLCBhc3NlcnRpb24pIGZvciBhIHNpbmdsZSB0b2tlbiB1bmRlcnN0b29kIGJ5IHRo ZQogICAgICAgICAgcmVzb3VyY2Ugc2VydmVyLiBUaGlzIGFic3RyYWN0aW9uIGVuYWJsZXMgaXNz dWluZyBhY2Nlc3MgdG9rZW5zIHZhbGlkIGZvciBhIHNob3J0IHRpbWUKICAgICAgICAgIHBlcmlv ZCwgYXMgd2VsbCBhcyByZW1vdmluZyB0aGUgcmVzb3VyY2Ugc2VydmVyJ3MgbmVlZCB0byB1bmRl cnN0YW5kIGEgd2lkZSByYW5nZSBvZgogICAgICAgICAgYXV0aGVudGljYXRpb24gc2NoZW1lcy4K ICAgICAgICAKPC9wPjxiciAvPjxociBjbGFzcz0iaW5zZXJ0IiAvPgo8YSBuYW1lPSJGaWd1cmUt MSI+PC9hPgo8ZGl2IHN0eWxlPSdkaXNwbGF5OiB0YWJsZTsgd2lkdGg6IDA7IG1hcmdpbi1sZWZ0 OiAzZW07IG1hcmdpbi1yaWdodDogYXV0byc+PHByZT4KKy0tLS0tLS0tKyAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICArLS0tLS0tLS0tLS0tLS0tKwp8ICAgICAgICB8LS0oQSktIEF1dGhv cml6YXRpb24gUmVxdWVzdCAtJmd0O3wgICBSZXNvdXJjZSAgICB8CnwgICAgICAgIHwgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgfCAgICAgT3duZXIgICAgIHwKfCAgICAgICAgfCZsdDst KEIpLS0gQXV0aG9yaXphdGlvbiBHcmFudCAtLS18ICAgICAgICAgICAgICAgfAp8ICAgICAgICB8 ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICstLS0tLS0tLS0tLS0tLS0rCnwgICAgICAg IHwKfCAgICAgICAgfCAgICAgICAgQXV0aG9yaXphdGlvbiBHcmFudCAmYW1wOyAgKy0tLS0tLS0t LS0tLS0tLSsKfCAgICAgICAgfC0tKEMpLS0tIENsaWVudCBDcmVkZW50aWFscyAtLSZndDt8IEF1 dGhvcml6YXRpb24gfAp8IENsaWVudCB8ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwg ICAgIFNlcnZlciAgICB8CnwgICAgICAgIHwmbHQ7LShEKS0tLS0tIEFjY2VzcyBUb2tlbiAtLS0t LS0tfCAgICAgICAgICAgICAgIHwKfCAgICAgICAgfCAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICArLS0tLS0tLS0tLS0tLS0tKwp8ICAgICAgICB8CnwgICAgICAgIHwgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgKy0tLS0tLS0tLS0tLS0tLSsKfCAgICAgICAgfC0tKEUpLS0tLS0g QWNjZXNzIFRva2VuIC0tLS0tLSZndDt8ICAgIFJlc291cmNlICAgfAp8ICAgICAgICB8ICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIHwgICAgIFNlcnZlciAgICB8CnwgICAgICAgIHwmbHQ7 LShGKS0tLSBQcm90ZWN0ZWQgUmVzb3VyY2UgLS0tfCAgICAgICAgICAgICAgIHwKKy0tLS0tLS0t KyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICArLS0tLS0tLS0tLS0tLS0tKwo8L3ByZT48 L2Rpdj48dGFibGUgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGFs aWduPSJjZW50ZXIiPjx0cj48dGQgYWxpZ249ImNlbnRlciI+PGZvbnQgZmFjZT0ibW9uYWNvLCBN UyBTYW5zIFNlcmlmIiBzaXplPSIxIj48Yj4mbmJzcDtGaWd1cmUmbmJzcDsxOiBBYnN0cmFjdCBQ cm90b2NvbCBGbG93Jm5ic3A7PC9iPjwvZm9udD48YnIgLz48L3RkPjwvdHI+PC90YWJsZT48aHIg Y2xhc3M9Imluc2VydCIgLz4KCjxwPgogICAgICAgICAgVGhlIGFic3RyYWN0IGZsb3cgaWxsdXN0 cmF0ZWQgaW4gPGEgY2xhc3M9J2luZm8nIGhyZWY9JyNGaWd1cmUtMSc+RmlndXJlJm5ic3A7MTxz cGFuPiAoPC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZvJz5BYnN0cmFjdCBQcm90b2NvbCBGbG93PC9z cGFuPjxzcGFuPik8L3NwYW4+PC9hPiBkZXNjcmliZXMgdGhlIG92ZXJhbGwKICAgICAgICAgIE9B dXRoIDIuMCBwcm90b2NvbCBhcmNoaXRlY3R1cmUuIFRoZSBmb2xsb3dpbmcgc3RlcHMgYXJlIHNw ZWNpZmllZCB3aXRoaW4gdGhpcwogICAgICAgICAgZG9jdW1lbnQ6CgogICAgICAgICAgPC9wPgo8 YmxvY2txdW90ZSBjbGFzcz0idGV4dCI+CjxwPgogICAgICAgICAgICAgIEUpIFRoZSBjbGllbnQg bWFrZXMgYSBwcm90ZWN0ZWQgcmVzb3VyY2UgcmVxdWVzdCB0byB0aGUgcmVzb3VyY2Ugc2VydmVy IGJ5IHByZXNlbnRpbmcKICAgICAgICAgICAgICB0aGUgYWNjZXNzIHRva2VuLgogICAgICAgICAg ICAKPC9wPgo8cD4KICAgICAgICAgICAgICBGKSBUaGUgcmVzb3VyY2Ugc2VydmVyIHZhbGlkYXRl cyB0aGUgYWNjZXNzIHRva2VuLCBhbmQgaWYgdmFsaWQsIHNlcnZlcyB0aGUgcmVxdWVzdC4KICAg ICAgICAgICAgCjwvcD4KPC9ibG9ja3F1b3RlPjxwPgogICAgICAgIAo8L3A+CjxhIG5hbWU9ImFu Y2hvcjUiPjwvYT48YnIgLz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRp bmc9IjAiIGNlbGxzcGFjaW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48 dGQgY2xhc3M9IlRPQ2J1ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+ PC90cj48L3RhYmxlPgo8YSBuYW1lPSJyZmMuc2VjdGlvbi4yIj48L2E+PGgzPjIuJm5ic3A7CkF1 dGhlbnRpY2F0ZWQgUmVxdWVzdHM8L2gzPgoKPHA+CglUaGlzIHNlY3Rpb24gZGVmaW5lcyB0aHJl ZQoJbWV0aG9kcyBvZiBzZW5kaW5nIGJlYXJlciBhY2Nlc3MgdG9rZW5zIGluIHJlc291cmNlIHJl cXVlc3RzCgl0byByZXNvdXJjZSBzZXJ2ZXJzLiAgQ2xpZW50cyBNVVNUIE5PVCB1c2UgbW9yZSB0 aGFuIG9uZQoJbWV0aG9kIHRvIHRyYW5zbWl0IHRoZSB0b2tlbiBpbiBlYWNoIHJlcXVlc3QuCiAg ICAgIAo8L3A+CjxhIG5hbWU9ImF1dGh6LWhlYWRlciI+PC9hPjxiciAvPjxociAvPgo8dGFibGUg c3VtbWFyeT0ibGF5b3V0IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJU T0NidWciIGFsaWduPSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9j Ij4mbmJzcDtUT0MmbmJzcDs8L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0 aW9uLjIuMSI+PC9hPjxoMz4yLjEuJm5ic3A7CkF1dGhvcml6YXRpb24gUmVxdWVzdCBIZWFkZXIg RmllbGQ8L2gzPgoKPHA+CgkgIFdoZW4gc2VuZGluZyB0aGUgYWNjZXNzIHRva2VuIGluIHRoZSA8 dHQ+QXV0aG9yaXphdGlvbjwvdHQ+IHJlcXVlc3QgaGVhZGVyIGZpZWxkCgkgIGRlZmluZWQgYnkK CSAgSFRUUC8xLjEsIFBhcnQgNyA8YSBjbGFzcz0naW5mbycgaHJlZj0nI0ktRC5pZXRmLWh0dHBi aXMtcDctYXV0aCc+W0kmIzgyMDk7RC5pZXRmJiM4MjA5O2h0dHBiaXMmIzgyMDk7cDcmIzgyMDk7 YXV0aF08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+RmllbGRpbmcsIFIuLCBHZXR0 eXMsIEouLCBNb2d1bCwgSi4sIE5pZWxzZW4sIEguLCBNYXNpbnRlciwgTC4sIExlYWNoLCBQLiwg QmVybmVycy1MZWUsIFQuLCBMYWZvbiwgWS4sIGFuZCBKLiBSZXNjaGtlLCAmbGRxdW87SFRUUC8x LjEsIHBhcnQgNzogQXV0aGVudGljYXRpb24sJnJkcXVvOyBPY3RvYmVyJm5ic3A7MjAxMS48L3Nw YW4+PHNwYW4+KTwvc3Bhbj48L2E+LAoJICB0aGUKCSAgY2xpZW50IHVzZXMgdGhlIDx0dD5CZWFy ZXI8L3R0PgoJICBhdXRoZW50aWNhdGlvbiBzY2hlbWUgdG8gdHJhbnNtaXQgdGhlIGFjY2VzcyB0 b2tlbi4KICAgICAgICAKPC9wPgo8cD4KICAgICAgICAgICAgRm9yIGV4YW1wbGU6CiAgICAgICAg ICAKPC9wPjxkaXYgc3R5bGU9J2Rpc3BsYXk6IHRhYmxlOyB3aWR0aDogMDsgbWFyZ2luLWxlZnQ6 IDNlbTsgbWFyZ2luLXJpZ2h0OiBhdXRvJz48cHJlPgpHRVQgL3Jlc291cmNlIEhUVFAvMS4xCkhv c3Q6IHNlcnZlci5leGFtcGxlLmNvbQpBdXRob3JpemF0aW9uOiBCZWFyZXIgdkY5ZGZ0NHFtVAo8 L3ByZT48L2Rpdj4KPHA+CiAgICAgICAgICBUaGUgPHR0PkF1dGhvcml6YXRpb248L3R0PiBoZWFk ZXIgZmllbGQgdXNlcyB0aGUgZnJhbWV3b3JrIGRlZmluZWQgYnkKICAgICAgICAgIEhUVFAvMS4x LCBQYXJ0IDcgPGEgY2xhc3M9J2luZm8nIGhyZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgn PltJJiM4MjA5O0QuaWV0ZiYjODIwOTtodHRwYmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNwYW4+ ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwgTW9n dWwsIEouLCBOaWVsc2VuLCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMtTGVl LCBULiwgTGFmb24sIFkuLCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0IDc6 IEF1dGhlbnRpY2F0aW9uLCZyZHF1bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8 L3NwYW4+PC9hPgoJICBhcyBmb2xsb3dzOgogICAgICAgIAo8L3A+PGRpdiBzdHlsZT0nZGlzcGxh eTogdGFibGU7IHdpZHRoOiAwOyBtYXJnaW4tbGVmdDogM2VtOyBtYXJnaW4tcmlnaHQ6IGF1dG8n PjxwcmU+CmNyZWRlbnRpYWxzID0gIkJlYXJlciIgMSpTUCBiNjR0b2tlbgo8L3ByZT48L2Rpdj4K PHA+CgkgIFRoZSBiNjR0b2tlbiBzeW50YXggd2FzIGNob3NlbiBvdmVyIHRoZSBhbHRlcm5hdGl2 ZQoJICAjYXV0aC1wYXJhbSBzeW50YXggYWxzbyBkZWZpbmVkIGJ5CgkgIEhUVFAvMS4xLCBQYXJ0 IDcgPGEgY2xhc3M9J2luZm8nIGhyZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgnPltJJiM4 MjA5O0QuaWV0ZiYjODIwOTtodHRwYmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNwYW4+ICg8L3Nw YW4+PHNwYW4gY2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwgTW9ndWwsIEou LCBOaWVsc2VuLCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMtTGVlLCBULiwg TGFmb24sIFkuLCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0IDc6IEF1dGhl bnRpY2F0aW9uLCZyZHF1bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+ PC9hPgoJICBib3RoIGZvciBzaW1wbGljaXR5CgkgIGFuZCBmb3IgY29tcGF0aWJpbGl0eSB3aXRo IGV4aXN0aW5nIGltcGxlbWVudGF0aW9ucy4KCSAgSWYgYWRkaXRpb25hbCBwYXJhbWV0ZXJzIGFy ZSBuZWVkZWQgaW4gdGhlIGZ1dHVyZSwgYQoJICBkaWZmZXJlbnQgc2NoZW1lIHdvdWxkIG5lZWQg dG8gYmUgZGVmaW5lZC4KCQo8L3A+CjxwPgoJICBDbGllbnRzIFNIT1VMRCBtYWtlIGF1dGhlbnRp Y2F0ZWQgcmVxdWVzdHMgd2l0aCBhIGJlYXJlcgoJICB0b2tlbiB1c2luZyB0aGUgPHR0PkF1dGhv cml6YXRpb248L3R0PgoJICByZXF1ZXN0IGhlYWRlciBmaWVsZCB3aXRoIHRoZSA8dHQ+QmVhcmVy PC90dD4gSFRUUCBhdXRob3JpemF0aW9uIHNjaGVtZS4KCSAgUmVzb3VyY2Ugc2VydmVycyBNVVNU IHN1cHBvcnQgdGhpcyBtZXRob2QuCgkKPC9wPgo8YSBuYW1lPSJib2R5LXBhcmFtIj48L2E+PGJy IC8+PGhyIC8+Cjx0YWJsZSBzdW1tYXJ5PSJsYXlvdXQiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3Bh Y2luZz0iMiIgY2xhc3M9IlRPQ2J1ZyIgYWxpZ249InJpZ2h0Ij48dHI+PHRkIGNsYXNzPSJUT0Ni dWciPjxhIGhyZWY9IiN0b2MiPiZuYnNwO1RPQyZuYnNwOzwvYT48L3RkPjwvdHI+PC90YWJsZT4K PGEgbmFtZT0icmZjLnNlY3Rpb24uMi4yIj48L2E+PGgzPjIuMi4mbmJzcDsKRm9ybS1FbmNvZGVk IEJvZHkgUGFyYW1ldGVyPC9oMz4KCjxwPgogICAgICAgICAgV2hlbiBzZW5kaW5nIHRoZSBhY2Nl c3MgdG9rZW4gaW4gdGhlIEhUVFAgcmVxdWVzdAogICAgICAgICAgZW50aXR5LWJvZHksIHRoZSBj bGllbnQgYWRkcyB0aGUgYWNjZXNzIHRva2VuIHRvIHRoZSByZXF1ZXN0CiAgICAgICAgICBib2R5 IHVzaW5nIHRoZSA8dHQ+YWNjZXNzX3Rva2VuPC90dD4KICAgICAgICAgIHBhcmFtZXRlci4gIFRo ZSBjbGllbnQgTVVTVCBOT1QgdXNlIHRoaXMgbWV0aG9kIHVubGVzcwoJICBhbGwgb2YgdGhlIGZv bGxvd2luZyBjb25kaXRpb25zIGFyZSBtZXQ6CiAgICAgICAgICA8L3A+Cjx1bCBjbGFzcz0idGV4 dCI+CjxsaT4KICAgICAgICAgICAgICBUaGUgSFRUUCByZXF1ZXN0IGVudGl0eS1ib2R5IGlzIHNp bmdsZS1wYXJ0LgogICAgICAgICAgICAKPC9saT4KPGxpPgogICAgICAgICAgICAgIFRoZSBlbnRp dHktYm9keSBmb2xsb3dzIHRoZSBlbmNvZGluZyByZXF1aXJlbWVudHMgb2YgdGhlCiAgICAgICAg ICAgICAgPHR0PmFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDwvdHQ+IGNvbnRlbnQt dHlwZSBhcwogICAgICAgICAgICAgIGRlZmluZWQgYnkKCSAgICAgIEhUTUwgNC4wMSA8YSBjbGFz cz0naW5mbycgaHJlZj0nI1czQy5SRUMtaHRtbDQwMS0xOTk5MTIyNCc+W1czQy5SRUMmIzgyMDk7 aHRtbDQwMSYjODIwOTsxOTk5MTIyNF08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+ SmFjb2JzLCBJLiwgUmFnZ2V0dCwgRC4sIGFuZCBBLiBIb3JzLCAmbGRxdW87SFRNTCA0LjAxIFNw ZWNpZmljYXRpb24sJnJkcXVvOyBEZWNlbWJlciZuYnNwOzE5OTkuPC9zcGFuPjxzcGFuPik8L3Nw YW4+PC9hPi4KICAgICAgICAgICAgCjwvbGk+CjxsaT4KICAgICAgICAgICAgICBUaGUgSFRUUCBy ZXF1ZXN0IGVudGl0eS1oZWFkZXIgaW5jbHVkZXMgdGhlIDx0dD5Db250ZW50LVR5cGU8L3R0Pgog ICAgICAgICAgICAgIGhlYWRlciBmaWVsZCBzZXQgdG8gPHR0PmFwcGxpY2F0aW9uL3gtd3d3LWZv cm0tdXJsZW5jb2RlZDwvdHQ+LgogICAgICAgICAgICAKPC9saT4KPGxpPgogICAgICAgICAgICAg IFRoZSBIVFRQIHJlcXVlc3QgbWV0aG9kIGlzIG9uZSBmb3Igd2hpY2ggdGhlIHJlcXVlc3QKICAg ICAgICAgICAgICBib2R5IGhhcyBkZWZpbmVkIHNlbWFudGljcy4gIEluIHBhcnRpY3VsYXIsCiAg ICAgICAgICAgICAgdGhpcyBtZWFucyB0aGF0IHRoZSA8dHQ+R0VUPC90dD4KICAgICAgICAgICAg ICBtZXRob2QgTVVTVCBOT1QgYmUgdXNlZC4KICAgICAgICAgICAgCjwvbGk+CjxsaT4KCSAgICAg IFRoZSBjb250ZW50IHRvIGJlIGVuY29kZWQgaW4gdGhlIGVudGl0eS1ib2R5IE1VU1QKCSAgICAg IGNvbnNpc3QgZW50aXJlbHkgb2YgQVNDSUkgY2hhcmFjdGVycy4KCSAgICAKPC9saT4KPC91bD48 cD4KICAgICAgICAKPC9wPgo8cD4KICAgICAgICAgIFRoZSBlbnRpdHktYm9keSBNQVkgaW5jbHVk ZSBvdGhlciByZXF1ZXN0LXNwZWNpZmljCiAgICAgICAgICBwYXJhbWV0ZXJzLCBpbiB3aGljaCBj YXNlLCB0aGUgPHR0PmFjY2Vzc190b2tlbjwvdHQ+IHBhcmFtZXRlciBNVVNUIGJlIHByb3Blcmx5 CiAgICAgICAgICBzZXBhcmF0ZWQgZnJvbSB0aGUgcmVxdWVzdC1zcGVjaWZpYyBwYXJhbWV0ZXJz IHVzaW5nIDx0dD4mYW1wOzwvdHQ+IGNoYXJhY3RlcihzKSAoQVNDSUkgY29kZSAzOCkuCiAgICAg ICAgCjwvcD4KPHA+CiAgICAgICAgICAgIEZvciBleGFtcGxlLCB0aGUgY2xpZW50IG1ha2VzIHRo ZSBmb2xsb3dpbmcgSFRUUCByZXF1ZXN0IHVzaW5nIHRyYW5zcG9ydC1sYXllcgogICAgICAgICAg ICBzZWN1cml0eToKICAgICAgICAgIAo8L3A+PGRpdiBzdHlsZT0nZGlzcGxheTogdGFibGU7IHdp ZHRoOiAwOyBtYXJnaW4tbGVmdDogM2VtOyBtYXJnaW4tcmlnaHQ6IGF1dG8nPjxwcmU+ClBPU1Qg L3Jlc291cmNlIEhUVFAvMS4xCkhvc3Q6IHNlcnZlci5leGFtcGxlLmNvbQpDb250ZW50LVR5cGU6 IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAoKYWNjZXNzX3Rva2VuPXZGOWRmdDRx bVQKPC9wcmU+PC9kaXY+CjxwPgoJICBUaGUgPHR0PmFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJs ZW5jb2RlZDwvdHQ+CgkgIG1ldGhvZCBTSE9VTEQgTk9UIGJlIHVzZWQgZXhjZXB0IGluIGFwcGxp Y2F0aW9uIGNvbnRleHRzCgkgIHdoZXJlIHBhcnRpY2lwYXRpbmcgYnJvd3NlcnMgZG8gbm90IGhh dmUgYWNjZXNzIHRvIHRoZQoJICA8dHQ+QXV0aG9yaXphdGlvbjwvdHQ+IHJlcXVlc3QgaGVhZGVy CgkgIGZpZWxkLiAgUmVzb3VyY2Ugc2VydmVycyBNQVkgc3VwcG9ydCB0aGlzIG1ldGhvZC4KCQo8 L3A+CjxhIG5hbWU9InF1ZXJ5LXBhcmFtIj48L2E+PGJyIC8+PGhyIC8+Cjx0YWJsZSBzdW1tYXJ5 PSJsYXlvdXQiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMiIgY2xhc3M9IlRPQ2J1ZyIg YWxpZ249InJpZ2h0Ij48dHI+PHRkIGNsYXNzPSJUT0NidWciPjxhIGhyZWY9IiN0b2MiPiZuYnNw O1RPQyZuYnNwOzwvYT48L3RkPjwvdHI+PC90YWJsZT4KPGEgbmFtZT0icmZjLnNlY3Rpb24uMi4z Ij48L2E+PGgzPjIuMy4mbmJzcDsKVVJJIFF1ZXJ5IFBhcmFtZXRlcjwvaDM+Cgo8cD4KICAgICAg ICAgIFdoZW4gc2VuZGluZyB0aGUgYWNjZXNzIHRva2VuIGluIHRoZSBIVFRQIHJlcXVlc3QgVVJJ LCB0aGUgY2xpZW50IGFkZHMgdGhlIGFjY2VzcwogICAgICAgICAgdG9rZW4gdG8gdGhlIHJlcXVl c3QgVVJJIHF1ZXJ5IGNvbXBvbmVudCBhcyBkZWZpbmVkIGJ5CgkgIFVuaWZvcm0gUmVzb3VyY2Ug SWRlbnRpZmllciAoVVJJKSA8YSBjbGFzcz0naW5mbycgaHJlZj0nI1JGQzM5ODYnPltSRkMzOTg2 XTxzcGFuPiAoPC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZvJz5CZXJuZXJzLUxlZSwgVC4sIEZpZWxk aW5nLCBSLiwgYW5kIEwuIE1hc2ludGVyLCAmbGRxdW87VW5pZm9ybSBSZXNvdXJjZSBJZGVudGlm aWVyIChVUkkpOiBHZW5lcmljIFN5bnRheCwmcmRxdW87IEphbnVhcnkmbmJzcDsyMDA1Ljwvc3Bh bj48c3Bhbj4pPC9zcGFuPjwvYT4KCSAgdXNpbmcKICAgICAgICAgIHRoZSA8dHQ+YWNjZXNzX3Rv a2VuPC90dD4gcGFyYW1ldGVyLgogICAgICAgIAo8L3A+CjxwPgogICAgICAgICAgICBGb3IgZXhh bXBsZSwgdGhlIGNsaWVudCBtYWtlcyB0aGUgZm9sbG93aW5nIEhUVFAgcmVxdWVzdCB1c2luZyB0 cmFuc3BvcnQtbGF5ZXIKICAgICAgICAgICAgc2VjdXJpdHk6CiAgICAgICAgICAKPC9wPjxkaXYg c3R5bGU9J2Rpc3BsYXk6IHRhYmxlOyB3aWR0aDogMDsgbWFyZ2luLWxlZnQ6IDNlbTsgbWFyZ2lu LXJpZ2h0OiBhdXRvJz48cHJlPgpHRVQgL3Jlc291cmNlP2FjY2Vzc190b2tlbj12RjlkZnQ0cW1U IEhUVFAvMS4xCkhvc3Q6IHNlcnZlci5leGFtcGxlLmNvbQo8L3ByZT48L2Rpdj4KPHA+CiAgICAg ICAgICBUaGUgSFRUUCByZXF1ZXN0IFVSSSBxdWVyeSBjYW4gaW5jbHVkZSBvdGhlcgogICAgICAg ICAgcmVxdWVzdC1zcGVjaWZpYyBwYXJhbWV0ZXJzLCBpbiB3aGljaCBjYXNlLCB0aGUgPHR0PmFj Y2Vzc190b2tlbjwvdHQ+IHBhcmFtZXRlciBNVVNUIGJlIHByb3Blcmx5CiAgICAgICAgICBzZXBh cmF0ZWQgZnJvbSB0aGUgcmVxdWVzdC1zcGVjaWZpYyBwYXJhbWV0ZXJzIHVzaW5nIDx0dD4mYW1w OzwvdHQ+IGNoYXJhY3RlcihzKSAoQVNDSUkgY29kZSAzOCkuCiAgICAgICAgCjwvcD4KPHA+CiAg ICAgICAgICAgIEZvciBleGFtcGxlOgogICAgICAgICAgCjwvcD48ZGl2IHN0eWxlPSdkaXNwbGF5 OiB0YWJsZTsgd2lkdGg6IDA7IG1hcmdpbi1sZWZ0OiAzZW07IG1hcmdpbi1yaWdodDogYXV0byc+ PHByZT4KaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20vcmVzb3VyY2U/eD15JmFtcDthY2Nlc3Nf dG9rZW49dkY5ZGZ0NHFtVCZhbXA7cD1xCjwvcHJlPjwvZGl2Pgo8cD4KCSAgQmVjYXVzZSBvZiB0 aGUgc2VjdXJpdHkgd2Vha25lc3NlcyBhc3NvY2lhdGVkIHdpdGggdGhlIFVSSQoJICBtZXRob2Qg KHNlZSA8YSBjbGFzcz0naW5mbycgaHJlZj0nI3NlYy1jb24nPlNlY3Rpb24mbmJzcDs0PHNwYW4+ ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPlNlY3VyaXR5IENvbnNpZGVyYXRpb25zPC9zcGFu PjxzcGFuPik8L3NwYW4+PC9hPiksIGluY2x1ZGluZyB0aGUgaGlnaAoJICBsaWtlbGlob29kIHRo YXQgdGhlIFVSTCBjb250YWluaW5nIHRoZSBhY2Nlc3MgdG9rZW4gd2lsbCBiZQoJICBsb2dnZWQs IGl0IFNIT1VMRCBOT1QgYmUgdXNlZCB1bmxlc3MgaXQgaXMgaW1wb3NzaWJsZSB0bwoJICB0cmFu c3BvcnQgdGhlIGFjY2VzcyB0b2tlbiBpbiB0aGUgPHR0PkF1dGhvcml6YXRpb248L3R0PiByZXF1 ZXN0IGhlYWRlciBmaWVsZCBvcgoJICB0aGUgSFRUUCByZXF1ZXN0IGVudGl0eS1ib2R5LiAgUmVz b3VyY2Ugc2VydmVycyBNQVkgc3VwcG9ydAoJICB0aGlzIG1ldGhvZC4KCQo8L3A+CjxhIG5hbWU9 ImF1dGhuLWhlYWRlciI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5b3V0IiBj ZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWduPSJyaWdo dCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0MmbmJzcDs8 L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLjMiPjwvYT48aDM+My4m bmJzcDsKVGhlIFdXVy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVyIEZpZWxkPC9oMz4KCjxw PgoJSWYgdGhlIHByb3RlY3RlZCByZXNvdXJjZSByZXF1ZXN0IGRvZXMgbm90IGluY2x1ZGUKCWF1 dGhlbnRpY2F0aW9uIGNyZWRlbnRpYWxzIG9yIGRvZXMgbm90IGNvbnRhaW4gYW4gYWNjZXNzCgl0 b2tlbiB0aGF0IGVuYWJsZXMgYWNjZXNzIHRvIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UsCgl0aGUg cmVzb3VyY2Ugc2VydmVyIE1VU1QgaW5jbHVkZSB0aGUgSFRUUCA8dHQ+V1dXLUF1dGhlbnRpY2F0 ZTwvdHQ+IHJlc3BvbnNlIGhlYWRlciBmaWVsZDsKCWl0IE1BWSBpbmNsdWRlIGl0IGluIHJlc3Bv bnNlIHRvIG90aGVyIGNvbmRpdGlvbnMgYXMgd2VsbC4KCVRoZSA8dHQ+V1dXLUF1dGhlbnRpY2F0 ZTwvdHQ+IGhlYWRlcgoJZmllbGQgdXNlcyB0aGUgZnJhbWV3b3JrIGRlZmluZWQgYnkKCUhUVFAv MS4xLCBQYXJ0IDcgPGEgY2xhc3M9J2luZm8nIGhyZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1 dGgnPltJJiM4MjA5O0QuaWV0ZiYjODIwOTtodHRwYmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNw YW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwg TW9ndWwsIEouLCBOaWVsc2VuLCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMt TGVlLCBULiwgTGFmb24sIFkuLCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0 IDc6IEF1dGhlbnRpY2F0aW9uLCZyZHF1bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFu Pik8L3NwYW4+PC9hPgoJYXMgZm9sbG93czoKICAgICAgCjwvcD48ZGl2IHN0eWxlPSdkaXNwbGF5 OiB0YWJsZTsgd2lkdGg6IDA7IG1hcmdpbi1sZWZ0OiAzZW07IG1hcmdpbi1yaWdodDogYXV0byc+ PHByZT4KY2hhbGxlbmdlICAgICAgID0gIkJlYXJlciIgWyAxKlNQIDEjcGFyYW0gXQoKcGFyYW0g ICAgICAgICAgID0gcmVhbG0gLyBzY29wZSAvCiAgICAgICAgICAgICAgICAgIGVycm9yIC8gZXJy b3ItZGVzYyAvIGVycm9yLXVyaSAvCiAgICAgICAgICAgICAgICAgIGF1dGgtcGFyYW0KCnNjb3Bl ICAgICAgICAgICA9ICJzY29wZSIgIj0iIHF1b3RlZC1zdHJpbmcKZXJyb3IgICAgICAgICAgID0g ImVycm9yIiAiPSIgcXVvdGVkLXN0cmluZwplcnJvci1kZXNjICAgICAgPSAiZXJyb3JfZGVzY3Jp cHRpb24iICI9IiBxdW90ZWQtc3RyaW5nCmVycm9yLXVyaSAgICAgICA9ICJlcnJvcl91cmkiICI9 IiBxdW90ZWQtc3RyaW5nCjwvcHJlPjwvZGl2Pgo8cD4KCUEgPHR0PnJlYWxtPC90dD4gYXR0cmli dXRlIE1BWSBiZSBpbmNsdWRlZAoJdG8gaW5kaWNhdGUgdGhlIHNjb3BlIG9mIHByb3RlY3Rpb24g aW4gdGhlIG1hbm5lciBkZXNjcmliZWQgaW4KCUhUVFAvMS4xLCBQYXJ0IDcgPGEgY2xhc3M9J2lu Zm8nIGhyZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgnPltJJiM4MjA5O0QuaWV0ZiYjODIw OTtodHRwYmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNwYW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9 J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwgTW9ndWwsIEouLCBOaWVsc2VuLCBILiwg TWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMtTGVlLCBULiwgTGFmb24sIFkuLCBhbmQg Si4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0IDc6IEF1dGhlbnRpY2F0aW9uLCZyZHF1 bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCVRoZSA8dHQ+ cmVhbG08L3R0PiBhdHRyaWJ1dGUgTVVTVCBOT1QgYXBwZWFyIG1vcmUgdGhhbiBvbmNlLgoJVGhl IDx0dD5yZWFsbTwvdHQ+IHZhbHVlIGlzIGludGVuZGVkIGZvcgoJcHJvZ3JhbW1hdGljIHVzZSBh bmQgaXMgbm90IG1lYW50IHRvIGJlIGRpc3BsYXllZCB0bwoJZW5kIHVzZXJzLgogICAgICAKPC9w Pgo8cD4KCVRoZSA8dHQ+c2NvcGU8L3R0PiBhdHRyaWJ1dGUgaXMgYSBzcGFjZS1kZWxpbWl0ZWQg bGlzdCBvZiBzY29wZSB2YWx1ZXMKCWluZGljYXRpbmcgdGhlIHJlcXVpcmVkIHNjb3BlIG9mIHRo ZSBhY2Nlc3MgdG9rZW4gZm9yIGFjY2Vzc2luZyB0aGUgcmVxdWVzdGVkIHJlc291cmNlLgoJSW4g c29tZSBjYXNlcywgdGhlIDx0dD5zY29wZTwvdHQ+IHZhbHVlCgl3aWxsIGJlIHVzZWQgd2hlbiBy ZXF1ZXN0aW5nIGEgbmV3IGFjY2VzcyB0b2tlbiB3aXRoCglzdWZmaWNpZW50IHNjb3BlIG9mIGFj Y2VzcyB0byB1dGlsaXplIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UuCglUaGUgPHR0PnNjb3BlPC90 dD4gYXR0cmlidXRlIE1VU1QgTk9UIGFwcGVhciBtb3JlIHRoYW4gb25jZS4KCVRoZSA8dHQ+c2Nv cGU8L3R0PiB2YWx1ZSBpcyBpbnRlbmRlZCBmb3IKCXByb2dyYW1tYXRpYyB1c2UgYW5kIGlzIG5v dCBtZWFudCB0byBiZSBkaXNwbGF5ZWQgdG8KCWVuZCB1c2Vycy4KICAgICAgCjwvcD4KPHA+CglJ ZiB0aGUgcHJvdGVjdGVkIHJlc291cmNlIHJlcXVlc3QgaW5jbHVkZWQgYW4gYWNjZXNzIHRva2Vu IGFuZCBmYWlsZWQgYXV0aGVudGljYXRpb24sIHRoZQoJcmVzb3VyY2Ugc2VydmVyIFNIT1VMRCBp bmNsdWRlIHRoZSA8dHQ+ZXJyb3I8L3R0PiBhdHRyaWJ1dGUgdG8gcHJvdmlkZQoJdGhlIGNsaWVu dCB3aXRoIHRoZSByZWFzb24gd2h5IHRoZSBhY2Nlc3MgcmVxdWVzdCB3YXMgZGVjbGluZWQuIFRo ZSBwYXJhbWV0ZXIgdmFsdWUgaXMKCWRlc2NyaWJlZCBpbiA8YSBjbGFzcz0naW5mbycgaHJlZj0n I3Jlc291cmNlLWVycm9yLWNvZGVzJz5TZWN0aW9uJm5ic3A7My4xPHNwYW4+ICg8L3NwYW4+PHNw YW4gY2xhc3M9J2luZm8nPkVycm9yIENvZGVzPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCUlu IGFkZGl0aW9uLCB0aGUgcmVzb3VyY2Ugc2VydmVyIE1BWSBpbmNsdWRlIHRoZSA8dHQ+ZXJyb3Jf ZGVzY3JpcHRpb248L3R0PiBhdHRyaWJ1dGUgdG8gcHJvdmlkZQoJZGV2ZWxvcGVycyBhIGh1bWFu LXJlYWRhYmxlIGV4cGxhbmF0aW9uIHRoYXQgaXMgbm90IG1lYW50Cgl0byBiZSBkaXNwbGF5ZWQg dG8gZW5kIHVzZXJzLgoJSXQgYWxzbyBNQVkgaW5jbHVkZQoJdGhlIDx0dD5lcnJvcl91cmk8L3R0 PiBhdHRyaWJ1dGUgd2l0aAoJYW4gYWJzb2x1dGUgVVJJIGlkZW50aWZ5aW5nIGEgaHVtYW4tcmVh ZGFibGUgd2ViIHBhZ2UgZXhwbGFpbmluZyB0aGUgZXJyb3IuCglUaGUgPHR0PmVycm9yPC90dD4s IDx0dD5lcnJvcl9kZXNjcmlwdGlvbjwvdHQ+LCBhbmQKCTx0dD5lcnJvcl91cmk8L3R0PiBhdHRy aWJ1dGVzIE1VU1QgTk9UIGFwcGVhciBtb3JlIHRoYW4gb25jZS4KICAgICAgCjwvcD4KPHA+CglQ cm9kdWNlcnMgb2YgPHR0PnNjb3BlPC90dD4gc3RyaW5ncyBNVVNUCglOT1QgdXNlIGNoYXJhY3Rl cnMgb3V0c2lkZSB0aGUgc2V0ICV4MjEgLyAleDIzLTVCIC8gJXg1RC03RQoJZm9yIHJlcHJlc2Vu dGluZyB0aGUgc2NvcGUgdmFsdWVzIGFuZCAleDIwIGZvciB0aGUgZGVsaW1pdGVyLgoJUHJvZHVj ZXJzIG9mIDx0dD5lcnJvcjwvdHQ+IGFuZCA8dHQ+ZXJyb3JfZGVzY3JpcHRpb248L3R0PiBzdHJp bmdzIE1VU1QgTk9UIHVzZQoJY2hhcmFjdGVycyBvdXRzaWRlIHRoZSBzZXQgJXgyMC0yMSAvICV4 MjMtNUIgLyAleDVELTdFIGZvcgoJcmVwcmVzZW50aW5nIHRoZXNlIHZhbHVlcy4KCVByb2R1Y2Vy cyBvZiA8dHQ+ZXJyb3ItdXJpPC90dD4gc3RyaW5ncwoJTVVTVCBOT1QgdXNlIGNoYXJhY3RlcnMg b3V0c2lkZSB0aGUgc2V0ICV4MjEgLyAleDIzLTVCIC8KCSV4NUQtN0UgZm9yIHJlcHJlc2VudGlu ZyB0aGVzZSB2YWx1ZXMuICBGdXJ0aGVybW9yZSwKCTx0dD5lcnJvci11cmk8L3R0PiBzdHJpbmdz IE1VU1QgY29uZm9ybQoJdG8gdGhlIFVSSS1SZWZlcmVuY2Ugc3ludGF4LgoJSW4gYWxsIHRoZXNl IGNhc2VzLCBubyBjaGFyYWN0ZXIgcXVvdGluZyB3aWxsIG9jY3VyLCBhcwoJc2VuZGVycyBhcmUg cHJvaGliaXRlZCBmcm9tIHVzaW5nIHRoZSAlNUMgKCdcJykgY2hhcmFjdGVyLgogICAgICAKPC9w Pgo8cD4KCSAgRm9yIGV4YW1wbGUsIGluIHJlc3BvbnNlIHRvIGEgcHJvdGVjdGVkIHJlc291cmNl IHJlcXVlc3Qgd2l0aG91dCBhdXRoZW50aWNhdGlvbjoKCQo8L3A+PGRpdiBzdHlsZT0nZGlzcGxh eTogdGFibGU7IHdpZHRoOiAwOyBtYXJnaW4tbGVmdDogM2VtOyBtYXJnaW4tcmlnaHQ6IGF1dG8n PjxwcmU+CkhUVFAvMS4xIDQwMSBVbmF1dGhvcml6ZWQKV1dXLUF1dGhlbnRpY2F0ZTogQmVhcmVy IHJlYWxtPSJleGFtcGxlIgo8L3ByZT48L2Rpdj4KPHA+CiAgICAgICAgICAgIEFuZCBpbiByZXNw b25zZSB0byBhIHByb3RlY3RlZCByZXNvdXJjZSByZXF1ZXN0IHdpdGggYW4gYXV0aGVudGljYXRp b24gYXR0ZW1wdCB1c2luZyBhbgogICAgICAgICAgICBleHBpcmVkIGFjY2VzcyB0b2tlbjoKICAg ICAgICAgIAo8L3A+PGRpdiBzdHlsZT0nZGlzcGxheTogdGFibGU7IHdpZHRoOiAwOyBtYXJnaW4t bGVmdDogM2VtOyBtYXJnaW4tcmlnaHQ6IGF1dG8nPjxwcmU+CkhUVFAvMS4xIDQwMSBVbmF1dGhv cml6ZWQKV1dXLUF1dGhlbnRpY2F0ZTogQmVhcmVyIHJlYWxtPSJleGFtcGxlIiwKICAgICAgICAg ICAgICAgICAgZXJyb3I9ImludmFsaWRfdG9rZW4iLAogICAgICAgICAgICAgICAgICBlcnJvcl9k ZXNjcmlwdGlvbj0iVGhlIGFjY2VzcyB0b2tlbiBleHBpcmVkIgo8L3ByZT48L2Rpdj4KPGEgbmFt ZT0icmVzb3VyY2UtZXJyb3ItY29kZXMiPjwvYT48YnIgLz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9 ImxheW91dCIgY2VsbHBhZGRpbmc9IjAiIGNlbGxzcGFjaW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBh bGlnbj0icmlnaHQiPjx0cj48dGQgY2xhc3M9IlRPQ2J1ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7 VE9DJm5ic3A7PC9hPjwvdGQ+PC90cj48L3RhYmxlPgo8YSBuYW1lPSJyZmMuc2VjdGlvbi4zLjEi PjwvYT48aDM+My4xLiZuYnNwOwpFcnJvciBDb2RlczwvaDM+Cgo8cD4KCSAgV2hlbiBhIHJlcXVl c3QgZmFpbHMsIHRoZSByZXNvdXJjZSBzZXJ2ZXIgcmVzcG9uZHMgdXNpbmcgdGhlIGFwcHJvcHJp YXRlIEhUVFAgc3RhdHVzCgkgIGNvZGUgKHR5cGljYWxseSwgNDAwLCA0MDEsIDQwMywgb3IgNDA1 KSwKCSAgYW5kIGluY2x1ZGVzIG9uZSBvZiB0aGUgZm9sbG93aW5nIGVycm9yIGNvZGVzIGluCgkg IHRoZSByZXNwb25zZToKCgkgIDwvcD4KPGJsb2NrcXVvdGUgY2xhc3M9InRleHQiPjxkbD4KPGR0 PmludmFsaWRfcmVxdWVzdDwvZHQ+CjxkZD4KCSAgICAgIAoJICAgICAgVGhlIHJlcXVlc3QgaXMg bWlzc2luZyBhIHJlcXVpcmVkIHBhcmFtZXRlciwgaW5jbHVkZXMgYW4gdW5zdXBwb3J0ZWQgcGFy YW1ldGVyIG9yCgkgICAgICBwYXJhbWV0ZXIgdmFsdWUsIHJlcGVhdHMgdGhlIHNhbWUgcGFyYW1l dGVyLCB1c2VzIG1vcmUgdGhhbiBvbmUgbWV0aG9kIGZvcgoJICAgICAgaW5jbHVkaW5nIGFuIGFj Y2VzcyB0b2tlbiwgb3IgaXMgb3RoZXJ3aXNlIG1hbGZvcm1lZC4gVGhlIHJlc291cmNlIHNlcnZl ciBTSE9VTEQKCSAgICAgIHJlc3BvbmQgd2l0aCB0aGUgSFRUUCA0MDAgKEJhZCBSZXF1ZXN0KSBz dGF0dXMgY29kZS4KCSAgICAKPC9kZD4KPGR0PmludmFsaWRfdG9rZW48L2R0Pgo8ZGQ+CgkgICAg ICAKCSAgICAgIFRoZSBhY2Nlc3MgdG9rZW4gcHJvdmlkZWQgaXMgZXhwaXJlZCwgcmV2b2tlZCwg bWFsZm9ybWVkLCBvciBpbnZhbGlkIGZvciBvdGhlcgoJICAgICAgcmVhc29ucy4gVGhlIHJlc291 cmNlIFNIT1VMRCByZXNwb25kIHdpdGggdGhlIEhUVFAgNDAxIChVbmF1dGhvcml6ZWQpIHN0YXR1 cwoJICAgICAgY29kZS4gVGhlIGNsaWVudCBNQVkgcmVxdWVzdCBhIG5ldyBhY2Nlc3MgdG9rZW4g YW5kIHJldHJ5IHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UKCSAgICAgIHJlcXVlc3QuCgkgICAgCjwv ZGQ+CjxkdD5pbnN1ZmZpY2llbnRfc2NvcGU8L2R0Pgo8ZGQ+CgkgICAgICAKCSAgICAgIFRoZSBy ZXF1ZXN0IHJlcXVpcmVzIGhpZ2hlciBwcml2aWxlZ2VzIHRoYW4gcHJvdmlkZWQgYnkgdGhlIGFj Y2VzcyB0b2tlbi4gVGhlCgkgICAgICByZXNvdXJjZSBzZXJ2ZXIgU0hPVUxEIHJlc3BvbmQgd2l0 aCB0aGUgSFRUUCA0MDMgKEZvcmJpZGRlbikgc3RhdHVzIGNvZGUgYW5kIE1BWQoJICAgICAgaW5j bHVkZSB0aGUgPHR0PnNjb3BlPC90dD4gYXR0cmlidXRlIHdpdGggdGhlIHNjb3BlIG5lY2Vzc2Fy eSB0bwoJICAgICAgYWNjZXNzIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UuCgkgICAgCjwvZGQ+Cjwv ZGw+PC9ibG9ja3F1b3RlPjxwPgoJCjwvcD4KPHA+CgkgIElmIHRoZSByZXF1ZXN0IGxhY2tzIGFu eSBhdXRoZW50aWNhdGlvbiBpbmZvcm1hdGlvbiAoaS5lLiB0aGUgY2xpZW50IHdhcyB1bmF3YXJl CgkgIGF1dGhlbnRpY2F0aW9uIGlzIG5lY2Vzc2FyeSBvciBhdHRlbXB0ZWQgdXNpbmcgYW4gdW5z dXBwb3J0ZWQgYXV0aGVudGljYXRpb24gbWV0aG9kKSwKCSAgdGhlIHJlc291cmNlIHNlcnZlciBT SE9VTEQgTk9UIGluY2x1ZGUgYW4gZXJyb3IgY29kZSBvciBvdGhlciBlcnJvciBpbmZvcm1hdGlv bi4KCQo8L3A+CjxwPgoJICAgIEZvciBleGFtcGxlOgoJICAKPC9wPjxkaXYgc3R5bGU9J2Rpc3Bs YXk6IHRhYmxlOyB3aWR0aDogMDsgbWFyZ2luLWxlZnQ6IDNlbTsgbWFyZ2luLXJpZ2h0OiBhdXRv Jz48cHJlPgpIVFRQLzEuMSA0MDEgVW5hdXRob3JpemVkCldXVy1BdXRoZW50aWNhdGU6IEJlYXJl ciByZWFsbT0iZXhhbXBsZSIKPC9wcmU+PC9kaXY+CjxhIG5hbWU9InNlYy1jb24iPjwvYT48YnIg Lz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRpbmc9IjAiIGNlbGxzcGFj aW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48dGQgY2xhc3M9IlRPQ2J1 ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+PC90cj48L3RhYmxlPgo8 YSBuYW1lPSJyZmMuc2VjdGlvbi40Ij48L2E+PGgzPjQuJm5ic3A7ClNlY3VyaXR5IENvbnNpZGVy YXRpb25zPC9oMz4KCjxwPgoJVGhpcyBzZWN0aW9uIGRlc2NyaWJlcyB0aGUgcmVsZXZhbnQgc2Vj dXJpdHkgdGhyZWF0cyByZWdhcmRpbmcKCXRva2VuIGhhbmRsaW5nIHdoZW4gdXNpbmcgYmVhcmVy IHRva2VucyBhbmQgZGVzY3JpYmVzIGhvdyB0bwoJbWl0aWdhdGUgdGhlc2UgdGhyZWF0cy4KICAg ICAgCjwvcD4KPGEgbmFtZT0idGhyZWF0cyI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFy eT0ibGF5b3V0IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWci IGFsaWduPSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJz cDtUT0MmbmJzcDs8L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLjQu MSI+PC9hPjxoMz40LjEuJm5ic3A7ClNlY3VyaXR5IFRocmVhdHM8L2gzPgoKPHA+CgkgIFRoZSBm b2xsb3dpbmcgbGlzdCBwcmVzZW50cyBzZXZlcmFsIGNvbW1vbiB0aHJlYXRzIGFnYWluc3QKCSAg cHJvdG9jb2xzIHV0aWxpemluZyBzb21lIGZvcm0gb2YgdG9rZW5zLiBUaGlzIGxpc3Qgb2YKCSAg dGhyZWF0cyBpcyBiYXNlZCBvbgoJICBOSVNUIFNwZWNpYWwgUHVibGljYXRpb24gODAwLTYzIDxh IGNsYXNzPSdpbmZvJyBocmVmPScjTklTVDgwMC02Myc+W05JU1Q4MDAmIzgyMDk7NjNdPHNwYW4+ ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkJ1cnIsIFcuLCBEb2Rzb24sIEQuLCBQZXJsbmVy LCBSLiwgUG9saywgVC4sIEd1cHRhLCBTLiwgYW5kIEUuIE5hYmJ1cywgJmxkcXVvO05JU1QgU3Bl Y2lhbCBQdWJsaWNhdGlvbiA4MDAtNjMtMSwgSU5GT1JNQVRJT04gU0VDVVJJVFksJnJkcXVvOyBE ZWNlbWJlciZuYnNwOzIwMDguPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCSAgU2luY2UgdGhp cyBkb2N1bWVudCBidWlsZHMgb24gdGhlCgkgIE9BdXRoIDIuMCBzcGVjaWZpY2F0aW9uLCB3ZSBl eGNsdWRlIGEgZGlzY3Vzc2lvbiBvZiB0aHJlYXRzCgkgIHRoYXQgYXJlIGRlc2NyaWJlZCB0aGVy ZSBvciBpbiByZWxhdGVkIGRvY3VtZW50cy4KCQo8L3A+CjxwPgoJICA8L3A+CjxibG9ja3F1b3Rl IGNsYXNzPSJ0ZXh0Ij48ZGw+CjxkdD5Ub2tlbiBtYW51ZmFjdHVyZS9tb2RpZmljYXRpb246PC9k dD4KPGRkPgoJICAgICAgQW4gYXR0YWNrZXIgbWF5IGdlbmVyYXRlIGEgYm9ndXMgdG9rZW4gb3Ig bW9kaWZ5IHRoZQoJICAgICAgdG9rZW4gY29udGVudHMgKHN1Y2ggYXMgdGhlIGF1dGhlbnRpY2F0 aW9uIG9yIGF0dHJpYnV0ZQoJICAgICAgc3RhdGVtZW50cykgb2YgYW4gZXhpc3RpbmcgdG9rZW4s IGNhdXNpbmcgdGhlIHJlc291cmNlCgkgICAgICBzZXJ2ZXIgdG8gZ3JhbnQgaW5hcHByb3ByaWF0 ZSBhY2Nlc3MgdG8gdGhlIGNsaWVudC4KCSAgICAgIEZvciBleGFtcGxlLCBhbiBhdHRhY2tlciBt YXkgbW9kaWZ5IHRoZSB0b2tlbiB0byBleHRlbmQKCSAgICAgIHRoZSB2YWxpZGl0eSBwZXJpb2Q7 IGEgbWFsaWNpb3VzIGNsaWVudCBtYXkgbW9kaWZ5IHRoZQoJICAgICAgYXNzZXJ0aW9uIHRvIGdh aW4gYWNjZXNzIHRvIGluZm9ybWF0aW9uIHRoYXQgdGhleQoJICAgICAgc2hvdWxkIG5vdCBiZSBh YmxlIHRvIHZpZXcuCgkgICAgCjwvZGQ+CjxkdD5Ub2tlbiBkaXNjbG9zdXJlOjwvZHQ+CjxkZD4K CSAgICAgIFRva2VucyBtYXkgY29udGFpbiBhdXRoZW50aWNhdGlvbiBhbmQgYXR0cmlidXRlCgkg ICAgICBzdGF0ZW1lbnRzIHRoYXQgaW5jbHVkZSBzZW5zaXRpdmUgaW5mb3JtYXRpb24uCgkgICAg CjwvZGQ+CjxkdD5Ub2tlbiByZWRpcmVjdDo8L2R0Pgo8ZGQ+CgkgICAgICBBbiBhdHRhY2tlciB1 c2VzIGEgdG9rZW4gZ2VuZXJhdGVkIGZvciBjb25zdW1wdGlvbiBieSAKCSAgICAgIG9uZSByZXNv dXJjZSBzZXJ2ZXIgdG8gZ2FpbiBhY2Nlc3MgdG8gYSBkaWZmZXJlbnQKCSAgICAgIHJlc291cmNl IHNlcnZlciB0aGF0IG1pc3Rha2VubHkgYmVsaWV2ZXMgdGhlIHRva2VuIHRvIGJlCgkgICAgICBm b3IgaXQuCgkgICAgCjwvZGQ+CjxkdD5Ub2tlbiByZXBsYXk6PC9kdD4KPGRkPgoJICAgICAgQW4g YXR0YWNrZXIgYXR0ZW1wdHMgdG8gdXNlIGEgdG9rZW4gdGhhdCBoYXMgYWxyZWFkeQoJICAgICAg YmVlbiB1c2VkIHdpdGggdGhhdCByZXNvdXJjZSBzZXJ2ZXIgaW4gdGhlIHBhc3QuCgkgICAgCjwv ZGQ+CjwvZGw+PC9ibG9ja3F1b3RlPjxwPiAKCQo8L3A+CjxhIG5hbWU9Im1pdGlnYXRpb24iPjwv YT48YnIgLz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRpbmc9IjAiIGNl bGxzcGFjaW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48dGQgY2xhc3M9 IlRPQ2J1ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+PC90cj48L3Rh YmxlPgo8YSBuYW1lPSJyZmMuc2VjdGlvbi40LjIiPjwvYT48aDM+NC4yLiZuYnNwOwpUaHJlYXQg TWl0aWdhdGlvbjwvaDM+Cgo8cD4KCSAgQSBsYXJnZSByYW5nZSBvZiB0aHJlYXRzIGNhbiBiZSBt aXRpZ2F0ZWQgYnkgcHJvdGVjdGluZyB0aGUKCSAgY29udGVudHMgb2YgdGhlIHRva2VuIGJ5IHVz aW5nIGEgZGlnaXRhbCBzaWduYXR1cmUgb3IgYQoJICBNZXNzYWdlIEF1dGhlbnRpY2F0aW9uIENv ZGUgKE1BQykuCgkgIEFsdGVybmF0aXZlbHksIGEgYmVhcmVyIHRva2VuIGNhbiBjb250YWluIGEg cmVmZXJlbmNlIHRvCgkgIGF1dGhvcml6YXRpb24gaW5mb3JtYXRpb24sIHJhdGhlciB0aGFuIGVu Y29kaW5nIHRoZQoJICBpbmZvcm1hdGlvbiBkaXJlY3RseS4gU3VjaCByZWZlcmVuY2VzIE1VU1Qg YmUgaW5mZWFzaWJsZSBmb3IKCSAgYW4gYXR0YWNrZXIgdG8gZ3Vlc3M7IHVzaW5nIGEgcmVmZXJl bmNlIG1heSByZXF1aXJlIGFuIGV4dHJhCgkgIGludGVyYWN0aW9uIGJldHdlZW4gYSBzZXJ2ZXIg YW5kIHRoZSB0b2tlbiBpc3N1ZXIgdG8gcmVzb2x2ZQoJICB0aGUgcmVmZXJlbmNlIHRvIHRoZSBh dXRob3JpemF0aW9uIGluZm9ybWF0aW9uLgoJICBUaGUgbWVjaGFuaWNzIG9mIHN1Y2ggYW4gaW50 ZXJhY3Rpb24gYXJlIG5vdCBkZWZpbmVkIGJ5IHRoaXMKCSAgc3BlY2lmaWNhdGlvbi4KCQo8L3A+ CjxwPgoJICBUaGlzIGRvY3VtZW50IGRvZXMgbm90IHNwZWNpZnkgdGhlIGVuY29kaW5nIG9yIHRo ZSBjb250ZW50cwoJICBvZiB0aGUgdG9rZW47IGhlbmNlIGRldGFpbGVkIHJlY29tbWVuZGF0aW9u cyBhYm91dCB0aGUgbWVhbnMKCSAgb2YgZ3VhcmFudGVlaW5nIHRva2VuIGludGVncml0eSBwcm90 ZWN0aW9uIGFyZSBvdXRzaWRlIHRoZQoJICBzY29wZSBvZiB0aGlzIGRvY3VtZW50LiAgVGhlIHRv a2VuIGludGVncml0eSBwcm90ZWN0aW9uIE1VU1QKCSAgYmUgc3VmZmljaWVudCB0byBwcmV2ZW50 IHRoZSB0b2tlbiBmcm9tIGJlaW5nIG1vZGlmaWVkLgoJCjwvcD4KPHA+CgkgIFRvIGRlYWwgd2l0 aCB0b2tlbiByZWRpcmVjdCwgaXQgaXMgaW1wb3J0YW50IGZvciB0aGUKCSAgYXV0aG9yaXphdGlv biBzZXJ2ZXIgdG8gaW5jbHVkZSB0aGUgaWRlbnRpdHkgb2YgdGhlIGludGVuZGVkCgkgIHJlY2lw aWVudHMgKHRoZSBhdWRpZW5jZSksIHR5cGljYWxseSBhIHNpbmdsZSByZXNvdXJjZQoJICBzZXJ2 ZXIgKG9yIGEgbGlzdCBvZiByZXNvdXJjZSBzZXJ2ZXJzKSwgaW4gdGhlIHRva2VuLgoJICBSZXN0 cmljdGluZyB0aGUgdXNlIG9mIHRoZSB0b2tlbiB0byBhIHNwZWNpZmljIHNjb3BlIGlzIGFsc28K CSAgUkVDT01NRU5ERUQuCgkKPC9wPgo8cD4KCSAgVGhlIGF1dGhvcml6YXRpb24gc2VydmVyIE1V U1QgaW1wbGVtZW50IFRMUy4KCSAgV2hpY2ggdmVyc2lvbihzKSBvdWdodCB0byBiZSBpbXBsZW1l bnRlZCB3aWxsIHZhcnkgb3ZlcgoJICB0aW1lLCBhbmQgZGVwZW5kIG9uIHRoZSB3aWRlc3ByZWFk IGRlcGxveW1lbnQgYW5kIGtub3duCgkgIHNlY3VyaXR5IHZ1bG5lcmFiaWxpdGllcyBhdCB0aGUg dGltZSBvZiBpbXBsZW1lbnRhdGlvbi4KCSAgQXQgdGhlIHRpbWUgb2YgdGhpcyB3cml0aW5nLAoJ ICBUTFMgdmVyc2lvbiAxLjIgPGEgY2xhc3M9J2luZm8nIGhyZWY9JyNSRkM1MjQ2Jz5bUkZDNTI0 Nl08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+RGllcmtzLCBULiBhbmQgRS4gUmVz Y29ybGEsICZsZHF1bztUaGUgVHJhbnNwb3J0IExheWVyIFNlY3VyaXR5IChUTFMpIFByb3RvY29s IFZlcnNpb24gMS4yLCZyZHF1bzsgQXVndXN0Jm5ic3A7MjAwOC48L3NwYW4+PHNwYW4+KTwvc3Bh bj48L2E+CgkgIGlzIHRoZSBtb3N0IHJlY2VudCB2ZXJzaW9uLCBidXQgaGFzIHZlcnkgbGltaXRl ZCBhY3R1YWwKCSAgZGVwbG95bWVudCwgYW5kIG1pZ2h0IG5vdCBiZSByZWFkaWx5IGF2YWlsYWJs ZSBpbgoJICBpbXBsZW1lbnRhdGlvbiB0b29sa2l0cy4KCSAgVExTIHZlcnNpb24gMS4wIDxhIGNs YXNzPSdpbmZvJyBocmVmPScjUkZDMjI0Nic+W1JGQzIyNDZdPHNwYW4+ICg8L3NwYW4+PHNwYW4g Y2xhc3M9J2luZm8nPkRpZXJrcywgVC4gYW5kIEMuIEFsbGVuLCAmbGRxdW87VGhlIFRMUyBQcm90 b2NvbCBWZXJzaW9uIDEuMCwmcmRxdW87IEphbnVhcnkmbmJzcDsxOTk5Ljwvc3Bhbj48c3Bhbj4p PC9zcGFuPjwvYT4KCSAgaXMgdGhlIG1vc3Qgd2lkZWx5IGRlcGxveWVkIHZlcnNpb24sIGFuZCB3 aWxsIGdpdmUgdGhlCgkgIGJyb2FkZXN0IGludGVyb3BlcmFiaWxpdHkuCgkKPC9wPgo8cD4KCSAg VG8gcHJvdGVjdCBhZ2FpbnN0IHRva2VuIGRpc2Nsb3N1cmUsIGNvbmZpZGVudGlhbGl0eQoJICBw cm90ZWN0aW9uIE1VU1QgYmUgYXBwbGllZCB1c2luZwoJICBUTFMgPGEgY2xhc3M9J2luZm8nIGhy ZWY9JyNSRkM1MjQ2Jz5bUkZDNTI0Nl08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+ RGllcmtzLCBULiBhbmQgRS4gUmVzY29ybGEsICZsZHF1bztUaGUgVHJhbnNwb3J0IExheWVyIFNl Y3VyaXR5IChUTFMpIFByb3RvY29sIFZlcnNpb24gMS4yLCZyZHF1bzsgQXVndXN0Jm5ic3A7MjAw OC48L3NwYW4+PHNwYW4+KTwvc3Bhbj48L2E+CgkgIHdpdGggYSBjaXBoZXJzdWl0ZSB0aGF0IHBy b3ZpZGVzIGNvbmZpZGVudGlhbGl0eSBhbmQKCSAgaW50ZWdyaXR5IHByb3RlY3Rpb24uICBUaGlz CgkgIHJlcXVpcmVzIHRoYXQgdGhlIGNvbW11bmljYXRpb24gaW50ZXJhY3Rpb24gYmV0d2VlbiB0 aGUKCSAgY2xpZW50IGFuZCB0aGUgYXV0aG9yaXphdGlvbiBzZXJ2ZXIsIGFzIHdlbGwgYXMgdGhl CgkgIGludGVyYWN0aW9uIGJldHdlZW4gdGhlIGNsaWVudCBhbmQgdGhlIHJlc291cmNlIHNlcnZl ciwKCSAgdXRpbGl6ZSBjb25maWRlbnRpYWxpdHkgYW5kIGludGVncml0eSBwcm90ZWN0aW9uLgoJ ICBTaW5jZSBUTFMgaXMgbWFuZGF0b3J5IHRvCgkgIGltcGxlbWVudCBhbmQgdG8gdXNlIHdpdGgg dGhpcyBzcGVjaWZpY2F0aW9uLCBpdCBpcyB0aGUKCSAgcHJlZmVycmVkIGFwcHJvYWNoIGZvciBw cmV2ZW50aW5nIHRva2VuIGRpc2Nsb3N1cmUgdmlhIHRoZQoJICBjb21tdW5pY2F0aW9uIGNoYW5u ZWwuIEZvciB0aG9zZSBjYXNlcyB3aGVyZSB0aGUgY2xpZW50CgkgIGlzIHByZXZlbnRlZCBmcm9t IG9ic2VydmluZyB0aGUgY29udGVudHMgb2YgdGhlIHRva2VuLCB0b2tlbgoJICBlbmNyeXB0aW9u IE1VU1QgYmUgYXBwbGllZCBpbiBhZGRpdGlvbiB0byB0aGUgdXNhZ2Ugb2YgVExTCgkgIHByb3Rl Y3Rpb24uCgkgIEFzIGEgZnVydGhlciBkZWZlbnNlIGFnYWluc3QgdG9rZW4gZGlzY2xvc3VyZSwg dGhlIGNsaWVudAoJICBNVVNUIHZhbGlkYXRlIHRoZSBUTFMgY2VydGlmaWNhdGUgY2hhaW4gd2hl biBtYWtpbmcgcmVxdWVzdHMKCSAgdG8gcHJvdGVjdGVkIHJlc291cmNlcy4KCQo8L3A+CjxwPgoJ ICBDb29raWVzIGFyZSB0eXBpY2FsbHkgdHJhbnNtaXR0ZWQgaW4gdGhlIGNsZWFyLiAgVGh1cywg YW55CgkgIGluZm9ybWF0aW9uIGNvbnRhaW5lZCBpbiB0aGVtIGlzIGF0IHJpc2sgb2YgZGlzY2xv c3VyZS4KCSAgVGhlcmVmb3JlLCBiZWFyZXIgdG9rZW5zIE1VU1QgTk9UIGJlIHN0b3JlZCBpbiBj b29raWVzIHRoYXQKCSAgY2FuIGJlIHNlbnQgaW4gdGhlIGNsZWFyLgoJCjwvcD4KPHA+CgkgIElu IHNvbWUgZGVwbG95bWVudHMsIGluY2x1ZGluZyB0aG9zZSB1dGlsaXppbmcgbG9hZAoJICBiYWxh bmNlcnMsIHRoZSBUTFMgY29ubmVjdGlvbiB0byB0aGUgcmVzb3VyY2Ugc2VydmVyCgkgIHRlcm1p bmF0ZXMgcHJpb3IgdG8gdGhlIGFjdHVhbCBzZXJ2ZXIgdGhhdCBwcm92aWRlcyB0aGUKCSAgcmVz b3VyY2UuICBUaGlzIGNvdWxkIGxlYXZlIHRoZSB0b2tlbiB1bnByb3RlY3RlZCBiZXR3ZWVuCgkg IHRoZSBmcm9udCBlbmQgc2VydmVyIHdoZXJlIHRoZSBUTFMgY29ubmVjdGlvbiB0ZXJtaW5hdGVz IGFuZAoJICB0aGUgYmFjayBlbmQgc2VydmVyIHRoYXQgcHJvdmlkZXMgdGhlIHJlc291cmNlLiAg SW4gc3VjaAoJICBkZXBsb3ltZW50cywgc3VmZmljaWVudCBtZWFzdXJlcyBNVVNUIGJlIGVtcGxv eWVkIHRvIGVuc3VyZQoJICBjb25maWRlbnRpYWxpdHkgb2YgdGhlIHRva2VuIGJldHdlZW4gdGhl IGZyb250IGVuZCBhbmQKCSAgYmFjayBlbmQgc2VydmVyczsgZW5jcnlwdGlvbiBvZiB0aGUgdG9r ZW4gaXMgb25lIHBvc3NpYmxlCgkgIHN1Y2ggbWVhc3VyZS4KCQo8L3A+CjxwPgoJICBUbyBkZWFs IHdpdGggdG9rZW4gY2FwdHVyZSBhbmQgcmVwbGF5LAoJICB0aGUgZm9sbG93aW5nIHJlY29tbWVu ZGF0aW9ucyBhcmUKCSAgbWFkZTogRmlyc3QsIHRoZSBsaWZldGltZSBvZiB0aGUgdG9rZW4gTVVT VCBiZSBsaW1pdGVkOwoJICBvbmUgbWVhbnMgb2YgYWNoaWV2aW5nIHRoaXMgaXMgYnkKCSAgcHV0 dGluZyBhIHZhbGlkaXR5IHRpbWUgZmllbGQgaW5zaWRlIHRoZSBwcm90ZWN0ZWQgcGFydCBvZgoJ ICB0aGUgdG9rZW4uICBOb3RlIHRoYXQgdXNpbmcgc2hvcnQtbGl2ZWQgKG9uZSBob3VyIG9yIGxl c3MpCgkgIHRva2VucyByZWR1Y2VzIHRoZSBpbXBhY3Qgb2YgdGhlbSBiZWluZwoJICBsZWFrZWQu ICBTZWNvbmQsIGNvbmZpZGVudGlhbGl0eSBwcm90ZWN0aW9uIG9mIHRoZSBleGNoYW5nZXMKCSAg YmV0d2VlbiB0aGUgY2xpZW50IGFuZCB0aGUgYXV0aG9yaXphdGlvbiBzZXJ2ZXIgYW5kIGJldHdl ZW4KCSAgdGhlIGNsaWVudCBhbmQgdGhlIHJlc291cmNlIHNlcnZlciBNVVNUIGJlIGFwcGxpZWQu CgkgIEFzIGEKCSAgY29uc2VxdWVuY2UsIG5vIGVhdmVzZHJvcHBlciBhbG9uZyB0aGUgY29tbXVu aWNhdGlvbiBwYXRoIGlzCgkgIGFibGUgdG8gb2JzZXJ2ZSB0aGUgdG9rZW4gZXhjaGFuZ2UuIENv bnNlcXVlbnRseSwgc3VjaCBhbgoJICBvbi1wYXRoIGFkdmVyc2FyeSBjYW5ub3QgcmVwbGF5IHRo ZSB0b2tlbi4KCSAgRnVydGhlcm1vcmUsIHdoZW4KCSAgcHJlc2VudGluZyB0aGUgdG9rZW4gdG8g YSByZXNvdXJjZSBzZXJ2ZXIsIHRoZSBjbGllbnQgTVVTVAoJICB2ZXJpZnkgdGhlIGlkZW50aXR5 IG9mIHRoYXQgcmVzb3VyY2Ugc2VydmVyLCBhcyBwZXIKCSAgUmVwcmVzZW50YXRpb24gYW5kIFZl cmlmaWNhdGlvbiBvZiBEb21haW4tQmFzZWQgQXBwbGljYXRpb24gU2VydmljZQoJICBJZGVudGl0 eSB3aXRoaW4gSW50ZXJuZXQgUHVibGljIEtleSBJbmZyYXN0cnVjdHVyZSBVc2luZyBYLjUwOSAo UEtJWCkKCSAgQ2VydGlmaWNhdGVzIGluIHRoZSBDb250ZXh0IG9mIFRyYW5zcG9ydCBMYXllciBT ZWN1cml0eSAoVExTKQoJICA8YSBjbGFzcz0naW5mbycgaHJlZj0nI1JGQzYxMjUnPltSRkM2MTI1 XTxzcGFuPiAoPC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZvJz5TYWludC1BbmRyZSwgUC4gYW5kIEou IEhvZGdlcywgJmxkcXVvO1JlcHJlc2VudGF0aW9uIGFuZCBWZXJpZmljYXRpb24gb2YgRG9tYWlu LUJhc2VkIEFwcGxpY2F0aW9uIFNlcnZpY2UgSWRlbnRpdHkgd2l0aGluIEludGVybmV0IFB1Ymxp YyBLZXkgSW5mcmFzdHJ1Y3R1cmUgVXNpbmcgWC41MDkgKFBLSVgpIENlcnRpZmljYXRlcyBpbiB0 aGUgQ29udGV4dCBvZiBUcmFuc3BvcnQgTGF5ZXIgU2VjdXJpdHkgKFRMUyksJnJkcXVvOyBNYXJj aCZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCSAgTm90ZSB0aGF0IHRoZQoJ ICBjbGllbnQgTVVTVCB2YWxpZGF0ZSB0aGUgVExTIGNlcnRpZmljYXRlIGNoYWluIHdoZW4gbWFr aW5nCgkgIHRoZXNlIHJlcXVlc3RzIHRvIHByb3RlY3RlZCByZXNvdXJjZXMuICBQcmVzZW50aW5n IHRoZSB0b2tlbgoJICB0byBhbiB1bmF1dGhlbnRpY2F0ZWQgYW5kIHVuYXV0aG9yaXplZCByZXNv dXJjZSBzZXJ2ZXIgb3IKCSAgZmFpbGluZyB0byB2YWxpZGF0ZSB0aGUgY2VydGlmaWNhdGUgY2hh aW4gd2lsbCBhbGxvdwoJICBhZHZlcnNhcmllcyB0byBzdGVhbCB0aGUgdG9rZW4gYW5kIGdhaW4g dW5hdXRob3JpemVkIGFjY2VzcwoJICB0byBwcm90ZWN0ZWQgcmVzb3VyY2VzLgoJCjwvcD4KPGEg bmFtZT0iYW5jaG9yNiI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5b3V0IiBj ZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWduPSJyaWdo dCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0MmbmJzcDs8 L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLjQuMyI+PC9hPjxoMz40 LjMuJm5ic3A7ClN1bW1hcnkgb2YgUmVjb21tZW5kYXRpb25zPC9oMz4KCjxwPgoJICA8L3A+Cjxi bG9ja3F1b3RlIGNsYXNzPSJ0ZXh0Ij48ZGw+CjxkdD5TYWZlZ3VhcmQgYmVhcmVyIHRva2Vuczo8 L2R0Pgo8ZGQ+CgkgICAgICBDbGllbnQgaW1wbGVtZW50YXRpb25zIE1VU1QgZW5zdXJlIHRoYXQg YmVhcmVyIHRva2VucwoJICAgICAgYXJlIG5vdCBsZWFrZWQgdG8gdW5pbnRlbmRlZCBwYXJ0aWVz LCBhcyB0aGV5IHdpbGwgYmUKCSAgICAgIGFibGUgdG8gdXNlIHRoZW0gdG8gZ2FpbiBhY2Nlc3Mg dG8gcHJvdGVjdGVkIHJlc291cmNlcy4KCSAgICAgIFRoaXMgaXMgdGhlIHByaW1hcnkgc2VjdXJp dHkgY29uc2lkZXJhdGlvbiB3aGVuIHVzaW5nCgkgICAgICBiZWFyZXIgdG9rZW5zIGFuZCB1bmRl cmxpZXMgYWxsIHRoZSBtb3JlCgkgICAgICBzcGVjaWZpYyByZWNvbW1lbmRhdGlvbnMgdGhhdCBm b2xsb3cuCgkgICAgCjwvZGQ+CjxkdD5WYWxpZGF0ZSBTU0wgY2VydGlmaWNhdGUgY2hhaW5zOjwv ZHQ+CjxkZD4KCSAgICAgIFRoZSBjbGllbnQgTVVTVCB2YWxpZGF0ZSB0aGUgVExTIGNlcnRpZmlj YXRlIGNoYWluIHdoZW4KCSAgICAgIG1ha2luZyByZXF1ZXN0cyB0byBwcm90ZWN0ZWQgcmVzb3Vy Y2VzLiAgRmFpbGluZyB0byBkbwoJICAgICAgc28gbWF5IGVuYWJsZSBETlMgaGlqYWNraW5nIGF0 dGFja3MgdG8gc3RlYWwgdGhlIHRva2VuCgkgICAgICBhbmQgZ2FpbiB1bmludGVuZGVkIGFjY2Vz cy4KCSAgICAKPC9kZD4KPGR0PkFsd2F5cyB1c2UgVExTIChodHRwcyk6PC9kdD4KPGRkPgoJICAg ICAgQ2xpZW50cyBNVVNUIGFsd2F5cyB1c2UKCSAgICAgIFRMUyA8YSBjbGFzcz0naW5mbycgaHJl Zj0nI1JGQzUyNDYnPltSRkM1MjQ2XTxzcGFuPiAoPC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZvJz5E aWVya3MsIFQuIGFuZCBFLiBSZXNjb3JsYSwgJmxkcXVvO1RoZSBUcmFuc3BvcnQgTGF5ZXIgU2Vj dXJpdHkgKFRMUykgUHJvdG9jb2wgVmVyc2lvbiAxLjIsJnJkcXVvOyBBdWd1c3QmbmJzcDsyMDA4 Ljwvc3Bhbj48c3Bhbj4pPC9zcGFuPjwvYT4KCSAgICAgIChodHRwcykgb3IgZXF1aXZhbGVudCB0 cmFuc3BvcnQgc2VjdXJpdHkgd2hlbiBtYWtpbmcgcmVxdWVzdHMKCSAgICAgIHdpdGggYmVhcmVy IHRva2Vucy4gIEZhaWxpbmcgdG8gZG8gc28gZXhwb3NlcyB0aGUgdG9rZW4KCSAgICAgIHRvIG51 bWVyb3VzIGF0dGFja3MgdGhhdCBjb3VsZCBnaXZlIGF0dGFja2VycyB1bmludGVuZGVkCgkgICAg ICBhY2Nlc3MuCgkgICAgCjwvZGQ+CjxkdD5Eb24ndCBzdG9yZSBiZWFyZXIgdG9rZW5zIGluIGNv b2tpZXM6PC9kdD4KPGRkPgoJICAgICAgSW1wbGVtZW50YXRpb25zIE1VU1QgTk9UIHN0b3JlIGJl YXJlciB0b2tlbnMgd2l0aGluCgkgICAgICBjb29raWVzIHRoYXQgY2FuIGJlIHNlbnQgaW4gdGhl IGNsZWFyICh3aGljaCBpcyB0aGUKCSAgICAgIGRlZmF1bHQgdHJhbnNtaXNzaW9uIG1vZGUgZm9y IGNvb2tpZXMpLgoJICAgICAgSW1wbGVtZW50YXRpb25zIHRoYXQgZG8gc3RvcmUgYmVhcmVyIHRv a2VucyBpbiBjb29raWVzCgkgICAgICBNVVNUIHRha2UgcHJlY2F1dGlvbnMgYWdhaW5zdCBjcm9z cyBzaXRlIHJlcXVlc3QgZm9yZ2VyeS4KCSAgICAKPC9kZD4KPGR0Pklzc3VlIHNob3J0LWxpdmVk IGJlYXJlciB0b2tlbnM6PC9kdD4KPGRkPgoJICAgICAgVG9rZW4gc2VydmVycyBTSE9VTEQgaXNz dWUgc2hvcnQtbGl2ZWQgKG9uZSBob3VyIG9yCgkgICAgICBsZXNzKSBiZWFyZXIgdG9rZW5zLCBw YXJ0aWN1bGFybHkgd2hlbiBpc3N1aW5nIHRva2VucyB0bwoJICAgICAgY2xpZW50cyB0aGF0IHJ1 biB3aXRoaW4gYSB3ZWIgYnJvd3NlciBvciBvdGhlcgoJICAgICAgZW52aXJvbm1lbnRzIHdoZXJl IGluZm9ybWF0aW9uIGxlYWthZ2UgbWF5IG9jY3VyLiAgVXNpbmcKCSAgICAgIHNob3J0LWxpdmVk IGJlYXJlciB0b2tlbnMgY2FuIHJlZHVjZSB0aGUgaW1wYWN0IG9mIHRoZW0KCSAgICAgIGJlaW5n IGxlYWtlZC4KCSAgICAKPC9kZD4KPGR0Pklzc3VlIHNjb3BlZCBiZWFyZXIgdG9rZW5zOjwvZHQ+ CjxkZD4KCSAgICAgIFRva2VuIHNlcnZlcnMgU0hPVUxEIGlzc3VlIGJlYXJlciB0b2tlbnMgdGhh dCBjb250YWluIGFuIGF1ZGllbmNlCgkgICAgICByZXN0cmljdGlvbiwgc2NvcGluZyB0aGVpciB1 c2UgdG8gdGhlIGludGVuZGVkIHJlbHlpbmcKCSAgICAgIHBhcnR5IG9yIHNldCBvZiByZWx5aW5n IHBhcnRpZXMuCgkgICAgCjwvZGQ+CjxkdD5Eb24ndCBwYXNzIGJlYXJlciB0b2tlbnMgaW4gcGFn ZSBVUkxzOjwvZHQ+CjxkZD4KCSAgICAgIEJlYXJlciB0b2tlbnMgU0hPVUxEIE5PVCBiZSBwYXNz ZWQgaW4gcGFnZSBVUkxzIChmb3IKCSAgICAgIGV4YW1wbGUgYXMgcXVlcnkgc3RyaW5nIHBhcmFt ZXRlcnMpLiBJbnN0ZWFkLCBiZWFyZXIKCSAgICAgIHRva2VucyBTSE9VTEQgYmUgcGFzc2VkIGlu IEhUVFAgbWVzc2FnZSBoZWFkZXJzIG9yCgkgICAgICBtZXNzYWdlIGJvZGllcyBmb3Igd2hpY2gg Y29uZmlkZW50aWFsaXR5IG1lYXN1cmVzIGFyZQoJICAgICAgdGFrZW4uIEJyb3dzZXJzLCB3ZWIg c2VydmVycywgYW5kIG90aGVyIHNvZnR3YXJlIG1heSBub3QKCSAgICAgIGFkZXF1YXRlbHkgc2Vj dXJlIFVSTHMgaW4gdGhlIGJyb3dzZXIgaGlzdG9yeSwgd2ViCgkgICAgICBzZXJ2ZXIgbG9ncywg YW5kIG90aGVyIGRhdGEgc3RydWN0dXJlcy4gSWYgYmVhcmVyIHRva2VucwoJICAgICAgYXJlIHBh c3NlZCBpbiBwYWdlIFVSTHMsIGF0dGFja2VycyBtaWdodCBiZSBhYmxlIHRvCgkgICAgICBzdGVh bCB0aGVtIGZyb20gdGhlIGhpc3RvcnkgZGF0YSwgbG9ncywgb3Igb3RoZXIKCSAgICAgIHVuc2Vj dXJlZCBsb2NhdGlvbnMuCgkgICAgCjwvZGQ+CjwvZGw+PC9ibG9ja3F1b3RlPjxwPgoJCjwvcD4K PGEgbmFtZT0iYW5jaG9yNyI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5b3V0 IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWduPSJy aWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0MmbmJz cDs8L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLjUiPjwvYT48aDM+ NS4mbmJzcDsKSUFOQSBDb25zaWRlcmF0aW9uczwvaDM+Cgo8YSBuYW1lPSJhbmNob3I4Ij48L2E+ PGJyIC8+PGhyIC8+Cjx0YWJsZSBzdW1tYXJ5PSJsYXlvdXQiIGNlbGxwYWRkaW5nPSIwIiBjZWxs c3BhY2luZz0iMiIgY2xhc3M9IlRPQ2J1ZyIgYWxpZ249InJpZ2h0Ij48dHI+PHRkIGNsYXNzPSJU T0NidWciPjxhIGhyZWY9IiN0b2MiPiZuYnNwO1RPQyZuYnNwOzwvYT48L3RkPjwvdHI+PC90YWJs ZT4KPGEgbmFtZT0icmZjLnNlY3Rpb24uNS4xIj48L2E+PGgzPjUuMS4mbmJzcDsKT0F1dGggQWNj ZXNzIFRva2VuIFR5cGUgUmVnaXN0cmF0aW9uPC9oMz4KCjxwPgogICAgICAgICAgVGhpcyBzcGVj aWZpY2F0aW9uIHJlZ2lzdGVycyB0aGUgZm9sbG93aW5nIGFjY2VzcyB0b2tlbiB0eXBlIGluIHRo ZSBPQXV0aCBBY2Nlc3MgVG9rZW4KICAgICAgICAgIFR5cGUgUmVnaXN0cnkuCiAgICAgICAgCjwv cD4KPGEgbmFtZT0iYW5jaG9yOSI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5 b3V0IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWdu PSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0Mm bmJzcDs8L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLjUuMS4xIj48 L2E+PGgzPjUuMS4xLiZuYnNwOwpUaGUgIkJlYXJlciIgT0F1dGggQWNjZXNzIFRva2VuIFR5cGU8 L2gzPgoKPHA+CiAgICAgICAgICAgIDwvcD4KPGJsb2NrcXVvdGUgY2xhc3M9InRleHQiPjxkbD4K PGR0PlR5cGUgbmFtZTo8L2R0Pgo8ZGQ+CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAg IEJlYXJlcgogICAgICAgICAgICAgIAo8L2RkPgo8ZHQ+QWRkaXRpb25hbCBUb2tlbiBFbmRwb2lu dCBSZXNwb25zZSBQYXJhbWV0ZXJzOjwvZHQ+CjxkZD4KICAgICAgICAgICAgICAgIAogICAgICAg ICAgICAgICAgKG5vbmUpCiAgICAgICAgICAgICAgCjwvZGQ+CjxkdD5IVFRQIEF1dGhlbnRpY2F0 aW9uIFNjaGVtZShzKTo8L2R0Pgo8ZGQ+CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAg IEJlYXJlcgogICAgICAgICAgICAgIAo8L2RkPgo8ZHQ+Q2hhbmdlIGNvbnRyb2xsZXI6PC9kdD4K PGRkPgogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICBJRVRGCiAgICAgICAgICAgICAg CjwvZGQ+CjxkdD5TcGVjaWZpY2F0aW9uIGRvY3VtZW50KHMpOjwvZHQ+CjxkZD4KICAgICAgICAg ICAgICAgIAogICAgICAgICAgICAgICAgW1sgdGhpcyBkb2N1bWVudCBdXQogICAgICAgICAgICAg IAo8L2RkPgo8L2RsPjwvYmxvY2txdW90ZT48cD4KICAgICAgICAgIAo8L3A+CjxhIG5hbWU9ImFu Y2hvcjEwIj48L2E+PGJyIC8+PGhyIC8+Cjx0YWJsZSBzdW1tYXJ5PSJsYXlvdXQiIGNlbGxwYWRk aW5nPSIwIiBjZWxsc3BhY2luZz0iMiIgY2xhc3M9IlRPQ2J1ZyIgYWxpZ249InJpZ2h0Ij48dHI+ PHRkIGNsYXNzPSJUT0NidWciPjxhIGhyZWY9IiN0b2MiPiZuYnNwO1RPQyZuYnNwOzwvYT48L3Rk PjwvdHI+PC90YWJsZT4KPGEgbmFtZT0icmZjLnNlY3Rpb24uNS4yIj48L2E+PGgzPjUuMi4mbmJz cDsKQXV0aGVudGljYXRpb24gU2NoZW1lIFJlZ2lzdHJhdGlvbjwvaDM+Cgo8cD4KICAgICAgICAg IFRoaXMgc3BlY2lmaWNhdGlvbiByZWdpc3RlcnMgdGhlIGZvbGxvd2luZyBhdXRoZW50aWNhdGlv bgogICAgICAgICAgc2NoZW1lIGluIHRoZSBBdXRoZW50aWNhdGlvbiBTY2hlbWUgUmVnaXN0cnkg ZGVmaW5lZCBpbgogICAgICAgICAgSFRUUC8xLjEsIFBhcnQgNyA8YSBjbGFzcz0naW5mbycgaHJl Zj0nI0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aCc+W0kmIzgyMDk7RC5pZXRmJiM4MjA5O2h0dHBi aXMmIzgyMDk7cDcmIzgyMDk7YXV0aF08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+ RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIE5pZWxzZW4sIEguLCBNYXNpbnRl ciwgTC4sIExlYWNoLCBQLiwgQmVybmVycy1MZWUsIFQuLCBMYWZvbiwgWS4sIGFuZCBKLiBSZXNj aGtlLCAmbGRxdW87SFRUUC8xLjEsIHBhcnQgNzogQXV0aGVudGljYXRpb24sJnJkcXVvOyBPY3Rv YmVyJm5ic3A7MjAxMS48L3NwYW4+PHNwYW4+KTwvc3Bhbj48L2E+LgogICAgICAgIAo8L3A+Cjxh IG5hbWU9ImFuY2hvcjExIj48L2E+PGJyIC8+PGhyIC8+Cjx0YWJsZSBzdW1tYXJ5PSJsYXlvdXQi IGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMiIgY2xhc3M9IlRPQ2J1ZyIgYWxpZ249InJp Z2h0Ij48dHI+PHRkIGNsYXNzPSJUT0NidWciPjxhIGhyZWY9IiN0b2MiPiZuYnNwO1RPQyZuYnNw OzwvYT48L3RkPjwvdHI+PC90YWJsZT4KPGEgbmFtZT0icmZjLnNlY3Rpb24uNS4yLjEiPjwvYT48 aDM+NS4yLjEuJm5ic3A7ClRoZSAiQmVhcmVyIiBBdXRoZW50aWNhdGlvbiBTY2hlbWU8L2gzPgoK PHA+CiAgICAgICAgICAgIDwvcD4KPGJsb2NrcXVvdGUgY2xhc3M9InRleHQiPjxkbD4KPGR0PkF1 dGhlbnRpY2F0aW9uIFNjaGVtZSBOYW1lOjwvZHQ+CjxkZD4KICAgICAgICAgICAgICAgIAogICAg ICAgICAgICAgICAgQmVhcmVyCiAgICAgICAgICAgICAgCjwvZGQ+CjxkdD5Qb2ludGVyIHRvIHNw ZWNpZmljYXRpb24gdGV4dDo8L2R0Pgo8ZGQ+CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAg ICAgIFtbIHRoaXMgZG9jdW1lbnQgXV0KICAgICAgICAgICAgICAKPC9kZD4KPGR0Pk5vdGVzIChv cHRpb25hbCk6PC9kdD4KPGRkPgogICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAobm9u ZSkKICAgICAgICAgICAgICAKPC9kZD4KPC9kbD48L2Jsb2NrcXVvdGU+PHA+CiAgICAgICAgICAK PC9wPgo8YSBuYW1lPSJyZmMucmVmZXJlbmNlcyI+PC9hPjxiciAvPjxociAvPgo8dGFibGUgc3Vt bWFyeT0ibGF5b3V0IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjIiIGNsYXNzPSJUT0Ni dWciIGFsaWduPSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVnIj48YSBocmVmPSIjdG9jIj4m bmJzcDtUT0MmbmJzcDs8L2E+PC90ZD48L3RyPjwvdGFibGU+CjxhIG5hbWU9InJmYy5zZWN0aW9u LjYiPjwvYT48aDM+Ni4mbmJzcDsKUmVmZXJlbmNlczwvaDM+Cgo8YSBuYW1lPSJyZmMucmVmZXJl bmNlczEiPjwvYT48YnIgLz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRp bmc9IjAiIGNlbGxzcGFjaW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48 dGQgY2xhc3M9IlRPQ2J1ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+ PC90cj48L3RhYmxlPgo8aDM+Ni4xLiZuYnNwO05vcm1hdGl2ZSBSZWZlcmVuY2VzPC9oMz4KPHRh YmxlIHdpZHRoPSI5OSUiIGJvcmRlcj0iMCI+Cjx0cj48dGQgY2xhc3M9ImF1dGhvci10ZXh0IiB2 YWxpZ249InRvcCI+PGEgbmFtZT0iSS1ELmlldGYtaHR0cGJpcy1wMS1tZXNzYWdpbmciPltJLUQu aWV0Zi1odHRwYmlzLXAxLW1lc3NhZ2luZ108L2E+PC90ZD4KPHRkIGNsYXNzPSJhdXRob3ItdGV4 dCI+RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIE5pZWxzZW4sIEguLCBNYXNp bnRlciwgTC4sIExlYWNoLCBQLiwgQmVybmVycy1MZWUsIFQuLCBMYWZvbiwgWS4sIGFuZCBKLiBS ZXNjaGtlLCAmbGRxdW87PGEgaHJlZj0iaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQt aWV0Zi1odHRwYmlzLXAxLW1lc3NhZ2luZy0xNyI+SFRUUC8xLjEsIHBhcnQgMTogVVJJcywgQ29u bmVjdGlvbnMsIGFuZCBNZXNzYWdlIFBhcnNpbmc8L2E+LCZyZHF1bzsgZHJhZnQtaWV0Zi1odHRw YmlzLXAxLW1lc3NhZ2luZy0xNyAod29yayBpbiBwcm9ncmVzcyksIE9jdG9iZXImbmJzcDsyMDEx ICg8YSBocmVmPSJodHRwOi8vd3d3LmlldGYub3JnL2ludGVybmV0LWRyYWZ0cy9kcmFmdC1pZXRm LWh0dHBiaXMtcDEtbWVzc2FnaW5nLTE3LnR4dCI+VFhUPC9hPikuPC90ZD48L3RyPgo8dHI+PHRk IGNsYXNzPSJhdXRob3ItdGV4dCIgdmFsaWduPSJ0b3AiPjxhIG5hbWU9IkktRC5pZXRmLWh0dHBi aXMtcDctYXV0aCI+W0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aF08L2E+PC90ZD4KPHRkIGNsYXNz PSJhdXRob3ItdGV4dCI+RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIE5pZWxz ZW4sIEguLCBNYXNpbnRlciwgTC4sIExlYWNoLCBQLiwgQmVybmVycy1MZWUsIFQuLCBMYWZvbiwg WS4sIGFuZCBKLiBSZXNjaGtlLCAmbGRxdW87PGEgaHJlZj0iaHR0cDovL3Rvb2xzLmlldGYub3Jn L2h0bWwvZHJhZnQtaWV0Zi1odHRwYmlzLXA3LWF1dGgtMTciPkhUVFAvMS4xLCBwYXJ0IDc6IEF1 dGhlbnRpY2F0aW9uPC9hPiwmcmRxdW87IGRyYWZ0LWlldGYtaHR0cGJpcy1wNy1hdXRoLTE3ICh3 b3JrIGluIHByb2dyZXNzKSwgT2N0b2JlciZuYnNwOzIwMTEgKDxhIGhyZWY9Imh0dHA6Ly93d3cu aWV0Zi5vcmcvaW50ZXJuZXQtZHJhZnRzL2RyYWZ0LWlldGYtaHR0cGJpcy1wNy1hdXRoLTE3LnR4 dCI+VFhUPC9hPikuPC90ZD48L3RyPgo8dHI+PHRkIGNsYXNzPSJhdXRob3ItdGV4dCIgdmFsaWdu PSJ0b3AiPjxhIG5hbWU9IkktRC5pZXRmLW9hdXRoLXYyIj5bSS1ELmlldGYtb2F1dGgtdjJdPC9h PjwvdGQ+Cjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiPkhhbW1lci1MYWhhdiwgRS4sIFJlY29yZG9u LCBELiwgYW5kIEQuIEhhcmR0LCAmbGRxdW87PGEgaHJlZj0iaHR0cDovL3Rvb2xzLmlldGYub3Jn L2h0bWwvZHJhZnQtaWV0Zi1vYXV0aC12Mi0yMiI+VGhlIE9BdXRoIDIuMCBBdXRob3JpemF0aW9u IFByb3RvY29sPC9hPiwmcmRxdW87IGRyYWZ0LWlldGYtb2F1dGgtdjItMjIgKHdvcmsgaW4gcHJv Z3Jlc3MpLCBTZXB0ZW1iZXImbmJzcDsyMDExICg8YSBocmVmPSJodHRwOi8vd3d3LmlldGYub3Jn L2ludGVybmV0LWRyYWZ0cy9kcmFmdC1pZXRmLW9hdXRoLXYyLTIyLnR4dCI+VFhUPC9hPiwgPGEg aHJlZj0iaHR0cDovL3d3dy5pZXRmLm9yZy9pbnRlcm5ldC1kcmFmdHMvZHJhZnQtaWV0Zi1vYXV0 aC12Mi0yMi5wZGYiPlBERjwvYT4pLjwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yLXRl eHQiIHZhbGlnbj0idG9wIj48YSBuYW1lPSJSRkMyMTE5Ij5bUkZDMjExOV08L2E+PC90ZD4KPHRk IGNsYXNzPSJhdXRob3ItdGV4dCI+PGEgaHJlZj0ibWFpbHRvOnNvYkBoYXJ2YXJkLmVkdSI+QnJh ZG5lciwgUy48L2E+LCAmbGRxdW87PGEgaHJlZj0iaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwv cmZjMjExOSI+S2V5IHdvcmRzIGZvciB1c2UgaW4gUkZDcyB0byBJbmRpY2F0ZSBSZXF1aXJlbWVu dCBMZXZlbHM8L2E+LCZyZHF1bzsgQkNQJm5ic3A7MTQsIFJGQyZuYnNwOzIxMTksIE1hcmNoJm5i c3A7MTk5NyAoPGEgaHJlZj0iaHR0cDovL3d3dy5yZmMtZWRpdG9yLm9yZy9yZmMvcmZjMjExOS50 eHQiPlRYVDwvYT4sIDxhIGhyZWY9Imh0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMv aHRtbC9yZmMyMTE5Lmh0bWwiPkhUTUw8L2E+LCA8YSBocmVmPSJodHRwOi8veG1sLnJlc291cmNl Lm9yZy9wdWJsaWMvcmZjL3htbC9yZmMyMTE5LnhtbCI+WE1MPC9hPikuPC90ZD48L3RyPgo8dHI+ PHRkIGNsYXNzPSJhdXRob3ItdGV4dCIgdmFsaWduPSJ0b3AiPjxhIG5hbWU9IlJGQzIyNDYiPltS RkMyMjQ2XTwvYT48L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij48YSBocmVmPSJtYWlsdG86 dGRpZXJrc0BjZXJ0aWNvbS5jb20iPkRpZXJrcywgVC48L2E+IGFuZCA8YSBocmVmPSJtYWlsdG86 Y2FsbGVuQGNlcnRpY29tLmNvbSI+Qy4gQWxsZW48L2E+LCAmbGRxdW87PGEgaHJlZj0iaHR0cDov L3Rvb2xzLmlldGYub3JnL2h0bWwvcmZjMjI0NiI+VGhlIFRMUyBQcm90b2NvbCBWZXJzaW9uIDEu MDwvYT4sJnJkcXVvOyBSRkMmbmJzcDsyMjQ2LCBKYW51YXJ5Jm5ic3A7MTk5OSAoPGEgaHJlZj0i aHR0cDovL3d3dy5yZmMtZWRpdG9yLm9yZy9yZmMvcmZjMjI0Ni50eHQiPlRYVDwvYT4pLjwvdGQ+ PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiIHZhbGlnbj0idG9wIj48YSBuYW1lPSJS RkMzOTg2Ij5bUkZDMzk4Nl08L2E+PC90ZD4KPHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+PGEgaHJl Zj0ibWFpbHRvOnRpbWJsQHczLm9yZyI+QmVybmVycy1MZWUsIFQuPC9hPiwgPGEgaHJlZj0ibWFp bHRvOmZpZWxkaW5nQGdiaXYuY29tIj5GaWVsZGluZywgUi48L2E+LCBhbmQgPGEgaHJlZj0ibWFp bHRvOkxNTUBhY20ub3JnIj5MLiBNYXNpbnRlcjwvYT4sICZsZHF1bzs8YSBocmVmPSJodHRwOi8v dG9vbHMuaWV0Zi5vcmcvaHRtbC9yZmMzOTg2Ij5Vbmlmb3JtIFJlc291cmNlIElkZW50aWZpZXIg KFVSSSk6IEdlbmVyaWMgU3ludGF4PC9hPiwmcmRxdW87IFNURCZuYnNwOzY2LCBSRkMmbmJzcDsz OTg2LCBKYW51YXJ5Jm5ic3A7MjAwNSAoPGEgaHJlZj0iaHR0cDovL3d3dy5yZmMtZWRpdG9yLm9y Zy9yZmMvcmZjMzk4Ni50eHQiPlRYVDwvYT4sIDxhIGhyZWY9Imh0dHA6Ly94bWwucmVzb3VyY2Uu b3JnL3B1YmxpYy9yZmMvaHRtbC9yZmMzOTg2Lmh0bWwiPkhUTUw8L2E+LCA8YSBocmVmPSJodHRw Oi8veG1sLnJlc291cmNlLm9yZy9wdWJsaWMvcmZjL3htbC9yZmMzOTg2LnhtbCI+WE1MPC9hPiku PC90ZD48L3RyPgo8dHI+PHRkIGNsYXNzPSJhdXRob3ItdGV4dCIgdmFsaWduPSJ0b3AiPjxhIG5h bWU9IlJGQzUyMzQiPltSRkM1MjM0XTwvYT48L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij5D cm9ja2VyLCBELiBhbmQgUC4gT3ZlcmVsbCwgJmxkcXVvOzxhIGhyZWY9Imh0dHA6Ly90b29scy5p ZXRmLm9yZy9odG1sL3JmYzUyMzQiPkF1Z21lbnRlZCBCTkYgZm9yIFN5bnRheCBTcGVjaWZpY2F0 aW9uczogQUJORjwvYT4sJnJkcXVvOyBTVEQmbmJzcDs2OCwgUkZDJm5ic3A7NTIzNCwgSmFudWFy eSZuYnNwOzIwMDggKDxhIGhyZWY9Imh0dHA6Ly93d3cucmZjLWVkaXRvci5vcmcvcmZjL3JmYzUy MzQudHh0Ij5UWFQ8L2E+KS48L3RkPjwvdHI+Cjx0cj48dGQgY2xhc3M9ImF1dGhvci10ZXh0IiB2 YWxpZ249InRvcCI+PGEgbmFtZT0iUkZDNTI0NiI+W1JGQzUyNDZdPC9hPjwvdGQ+Cjx0ZCBjbGFz cz0iYXV0aG9yLXRleHQiPkRpZXJrcywgVC4gYW5kIEUuIFJlc2NvcmxhLCAmbGRxdW87PGEgaHJl Zj0iaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvcmZjNTI0NiI+VGhlIFRyYW5zcG9ydCBMYXll ciBTZWN1cml0eSAoVExTKSBQcm90b2NvbCBWZXJzaW9uIDEuMjwvYT4sJnJkcXVvOyBSRkMmbmJz cDs1MjQ2LCBBdWd1c3QmbmJzcDsyMDA4ICg8YSBocmVmPSJodHRwOi8vd3d3LnJmYy1lZGl0b3Iu b3JnL3JmYy9yZmM1MjQ2LnR4dCI+VFhUPC9hPikuPC90ZD48L3RyPgo8dHI+PHRkIGNsYXNzPSJh dXRob3ItdGV4dCIgdmFsaWduPSJ0b3AiPjxhIG5hbWU9IlJGQzYxMjUiPltSRkM2MTI1XTwvYT48 L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij5TYWludC1BbmRyZSwgUC4gYW5kIEouIEhvZGdl cywgJmxkcXVvOzxhIGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzYxMjUiPlJl cHJlc2VudGF0aW9uIGFuZCBWZXJpZmljYXRpb24gb2YgRG9tYWluLUJhc2VkIEFwcGxpY2F0aW9u IFNlcnZpY2UgSWRlbnRpdHkgd2l0aGluIEludGVybmV0IFB1YmxpYyBLZXkgSW5mcmFzdHJ1Y3R1 cmUgVXNpbmcgWC41MDkgKFBLSVgpIENlcnRpZmljYXRlcyBpbiB0aGUgQ29udGV4dCBvZiBUcmFu c3BvcnQgTGF5ZXIgU2VjdXJpdHkgKFRMUyk8L2E+LCZyZHF1bzsgUkZDJm5ic3A7NjEyNSwgTWFy Y2gmbmJzcDsyMDExICg8YSBocmVmPSJodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmM2 MTI1LnR4dCI+VFhUPC9hPikuPC90ZD48L3RyPgo8dHI+PHRkIGNsYXNzPSJhdXRob3ItdGV4dCIg dmFsaWduPSJ0b3AiPjxhIG5hbWU9IlczQy5SRUMtaHRtbDQwMS0xOTk5MTIyNCI+W1czQy5SRUMt aHRtbDQwMS0xOTk5MTIyNF08L2E+PC90ZD4KPHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+SmFjb2Jz LCBJLiwgUmFnZ2V0dCwgRC4sIGFuZCBBLiBIb3JzLCAmbGRxdW87PGEgaHJlZj0iaHR0cDovL3d3 dy53My5vcmcvVFIvMTk5OS9SRUMtaHRtbDQwMS0xOTk5MTIyNCI+SFRNTCA0LjAxIFNwZWNpZmlj YXRpb248L2E+LCZyZHF1bzsgV29ybGQgV2lkZSBXZWIgQ29uc29ydGl1bSBSZWNvbW1lbmRhdGlv biZuYnNwO1JFQy1odG1sNDAxLTE5OTkxMjI0LCBEZWNlbWJlciZuYnNwOzE5OTkgKDxhIGhyZWY9 Imh0dHA6Ly93d3cudzMub3JnL1RSLzE5OTkvUkVDLWh0bWw0MDEtMTk5OTEyMjQiPkhUTUw8L2E+ KS48L3RkPjwvdHI+CjwvdGFibGU+Cgo8YSBuYW1lPSJyZmMucmVmZXJlbmNlczIiPjwvYT48YnIg Lz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRpbmc9IjAiIGNlbGxzcGFj aW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48dGQgY2xhc3M9IlRPQ2J1 ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+PC90cj48L3RhYmxlPgo8 aDM+Ni4yLiZuYnNwO0luZm9ybWF0aXZlIFJlZmVyZW5jZXM8L2gzPgo8dGFibGUgd2lkdGg9Ijk5 JSIgYm9yZGVyPSIwIj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiIHZhbGlnbj0idG9wIj48 YSBuYW1lPSJOSVNUODAwLTYzIj5bTklTVDgwMC02M108L2E+PC90ZD4KPHRkIGNsYXNzPSJhdXRo b3ItdGV4dCI+QnVyciwgVy4sIERvZHNvbiwgRC4sIFBlcmxuZXIsIFIuLCBQb2xrLCBULiwgR3Vw dGEsIFMuLCBhbmQgRS4gTmFiYnVzLCAmbGRxdW87PGEgaHJlZj0iaHR0cDovL2NzcmMubmlzdC5n b3YvcHVibGljYXRpb25zL1B1YnNEcmFmdHMuaHRtbCNTUC04MDAtNjMtUmV2LiUyMDEiPk5JU1Qg U3BlY2lhbCBQdWJsaWNhdGlvbiA4MDAtNjMtMSwgSU5GT1JNQVRJT04gU0VDVVJJVFk8L2E+LCZy ZHF1bzsgRGVjZW1iZXImbmJzcDsyMDA4LjwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9y LXRleHQiIHZhbGlnbj0idG9wIj48YSBuYW1lPSJSRkMyNjE2Ij5bUkZDMjYxNl08L2E+PC90ZD4K PHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+PGEgaHJlZj0ibWFpbHRvOmZpZWxkaW5nQGljcy51Y2ku ZWR1Ij5GaWVsZGluZywgUi48L2E+LCA8YSBocmVmPSJtYWlsdG86amdAdzMub3JnIj5HZXR0eXMs IEouPC9hPiwgPGEgaHJlZj0ibWFpbHRvOm1vZ3VsQHdybC5kZWMuY29tIj5Nb2d1bCwgSi48L2E+ LCA8YSBocmVmPSJtYWlsdG86ZnJ5c3R5a0B3My5vcmciPkZyeXN0eWssIEguPC9hPiwgPGEgaHJl Zj0ibWFpbHRvOm1hc2ludGVyQHBhcmMueGVyb3guY29tIj5NYXNpbnRlciwgTC48L2E+LCA8YSBo cmVmPSJtYWlsdG86cGF1bGxlQG1pY3Jvc29mdC5jb20iPkxlYWNoLCBQLjwvYT4sIGFuZCA8YSBo cmVmPSJtYWlsdG86dGltYmxAdzMub3JnIj5ULiBCZXJuZXJzLUxlZTwvYT4sICZsZHF1bzs8YSBo cmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9yZmMyNjE2Ij5IeXBlcnRleHQgVHJhbnNm ZXIgUHJvdG9jb2wgLS0gSFRUUC8xLjE8L2E+LCZyZHF1bzsgUkZDJm5ic3A7MjYxNiwgSnVuZSZu YnNwOzE5OTkgKDxhIGhyZWY9Imh0dHA6Ly93d3cucmZjLWVkaXRvci5vcmcvcmZjL3JmYzI2MTYu dHh0Ij5UWFQ8L2E+LCA8YSBocmVmPSJodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmMy NjE2LnBzIj5QUzwvYT4sIDxhIGhyZWY9Imh0dHA6Ly93d3cucmZjLWVkaXRvci5vcmcvcmZjL3Jm YzI2MTYucGRmIj5QREY8L2E+LCA8YSBocmVmPSJodHRwOi8veG1sLnJlc291cmNlLm9yZy9wdWJs aWMvcmZjL2h0bWwvcmZjMjYxNi5odG1sIj5IVE1MPC9hPiwgPGEgaHJlZj0iaHR0cDovL3htbC5y ZXNvdXJjZS5vcmcvcHVibGljL3JmYy94bWwvcmZjMjYxNi54bWwiPlhNTDwvYT4pLjwvdGQ+PC90 cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiIHZhbGlnbj0idG9wIj48YSBuYW1lPSJSRkMy NjE3Ij5bUkZDMjYxN108L2E+PC90ZD4KPHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+PGEgaHJlZj0i bWFpbHRvOmpvaG5AbWF0aC5ud3UuZWR1Ij5GcmFua3MsIEouPC9hPiwgPGEgaHJlZj0ibWFpbHRv OnBiYWtlckB2ZXJpc2lnbi5jb20iPkhhbGxhbS1CYWtlciwgUC48L2E+LCA8YSBocmVmPSJtYWls dG86amVmZkBBYmlTb3VyY2UuY29tIj5Ib3N0ZXRsZXIsIEouPC9hPiwgPGEgaHJlZj0ibWFpbHRv Omxhd3JlbmNlQGFncmFuYXQuY29tIj5MYXdyZW5jZSwgUy48L2E+LCA8YSBocmVmPSJtYWlsdG86 cGF1bGxlQG1pY3Jvc29mdC5jb20iPkxlYWNoLCBQLjwvYT4sIEx1b3RvbmVuLCBBLiwgYW5kIDxh IGhyZWY9Im1haWx0bzpzdGV3YXJ0QE9wZW5NYXJrZXQuY29tIj5MLiBTdGV3YXJ0PC9hPiwgJmxk cXVvOzxhIGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzI2MTciPkhUVFAgQXV0 aGVudGljYXRpb246IEJhc2ljIGFuZCBEaWdlc3QgQWNjZXNzIEF1dGhlbnRpY2F0aW9uPC9hPiwm cmRxdW87IFJGQyZuYnNwOzI2MTcsIEp1bmUmbmJzcDsxOTk5ICg8YSBocmVmPSJodHRwOi8vd3d3 LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmMyNjE3LnR4dCI+VFhUPC9hPiwgPGEgaHJlZj0iaHR0cDov L3htbC5yZXNvdXJjZS5vcmcvcHVibGljL3JmYy9odG1sL3JmYzI2MTcuaHRtbCI+SFRNTDwvYT4s IDxhIGhyZWY9Imh0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMveG1sL3JmYzI2MTcu eG1sIj5YTUw8L2E+KS48L3RkPjwvdHI+CjwvdGFibGU+Cgo8YSBuYW1lPSJhbmNob3IxNCI+PC9h PjxiciAvPjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5b3V0IiBjZWxscGFkZGluZz0iMCIgY2Vs bHNwYWNpbmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWduPSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0i VE9DYnVnIj48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0MmbmJzcDs8L2E+PC90ZD48L3RyPjwvdGFi bGU+CjxhIG5hbWU9InJmYy5zZWN0aW9uLkEiPjwvYT48aDM+QXBwZW5kaXggQS4mbmJzcDsKQWNr bm93bGVkZ2VtZW50czwvaDM+Cgo8cD4KICAgICAgICBUaGUgZm9sbG93aW5nIHBlb3BsZSBjb250 cmlidXRlZCB0byBwcmVsaW1pbmFyeSB2ZXJzaW9ucyBvZiB0aGlzIGRvY3VtZW50OgogICAgICAg IEJsYWluZSBDb29rIChCVCksIEJyaWFuIEVhdG9uIChHb29nbGUpLCBZYXJvbiBZLiBHb2xhbmQg KE1pY3Jvc29mdCksIEJyZW50IEdvbGRtYW4gKEZhY2Vib29rKSwKICAgICAgICBSYWZmaSBLcmlr b3JpYW4gKFR3aXR0ZXIpLCBMdWtlIFNoZXBhcmQgKEZhY2Vib29rKSwgYW5kIEFsbGVuIFRvbSAo WWFob28hKS4gVGhlIGNvbnRlbnQgYW5kCiAgICAgICAgY29uY2VwdHMgd2l0aGluIGFyZSBhIHBy b2R1Y3Qgb2YgdGhlIE9BdXRoIGNvbW11bml0eSwgdGhlIFdSQVAgY29tbXVuaXR5LCBhbmQgdGhl IE9BdXRoIFdvcmtpbmcKICAgICAgICBHcm91cC4KICAgICAgCjwvcD4KPHA+CiAgICAgICAgVGhl IE9BdXRoIFdvcmtpbmcgR3JvdXAgaGFzIGRvemVucyBvZiB2ZXJ5IGFjdGl2ZSBjb250cmlidXRv cnMgd2hvIHByb3Bvc2VkIGlkZWFzIGFuZAogICAgICAgIHdvcmRpbmcgZm9yIHRoaXMgZG9jdW1l bnQsIGluY2x1ZGluZzoKCU1pY2hhZWwgQWRhbXMsIEFtYW5kYSBBbmdhbmVzLCBBbmRyZXcgQXJu b3R0LCBEaXJrIEJhbGZhbnosCglKb2huIEJyYWRsZXksIEJyaWFuIENhbXBiZWxsLCBMZWFoIEN1 bHZlciwgQmlsbCBkZSBow5NyYSwKCUJyaWFuIEVsbGluLCBJZ29yIEZheW5iZXJnLCBTdGVwaGVu IEZhcnJlbGwsIEdlb3JnZSBGbGV0Y2hlciwKCVRpbSBGcmVlbWFuLCBFdmFuIEdpbGJlcnQsIFlh cm9uIFkuIEdvbGFuZCwgVGhvbWFzIEhhcmRqb25vLAoJSnVzdGluIEhhcnQsIFBoaWwgSHVudCwg Sm9obiBLZW1wLCBFcmFuIEhhbW1lci1MYWhhdiwKCUNoYXNlbiBMZSBIYXJhLCBCYXJyeSBMZWli YSwgTWljaGFlbCBCLiBKb25lcywKCVRvcnN0ZW4gTG9kZGVyc3RlZHQsIEV2ZSBNYWxlciwgSmFt ZXMgTWFuZ2VyLCBMYXVyZW5jZSBNaWFvLAoJV2lsbGlhbSBKLiBNaWxscywgQ2h1Y2sgTW9ydGlt b3JlLCBBbnRob255IE5hZGFsaW4sCglKdWxpYW4gUmVzY2hrZSwgSnVzdGluIFJpY2hlciwgUGV0 ZXIgU2FpbnQtQW5kcmUsIE5hdCBTYWtpbXVyYSwKCVJvYiBTYXlyZSwgTWFyaXVzIFNjdXJ0ZXNj dSwgTmFpdGlrIFNoYWgsIEp1c3RpbiBTbWl0aCwKCUplcmVteSBTdXJpZWwsIENocmlzdGlhbiBT dMO8Ym5lciwgUGF1bCBUYXJqYW4sCglIYW5uZXMgVHNjaG9mZW5pZywgRnJhbmtsaW4gVHNlLCBh bmQgU2hhbmUgV2VlZGVuLgogICAgICAKPC9wPgo8YSBuYW1lPSJhbmNob3IxNSI+PC9hPjxiciAv PjxociAvPgo8dGFibGUgc3VtbWFyeT0ibGF5b3V0IiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNp bmc9IjIiIGNsYXNzPSJUT0NidWciIGFsaWduPSJyaWdodCI+PHRyPjx0ZCBjbGFzcz0iVE9DYnVn Ij48YSBocmVmPSIjdG9jIj4mbmJzcDtUT0MmbmJzcDs8L2E+PC90ZD48L3RyPjwvdGFibGU+Cjxh IG5hbWU9InJmYy5zZWN0aW9uLkIiPjwvYT48aDM+QXBwZW5kaXggQi4mbmJzcDsKRG9jdW1lbnQg SGlzdG9yeTwvaDM+Cgo8cD4KICAgICAgICBbWyB0byBiZSByZW1vdmVkIGJ5IHRoZSBSRkMgZWRp dG9yIGJlZm9yZSBwdWJsaWNhdGlvbiBhcyBhbiBSRkMgXV0KICAgICAgCjwvcD4KPHA+CiAgICAg ICAgLTE1CiAgICAgICAgPC9wPgo8dWwgY2xhc3M9InRleHQiPgo8bGk+CgkgICAgQ2xhcmlmaWVk IHRoYXQgZm9ybS1lbmNvZGVkIGNvbnRlbnQgbXVzdCBjb25zaXN0IGVudGlyZWx5CgkgICAgb2Yg QVNDSUkgY2hhcmFjdGVycy4KCSAgCjwvbGk+CjxsaT4KCSAgICBBZGRlZCBUTFMgdmVyc2lvbiBy ZXF1aXJlbWVudHMuCgkgIAo8L2xpPgo8bGk+CgkgICAgQXBwbGllZCBlZGl0b3JpYWwgaW1wcm92 ZW1lbnRzIHN1Z2dlc3RlZCBieSBNYXJrCgkgICAgTm90dGluZ2hhbSBkdXJpbmcgdGhlIEFQUFMg YXJlYSByZXZpZXcuCgkgIAo8L2xpPgo8L3VsPjxwPgogICAgICAKPC9wPgo8cD4KICAgICAgICAt MTQKICAgICAgICA8L3A+Cjx1bCBjbGFzcz0idGV4dCI+CjxsaT4KCSAgICBDaGFuZ2VzIG1hZGUg aW4gcmVzcG9uc2UgdG8gcmV2aWV3IGNvbW1lbnRzIGJ5IFNlY3VyaXR5CgkgICAgQXJlYSBEaXJl Y3RvciBTdGVwaGVuIEZhcnJlbGwuICBTcGVjaWZpY2FsbHk6CgkgIAo8L2xpPgo8bGk+CgkgICAg U3RyZW5ndGhlbmVkIHdhcm5pbmdzIGFib3V0IHBhc3NpbmcgYW4gYWNjZXNzIHRva2VuIGFzIGEK CSAgICBxdWVyeSBwYXJhbWV0ZXIgYW5kIG1vcmUgcHJlY2lzZWx5IGRlc2NyaWJlZCB0aGUKCSAg ICBsaW1pdGF0aW9ucyBwbGFjZWQgdXBvbiB0aGUgdXNlIG9mIHRoaXMgbWV0aG9kLgoJICAKPC9s aT4KPGxpPgoJICAgIENsYXJpZmllZCB0aGF0IHRoZSA8dHQ+cmVhbG08L3R0PgoJICAgIGF0dHJp YnV0ZSBNQVkgaW5jbHVkZWQgdG8gaW5kaWNhdGUgdGhlIHNjb3BlIG9mIHByb3RlY3Rpb24KCSAg ICBpbiB0aGUgbWFubmVyIGRlc2NyaWJlZCBpbgoJICAgIEhUVFAvMS4xLCBQYXJ0IDcgPGEgY2xh c3M9J2luZm8nIGhyZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgnPltJJiM4MjA5O0QuaWV0 ZiYjODIwOTtodHRwYmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNwYW4+ICg8L3NwYW4+PHNwYW4g Y2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwgTW9ndWwsIEouLCBOaWVsc2Vu LCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMtTGVlLCBULiwgTGFmb24sIFku LCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0IDc6IEF1dGhlbnRpY2F0aW9u LCZyZHF1bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCSAg CjwvbGk+CjxsaT4KCSAgICBOb3JtYXRpdmVseSBzdGF0ZWQgdGhhdCAidGhlIHRva2VuIGludGVn cml0eSBwcm90ZWN0aW9uCgkgICAgTVVTVCBiZSBzdWZmaWNpZW50IHRvIHByZXZlbnQgdGhlIHRv a2VuIGZyb20gYmVpbmcKCSAgICBtb2RpZmllZCIuCgkgIAo8L2xpPgo8bGk+CgkgICAgQWRkZWQg c3RhdGVtZW50IHRoYXQgIlRMUyBpcyBtYW5kYXRvcnkgdG8gaW1wbGVtZW50IGFuZAoJICAgIHVz ZSB3aXRoIHRoaXMgc3BlY2lmaWNhdGlvbiIgdG8gdGhlIGludHJvZHVjdGlvbi4KCSAgCjwvbGk+ CjxsaT4KCSAgICBTdGF0ZWQgdGhhdCBUTFMgTVVTVCBiZSB1c2VkIHdpdGggImEgY2lwaGVyc3Vp dGUgdGhhdAoJICAgIHByb3ZpZGVzIGNvbmZpZGVudGlhbGl0eSBhbmQgaW50ZWdyaXR5IHByb3Rl Y3Rpb24iLgoJICAKPC9saT4KPGxpPgoJICAgIEFkZGVkICJBcyBhIGZ1cnRoZXIgZGVmZW5zZSBh Z2FpbnN0IHRva2VuIGRpc2Nsb3N1cmUsIHRoZQoJICAgIGNsaWVudCBNVVNUIHZhbGlkYXRlIHRo ZSBUTFMgY2VydGlmaWNhdGUgY2hhaW4gd2hlbiBtYWtpbmcKCSAgICByZXF1ZXN0cyB0byBwcm90 ZWN0ZWQgcmVzb3VyY2VzIiB0byB0aGUgVGhyZWF0IE1pdGlnYXRpb24KCSAgICBzZWN0aW9uLgoJ ICAKPC9saT4KPGxpPgoJICAgIENsYXJpZmllZCB0aGF0IHB1dHRpbmcgYSB2YWxpZGl0eSB0aW1l IGZpZWxkIGluc2lkZSB0aGUKCSAgICBwcm90ZWN0ZWQgcGFydCBvZiB0aGUgdG9rZW4gaXMgb25l IG1lYW5zLCBidXQgbm90IHRoZSBvbmx5CgkgICAgbWVhbnMsIG9mIGxpbWl0aW5nIHRoZSBsaWZl dGltZSBvZiB0aGUgdG9rZW4uCgkgIAo8L2xpPgo8bGk+CgkgICAgRHJvcHBlZCB0aGUgY29uZnVz aW5nIHBocmFzZSAiZm9yIGluc3RhbmNlLCB0aHJvdWdoIHRoZQoJICAgIHVzZSBvZiBUTFMiIGZy b20gdGhlIHNlbnRlbmNlIGFib3V0IGNvbmZpZGVudGlhbGl0eQoJICAgIHByb3RlY3Rpb24gb2Yg dGhlIGV4Y2hhbmdlcy4KCSAgCjwvbGk+CjxsaT4KCSAgICBSZWZlcmVuY2UgUkZDIDYxMjUgZm9y IGlkZW50aXR5IHZlcmlmaWNhdGlvbiwgcmF0aGVyIHRoYW4KCSAgICBSRkMgMjgxOC4KCSAgCjwv bGk+CjxsaT4KCSAgICBTdGF0ZWQgdGhhdCB0aGUgdG9rZW4gTVVTVCBiZSBwcm90ZWN0ZWQgYmV0 d2VlbiBmcm9udCBlbmQKCSAgICBhbmQgYmFjayBlbmQgc2VydmVycyB3aGVuIHRoZSBUTFMgY29u bmVjdGlvbiB0ZXJtaW5hdGVzIGF0CgkgICAgYSBmcm9udCBlbmQgc2VydmVyIHRoYXQgaXMgZGlz dGluY3QgZnJvbSB0aGUgYWN0dWFsIHNlcnZlcgoJICAgIHRoYXQgcHJvdmlkZXMgdGhlIHJlc291 cmNlLgoJICAKPC9saT4KPGxpPgoJICAgIFN0YXRlZCB0aGF0IGJlYXJlciB0b2tlbnMgTVVTVCBu b3QgYmUgc3RvcmVkIGluIGNvb2tpZXMKCSAgICB0aGF0IGNhbiBiZSBzZW50IGluIHRoZSBjbGVh ciBpbiB0aGUgVGhyZWF0IE1pdGlnYXRpb24KCSAgICBzZWN0aW9uLgoJICAKPC9saT4KPGxpPgoJ ICAgIFJlcGxhY2VkIHNvbGUgcmVtYWluaW5nIHJlZmVyZW5jZSB0byA8YSBjbGFzcz0naW5mbycg aHJlZj0nI1JGQzI2MTYnPltSRkMyNjE2XTxzcGFuPiAoPC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZv Jz5GaWVsZGluZywgUi4sIEdldHR5cywgSi4sIE1vZ3VsLCBKLiwgRnJ5c3R5aywgSC4sIE1hc2lu dGVyLCBMLiwgTGVhY2gsIFAuLCBhbmQgVC4gQmVybmVycy1MZWUsICZsZHF1bztIeXBlcnRleHQg VHJhbnNmZXIgUHJvdG9jb2wgLS0gSFRUUC8xLjEsJnJkcXVvOyBKdW5lJm5ic3A7MTk5OS48L3Nw YW4+PHNwYW4+KTwvc3Bhbj48L2E+IHdpdGgKCSAgICBIVFRQYmlzIDxhIGNsYXNzPSdpbmZvJyBo cmVmPScjSS1ELmlldGYtaHR0cGJpcy1wMS1tZXNzYWdpbmcnPltJJiM4MjA5O0QuaWV0ZiYjODIw OTtodHRwYmlzJiM4MjA5O3AxJiM4MjA5O21lc3NhZ2luZ108c3Bhbj4gKDwvc3Bhbj48c3BhbiBj bGFzcz0naW5mbyc+RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIE5pZWxzZW4s IEguLCBNYXNpbnRlciwgTC4sIExlYWNoLCBQLiwgQmVybmVycy1MZWUsIFQuLCBMYWZvbiwgWS4s IGFuZCBKLiBSZXNjaGtlLCAmbGRxdW87SFRUUC8xLjEsIHBhcnQgMTogVVJJcywgQ29ubmVjdGlv bnMsIGFuZCBNZXNzYWdlIFBhcnNpbmcsJnJkcXVvOyBPY3RvYmVyJm5ic3A7MjAxMS48L3NwYW4+ PHNwYW4+KTwvc3Bhbj48L2E+CgkgICAgcmVmZXJlbmNlLgoJICAKPC9saT4KPGxpPgoJICAgIFJl cGxhY2VkIGFsbCByZWZlcmVuY2VzIHdoZXJlIHRoZSByZWZlcmVuY2UgaXMgdXNlZCBhcyBpZgoJ ICAgIGl0IHdlcmUgcGFydCBvZiB0aGUgc2VudGVuY2UgKHN1Y2ggYXMgImRlZmluZWQgYnkKCSAg ICBbSS1ELndoYXRldmVyXSIpIHdpdGggb25lcyB3aGVyZSB0aGUgc3BlY2lmaWNhdGlvbiBuYW1l IGlzCgkgICAgdXNlZCwgZm9sbG93ZWQgYnkgdGhlIHJlZmVyZW5jZSAoc3VjaCBhcyAiZGVmaW5l ZCBieQoJICAgIFdoYXRldmVyIFtJLUQud2hhdGV2ZXJdIikuCgkgIAo8L2xpPgo8bGk+CgkgICAg T3RoZXIgb24tbm9ybWF0aXZlIGVkaXRvcmlhbCBpbXByb3ZlbWVudHMuCgkgIAo8L2xpPgo8L3Vs PjxwPgogICAgICAKPC9wPgo8cD4KICAgICAgICAtMTMKICAgICAgICA8L3A+Cjx1bCBjbGFzcz0i dGV4dCI+CjxsaT4KCSAgICBBdCB0aGUgcmVxdWVzdCBvZiBIYW5uZXMgVHNjaG9mZW5pZywgbWFk ZSBBQk5GIGNoYW5nZXMgdG8KCSAgICBtYWtlIGl0IGNsZWFyIHRoYXQgbm8gc3BlY2lhbCBXV1ct QXV0aGVudGljYXRlIHJlc3BvbnNlCgkgICAgaGVhZGVyIGZpZWxkIHBhcnNlcnMgYXJlIG5lZWRl ZC4gIFRoZSA8dHQ+c2NvcGU8L3R0PiwgPHR0PmVycm9yLWRlc2NyaXB0aW9uPC90dD4sIGFuZCA8 dHQ+ZXJyb3ItdXJpPC90dD4gcGFyYW1ldGVycyBhcmUgYWxsIG5vdwoJICAgIGRlZmluZWQgYXMg cXVvdGVkLXN0cmluZyBpbiB0aGUgQUJORiAoYXMgPHR0PmVycm9yPC90dD4gYWxyZWFkeSB3YXMp LiAgUmVzdHJpY3Rpb25zIG9uCgkgICAgdGhlc2UgdmFsdWVzIHRoYXQgd2VyZSBmb3JtZXJseSBk ZXNjcmliZWQgaW4gdGhlIEFCTkZzIGFyZQoJICAgIG5vdyBkZXNjcmliZWQgaW4gbm9ybWF0aXZl IHRleHQgaW5zdGVhZC4KCSAgCjwvbGk+CjwvdWw+PHA+CiAgICAgIAo8L3A+CjxwPgogICAgICAg IC0xMgogICAgICAgIDwvcD4KPHVsIGNsYXNzPSJ0ZXh0Ij4KPGxpPgoJICAgIE1hZGUgbm9uLW5v cm1hdGl2ZSBlZGl0b3JpYWwgY2hhbmdlcyB0aGF0IEhhbm5lcwoJICAgIFRzY2hvZmVuaWcgcmVx dWVzdGVkIGJlIGFwcGxpZWQgcHJpb3IgdG8gZm9yd2FyZGluZyB0aGUKCSAgICBzcGVjaWZpY2F0 aW9uIHRvIHRoZSBJRVNHLgoJICAKPC9saT4KPGxpPgoJICAgIEFkZGVkIHJhdGlvbmFsZSBmb3Ig dGhlIGNob2ljZSBvZiB0aGUgYjY0dG9rZW4gc3ludGF4LgoJICAKPC9saT4KPGxpPgoJICAgIEFk ZGVkIHJhdGlvbmFsZSBzdGF0aW5nIHRoYXQgcmVjZWl2ZXJzIGFyZSBmcmVlIHRvIHBhcnNlCgkg ICAgdGhlIDx0dD5zY29wZTwvdHQ+IGF0dHJpYnV0ZSB1c2luZyBhCgkgICAgc3RhbmRhcmQgcXVv dGVkLXN0cmluZyBwYXJzZXIsIHNpbmNlIGl0IHdpbGwgY29ycmVjdGx5CgkgICAgcHJvY2VzcyBh bGwgbGVnYWwgPHR0PnNjb3BlPC90dD4KCSAgICB2YWx1ZXMuCgkgIAo8L2xpPgo8bGk+CgkgICAg QWRkZWQgYWRkaXRpb25hbCBhY3RpdmUgd29ya2luZyBncm91cCBjb250cmlidXRvcnMgdG8gdGhl CgkgICAgQWNrbm93bGVkZ2VtZW50cyBzZWN0aW9uLgoJICAKPC9saT4KPC91bD48cD4KICAgICAg CjwvcD4KPHA+CiAgICAgICAgLTExCiAgICAgICAgPC9wPgo8dWwgY2xhc3M9InRleHQiPgo8bGk+ CgkgICAgUmVwbGFjZWQgdXNlcyBvZiAmbHQ7IiZndDsgd2l0aCBEUVVPVEUgdG8gcGFzcyBBQk5G IHN5bnRheCBjaGVjay4KCSAgCjwvbGk+CjwvdWw+PHA+CiAgICAgIAo8L3A+CjxwPgogICAgICAg IC0xMAogICAgICAgIDwvcD4KPHVsIGNsYXNzPSJ0ZXh0Ij4KPGxpPgoJICAgIFJlbW92ZWQgdGhl ICNhdXRoLXBhcmFtIG9wdGlvbiBmcm9tIEF1dGhvcml6YXRpb24gaGVhZGVyCgkgICAgc3ludGF4 IChsZWF2aW5nIG9ubHkgdGhlIGI2NHRva2VuIHN5bnRheCkuCgkgIAo8L2xpPgo8bGk+CgkgICAg UmVzdHJpY3RlZCB0aGUgPHR0PnNjb3BlPC90dD4gdmFsdWUKCSAgICBjaGFyYWN0ZXIgc2V0IHRv ICV4MjEgLyAleDIzLTVCIC8gJXg1RC03RSAocHJpbnRhYmxlIEFTQ0lJCgkgICAgY2hhcmFjdGVy cyBleGNsdWRpbmcgZG91YmxlLXF1b3RlIGFuZCBiYWNrc2xhc2gpLgoJICAgIEluZGljYXRlZCB0 aGF0IHNjb3BlIGlzIGludGVuZGVkIGZvciBwcm9ncmFtbWF0aWMgdXNlIGFuZAoJICAgIGlzIG5v dCBtZWFudCB0byBiZSBkaXNwbGF5ZWQgdG8gZW5kIHVzZXJzLgoJICAKPC9saT4KPGxpPgoJICAg IFJlc3RyaWN0ZWQgdGhlIGNoYXJhY3RlciBzZXQgZm9yIDx0dD5lcnJvcl9kZXNjcmlwdGlvbjwv dHQ+IHN0cmluZ3MgdG8gU1AgLwoJICAgIFZDSEFSIGFuZCBpbmRpY2F0ZWQgdGhhdCB0aGV5IGFy ZSBub3QgbWVhbnQgdG8gYmUKCSAgICBkaXNwbGF5ZWQgdG8gZW5kIHVzZXJzLgoJICAKPC9saT4K PGxpPgoJICAgIEluY2x1ZGVkIG1vcmUgZGVzY3JpcHRpb24gaW4gdGhlIEFic3RyYWN0LCBzaW5j ZSBIYW5uZXMKCSAgICBUc2Nob2ZlbmlnIGluZGljYXRlZCB0aGF0IHRoZSBSRkMgZWRpdG9yIHdv dWxkIHJlcXVpcmUKCSAgICB0aGlzLgoJICAKPC9saT4KPGxpPgogICAgICAgICAgICBDaGFuZ2Vk ICJBY2Nlc3MgR3JhbnQiIHRvICJBdXRob3JpemF0aW9uIEdyYW50IiwgYXMgd2FzCiAgICAgICAg ICAgIGRvbmUgaW4gdGhlIGNvcmUgc3BlYy4KCSAgCjwvbGk+CjxsaT4KCSAgICBTaW1wbGlmaWVk IHRoZSBpbnRyb2R1Y3Rpb24gdG8gdGhlIEF1dGhlbnRpY2F0ZWQgUmVxdWVzdHMKCSAgICBzZWN0 aW9uLgoJICAKPC9saT4KPC91bD48cD4KICAgICAgCjwvcD4KPHA+CiAgICAgICAgLTA5CiAgICAg ICAgPC9wPgo8dWwgY2xhc3M9InRleHQiPgo8bGk+CiAgICAgICAgICAgIEluY29ycG9yYXRlZCB3 b3JraW5nIGdyb3VwIGxhc3QgY2FsbCBjb21tZW50cy4gIFNwZWNpZmljIGNoYW5nZXMgd2VyZToK CSAgCjwvbGk+CjxsaT4KCSAgICBVc2UgZGVmaW5pdGlvbnMgZnJvbSA8YSBjbGFzcz0naW5mbycg aHJlZj0nI0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aCc+W0kmIzgyMDk7RC5pZXRmJiM4MjA5O2h0 dHBiaXMmIzgyMDk7cDcmIzgyMDk7YXV0aF08c3Bhbj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5m byc+RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIE5pZWxzZW4sIEguLCBNYXNp bnRlciwgTC4sIExlYWNoLCBQLiwgQmVybmVycy1MZWUsIFQuLCBMYWZvbiwgWS4sIGFuZCBKLiBS ZXNjaGtlLCAmbGRxdW87SFRUUC8xLjEsIHBhcnQgNzogQXV0aGVudGljYXRpb24sJnJkcXVvOyBP Y3RvYmVyJm5ic3A7MjAxMS48L3NwYW4+PHNwYW4+KTwvc3Bhbj48L2E+IHJhdGhlciB0aGFuIDxh IGNsYXNzPSdpbmZvJyBocmVmPScjUkZDMjYxNyc+W1JGQzI2MTddPHNwYW4+ICg8L3NwYW4+PHNw YW4gY2xhc3M9J2luZm8nPkZyYW5rcywgSi4sIEhhbGxhbS1CYWtlciwgUC4sIEhvc3RldGxlciwg Si4sIExhd3JlbmNlLCBTLiwgTGVhY2gsIFAuLCBMdW90b25lbiwgQS4sIGFuZCBMLiBTdGV3YXJ0 LCAmbGRxdW87SFRUUCBBdXRoZW50aWNhdGlvbjogQmFzaWMgYW5kIERpZ2VzdCBBY2Nlc3MgQXV0 aGVudGljYXRpb24sJnJkcXVvOyBKdW5lJm5ic3A7MTk5OS48L3NwYW4+PHNwYW4+KTwvc3Bhbj48 L2E+LgoJICAKPC9saT4KPGxpPgoJICAgIFVwZGF0ZSBjcmVkZW50aWFscyBkZWZpbml0aW9uIHRv IGNvbmZvcm0gdG8gPGEgY2xhc3M9J2luZm8nIGhyZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1 dGgnPltJJiM4MjA5O0QuaWV0ZiYjODIwOTtodHRwYmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNw YW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8nPkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwg TW9ndWwsIEouLCBOaWVsc2VuLCBILiwgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMt TGVlLCBULiwgTGFmb24sIFkuLCBhbmQgSi4gUmVzY2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0 IDc6IEF1dGhlbnRpY2F0aW9uLCZyZHF1bzsgT2N0b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFu Pik8L3NwYW4+PC9hPi4KCSAgCjwvbGk+CjxsaT4KCSAgICBGdXJ0aGVyIGNsYXJpZmllZCB0aGF0 IHF1ZXJ5IHBhcmFtZXRlcnMgbWF5IG9jY3VyIGluIGFueSBvcmRlci4KCSAgCjwvbGk+CjxsaT4K CSAgICBTcGVjaWZ5IHRoYXQgZXJyb3JfZGVzY3JpcHRpb24gaXMgVVRGLTggZW5jb2RlZAoJICAg IChtYXRjaGluZyB0aGUgY29yZSBzcGVjaWZpY2F0aW9uKS4KCSAgCjwvbGk+CjxsaT4KCSAgICBS ZWdpc3RlcmVkICJCZWFyZXIiIEF1dGhlbnRpY2F0aW9uIFNjaGVtZSBpbgoJICAgIEF1dGhlbnRp Y2F0aW9uIFNjaGVtZSBSZWdpc3RyeSBkZWZpbmVkIGJ5CgkgICAgPGEgY2xhc3M9J2luZm8nIGhy ZWY9JyNJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgnPltJJiM4MjA5O0QuaWV0ZiYjODIwOTtodHRw YmlzJiM4MjA5O3A3JiM4MjA5O2F1dGhdPHNwYW4+ICg8L3NwYW4+PHNwYW4gY2xhc3M9J2luZm8n PkZpZWxkaW5nLCBSLiwgR2V0dHlzLCBKLiwgTW9ndWwsIEouLCBOaWVsc2VuLCBILiwgTWFzaW50 ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5lcnMtTGVlLCBULiwgTGFmb24sIFkuLCBhbmQgSi4gUmVz Y2hrZSwgJmxkcXVvO0hUVFAvMS4xLCBwYXJ0IDc6IEF1dGhlbnRpY2F0aW9uLCZyZHF1bzsgT2N0 b2JlciZuYnNwOzIwMTEuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCSAgCjwvbGk+CjxsaT4K ICAgICAgICAgICAgVXBkYXRlZCByZWZlcmVuY2VzIHRvIG9hdXRoLXYyLCBodHRwYmlzLXAxLW1l c3NhZ2luZywgYW5kCiAgICAgICAgICAgIGh0dHBiaXMtcDctYXV0aCBkcmFmdHMuCgkgIAo8L2xp Pgo8bGk+CgkgICAgT3RoZXIgd29yZGluZyBpbXByb3ZlbWVudHMgbm90IGludHJvZHVjaW5nIG5v cm1hdGl2ZSBjaGFuZ2VzLgoJICAKPC9saT4KPC91bD48cD4KICAgICAgCjwvcD4KPHA+CiAgICAg ICAgLTA4CiAgICAgICAgPC9wPgo8dWwgY2xhc3M9InRleHQiPgo8bGk+CiAgICAgICAgICAgIFVw ZGF0ZWQgcmVmZXJlbmNlcyB0byBvYXV0aC12MiBhbmQgSFRUUGJpcyBkcmFmdHMuCgkgIAo8L2xp Pgo8L3VsPjxwPgogICAgICAKPC9wPgo8cD4KICAgICAgICAtMDcKICAgICAgICA8L3A+Cjx1bCBj bGFzcz0idGV4dCI+CjxsaT4KICAgICAgICAgICAgQWRkZWQgbWlzc2luZyBjb21tYSBpbiBlcnJv ciByZXNwb25zZSBleGFtcGxlLgoJICAKPC9saT4KPC91bD48cD4KICAgICAgCjwvcD4KPHA+CiAg ICAgICAgLTA2CiAgICAgICAgPC9wPgo8dWwgY2xhc3M9InRleHQiPgo8bGk+CiAgICAgICAgICAg IENoYW5nZWQgcGFyYW1ldGVyIG5hbWUgPHR0PmJlYXJlcl90b2tlbjwvdHQ+IHRvIDx0dD5hY2Nl c3NfdG9rZW48L3R0PiwgcGVyIHdvcmtpbmcgZ3JvdXAKICAgICAgICAgICAgY29uc2Vuc3VzLgoJ ICAKPC9saT4KPGxpPgoJICAgIENoYW5nZWQgSFRUUCBzdGF0dXMgY29kZSBmb3IgPHR0PmludmFs aWRfcmVxdWVzdDwvdHQ+IGVycm9yIGNvZGUgZnJvbSBIVFRQCgkgICAgNDAxIChVbmF1dGhvcml6 ZWQpIGJhY2sgdG8gSFRUUCA0MDAgKEJhZCBSZXF1ZXN0KSwgcGVyCgkgICAgaW5wdXQgZnJvbSBI VFRQIHdvcmtpbmcgZ3JvdXAgZXhwZXJ0cy4KCSAgCjwvbGk+CjwvdWw+PHA+CiAgICAgIAo8L3A+ CjxwPgogICAgICAgIC0wNQogICAgICAgIDwvcD4KPHVsIGNsYXNzPSJ0ZXh0Ij4KPGxpPgoJICAg IFJlbW92ZWQgT0F1dGggRXJyb3JzIFJlZ2lzdHJ5LCBwZXIgZGVzaWduIHRlYW0gaW5wdXQuCgkg IAo8L2xpPgo8bGk+CgkgICAgQ2hhbmdlZCBIVFRQIHN0YXR1cyBjb2RlIGZvciA8dHQ+aW52YWxp ZF9yZXF1ZXN0PC90dD4gZXJyb3IgY29kZSBmcm9tIEhUVFAKCSAgICA0MDAgKEJhZCBSZXF1ZXN0 KSB0byBIVFRQIDQwMSAoVW5hdXRob3JpemVkKSB0byBtYXRjaCBIVFRQCgkgICAgdXNhZ2UgW1sg Y2hhbmdlIHBlbmRpbmcgd29ya2luZyBncm91cCBjb25zZW5zdXMgXV0uCgkgIAo8L2xpPgo8bGk+ CgkgICAgQWRkZWQgbWlzc2luZyBxdW90YXRpb24gbWFya3MgaW4gZXJyb3ItdXJpIGRlZmluaXRp b24uCgkgIAo8L2xpPgo8bGk+CgkgICAgQWRkZWQgbm90ZSB0byBhZGQgbGFuZ3VhZ2UgYW5kIGVu Y29kaW5nIGluZm9ybWF0aW9uIHRvCgkgICAgZXJyb3JfZGVzY3JpcHRpb24gaWYgdGhlIGNvcmUg c3BlY2lmaWNhdGlvbiBkb2VzLgoJICAKPC9saT4KPGxpPgoJICAgIEV4cGxpY2l0bHkgcmVmZXJl bmNlIHRoZSBBdWdtZW50ZWQgQmFja3VzLU5hdXIgRm9ybSAoQUJORikKCSAgICBkZWZpbmVkIGlu IDxhIGNsYXNzPSdpbmZvJyBocmVmPScjUkZDNTIzNCc+W1JGQzUyMzRdPHNwYW4+ICg8L3NwYW4+ PHNwYW4gY2xhc3M9J2luZm8nPkNyb2NrZXIsIEQuIGFuZCBQLiBPdmVyZWxsLCAmbGRxdW87QXVn bWVudGVkIEJORiBmb3IgU3ludGF4IFNwZWNpZmljYXRpb25zOiBBQk5GLCZyZHF1bzsgSmFudWFy eSZuYnNwOzIwMDguPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCSAgCjwvbGk+CjxsaT4KCSAg ICBVc2UgYXV0aC1wYXJhbSBpbnN0ZWFkIG9mIHJlcGVhdGluZyBpdHMgZGVmaW5pdGlvbiwgd2hp Y2gKCSAgICBpcyAoIHRva2VuICI9IiAoIHRva2VuIC8gcXVvdGVkLXN0cmluZyApICkuCgkgIAo8 L2xpPgo8bGk+CgkgICAgQ2xhcmlmeSBzZWN1cml0eSBjb25zaWRlcmF0aW9ucyBhYm91dCBpbmNs dWRpbmcgYW4KCSAgICBhdWRpZW5jZSByZXN0cmljdGlvbiBpbiB0aGUgdG9rZW4gYW5kIGluY2x1 ZGUgYQoJICAgIHJlY29tbWVuZGF0aW9uIHRvIGlzc3VlIHNjb3BlZCBiZWFyZXIgdG9rZW5zIGlu IHRoZQoJICAgIHN1bW1hcnkgb2YgcmVjb21tZW5kYXRpb25zLgoJICAKPC9saT4KPC91bD48cD4K ICAgICAgCjwvcD4KPHA+CiAgICAgICAgLTA0CiAgICAgICAgPC9wPgo8dWwgY2xhc3M9InRleHQi Pgo8bGk+CgkgICAgRWRpdHMgcmVzcG9uZGluZyB0byB3b3JraW5nIGdyb3VwIGxhc3QgY2FsbCBm ZWVkYmFjayBvbgoJICAgIC0wMy4gIFNwZWNpZmljIGVkaXRzIGVudW1lcmF0ZWQgYmVsb3cuCgkg IAo8L2xpPgo8bGk+CgkgICAgQWRkZWQgQmVhcmVyIFRva2VuIGRlZmluaXRpb24gaW4gVGVybWlu b2xvZ3kgc2VjdGlvbi4KCSAgCjwvbGk+CjxsaT4KICAgICAgICAgICAgQ2hhbmdlZCBwYXJhbWV0 ZXIgbmFtZSA8dHQ+b2F1dGhfdG9rZW48L3R0PiB0byA8dHQ+YmVhcmVyX3Rva2VuPC90dD4uCgkg IAo8L2xpPgo8bGk+CgkgICAgQWRkZWQgcmVhbG0gcGFyYW1ldGVyIHRvIDx0dD5XV1ctQXV0aGVu dGljYXRlPC90dD4gcmVzcG9uc2UgdG8gY29tcGx5CgkgICAgd2l0aCA8YSBjbGFzcz0naW5mbycg aHJlZj0nI1JGQzI2MTcnPltSRkMyNjE3XTxzcGFuPiAoPC9zcGFuPjxzcGFuIGNsYXNzPSdpbmZv Jz5GcmFua3MsIEouLCBIYWxsYW0tQmFrZXIsIFAuLCBIb3N0ZXRsZXIsIEouLCBMYXdyZW5jZSwg Uy4sIExlYWNoLCBQLiwgTHVvdG9uZW4sIEEuLCBhbmQgTC4gU3Rld2FydCwgJmxkcXVvO0hUVFAg QXV0aGVudGljYXRpb246IEJhc2ljIGFuZCBEaWdlc3QgQWNjZXNzIEF1dGhlbnRpY2F0aW9uLCZy ZHF1bzsgSnVuZSZuYnNwOzE5OTkuPC9zcGFuPjxzcGFuPik8L3NwYW4+PC9hPi4KCSAgCjwvbGk+ CjxsaT4KCSAgICBSZW1vdmVkICJbIFJXUyAxI2F1dGgtcGFyYW0gXSIgZnJvbSA8dHQ+Y3JlZGVu dGlhbHM8L3R0PiBkZWZpbml0aW9uIHNpbmNlIGl0IGRpZAoJICAgIG5vdCBjb21wbHkgd2l0aCB0 aGUgQUJORiBpbiA8YSBjbGFzcz0naW5mbycgaHJlZj0nI0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0 aCc+W0kmIzgyMDk7RC5pZXRmJiM4MjA5O2h0dHBiaXMmIzgyMDk7cDcmIzgyMDk7YXV0aF08c3Bh bj4gKDwvc3Bhbj48c3BhbiBjbGFzcz0naW5mbyc+RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBN b2d1bCwgSi4sIE5pZWxzZW4sIEguLCBNYXNpbnRlciwgTC4sIExlYWNoLCBQLiwgQmVybmVycy1M ZWUsIFQuLCBMYWZvbiwgWS4sIGFuZCBKLiBSZXNjaGtlLCAmbGRxdW87SFRUUC8xLjEsIHBhcnQg NzogQXV0aGVudGljYXRpb24sJnJkcXVvOyBPY3RvYmVyJm5ic3A7MjAxMS48L3NwYW4+PHNwYW4+ KTwvc3Bhbj48L2E+LgoJICAKPC9saT4KPGxpPgoJICAgIFJlbW92ZWQgcmVzdHJpY3Rpb24gdGhh dCB0aGUgPHR0PmJlYXJlcl90b2tlbjwvdHQ+IChmb3JtZXJseSA8dHQ+b2F1dGhfdG9rZW48L3R0 PikgcGFyYW1ldGVyIGJlIHRoZSBsYXN0CgkgICAgcGFyYW1ldGVyIGluIHRoZSBlbnRpdHktYm9k eSBhbmQgdGhlIEhUVFAgcmVxdWVzdCBVUkkKCSAgICBxdWVyeS4KCSAgCjwvbGk+CjxsaT4KCSAg ICBEbyBub3QgcmVxdWlyZSBXV1ctQXV0aGVudGljYXRlIFJlc3BvbnNlIGluIGEgcmVwbHkgdG8g YQoJICAgIG1hbGZvcm1lZCByZXF1ZXN0LCBhcyBhbiBIVFRQIDQwMCBCYWQgUmVxdWVzdCByZXNw b25zZQoJICAgIHdpdGhvdXQgYSBXV1ctQXV0aGVudGljYXRlIGhlYWRlciBpcyBsaWtlbHkgdGhl IHJpZ2h0CgkgICAgcmVzcG9uc2UgaW4gc29tZSBjYXNlcyBvZiBtYWxmb3JtZWQgcmVxdWVzdHMu CgkgIAo8L2xpPgo8bGk+CgkgICAgUmVtb3ZlZCBPQXV0aCBQYXJhbWV0ZXJzIHJlZ2lzdHJ5IGV4 dGVuc2lvbi4KCSAgCjwvbGk+CjxsaT4KCSAgICBOdW1lcm91cyBlZGl0b3JpYWwgaW1wcm92ZW1l bnRzIHN1Z2dlc3RlZCBieSB3b3JraW5nIGdyb3VwCgkgICAgbWVtYmVycy4KCSAgCjwvbGk+Cjwv dWw+PHA+CiAgICAgIAo8L3A+CjxwPgogICAgICAgIC0wMwogICAgICAgIDwvcD4KPHVsIGNsYXNz PSJ0ZXh0Ij4KPGxpPgoJICAgIFJlc3RvcmVkIHRoZSBXV1ctQXV0aGVudGljYXRlIHJlc3BvbnNl IGhlYWRlcgoJICAgIGZ1bmN0aW9uYWxpdHkgZGVsZXRlZCBmcm9tIHRoZSBmcmFtZXdvcmsgc3Bl Y2lmaWNhdGlvbiBpbgoJICAgIGRyYWZ0IDEyIGJhc2VkIHVwb24gdGhlIHNwZWNpZmljYXRpb24g dGV4dCBmcm9tIGRyYWZ0IDExLgoJICAKPC9saT4KPGxpPgoJICAgIEF1Z21lbnRlZCB0aGUgT0F1 dGggUGFyYW1ldGVycyByZWdpc3RyeSBieSBhZGRpbmcgdHdvCgkgICAgYWRkaXRpb25hbCBwYXJh bWV0ZXIgdXNhZ2UgbG9jYXRpb25zOiAicmVzb3VyY2UgcmVxdWVzdCIKCSAgICBhbmQgInJlc291 cmNlIHJlc3BvbnNlIi4KCSAgCjwvbGk+CjxsaT4KICAgICAgICAgICAgUmVnaXN0ZXJlZCB0aGUg Im9hdXRoX3Rva2VuIiBPQXV0aCBwYXJhbWV0ZXIgd2l0aCB1c2FnZQogICAgICAgICAgICBsb2Nh dGlvbiAicmVzb3VyY2UgcmVxdWVzdCIuCiAgICAgICAgICAKPC9saT4KPGxpPgogICAgICAgICAg ICBSZWdpc3RlcmVkIHRoZSAiZXJyb3IiIE9BdXRoIHBhcmFtZXRlci4KICAgICAgICAgIAo8L2xp Pgo8bGk+CgkgICAgQ3JlYXRlZCB0aGUgT0F1dGggRXJyb3IgcmVnaXN0cnkgYW5kIHJlZ2lzdGVy ZWQgZXJyb3JzLgoJICAKPC9saT4KPGxpPgoJICAgIENoYW5nZWQgdGhlICJPQXV0aDIiIE9BdXRo IGFjY2VzcyB0b2tlbiB0eXBlIG5hbWUgdG8KCSAgICAiQmVhcmVyIi4KCSAgCjwvbGk+CjwvdWw+ PHA+CiAgICAgIAo8L3A+CjxwPgogICAgICAgIC0wMgogICAgICAgIDwvcD4KPHVsIGNsYXNzPSJ0 ZXh0Ij4KPGxpPgogICAgICAgICAgICBJbmNvcnBvcmF0ZWQgZmVlZGJhY2sgcmVjZWl2ZWQgb24g ZHJhZnQgMDEuICBNb3N0IGNoYW5nZXMKICAgICAgICAgICAgd2VyZSB0byB0aGUgc2VjdXJpdHkg Y29uc2lkZXJhdGlvbnMgc2VjdGlvbi4gIE5vIG5vcm1hdGl2ZQogICAgICAgICAgICBjaGFuZ2Vz IHdlcmUgbWFkZS4gIFNwZWNpZmljIGNoYW5nZXMgaW5jbHVkZWQ6CiAgICAgICAgICAKPC9saT4K PGxpPgoJICAgIENoYW5nZWQgdGVybWlub2xvZ3kgZnJvbSAidG9rZW4gcmV1c2UiIHRvICJ0b2tl biBjYXB0dXJlCgkgICAgYW5kIHJlcGxheSIuCgkgIAo8L2xpPgo8bGk+CgkgICAgUmVtb3ZlZCBz ZW50ZW5jZSAiRW5jcnlwdGluZyB0aGUgdG9rZW4gY29udGVudHMgaXMgYW5vdGhlcgoJICAgIGFs dGVybmF0aXZlIiBmcm9tIHRoZSBzZWN1cml0eSBjb25zaWRlcmF0aW9ucyBzaW5jZSBpdCB3YXMK CSAgICByZWR1bmRhbnQgYW5kIHBvdGVudGlhbGx5IGNvbmZ1c2luZy4KCSAgCjwvbGk+CjxsaT4K CSAgICBDb3JyZWN0ZWQgc29tZSByZWZlcmVuY2VzIHRvICJyZXNvdXJjZSBzZXJ2ZXIiIHRvIGJl CgkgICAgImF1dGhvcml6YXRpb24gc2VydmVyIiBpbiB0aGUgc2VjdXJpdHkgY29uc2lkZXJhdGlv bnMuCgkgIAo8L2xpPgo8bGk+CgkgICAgR2VuZXJhbGl6ZWQgc2VjdXJpdHkgY29uc2lkZXJhdGlv bnMgbGFuZ3VhZ2UgYWJvdXQKCSAgICBvYnRhaW5pbmcgY29uc2VudCBvZiB0aGUgcmVzb3VyY2Ug b3duZXIuCgkgIAo8L2xpPgo8bGk+CgkgICAgQnJvYWRlbmVkIHNjb3BlIG9mIHNlY3VyaXR5IGNv bnNpZGVyYXRpb25zIGRlc2NyaXB0aW9uIGZvcgoJICAgIHJlY29tbWVuZGF0aW9uICJEb24ndCBw YXNzIGJlYXJlciB0b2tlbnMgaW4gcGFnZSBVUkxzIi4KCSAgCjwvbGk+CjxsaT4KCSAgICBSZW1v dmVkIHVudXNlZCByZWZlcmVuY2UgdG8gT0F1dGggMS4wLgoJICAKPC9saT4KPGxpPgoJICAgIFVw ZGF0ZWQgcmVmZXJlbmNlIHRvIGZyYW1ld29yayBzcGVjaWZpY2F0aW9uIGFuZCB1cGRhdGVkCgkg ICAgRGF2aWQgUmVjb3Jkb24ncyBlLW1haWwgYWRkcmVzcy4KCSAgCjwvbGk+CjxsaT4KCSAgICBS ZW1vdmVkIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25zIHRleHQgb24gYXV0aGVudGljYXRpbmcKCSAg ICBjbGllbnRzLgoJICAKPC9saT4KPGxpPgoJICAgIFJlZ2lzdGVyZWQgdGhlICJPQXV0aDIiIE9B dXRoIGFjY2VzcyB0b2tlbiB0eXBlIGFuZAoJICAgICJvYXV0aF90b2tlbiIgcGFyYW1ldGVyLgoJ ICAKPC9saT4KPC91bD48cD4KICAgICAgCjwvcD4KPHA+CiAgICAgICAgLTAxCiAgICAgICAgPC9w Pgo8dWwgY2xhc3M9InRleHQiPgo8bGk+CiAgICAgICAgICAgIEZpcnN0IHB1YmxpYyBkcmFmdCwg d2hpY2ggaW5jb3Jwb3JhdGVzIGZlZWRiYWNrIHJlY2VpdmVkCiAgICAgICAgICAgIG9uIC0wMCBp bmNsdWRpbmcgZW5oYW5jZWQgU2VjdXJpdHkgQ29uc2lkZXJhdGlvbnMgY29udGVudC4KICAgICAg ICAgICAgVGhpcyB2ZXJzaW9uIGlzIGludGVuZGVkIHRvIGFjY29tcGFueSBPQXV0aCAyLjAgZHJh ZnQgMTEuCiAgICAgICAgICAKPC9saT4KPC91bD48cD4KICAgICAgCjwvcD4KPHA+CiAgICAgICAg LTAwCiAgICAgICAgPC9wPgo8dWwgY2xhc3M9InRleHQiPgo8bGk+CiAgICAgICAgICAgIEluaXRp YWwgZHJhZnQgYmFzZWQgb24gcHJlbGltaW5hcnkgdmVyc2lvbiBvZiBPQXV0aCAyLjAgZHJhZnQg MTEuCiAgICAgICAgICAKPC9saT4KPC91bD48cD4KICAgICAgCjwvcD4KPGEgbmFtZT0icmZjLmF1 dGhvcnMiPjwvYT48YnIgLz48aHIgLz4KPHRhYmxlIHN1bW1hcnk9ImxheW91dCIgY2VsbHBhZGRp bmc9IjAiIGNlbGxzcGFjaW5nPSIyIiBjbGFzcz0iVE9DYnVnIiBhbGlnbj0icmlnaHQiPjx0cj48 dGQgY2xhc3M9IlRPQ2J1ZyI+PGEgaHJlZj0iI3RvYyI+Jm5ic3A7VE9DJm5ic3A7PC9hPjwvdGQ+ PC90cj48L3RhYmxlPgo8aDM+QXV0aG9ycycgQWRkcmVzc2VzPC9oMz4KPHRhYmxlIHdpZHRoPSI5 OSUiIGJvcmRlcj0iMCIgY2VsbHBhZGRpbmc9IjAiIGNlbGxzcGFjaW5nPSIwIj4KPHRyPjx0ZCBj bGFzcz0iYXV0aG9yLXRleHQiPiZuYnNwOzwvdGQ+Cjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiPk1p Y2hhZWwgQi4gSm9uZXM8L3RkPjwvdHI+Cjx0cj48dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij4mbmJz cDs8L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij5NaWNyb3NvZnQ8L3RkPjwvdHI+Cjx0cj48 dGQgY2xhc3M9ImF1dGhvciIgYWxpZ249InJpZ2h0Ij5FbWFpbDombmJzcDs8L3RkPgo8dGQgY2xh c3M9ImF1dGhvci10ZXh0Ij48YSBocmVmPSJtYWlsdG86bWJqQG1pY3Jvc29mdC5jb20iPm1iakBt aWNyb3NvZnQuY29tPC9hPjwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yIiBhbGlnbj0i cmlnaHQiPlVSSTombmJzcDs8L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij48YSBocmVmPSJo dHRwOi8vc2VsZi1pc3N1ZWQuaW5mby8iPmh0dHA6Ly9zZWxmLWlzc3VlZC5pbmZvLzwvYT48L3Rk PjwvdHI+Cjx0ciBjZWxscGFkZGluZz0iMyI+PHRkPiZuYnNwOzwvdGQ+PHRkPiZuYnNwOzwvdGQ+ PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiPiZuYnNwOzwvdGQ+Cjx0ZCBjbGFzcz0i YXV0aG9yLXRleHQiPkRpY2sgSGFyZHQ8L3RkPjwvdHI+Cjx0cj48dGQgY2xhc3M9ImF1dGhvci10 ZXh0Ij4mbmJzcDs8L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij5pbmRlcGVuZGVudDwvdGQ+ PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yIiBhbGlnbj0icmlnaHQiPkVtYWlsOiZuYnNwOzwv dGQ+Cjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiPjxhIGhyZWY9Im1haWx0bzpkaWNrLmhhcmR0QGdt YWlsLmNvbSI+ZGljay5oYXJkdEBnbWFpbC5jb208L2E+PC90ZD48L3RyPgo8dHI+PHRkIGNsYXNz PSJhdXRob3IiIGFsaWduPSJyaWdodCI+VVJJOiZuYnNwOzwvdGQ+Cjx0ZCBjbGFzcz0iYXV0aG9y LXRleHQiPjxhIGhyZWY9Imh0dHA6Ly9kaWNraGFyZHQub3JnLyI+aHR0cDovL2RpY2toYXJkdC5v cmcvPC9hPjwvdGQ+PC90cj4KPHRyIGNlbGxwYWRkaW5nPSIzIj48dGQ+Jm5ic3A7PC90ZD48dGQ+ Jm5ic3A7PC90ZD48L3RyPgo8dHI+PHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+Jm5ic3A7PC90ZD4K PHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+RGF2aWQgUmVjb3Jkb248L3RkPjwvdHI+Cjx0cj48dGQg Y2xhc3M9ImF1dGhvci10ZXh0Ij4mbmJzcDs8L3RkPgo8dGQgY2xhc3M9ImF1dGhvci10ZXh0Ij5G YWNlYm9vazwvdGQ+PC90cj4KPHRyPjx0ZCBjbGFzcz0iYXV0aG9yIiBhbGlnbj0icmlnaHQiPkVt YWlsOiZuYnNwOzwvdGQ+Cjx0ZCBjbGFzcz0iYXV0aG9yLXRleHQiPjxhIGhyZWY9Im1haWx0bzpk ckBmYi5jb20iPmRyQGZiLmNvbTwvYT48L3RkPjwvdHI+Cjx0cj48dGQgY2xhc3M9ImF1dGhvciIg YWxpZ249InJpZ2h0Ij5VUkk6Jm5ic3A7PC90ZD4KPHRkIGNsYXNzPSJhdXRob3ItdGV4dCI+PGEg aHJlZj0iaHR0cDovL3d3dy5kYXZpZHJlY29yZG9uLmNvbS8iPmh0dHA6Ly93d3cuZGF2aWRyZWNv cmRvbi5jb20vPC9hPjwvdGQ+PC90cj4KPC90YWJsZT4KPC9ib2R5PjwvaHRtbD4K --_007_4E1F6AAD24975D4BA5B16804296739435F763122TK5EX14MBXC283r_ Content-Type: text/plain; name="draft-ietf-oauth-v2-bearer-15 preliminary.txt" Content-Description: draft-ietf-oauth-v2-bearer-15 preliminary.txt Content-Disposition: attachment; filename="draft-ietf-oauth-v2-bearer-15 preliminary.txt"; size=45441; creation-date="Mon, 12 Dec 2011 16:33:14 GMT"; modification-date="Mon, 12 Dec 2011 16:05:55 GMT" Content-Transfer-Encoding: base64 CgoKTmV0d29yayBXb3JraW5nIEdyb3VwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIE0uIEpvbmVzCkludGVybmV0LURyYWZ0ICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIE1pY3Jvc29mdApJbnRlbmRlZCBzdGF0dXM6IFN0YW5k YXJkcyBUcmFjayAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRC4gSGFyZHQKRXhwaXJl czogSnVuZSAxNCwgMjAxMiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlu ZGVwZW5kZW50CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICBELiBSZWNvcmRvbgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRmFjZWJvb2sKICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERlY2VtYmVyIDEyLCAyMDEx CgoKICAgICAgICAgIFRoZSBPQXV0aCAyLjAgQXV0aG9yaXphdGlvbiBQcm90b2NvbDogQmVhcmVy IFRva2VucwogICAgICAgICAgICAgICAgICAgICBkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci0x NQoKQWJzdHJhY3QKCiAgIFRoaXMgc3BlY2lmaWNhdGlvbiBkZXNjcmliZXMgaG93IHRvIHVzZSBi ZWFyZXIgdG9rZW5zIGluIEhUVFAKICAgcmVxdWVzdHMgdG8gYWNjZXNzIE9BdXRoIDIuMCBwcm90 ZWN0ZWQgcmVzb3VyY2VzLiAgQW55IHBhcnR5IGluCiAgIHBvc3Nlc3Npb24gb2YgYSBiZWFyZXIg dG9rZW4gKGEgImJlYXJlciIpIGNhbiB1c2UgaXQgdG8gZ2V0IGFjY2VzcyB0bwogICB0aGUgYXNz b2NpYXRlZCByZXNvdXJjZXMgKHdpdGhvdXQgZGVtb25zdHJhdGluZyBwb3NzZXNzaW9uIG9mIGEK ICAgY3J5cHRvZ3JhcGhpYyBrZXkpLiAgVG8gcHJldmVudCBtaXN1c2UsIGJlYXJlciB0b2tlbnMg bmVlZCB0byBiZQogICBwcm90ZWN0ZWQgZnJvbSBkaXNjbG9zdXJlIGluIHN0b3JhZ2UgYW5kIGlu IHRyYW5zcG9ydC4KClN0YXR1cyBvZiB0aGlzIE1lbW8KCiAgIFRoaXMgSW50ZXJuZXQtRHJhZnQg aXMgc3VibWl0dGVkIGluIGZ1bGwgY29uZm9ybWFuY2Ugd2l0aCB0aGUKICAgcHJvdmlzaW9ucyBv ZiBCQ1AgNzggYW5kIEJDUCA3OS4KCiAgIEludGVybmV0LURyYWZ0cyBhcmUgd29ya2luZyBkb2N1 bWVudHMgb2YgdGhlIEludGVybmV0IEVuZ2luZWVyaW5nCiAgIFRhc2sgRm9yY2UgKElFVEYpLiAg Tm90ZSB0aGF0IG90aGVyIGdyb3VwcyBtYXkgYWxzbyBkaXN0cmlidXRlCiAgIHdvcmtpbmcgZG9j dW1lbnRzIGFzIEludGVybmV0LURyYWZ0cy4gIFRoZSBsaXN0IG9mIGN1cnJlbnQgSW50ZXJuZXQt CiAgIERyYWZ0cyBpcyBhdCBodHRwOi8vZGF0YXRyYWNrZXIuaWV0Zi5vcmcvZHJhZnRzL2N1cnJl bnQvLgoKICAgSW50ZXJuZXQtRHJhZnRzIGFyZSBkcmFmdCBkb2N1bWVudHMgdmFsaWQgZm9yIGEg bWF4aW11bSBvZiBzaXggbW9udGhzCiAgIGFuZCBtYXkgYmUgdXBkYXRlZCwgcmVwbGFjZWQsIG9y IG9ic29sZXRlZCBieSBvdGhlciBkb2N1bWVudHMgYXQgYW55CiAgIHRpbWUuICBJdCBpcyBpbmFw cHJvcHJpYXRlIHRvIHVzZSBJbnRlcm5ldC1EcmFmdHMgYXMgcmVmZXJlbmNlCiAgIG1hdGVyaWFs IG9yIHRvIGNpdGUgdGhlbSBvdGhlciB0aGFuIGFzICJ3b3JrIGluIHByb2dyZXNzLiIKCiAgIFRo aXMgSW50ZXJuZXQtRHJhZnQgd2lsbCBleHBpcmUgb24gSnVuZSAxNCwgMjAxMi4KCkNvcHlyaWdo dCBOb3RpY2UKCiAgIENvcHlyaWdodCAoYykgMjAxMSBJRVRGIFRydXN0IGFuZCB0aGUgcGVyc29u cyBpZGVudGlmaWVkIGFzIHRoZQogICBkb2N1bWVudCBhdXRob3JzLiAgQWxsIHJpZ2h0cyByZXNl cnZlZC4KCiAgIFRoaXMgZG9jdW1lbnQgaXMgc3ViamVjdCB0byBCQ1AgNzggYW5kIHRoZSBJRVRG IFRydXN0J3MgTGVnYWwKICAgUHJvdmlzaW9ucyBSZWxhdGluZyB0byBJRVRGIERvY3VtZW50cwog ICAoaHR0cDovL3RydXN0ZWUuaWV0Zi5vcmcvbGljZW5zZS1pbmZvKSBpbiBlZmZlY3Qgb24gdGhl IGRhdGUgb2YKICAgcHVibGljYXRpb24gb2YgdGhpcyBkb2N1bWVudC4gIFBsZWFzZSByZXZpZXcg dGhlc2UgZG9jdW1lbnRzCiAgIGNhcmVmdWxseSwgYXMgdGhleSBkZXNjcmliZSB5b3VyIHJpZ2h0 cyBhbmQgcmVzdHJpY3Rpb25zIHdpdGggcmVzcGVjdAoKCgpKb25lcywgZXQgYWwuICAgICAgICAg ICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAgICAgICAgW1BhZ2UgMV0KDApJbnRl cm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJlciBUb2tlbnMgICAgICAgICAgIERl Y2VtYmVyIDIwMTEKCgogICB0byB0aGlzIGRvY3VtZW50LiAgQ29kZSBDb21wb25lbnRzIGV4dHJh Y3RlZCBmcm9tIHRoaXMgZG9jdW1lbnQgbXVzdAogICBpbmNsdWRlIFNpbXBsaWZpZWQgQlNEIExp Y2Vuc2UgdGV4dCBhcyBkZXNjcmliZWQgaW4gU2VjdGlvbiA0LmUgb2YKICAgdGhlIFRydXN0IExl Z2FsIFByb3Zpc2lvbnMgYW5kIGFyZSBwcm92aWRlZCB3aXRob3V0IHdhcnJhbnR5IGFzCiAgIGRl c2NyaWJlZCBpbiB0aGUgU2ltcGxpZmllZCBCU0QgTGljZW5zZS4KCgpUYWJsZSBvZiBDb250ZW50 cwoKICAgMS4gIEludHJvZHVjdGlvbiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuICAzCiAgICAgMS4xLiAgTm90YXRpb25hbCBDb252ZW50aW9ucyAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMwogICAgIDEuMi4gIFRlcm1pbm9sb2d5 ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDMKICAgICAx LjMuICBPdmVydmlldyAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuICA0CiAgIDIuICBBdXRoZW50aWNhdGVkIFJlcXVlc3RzIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgNQogICAgIDIuMS4gIEF1dGhvcml6YXRpb24gUmVxdWVz dCBIZWFkZXIgRmllbGQgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDUKICAgICAyLjIuICBGb3Jt LUVuY29kZWQgQm9keSBQYXJhbWV0ZXIgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA2 CiAgICAgMi4zLiAgVVJJIFF1ZXJ5IFBhcmFtZXRlciAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAgNwogICAzLiAgVGhlIFdXVy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgSGVh ZGVyIEZpZWxkIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDcKICAgICAzLjEuICBFcnJvciBDb2RlcyAg LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA5CiAgIDQuICBT ZWN1cml0eSBDb25zaWRlcmF0aW9ucyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAxMAogICAgIDQuMS4gIFNlY3VyaXR5IFRocmVhdHMgLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gMTAKICAgICA0LjIuICBUaHJlYXQgTWl0aWdhdGlvbiAgLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDEwCiAgICAgNC4zLiAgU3VtbWFy eSBvZiBSZWNvbW1lbmRhdGlvbnMgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxMgog ICA1LiAgSUFOQSBDb25zaWRlcmF0aW9ucyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gMTMKICAgICA1LjEuICBPQXV0aCBBY2Nlc3MgVG9rZW4gVHlwZSBSZWdpc3Ry YXRpb24gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDEzCiAgICAgICA1LjEuMS4gIFRoZSAiQmVhcmVy IiBPQXV0aCBBY2Nlc3MgVG9rZW4gVHlwZSAuIC4gLiAuIC4gLiAuIC4gLiAxMwogICAgIDUuMi4g IEF1dGhlbnRpY2F0aW9uIFNjaGVtZSBSZWdpc3RyYXRpb24gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gMTQKICAgICAgIDUuMi4xLiAgVGhlICJCZWFyZXIiIEF1dGhlbnRpY2F0aW9uIFNjaGVtZSAu IC4gLiAuIC4gLiAuIC4gLiAuIDE0CiAgIDYuICBSZWZlcmVuY2VzIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxNAogICAgIDYuMS4gIE5vcm1hdGl2 ZSBSZWZlcmVuY2VzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gMTQKICAg ICA2LjIuICBJbmZvcm1hdGl2ZSBSZWZlcmVuY2VzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIDE1CiAgIEFwcGVuZGl4IEEuICBBY2tub3dsZWRnZW1lbnRzICAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxNQogICBBcHBlbmRpeCBCLiAgRG9jdW1lbnQgSGlz dG9yeSAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gMTYKICAgQXV0aG9ycycg QWRkcmVzc2VzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IDIyCgoKCgoKCgoKCgoKCgoKCgoKCkpvbmVzLCBldCBhbC4gICAgICAgICAgICAgRXhwaXJlcyBK dW5lIDE0LCAyMDEyICAgICAgICAgICAgICAgICBbUGFnZSAyXQoMCkludGVybmV0LURyYWZ0ICAg ICAgICAgICBPQXV0aCAyLjAgQmVhcmVyIFRva2VucyAgICAgICAgICAgRGVjZW1iZXIgMjAxMQoK CjEuICBJbnRyb2R1Y3Rpb24KCiAgIE9BdXRoIGVuYWJsZXMgY2xpZW50cyB0byBhY2Nlc3MgcHJv dGVjdGVkIHJlc291cmNlcyBieSBvYnRhaW5pbmcgYW4KICAgYWNjZXNzIHRva2VuLCB3aGljaCBp cyBkZWZpbmVkIGluIE9BdXRoIDIuMCBBdXRob3JpemF0aW9uCiAgIFtJLUQuaWV0Zi1vYXV0aC12 Ml0gYXMgImEgc3RyaW5nIHJlcHJlc2VudGluZyBhbiBhY2Nlc3MgYXV0aG9yaXphdGlvbgogICBp c3N1ZWQgdG8gdGhlIGNsaWVudCIsIHJhdGhlciB0aGFuIHVzaW5nIHRoZSByZXNvdXJjZSBvd25l cidzCiAgIGNyZWRlbnRpYWxzIGRpcmVjdGx5LgoKICAgVG9rZW5zIGFyZSBpc3N1ZWQgdG8gY2xp ZW50cyBieSBhbiBhdXRob3JpemF0aW9uIHNlcnZlciB3aXRoIHRoZQogICBhcHByb3ZhbCBvZiB0 aGUgcmVzb3VyY2Ugb3duZXIuICBUaGUgY2xpZW50IHVzZXMgdGhlIGFjY2VzcyB0b2tlbiB0bwog ICBhY2Nlc3MgdGhlIHByb3RlY3RlZCByZXNvdXJjZXMgaG9zdGVkIGJ5IHRoZSByZXNvdXJjZSBz ZXJ2ZXIuICBUaGlzCiAgIHNwZWNpZmljYXRpb24gZGVzY3JpYmVzIGhvdyB0byBtYWtlIHByb3Rl Y3RlZCByZXNvdXJjZSByZXF1ZXN0cyB3aGVuCiAgIHRoZSBPQXV0aCBhY2Nlc3MgdG9rZW4gaXMg YSBiZWFyZXIgdG9rZW4uCgogICBUaGlzIHNwZWNpZmljYXRpb24gZGVmaW5lcyB0aGUgdXNlIG9m IGJlYXJlciB0b2tlbnMgb3ZlciBIVFRQLzEuMQogICBbSS1ELmlldGYtaHR0cGJpcy1wMS1tZXNz YWdpbmddIHVzaW5nIFRMUyBbUkZDNTI0Nl0gdG8gYWNjZXNzCiAgIHByb3RlY3RlZCByZXNvdXJj ZXMuICBUTFMgaXMgbWFuZGF0b3J5IHRvIGltcGxlbWVudCBhbmQgdXNlIHdpdGggdGhpcwogICBz cGVjaWZpY2F0aW9uOyBvdGhlciBzcGVjaWZpY2F0aW9ucyBtYXkgZXh0ZW5kIHRoaXMgc3BlY2lm aWNhdGlvbiBmb3IKICAgdXNlIHdpdGggb3RoZXIgdHJhbnNwb3J0IHByb3RvY29scy4gIFdoaWxl IGRlc2lnbmVkIGZvciB1c2Ugd2l0aAogICBhY2Nlc3MgdG9rZW5zIHJlc3VsdGluZyBmcm9tIE9B dXRoIDIuMCBBdXRob3JpemF0aW9uCiAgIFtJLUQuaWV0Zi1vYXV0aC12Ml0gZmxvd3MgdG8gYWNj ZXNzIE9BdXRoIHByb3RlY3RlZCByZXNvdXJjZXMsIHRoaXMKICAgc3BlY2lmaWNhdGlvbiBhY3R1 YWxseSBkZWZpbmVzIGEgZ2VuZXJhbCBIVFRQIGF1dGhvcml6YXRpb24gbWV0aG9kCiAgIHRoYXQg Y2FuIGJlIHVzZWQgd2l0aCBiZWFyZXIgdG9rZW5zIGZyb20gYW55IHNvdXJjZSB0byBhY2Nlc3Mg YW55CiAgIHJlc291cmNlcyBwcm90ZWN0ZWQgYnkgdGhvc2UgYmVhcmVyIHRva2Vucy4KCjEuMS4g IE5vdGF0aW9uYWwgQ29udmVudGlvbnMKCiAgIFRoZSBrZXkgd29yZHMgJ01VU1QnLCAnTVVTVCBO T1QnLCAnUkVRVUlSRUQnLCAnU0hBTEwnLCAnU0hBTEwgTk9UJywKICAgJ1NIT1VMRCcsICdTSE9V TEQgTk9UJywgJ1JFQ09NTUVOREVEJywgJ01BWScsIGFuZCAnT1BUSU9OQUwnIGluIHRoaXMKICAg ZG9jdW1lbnQgYXJlIHRvIGJlIGludGVycHJldGVkIGFzIGRlc2NyaWJlZCBpbiBLZXkgd29yZHMg Zm9yIHVzZSBpbgogICBSRkNzIHRvIEluZGljYXRlIFJlcXVpcmVtZW50IExldmVscyBbUkZDMjEx OV0uCgogICBUaGlzIGRvY3VtZW50IHVzZXMgdGhlIEF1Z21lbnRlZCBCYWNrdXMtTmF1ciBGb3Jt IChBQk5GKSBub3RhdGlvbiBvZgogICBIVFRQLzEuMSwgUGFydCAxIFtJLUQuaWV0Zi1odHRwYmlz LXAxLW1lc3NhZ2luZ10sIHdoaWNoIGlzIGJhc2VkIHVwb24KICAgdGhlIEF1Z21lbnRlZCBCYWNr dXMtTmF1ciBGb3JtIChBQk5GKSBbUkZDNTIzNF0gbm90YXRpb24uCiAgIEFkZGl0aW9uYWxseSwg dGhlIGZvbGxvd2luZyBydWxlcyBhcmUgaW5jbHVkZWQgZnJvbSBIVFRQLzEuMSwgUGFydCA3CiAg IFtJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGhdOiBiNjR0b2tlbiwgYXV0aC1wYXJhbSwgYW5kIHJl YWxtOyBmcm9tCiAgIEhUVFAvMS4xLCBQYXJ0IDEgW0ktRC5pZXRmLWh0dHBiaXMtcDEtbWVzc2Fn aW5nXTogcXVvdGVkLXN0cmluZzsgYW5kCiAgIGZyb20gVW5pZm9ybSBSZXNvdXJjZSBJZGVudGlm aWVyIChVUkkpIFtSRkMzOTg2XTogVVJJLVJlZmVyZW5jZS4KCiAgIFVubGVzcyBvdGhlcndpc2Ug bm90ZWQsIGFsbCB0aGUgcHJvdG9jb2wgcGFyYW1ldGVyIG5hbWVzIGFuZCB2YWx1ZXMKICAgYXJl IGNhc2Ugc2Vuc2l0aXZlLgoKMS4yLiAgVGVybWlub2xvZ3kKCgoKCgoKCkpvbmVzLCBldCBhbC4g ICAgICAgICAgICAgRXhwaXJlcyBKdW5lIDE0LCAyMDEyICAgICAgICAgICAgICAgICBbUGFnZSAz XQoMCkludGVybmV0LURyYWZ0ICAgICAgICAgICBPQXV0aCAyLjAgQmVhcmVyIFRva2VucyAgICAg ICAgICAgRGVjZW1iZXIgMjAxMQoKCiAgIEJlYXJlciBUb2tlbgogICAgICBBIHNlY3VyaXR5IHRv a2VuIHdpdGggdGhlIHByb3BlcnR5IHRoYXQgYW55IHBhcnR5IGluIHBvc3Nlc3Npb24gb2YKICAg ICAgdGhlIHRva2VuIChhICJiZWFyZXIiKSBjYW4gdXNlIHRoZSB0b2tlbiBpbiBhbnkgd2F5IHRo YXQgYW55IG90aGVyCiAgICAgIHBhcnR5IGluIHBvc3Nlc3Npb24gb2YgaXQgY2FuLiAgVXNpbmcg YSBiZWFyZXIgdG9rZW4gZG9lcyBub3QKICAgICAgcmVxdWlyZSBhIGJlYXJlciB0byBwcm92ZSBw b3NzZXNzaW9uIG9mIGNyeXB0b2dyYXBoaWMga2V5IG1hdGVyaWFsCiAgICAgIChwcm9vZi1vZi1w b3NzZXNzaW9uKS4KCiAgIEFsbCBvdGhlciB0ZXJtcyBhcmUgYXMgZGVmaW5lZCBpbiBPQXV0aCAy LjAgQXV0aG9yaXphdGlvbgogICBbSS1ELmlldGYtb2F1dGgtdjJdLgoKMS4zLiAgT3ZlcnZpZXcK CiAgIE9BdXRoIHByb3ZpZGVzIGEgbWV0aG9kIGZvciBjbGllbnRzIHRvIGFjY2VzcyBhIHByb3Rl Y3RlZCByZXNvdXJjZSBvbgogICBiZWhhbGYgb2YgYSByZXNvdXJjZSBvd25lci4gIEluIHRoZSBn ZW5lcmFsIGNhc2UsIGJlZm9yZSBhIGNsaWVudCBjYW4KICAgYWNjZXNzIGEgcHJvdGVjdGVkIHJl c291cmNlLCBpdCBtdXN0IGZpcnN0IG9idGFpbiBhbiBhdXRob3JpemF0aW9uCiAgIGdyYW50IGZy b20gdGhlIHJlc291cmNlIG93bmVyIGFuZCB0aGVuIGV4Y2hhbmdlIHRoZSBhdXRob3JpemF0aW9u CiAgIGdyYW50IGZvciBhbiBhY2Nlc3MgdG9rZW4uICBUaGUgYWNjZXNzIHRva2VuIHJlcHJlc2Vu dHMgdGhlIGdyYW50J3MKICAgc2NvcGUsIGR1cmF0aW9uLCBhbmQgb3RoZXIgYXR0cmlidXRlcyBn cmFudGVkIGJ5IHRoZSBhdXRob3JpemF0aW9uCiAgIGdyYW50LiAgVGhlIGNsaWVudCBhY2Nlc3Nl cyB0aGUgcHJvdGVjdGVkIHJlc291cmNlIGJ5IHByZXNlbnRpbmcgdGhlCiAgIGFjY2VzcyB0b2tl biB0byB0aGUgcmVzb3VyY2Ugc2VydmVyLiAgSW4gc29tZSBjYXNlcywgYSBjbGllbnQgY2FuCiAg IGRpcmVjdGx5IHByZXNlbnQgaXRzIG93biBjcmVkZW50aWFscyB0byBhbiBhdXRob3JpemF0aW9u IHNlcnZlciB0bwogICBvYnRhaW4gYW4gYWNjZXNzIHRva2VuIHdpdGhvdXQgaGF2aW5nIHRvIGZp cnN0IG9idGFpbiBhbgogICBhdXRob3JpemF0aW9uIGdyYW50IGZyb20gYSByZXNvdXJjZSBvd25l ci4KCiAgIFRoZSBhY2Nlc3MgdG9rZW4gcHJvdmlkZXMgYW4gYWJzdHJhY3Rpb24sIHJlcGxhY2lu ZyBkaWZmZXJlbnQKICAgYXV0aG9yaXphdGlvbiBjb25zdHJ1Y3RzIChlLmcuIHVzZXJuYW1lIGFu ZCBwYXNzd29yZCwgYXNzZXJ0aW9uKSBmb3IKICAgYSBzaW5nbGUgdG9rZW4gdW5kZXJzdG9vZCBi eSB0aGUgcmVzb3VyY2Ugc2VydmVyLiAgVGhpcyBhYnN0cmFjdGlvbgogICBlbmFibGVzIGlzc3Vp bmcgYWNjZXNzIHRva2VucyB2YWxpZCBmb3IgYSBzaG9ydCB0aW1lIHBlcmlvZCwgYXMgd2VsbAog ICBhcyByZW1vdmluZyB0aGUgcmVzb3VyY2Ugc2VydmVyJ3MgbmVlZCB0byB1bmRlcnN0YW5kIGEg d2lkZSByYW5nZSBvZgogICBhdXRoZW50aWNhdGlvbiBzY2hlbWVzLgoKCgoKCgoKCgoKCgoKCgoK CgoKCgpKb25lcywgZXQgYWwuICAgICAgICAgICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAg ICAgICAgICAgICAgW1BhZ2UgNF0KDApJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4w IEJlYXJlciBUb2tlbnMgICAgICAgICAgIERlY2VtYmVyIDIwMTEKCgogICArLS0tLS0tLS0rICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICstLS0tLS0tLS0tLS0tLS0rCiAgIHwgICAgICAg IHwtLShBKS0gQXV0aG9yaXphdGlvbiBSZXF1ZXN0IC0+fCAgIFJlc291cmNlICAgIHwKICAgfCAg ICAgICAgfCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8ICAgICBPd25lciAgICAgfAog ICB8ICAgICAgICB8PC0oQiktLSBBdXRob3JpemF0aW9uIEdyYW50IC0tLXwgICAgICAgICAgICAg ICB8CiAgIHwgICAgICAgIHwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKy0tLS0tLS0t LS0tLS0tLSsKICAgfCAgICAgICAgfAogICB8ICAgICAgICB8ICAgICAgICBBdXRob3JpemF0aW9u IEdyYW50ICYgICstLS0tLS0tLS0tLS0tLS0rCiAgIHwgICAgICAgIHwtLShDKS0tLSBDbGllbnQg Q3JlZGVudGlhbHMgLS0+fCBBdXRob3JpemF0aW9uIHwKICAgfCBDbGllbnQgfCAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICB8ICAgICBTZXJ2ZXIgICAgfAogICB8ICAgICAgICB8PC0oRCkt LS0tLSBBY2Nlc3MgVG9rZW4gLS0tLS0tLXwgICAgICAgICAgICAgICB8CiAgIHwgICAgICAgIHwg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKy0tLS0tLS0tLS0tLS0tLSsKICAgfCAgICAg ICAgfAogICB8ICAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICstLS0tLS0t LS0tLS0tLS0rCiAgIHwgICAgICAgIHwtLShFKS0tLS0tIEFjY2VzcyBUb2tlbiAtLS0tLS0+fCAg ICBSZXNvdXJjZSAgIHwKICAgfCAgICAgICAgfCAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICB8ICAgICBTZXJ2ZXIgICAgfAogICB8ICAgICAgICB8PC0oRiktLS0gUHJvdGVjdGVkIFJlc291 cmNlIC0tLXwgICAgICAgICAgICAgICB8CiAgICstLS0tLS0tLSsgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgKy0tLS0tLS0tLS0tLS0tLSsKCiAgICAgICAgICAgICAgICAgICAgIEZpZ3Vy ZSAxOiBBYnN0cmFjdCBQcm90b2NvbCBGbG93CgogICBUaGUgYWJzdHJhY3QgZmxvdyBpbGx1c3Ry YXRlZCBpbiBGaWd1cmUgMSBkZXNjcmliZXMgdGhlIG92ZXJhbGwgT0F1dGgKICAgMi4wIHByb3Rv Y29sIGFyY2hpdGVjdHVyZS4gIFRoZSBmb2xsb3dpbmcgc3RlcHMgYXJlIHNwZWNpZmllZCB3aXRo aW4KICAgdGhpcyBkb2N1bWVudDoKCiAgICAgIEUpIFRoZSBjbGllbnQgbWFrZXMgYSBwcm90ZWN0 ZWQgcmVzb3VyY2UgcmVxdWVzdCB0byB0aGUgcmVzb3VyY2UKICAgICAgc2VydmVyIGJ5IHByZXNl bnRpbmcgdGhlIGFjY2VzcyB0b2tlbi4KCiAgICAgIEYpIFRoZSByZXNvdXJjZSBzZXJ2ZXIgdmFs aWRhdGVzIHRoZSBhY2Nlc3MgdG9rZW4sIGFuZCBpZiB2YWxpZCwKICAgICAgc2VydmVzIHRoZSBy ZXF1ZXN0LgoKCjIuICBBdXRoZW50aWNhdGVkIFJlcXVlc3RzCgogICBUaGlzIHNlY3Rpb24gZGVm aW5lcyB0aHJlZSBtZXRob2RzIG9mIHNlbmRpbmcgYmVhcmVyIGFjY2VzcyB0b2tlbnMgaW4KICAg cmVzb3VyY2UgcmVxdWVzdHMgdG8gcmVzb3VyY2Ugc2VydmVycy4gIENsaWVudHMgTVVTVCBOT1Qg dXNlIG1vcmUKICAgdGhhbiBvbmUgbWV0aG9kIHRvIHRyYW5zbWl0IHRoZSB0b2tlbiBpbiBlYWNo IHJlcXVlc3QuCgoyLjEuICBBdXRob3JpemF0aW9uIFJlcXVlc3QgSGVhZGVyIEZpZWxkCgogICBX aGVuIHNlbmRpbmcgdGhlIGFjY2VzcyB0b2tlbiBpbiB0aGUgIkF1dGhvcml6YXRpb24iIHJlcXVl c3QgaGVhZGVyCiAgIGZpZWxkIGRlZmluZWQgYnkgSFRUUC8xLjEsIFBhcnQgNyBbSS1ELmlldGYt aHR0cGJpcy1wNy1hdXRoXSwgdGhlCiAgIGNsaWVudCB1c2VzIHRoZSAiQmVhcmVyIiBhdXRoZW50 aWNhdGlvbiBzY2hlbWUgdG8gdHJhbnNtaXQgdGhlIGFjY2VzcwogICB0b2tlbi4KCgoKCgoKCgpK b25lcywgZXQgYWwuICAgICAgICAgICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAg ICAgICAgW1BhZ2UgNV0KDApJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJl ciBUb2tlbnMgICAgICAgICAgIERlY2VtYmVyIDIwMTEKCgogICBGb3IgZXhhbXBsZToKCiAgIEdF VCAvcmVzb3VyY2UgSFRUUC8xLjEKICAgSG9zdDogc2VydmVyLmV4YW1wbGUuY29tCiAgIEF1dGhv cml6YXRpb246IEJlYXJlciB2RjlkZnQ0cW1UCgogICBUaGUgIkF1dGhvcml6YXRpb24iIGhlYWRl ciBmaWVsZCB1c2VzIHRoZSBmcmFtZXdvcmsgZGVmaW5lZCBieQogICBIVFRQLzEuMSwgUGFydCA3 IFtJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGhdIGFzIGZvbGxvd3M6CgogICBjcmVkZW50aWFscyA9 ICJCZWFyZXIiIDEqU1AgYjY0dG9rZW4KCiAgIFRoZSBiNjR0b2tlbiBzeW50YXggd2FzIGNob3Nl biBvdmVyIHRoZSBhbHRlcm5hdGl2ZSAjYXV0aC1wYXJhbQogICBzeW50YXggYWxzbyBkZWZpbmVk IGJ5IEhUVFAvMS4xLCBQYXJ0IDcgW0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aF0KICAgYm90aCBm b3Igc2ltcGxpY2l0eSBhbmQgZm9yIGNvbXBhdGliaWxpdHkgd2l0aCBleGlzdGluZwogICBpbXBs ZW1lbnRhdGlvbnMuICBJZiBhZGRpdGlvbmFsIHBhcmFtZXRlcnMgYXJlIG5lZWRlZCBpbiB0aGUg ZnV0dXJlLAogICBhIGRpZmZlcmVudCBzY2hlbWUgd291bGQgbmVlZCB0byBiZSBkZWZpbmVkLgoK ICAgQ2xpZW50cyBTSE9VTEQgbWFrZSBhdXRoZW50aWNhdGVkIHJlcXVlc3RzIHdpdGggYSBiZWFy ZXIgdG9rZW4gdXNpbmcKICAgdGhlICJBdXRob3JpemF0aW9uIiByZXF1ZXN0IGhlYWRlciBmaWVs ZCB3aXRoIHRoZSAiQmVhcmVyIiBIVFRQCiAgIGF1dGhvcml6YXRpb24gc2NoZW1lLiAgUmVzb3Vy Y2Ugc2VydmVycyBNVVNUIHN1cHBvcnQgdGhpcyBtZXRob2QuCgoyLjIuICBGb3JtLUVuY29kZWQg Qm9keSBQYXJhbWV0ZXIKCiAgIFdoZW4gc2VuZGluZyB0aGUgYWNjZXNzIHRva2VuIGluIHRoZSBI VFRQIHJlcXVlc3QgZW50aXR5LWJvZHksIHRoZQogICBjbGllbnQgYWRkcyB0aGUgYWNjZXNzIHRv a2VuIHRvIHRoZSByZXF1ZXN0IGJvZHkgdXNpbmcgdGhlCiAgICJhY2Nlc3NfdG9rZW4iIHBhcmFt ZXRlci4gIFRoZSBjbGllbnQgTVVTVCBOT1QgdXNlIHRoaXMgbWV0aG9kIHVubGVzcwogICBhbGwg b2YgdGhlIGZvbGxvd2luZyBjb25kaXRpb25zIGFyZSBtZXQ6CgogICBvICBUaGUgSFRUUCByZXF1 ZXN0IGVudGl0eS1ib2R5IGlzIHNpbmdsZS1wYXJ0LgoKICAgbyAgVGhlIGVudGl0eS1ib2R5IGZv bGxvd3MgdGhlIGVuY29kaW5nIHJlcXVpcmVtZW50cyBvZiB0aGUKICAgICAgImFwcGxpY2F0aW9u L3gtd3d3LWZvcm0tdXJsZW5jb2RlZCIgY29udGVudC10eXBlIGFzIGRlZmluZWQgYnkKICAgICAg SFRNTCA0LjAxIFtXM0MuUkVDLWh0bWw0MDEtMTk5OTEyMjRdLgoKICAgbyAgVGhlIEhUVFAgcmVx dWVzdCBlbnRpdHktaGVhZGVyIGluY2x1ZGVzIHRoZSAiQ29udGVudC1UeXBlIiBoZWFkZXIKICAg ICAgZmllbGQgc2V0IHRvICJhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiLgoKICAg byAgVGhlIEhUVFAgcmVxdWVzdCBtZXRob2QgaXMgb25lIGZvciB3aGljaCB0aGUgcmVxdWVzdCBi b2R5IGhhcwogICAgICBkZWZpbmVkIHNlbWFudGljcy4gIEluIHBhcnRpY3VsYXIsIHRoaXMgbWVh bnMgdGhhdCB0aGUgIkdFVCIKICAgICAgbWV0aG9kIE1VU1QgTk9UIGJlIHVzZWQuCgogICBvICBU aGUgY29udGVudCB0byBiZSBlbmNvZGVkIGluIHRoZSBlbnRpdHktYm9keSBNVVNUIGNvbnNpc3Qg ZW50aXJlbHkKICAgICAgb2YgQVNDSUkgY2hhcmFjdGVycy4KCiAgIFRoZSBlbnRpdHktYm9keSBN QVkgaW5jbHVkZSBvdGhlciByZXF1ZXN0LXNwZWNpZmljIHBhcmFtZXRlcnMsIGluCiAgIHdoaWNo IGNhc2UsIHRoZSAiYWNjZXNzX3Rva2VuIiBwYXJhbWV0ZXIgTVVTVCBiZSBwcm9wZXJseSBzZXBh cmF0ZWQKICAgZnJvbSB0aGUgcmVxdWVzdC1zcGVjaWZpYyBwYXJhbWV0ZXJzIHVzaW5nICImIiBj aGFyYWN0ZXIocykgKEFTQ0lJCiAgIGNvZGUgMzgpLgoKCgpKb25lcywgZXQgYWwuICAgICAgICAg ICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAgICAgICAgW1BhZ2UgNl0KDApJbnRl cm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJlciBUb2tlbnMgICAgICAgICAgIERl Y2VtYmVyIDIwMTEKCgogICBGb3IgZXhhbXBsZSwgdGhlIGNsaWVudCBtYWtlcyB0aGUgZm9sbG93 aW5nIEhUVFAgcmVxdWVzdCB1c2luZwogICB0cmFuc3BvcnQtbGF5ZXIgc2VjdXJpdHk6CgogICBQ T1NUIC9yZXNvdXJjZSBIVFRQLzEuMQogICBIb3N0OiBzZXJ2ZXIuZXhhbXBsZS5jb20KICAgQ29u dGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQKCiAgIGFjY2Vzc190 b2tlbj12RjlkZnQ0cW1UCgogICBUaGUgImFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2Rl ZCIgbWV0aG9kIFNIT1VMRCBOT1QgYmUgdXNlZAogICBleGNlcHQgaW4gYXBwbGljYXRpb24gY29u dGV4dHMgd2hlcmUgcGFydGljaXBhdGluZyBicm93c2VycyBkbyBub3QKICAgaGF2ZSBhY2Nlc3Mg dG8gdGhlICJBdXRob3JpemF0aW9uIiByZXF1ZXN0IGhlYWRlciBmaWVsZC4gIFJlc291cmNlCiAg IHNlcnZlcnMgTUFZIHN1cHBvcnQgdGhpcyBtZXRob2QuCgoyLjMuICBVUkkgUXVlcnkgUGFyYW1l dGVyCgogICBXaGVuIHNlbmRpbmcgdGhlIGFjY2VzcyB0b2tlbiBpbiB0aGUgSFRUUCByZXF1ZXN0 IFVSSSwgdGhlIGNsaWVudAogICBhZGRzIHRoZSBhY2Nlc3MgdG9rZW4gdG8gdGhlIHJlcXVlc3Qg VVJJIHF1ZXJ5IGNvbXBvbmVudCBhcyBkZWZpbmVkCiAgIGJ5IFVuaWZvcm0gUmVzb3VyY2UgSWRl bnRpZmllciAoVVJJKSBbUkZDMzk4Nl0gdXNpbmcgdGhlCiAgICJhY2Nlc3NfdG9rZW4iIHBhcmFt ZXRlci4KCiAgIEZvciBleGFtcGxlLCB0aGUgY2xpZW50IG1ha2VzIHRoZSBmb2xsb3dpbmcgSFRU UCByZXF1ZXN0IHVzaW5nCiAgIHRyYW5zcG9ydC1sYXllciBzZWN1cml0eToKCiAgIEdFVCAvcmVz b3VyY2U/YWNjZXNzX3Rva2VuPXZGOWRmdDRxbVQgSFRUUC8xLjEKICAgSG9zdDogc2VydmVyLmV4 YW1wbGUuY29tCgogICBUaGUgSFRUUCByZXF1ZXN0IFVSSSBxdWVyeSBjYW4gaW5jbHVkZSBvdGhl ciByZXF1ZXN0LXNwZWNpZmljCiAgIHBhcmFtZXRlcnMsIGluIHdoaWNoIGNhc2UsIHRoZSAiYWNj ZXNzX3Rva2VuIiBwYXJhbWV0ZXIgTVVTVCBiZQogICBwcm9wZXJseSBzZXBhcmF0ZWQgZnJvbSB0 aGUgcmVxdWVzdC1zcGVjaWZpYyBwYXJhbWV0ZXJzIHVzaW5nICImIgogICBjaGFyYWN0ZXIocykg KEFTQ0lJIGNvZGUgMzgpLgoKICAgRm9yIGV4YW1wbGU6CgogICBodHRwczovL3NlcnZlci5leGFt cGxlLmNvbS9yZXNvdXJjZT94PXkmYWNjZXNzX3Rva2VuPXZGOWRmdDRxbVQmcD1xCgogICBCZWNh dXNlIG9mIHRoZSBzZWN1cml0eSB3ZWFrbmVzc2VzIGFzc29jaWF0ZWQgd2l0aCB0aGUgVVJJIG1l dGhvZAogICAoc2VlIFNlY3Rpb24gNCksIGluY2x1ZGluZyB0aGUgaGlnaCBsaWtlbGlob29kIHRo YXQgdGhlIFVSTAogICBjb250YWluaW5nIHRoZSBhY2Nlc3MgdG9rZW4gd2lsbCBiZSBsb2dnZWQs IGl0IFNIT1VMRCBOT1QgYmUgdXNlZAogICB1bmxlc3MgaXQgaXMgaW1wb3NzaWJsZSB0byB0cmFu c3BvcnQgdGhlIGFjY2VzcyB0b2tlbiBpbiB0aGUKICAgIkF1dGhvcml6YXRpb24iIHJlcXVlc3Qg aGVhZGVyIGZpZWxkIG9yIHRoZSBIVFRQIHJlcXVlc3QgZW50aXR5LWJvZHkuCiAgIFJlc291cmNl IHNlcnZlcnMgTUFZIHN1cHBvcnQgdGhpcyBtZXRob2QuCgoKMy4gIFRoZSBXV1ctQXV0aGVudGlj YXRlIFJlc3BvbnNlIEhlYWRlciBGaWVsZAoKICAgSWYgdGhlIHByb3RlY3RlZCByZXNvdXJjZSBy ZXF1ZXN0IGRvZXMgbm90IGluY2x1ZGUgYXV0aGVudGljYXRpb24KICAgY3JlZGVudGlhbHMgb3Ig ZG9lcyBub3QgY29udGFpbiBhbiBhY2Nlc3MgdG9rZW4gdGhhdCBlbmFibGVzIGFjY2VzcwoKCgpK b25lcywgZXQgYWwuICAgICAgICAgICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAg ICAgICAgW1BhZ2UgN10KDApJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJl ciBUb2tlbnMgICAgICAgICAgIERlY2VtYmVyIDIwMTEKCgogICB0byB0aGUgcHJvdGVjdGVkIHJl c291cmNlLCB0aGUgcmVzb3VyY2Ugc2VydmVyIE1VU1QgaW5jbHVkZSB0aGUgSFRUUAogICAiV1dX LUF1dGhlbnRpY2F0ZSIgcmVzcG9uc2UgaGVhZGVyIGZpZWxkOyBpdCBNQVkgaW5jbHVkZSBpdCBp bgogICByZXNwb25zZSB0byBvdGhlciBjb25kaXRpb25zIGFzIHdlbGwuICBUaGUgIldXVy1BdXRo ZW50aWNhdGUiIGhlYWRlcgogICBmaWVsZCB1c2VzIHRoZSBmcmFtZXdvcmsgZGVmaW5lZCBieSBI VFRQLzEuMSwgUGFydCA3CiAgIFtJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGhdIGFzIGZvbGxvd3M6 CgogICBjaGFsbGVuZ2UgICAgICAgPSAiQmVhcmVyIiBbIDEqU1AgMSNwYXJhbSBdCgogICBwYXJh bSAgICAgICAgICAgPSByZWFsbSAvIHNjb3BlIC8KICAgICAgICAgICAgICAgICAgICAgZXJyb3Ig LyBlcnJvci1kZXNjIC8gZXJyb3ItdXJpIC8KICAgICAgICAgICAgICAgICAgICAgYXV0aC1wYXJh bQoKICAgc2NvcGUgICAgICAgICAgID0gInNjb3BlIiAiPSIgcXVvdGVkLXN0cmluZwogICBlcnJv ciAgICAgICAgICAgPSAiZXJyb3IiICI9IiBxdW90ZWQtc3RyaW5nCiAgIGVycm9yLWRlc2MgICAg ICA9ICJlcnJvcl9kZXNjcmlwdGlvbiIgIj0iIHF1b3RlZC1zdHJpbmcKICAgZXJyb3ItdXJpICAg ICAgID0gImVycm9yX3VyaSIgIj0iIHF1b3RlZC1zdHJpbmcKCiAgIEEgInJlYWxtIiBhdHRyaWJ1 dGUgTUFZIGJlIGluY2x1ZGVkIHRvIGluZGljYXRlIHRoZSBzY29wZSBvZgogICBwcm90ZWN0aW9u IGluIHRoZSBtYW5uZXIgZGVzY3JpYmVkIGluIEhUVFAvMS4xLCBQYXJ0IDcKICAgW0ktRC5pZXRm LWh0dHBiaXMtcDctYXV0aF0uICBUaGUgInJlYWxtIiBhdHRyaWJ1dGUgTVVTVCBOT1QgYXBwZWFy CiAgIG1vcmUgdGhhbiBvbmNlLiAgVGhlICJyZWFsbSIgdmFsdWUgaXMgaW50ZW5kZWQgZm9yIHBy b2dyYW1tYXRpYyB1c2UKICAgYW5kIGlzIG5vdCBtZWFudCB0byBiZSBkaXNwbGF5ZWQgdG8gZW5k IHVzZXJzLgoKICAgVGhlICJzY29wZSIgYXR0cmlidXRlIGlzIGEgc3BhY2UtZGVsaW1pdGVkIGxp c3Qgb2Ygc2NvcGUgdmFsdWVzCiAgIGluZGljYXRpbmcgdGhlIHJlcXVpcmVkIHNjb3BlIG9mIHRo ZSBhY2Nlc3MgdG9rZW4gZm9yIGFjY2Vzc2luZyB0aGUKICAgcmVxdWVzdGVkIHJlc291cmNlLiAg SW4gc29tZSBjYXNlcywgdGhlICJzY29wZSIgdmFsdWUgd2lsbCBiZSB1c2VkCiAgIHdoZW4gcmVx dWVzdGluZyBhIG5ldyBhY2Nlc3MgdG9rZW4gd2l0aCBzdWZmaWNpZW50IHNjb3BlIG9mIGFjY2Vz cyB0bwogICB1dGlsaXplIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UuICBUaGUgInNjb3BlIiBhdHRy aWJ1dGUgTVVTVCBOT1QKICAgYXBwZWFyIG1vcmUgdGhhbiBvbmNlLiAgVGhlICJzY29wZSIgdmFs dWUgaXMgaW50ZW5kZWQgZm9yCiAgIHByb2dyYW1tYXRpYyB1c2UgYW5kIGlzIG5vdCBtZWFudCB0 byBiZSBkaXNwbGF5ZWQgdG8gZW5kIHVzZXJzLgoKICAgSWYgdGhlIHByb3RlY3RlZCByZXNvdXJj ZSByZXF1ZXN0IGluY2x1ZGVkIGFuIGFjY2VzcyB0b2tlbiBhbmQgZmFpbGVkCiAgIGF1dGhlbnRp Y2F0aW9uLCB0aGUgcmVzb3VyY2Ugc2VydmVyIFNIT1VMRCBpbmNsdWRlIHRoZSAiZXJyb3IiCiAg IGF0dHJpYnV0ZSB0byBwcm92aWRlIHRoZSBjbGllbnQgd2l0aCB0aGUgcmVhc29uIHdoeSB0aGUg YWNjZXNzCiAgIHJlcXVlc3Qgd2FzIGRlY2xpbmVkLiAgVGhlIHBhcmFtZXRlciB2YWx1ZSBpcyBk ZXNjcmliZWQgaW4KICAgU2VjdGlvbiAzLjEuICBJbiBhZGRpdGlvbiwgdGhlIHJlc291cmNlIHNl cnZlciBNQVkgaW5jbHVkZSB0aGUKICAgImVycm9yX2Rlc2NyaXB0aW9uIiBhdHRyaWJ1dGUgdG8g cHJvdmlkZSBkZXZlbG9wZXJzIGEgaHVtYW4tcmVhZGFibGUKICAgZXhwbGFuYXRpb24gdGhhdCBp cyBub3QgbWVhbnQgdG8gYmUgZGlzcGxheWVkIHRvIGVuZCB1c2Vycy4gIEl0IGFsc28KICAgTUFZ IGluY2x1ZGUgdGhlICJlcnJvcl91cmkiIGF0dHJpYnV0ZSB3aXRoIGFuIGFic29sdXRlIFVSSQog ICBpZGVudGlmeWluZyBhIGh1bWFuLXJlYWRhYmxlIHdlYiBwYWdlIGV4cGxhaW5pbmcgdGhlIGVy cm9yLiAgVGhlCiAgICJlcnJvciIsICJlcnJvcl9kZXNjcmlwdGlvbiIsIGFuZCAiZXJyb3JfdXJp IiBhdHRyaWJ1dGVzIE1VU1QgTk9UCiAgIGFwcGVhciBtb3JlIHRoYW4gb25jZS4KCiAgIFByb2R1 Y2VycyBvZiAic2NvcGUiIHN0cmluZ3MgTVVTVCBOT1QgdXNlIGNoYXJhY3RlcnMgb3V0c2lkZSB0 aGUgc2V0CiAgICV4MjEgLyAleDIzLTVCIC8gJXg1RC03RSBmb3IgcmVwcmVzZW50aW5nIHRoZSBz Y29wZSB2YWx1ZXMgYW5kICV4MjAKICAgZm9yIHRoZSBkZWxpbWl0ZXIuICBQcm9kdWNlcnMgb2Yg ImVycm9yIiBhbmQgImVycm9yX2Rlc2NyaXB0aW9uIgogICBzdHJpbmdzIE1VU1QgTk9UIHVzZSBj aGFyYWN0ZXJzIG91dHNpZGUgdGhlIHNldCAleDIwLTIxIC8gJXgyMy01QiAvCiAgICV4NUQtN0Ug Zm9yIHJlcHJlc2VudGluZyB0aGVzZSB2YWx1ZXMuICBQcm9kdWNlcnMgb2YgImVycm9yLXVyaSIK CgoKSm9uZXMsIGV0IGFsLiAgICAgICAgICAgICBFeHBpcmVzIEp1bmUgMTQsIDIwMTIgICAgICAg ICAgICAgICAgIFtQYWdlIDhdCgwKSW50ZXJuZXQtRHJhZnQgICAgICAgICAgIE9BdXRoIDIuMCBC ZWFyZXIgVG9rZW5zICAgICAgICAgICBEZWNlbWJlciAyMDExCgoKICAgc3RyaW5ncyBNVVNUIE5P VCB1c2UgY2hhcmFjdGVycyBvdXRzaWRlIHRoZSBzZXQgJXgyMSAvICV4MjMtNUIgLwogICAleDVE LTdFIGZvciByZXByZXNlbnRpbmcgdGhlc2UgdmFsdWVzLiAgRnVydGhlcm1vcmUsICJlcnJvci11 cmkiCiAgIHN0cmluZ3MgTVVTVCBjb25mb3JtIHRvIHRoZSBVUkktUmVmZXJlbmNlIHN5bnRheC4g IEluIGFsbCB0aGVzZQogICBjYXNlcywgbm8gY2hhcmFjdGVyIHF1b3Rpbmcgd2lsbCBvY2N1ciwg YXMgc2VuZGVycyBhcmUgcHJvaGliaXRlZAogICBmcm9tIHVzaW5nIHRoZSAlNUMgKCdcJykgY2hh cmFjdGVyLgoKICAgRm9yIGV4YW1wbGUsIGluIHJlc3BvbnNlIHRvIGEgcHJvdGVjdGVkIHJlc291 cmNlIHJlcXVlc3Qgd2l0aG91dAogICBhdXRoZW50aWNhdGlvbjoKCiAgIEhUVFAvMS4xIDQwMSBV bmF1dGhvcml6ZWQKICAgV1dXLUF1dGhlbnRpY2F0ZTogQmVhcmVyIHJlYWxtPSJleGFtcGxlIgoK ICAgQW5kIGluIHJlc3BvbnNlIHRvIGEgcHJvdGVjdGVkIHJlc291cmNlIHJlcXVlc3Qgd2l0aCBh bgogICBhdXRoZW50aWNhdGlvbiBhdHRlbXB0IHVzaW5nIGFuIGV4cGlyZWQgYWNjZXNzIHRva2Vu OgoKICAgSFRUUC8xLjEgNDAxIFVuYXV0aG9yaXplZAogICBXV1ctQXV0aGVudGljYXRlOiBCZWFy ZXIgcmVhbG09ImV4YW1wbGUiLAogICAgICAgICAgICAgICAgICAgICBlcnJvcj0iaW52YWxpZF90 b2tlbiIsCiAgICAgICAgICAgICAgICAgICAgIGVycm9yX2Rlc2NyaXB0aW9uPSJUaGUgYWNjZXNz IHRva2VuIGV4cGlyZWQiCgozLjEuICBFcnJvciBDb2RlcwoKICAgV2hlbiBhIHJlcXVlc3QgZmFp bHMsIHRoZSByZXNvdXJjZSBzZXJ2ZXIgcmVzcG9uZHMgdXNpbmcgdGhlCiAgIGFwcHJvcHJpYXRl IEhUVFAgc3RhdHVzIGNvZGUgKHR5cGljYWxseSwgNDAwLCA0MDEsIDQwMywgb3IgNDA1KSwgYW5k CiAgIGluY2x1ZGVzIG9uZSBvZiB0aGUgZm9sbG93aW5nIGVycm9yIGNvZGVzIGluIHRoZSByZXNw b25zZToKCiAgIGludmFsaWRfcmVxdWVzdAogICAgICAgICBUaGUgcmVxdWVzdCBpcyBtaXNzaW5n IGEgcmVxdWlyZWQgcGFyYW1ldGVyLCBpbmNsdWRlcyBhbgogICAgICAgICB1bnN1cHBvcnRlZCBw YXJhbWV0ZXIgb3IgcGFyYW1ldGVyIHZhbHVlLCByZXBlYXRzIHRoZSBzYW1lCiAgICAgICAgIHBh cmFtZXRlciwgdXNlcyBtb3JlIHRoYW4gb25lIG1ldGhvZCBmb3IgaW5jbHVkaW5nIGFuIGFjY2Vz cwogICAgICAgICB0b2tlbiwgb3IgaXMgb3RoZXJ3aXNlIG1hbGZvcm1lZC4gIFRoZSByZXNvdXJj ZSBzZXJ2ZXIgU0hPVUxECiAgICAgICAgIHJlc3BvbmQgd2l0aCB0aGUgSFRUUCA0MDAgKEJhZCBS ZXF1ZXN0KSBzdGF0dXMgY29kZS4KCiAgIGludmFsaWRfdG9rZW4KICAgICAgICAgVGhlIGFjY2Vz cyB0b2tlbiBwcm92aWRlZCBpcyBleHBpcmVkLCByZXZva2VkLCBtYWxmb3JtZWQsIG9yCiAgICAg ICAgIGludmFsaWQgZm9yIG90aGVyIHJlYXNvbnMuICBUaGUgcmVzb3VyY2UgU0hPVUxEIHJlc3Bv bmQgd2l0aAogICAgICAgICB0aGUgSFRUUCA0MDEgKFVuYXV0aG9yaXplZCkgc3RhdHVzIGNvZGUu ICBUaGUgY2xpZW50IE1BWQogICAgICAgICByZXF1ZXN0IGEgbmV3IGFjY2VzcyB0b2tlbiBhbmQg cmV0cnkgdGhlIHByb3RlY3RlZCByZXNvdXJjZQogICAgICAgICByZXF1ZXN0LgoKICAgaW5zdWZm aWNpZW50X3Njb3BlCiAgICAgICAgIFRoZSByZXF1ZXN0IHJlcXVpcmVzIGhpZ2hlciBwcml2aWxl Z2VzIHRoYW4gcHJvdmlkZWQgYnkgdGhlCiAgICAgICAgIGFjY2VzcyB0b2tlbi4gIFRoZSByZXNv dXJjZSBzZXJ2ZXIgU0hPVUxEIHJlc3BvbmQgd2l0aCB0aGUgSFRUUAogICAgICAgICA0MDMgKEZv cmJpZGRlbikgc3RhdHVzIGNvZGUgYW5kIE1BWSBpbmNsdWRlIHRoZSAic2NvcGUiCiAgICAgICAg IGF0dHJpYnV0ZSB3aXRoIHRoZSBzY29wZSBuZWNlc3NhcnkgdG8gYWNjZXNzIHRoZSBwcm90ZWN0 ZWQKICAgICAgICAgcmVzb3VyY2UuCgogICBJZiB0aGUgcmVxdWVzdCBsYWNrcyBhbnkgYXV0aGVu dGljYXRpb24gaW5mb3JtYXRpb24gKGkuZS4gdGhlIGNsaWVudAoKCgpKb25lcywgZXQgYWwuICAg ICAgICAgICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAgICAgICAgW1BhZ2UgOV0K DApJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJlciBUb2tlbnMgICAgICAg ICAgIERlY2VtYmVyIDIwMTEKCgogICB3YXMgdW5hd2FyZSBhdXRoZW50aWNhdGlvbiBpcyBuZWNl c3Nhcnkgb3IgYXR0ZW1wdGVkIHVzaW5nIGFuCiAgIHVuc3VwcG9ydGVkIGF1dGhlbnRpY2F0aW9u IG1ldGhvZCksIHRoZSByZXNvdXJjZSBzZXJ2ZXIgU0hPVUxEIE5PVAogICBpbmNsdWRlIGFuIGVy cm9yIGNvZGUgb3Igb3RoZXIgZXJyb3IgaW5mb3JtYXRpb24uCgogICBGb3IgZXhhbXBsZToKCiAg IEhUVFAvMS4xIDQwMSBVbmF1dGhvcml6ZWQKICAgV1dXLUF1dGhlbnRpY2F0ZTogQmVhcmVyIHJl YWxtPSJleGFtcGxlIgoKCjQuICBTZWN1cml0eSBDb25zaWRlcmF0aW9ucwoKICAgVGhpcyBzZWN0 aW9uIGRlc2NyaWJlcyB0aGUgcmVsZXZhbnQgc2VjdXJpdHkgdGhyZWF0cyByZWdhcmRpbmcgdG9r ZW4KICAgaGFuZGxpbmcgd2hlbiB1c2luZyBiZWFyZXIgdG9rZW5zIGFuZCBkZXNjcmliZXMgaG93 IHRvIG1pdGlnYXRlIHRoZXNlCiAgIHRocmVhdHMuCgo0LjEuICBTZWN1cml0eSBUaHJlYXRzCgog ICBUaGUgZm9sbG93aW5nIGxpc3QgcHJlc2VudHMgc2V2ZXJhbCBjb21tb24gdGhyZWF0cyBhZ2Fp bnN0IHByb3RvY29scwogICB1dGlsaXppbmcgc29tZSBmb3JtIG9mIHRva2Vucy4gIFRoaXMgbGlz dCBvZiB0aHJlYXRzIGlzIGJhc2VkIG9uIE5JU1QKICAgU3BlY2lhbCBQdWJsaWNhdGlvbiA4MDAt NjMgW05JU1Q4MDAtNjNdLiAgU2luY2UgdGhpcyBkb2N1bWVudCBidWlsZHMKICAgb24gdGhlIE9B dXRoIDIuMCBzcGVjaWZpY2F0aW9uLCB3ZSBleGNsdWRlIGEgZGlzY3Vzc2lvbiBvZiB0aHJlYXRz CiAgIHRoYXQgYXJlIGRlc2NyaWJlZCB0aGVyZSBvciBpbiByZWxhdGVkIGRvY3VtZW50cy4KCiAg IFRva2VuIG1hbnVmYWN0dXJlL21vZGlmaWNhdGlvbjogIEFuIGF0dGFja2VyIG1heSBnZW5lcmF0 ZSBhIGJvZ3VzCiAgICAgIHRva2VuIG9yIG1vZGlmeSB0aGUgdG9rZW4gY29udGVudHMgKHN1Y2gg YXMgdGhlIGF1dGhlbnRpY2F0aW9uIG9yCiAgICAgIGF0dHJpYnV0ZSBzdGF0ZW1lbnRzKSBvZiBh biBleGlzdGluZyB0b2tlbiwgY2F1c2luZyB0aGUgcmVzb3VyY2UKICAgICAgc2VydmVyIHRvIGdy YW50IGluYXBwcm9wcmlhdGUgYWNjZXNzIHRvIHRoZSBjbGllbnQuICBGb3IgZXhhbXBsZSwKICAg ICAgYW4gYXR0YWNrZXIgbWF5IG1vZGlmeSB0aGUgdG9rZW4gdG8gZXh0ZW5kIHRoZSB2YWxpZGl0 eSBwZXJpb2Q7IGEKICAgICAgbWFsaWNpb3VzIGNsaWVudCBtYXkgbW9kaWZ5IHRoZSBhc3NlcnRp b24gdG8gZ2FpbiBhY2Nlc3MgdG8KICAgICAgaW5mb3JtYXRpb24gdGhhdCB0aGV5IHNob3VsZCBu b3QgYmUgYWJsZSB0byB2aWV3LgoKICAgVG9rZW4gZGlzY2xvc3VyZTogIFRva2VucyBtYXkgY29u dGFpbiBhdXRoZW50aWNhdGlvbiBhbmQgYXR0cmlidXRlCiAgICAgIHN0YXRlbWVudHMgdGhhdCBp bmNsdWRlIHNlbnNpdGl2ZSBpbmZvcm1hdGlvbi4KCiAgIFRva2VuIHJlZGlyZWN0OiAgQW4gYXR0 YWNrZXIgdXNlcyBhIHRva2VuIGdlbmVyYXRlZCBmb3IgY29uc3VtcHRpb24KICAgICAgYnkgb25l IHJlc291cmNlIHNlcnZlciB0byBnYWluIGFjY2VzcyB0byBhIGRpZmZlcmVudCByZXNvdXJjZQog ICAgICBzZXJ2ZXIgdGhhdCBtaXN0YWtlbmx5IGJlbGlldmVzIHRoZSB0b2tlbiB0byBiZSBmb3Ig aXQuCgogICBUb2tlbiByZXBsYXk6ICBBbiBhdHRhY2tlciBhdHRlbXB0cyB0byB1c2UgYSB0b2tl biB0aGF0IGhhcyBhbHJlYWR5CiAgICAgIGJlZW4gdXNlZCB3aXRoIHRoYXQgcmVzb3VyY2Ugc2Vy dmVyIGluIHRoZSBwYXN0LgoKNC4yLiAgVGhyZWF0IE1pdGlnYXRpb24KCiAgIEEgbGFyZ2UgcmFu Z2Ugb2YgdGhyZWF0cyBjYW4gYmUgbWl0aWdhdGVkIGJ5IHByb3RlY3RpbmcgdGhlIGNvbnRlbnRz CiAgIG9mIHRoZSB0b2tlbiBieSB1c2luZyBhIGRpZ2l0YWwgc2lnbmF0dXJlIG9yIGEgTWVzc2Fn ZSBBdXRoZW50aWNhdGlvbgogICBDb2RlIChNQUMpLiAgQWx0ZXJuYXRpdmVseSwgYSBiZWFyZXIg dG9rZW4gY2FuIGNvbnRhaW4gYSByZWZlcmVuY2UgdG8KICAgYXV0aG9yaXphdGlvbiBpbmZvcm1h dGlvbiwgcmF0aGVyIHRoYW4gZW5jb2RpbmcgdGhlIGluZm9ybWF0aW9uCgoKCkpvbmVzLCBldCBh bC4gICAgICAgICAgICAgRXhwaXJlcyBKdW5lIDE0LCAyMDEyICAgICAgICAgICAgICAgIFtQYWdl IDEwXQoMCkludGVybmV0LURyYWZ0ICAgICAgICAgICBPQXV0aCAyLjAgQmVhcmVyIFRva2VucyAg ICAgICAgICAgRGVjZW1iZXIgMjAxMQoKCiAgIGRpcmVjdGx5LiAgU3VjaCByZWZlcmVuY2VzIE1V U1QgYmUgaW5mZWFzaWJsZSBmb3IgYW4gYXR0YWNrZXIgdG8KICAgZ3Vlc3M7IHVzaW5nIGEgcmVm ZXJlbmNlIG1heSByZXF1aXJlIGFuIGV4dHJhIGludGVyYWN0aW9uIGJldHdlZW4gYQogICBzZXJ2 ZXIgYW5kIHRoZSB0b2tlbiBpc3N1ZXIgdG8gcmVzb2x2ZSB0aGUgcmVmZXJlbmNlIHRvIHRoZQog ICBhdXRob3JpemF0aW9uIGluZm9ybWF0aW9uLiAgVGhlIG1lY2hhbmljcyBvZiBzdWNoIGFuIGlu dGVyYWN0aW9uIGFyZQogICBub3QgZGVmaW5lZCBieSB0aGlzIHNwZWNpZmljYXRpb24uCgogICBU aGlzIGRvY3VtZW50IGRvZXMgbm90IHNwZWNpZnkgdGhlIGVuY29kaW5nIG9yIHRoZSBjb250ZW50 cyBvZiB0aGUKICAgdG9rZW47IGhlbmNlIGRldGFpbGVkIHJlY29tbWVuZGF0aW9ucyBhYm91dCB0 aGUgbWVhbnMgb2YgZ3VhcmFudGVlaW5nCiAgIHRva2VuIGludGVncml0eSBwcm90ZWN0aW9uIGFy ZSBvdXRzaWRlIHRoZSBzY29wZSBvZiB0aGlzIGRvY3VtZW50LgogICBUaGUgdG9rZW4gaW50ZWdy aXR5IHByb3RlY3Rpb24gTVVTVCBiZSBzdWZmaWNpZW50IHRvIHByZXZlbnQgdGhlCiAgIHRva2Vu IGZyb20gYmVpbmcgbW9kaWZpZWQuCgogICBUbyBkZWFsIHdpdGggdG9rZW4gcmVkaXJlY3QsIGl0 IGlzIGltcG9ydGFudCBmb3IgdGhlIGF1dGhvcml6YXRpb24KICAgc2VydmVyIHRvIGluY2x1ZGUg dGhlIGlkZW50aXR5IG9mIHRoZSBpbnRlbmRlZCByZWNpcGllbnRzICh0aGUKICAgYXVkaWVuY2Up LCB0eXBpY2FsbHkgYSBzaW5nbGUgcmVzb3VyY2Ugc2VydmVyIChvciBhIGxpc3Qgb2YgcmVzb3Vy Y2UKICAgc2VydmVycyksIGluIHRoZSB0b2tlbi4gIFJlc3RyaWN0aW5nIHRoZSB1c2Ugb2YgdGhl IHRva2VuIHRvIGEKICAgc3BlY2lmaWMgc2NvcGUgaXMgYWxzbyBSRUNPTU1FTkRFRC4KCiAgIFRo ZSBhdXRob3JpemF0aW9uIHNlcnZlciBNVVNUIGltcGxlbWVudCBUTFMuICBXaGljaCB2ZXJzaW9u KHMpIG91Z2h0CiAgIHRvIGJlIGltcGxlbWVudGVkIHdpbGwgdmFyeSBvdmVyIHRpbWUsIGFuZCBk ZXBlbmQgb24gdGhlIHdpZGVzcHJlYWQKICAgZGVwbG95bWVudCBhbmQga25vd24gc2VjdXJpdHkg dnVsbmVyYWJpbGl0aWVzIGF0IHRoZSB0aW1lIG9mCiAgIGltcGxlbWVudGF0aW9uLiAgQXQgdGhl IHRpbWUgb2YgdGhpcyB3cml0aW5nLCBUTFMgdmVyc2lvbiAxLjIKICAgW1JGQzUyNDZdIGlzIHRo ZSBtb3N0IHJlY2VudCB2ZXJzaW9uLCBidXQgaGFzIHZlcnkgbGltaXRlZCBhY3R1YWwKICAgZGVw bG95bWVudCwgYW5kIG1pZ2h0IG5vdCBiZSByZWFkaWx5IGF2YWlsYWJsZSBpbiBpbXBsZW1lbnRh dGlvbgogICB0b29sa2l0cy4gIFRMUyB2ZXJzaW9uIDEuMCBbUkZDMjI0Nl0gaXMgdGhlIG1vc3Qg d2lkZWx5IGRlcGxveWVkCiAgIHZlcnNpb24sIGFuZCB3aWxsIGdpdmUgdGhlIGJyb2FkZXN0IGlu dGVyb3BlcmFiaWxpdHkuCgogICBUbyBwcm90ZWN0IGFnYWluc3QgdG9rZW4gZGlzY2xvc3VyZSwg Y29uZmlkZW50aWFsaXR5IHByb3RlY3Rpb24gTVVTVAogICBiZSBhcHBsaWVkIHVzaW5nIFRMUyBb UkZDNTI0Nl0gd2l0aCBhIGNpcGhlcnN1aXRlIHRoYXQgcHJvdmlkZXMKICAgY29uZmlkZW50aWFs aXR5IGFuZCBpbnRlZ3JpdHkgcHJvdGVjdGlvbi4gIFRoaXMgcmVxdWlyZXMgdGhhdCB0aGUKICAg Y29tbXVuaWNhdGlvbiBpbnRlcmFjdGlvbiBiZXR3ZWVuIHRoZSBjbGllbnQgYW5kIHRoZSBhdXRo b3JpemF0aW9uCiAgIHNlcnZlciwgYXMgd2VsbCBhcyB0aGUgaW50ZXJhY3Rpb24gYmV0d2VlbiB0 aGUgY2xpZW50IGFuZCB0aGUKICAgcmVzb3VyY2Ugc2VydmVyLCB1dGlsaXplIGNvbmZpZGVudGlh bGl0eSBhbmQgaW50ZWdyaXR5IHByb3RlY3Rpb24uCiAgIFNpbmNlIFRMUyBpcyBtYW5kYXRvcnkg dG8gaW1wbGVtZW50IGFuZCB0byB1c2Ugd2l0aCB0aGlzCiAgIHNwZWNpZmljYXRpb24sIGl0IGlz IHRoZSBwcmVmZXJyZWQgYXBwcm9hY2ggZm9yIHByZXZlbnRpbmcgdG9rZW4KICAgZGlzY2xvc3Vy ZSB2aWEgdGhlIGNvbW11bmljYXRpb24gY2hhbm5lbC4gIEZvciB0aG9zZSBjYXNlcyB3aGVyZSB0 aGUKICAgY2xpZW50IGlzIHByZXZlbnRlZCBmcm9tIG9ic2VydmluZyB0aGUgY29udGVudHMgb2Yg dGhlIHRva2VuLCB0b2tlbgogICBlbmNyeXB0aW9uIE1VU1QgYmUgYXBwbGllZCBpbiBhZGRpdGlv biB0byB0aGUgdXNhZ2Ugb2YgVExTCiAgIHByb3RlY3Rpb24uICBBcyBhIGZ1cnRoZXIgZGVmZW5z ZSBhZ2FpbnN0IHRva2VuIGRpc2Nsb3N1cmUsIHRoZQogICBjbGllbnQgTVVTVCB2YWxpZGF0ZSB0 aGUgVExTIGNlcnRpZmljYXRlIGNoYWluIHdoZW4gbWFraW5nIHJlcXVlc3RzCiAgIHRvIHByb3Rl Y3RlZCByZXNvdXJjZXMuCgogICBDb29raWVzIGFyZSB0eXBpY2FsbHkgdHJhbnNtaXR0ZWQgaW4g dGhlIGNsZWFyLiAgVGh1cywgYW55CiAgIGluZm9ybWF0aW9uIGNvbnRhaW5lZCBpbiB0aGVtIGlz IGF0IHJpc2sgb2YgZGlzY2xvc3VyZS4gIFRoZXJlZm9yZSwKICAgYmVhcmVyIHRva2VucyBNVVNU IE5PVCBiZSBzdG9yZWQgaW4gY29va2llcyB0aGF0IGNhbiBiZSBzZW50IGluIHRoZQogICBjbGVh ci4KCiAgIEluIHNvbWUgZGVwbG95bWVudHMsIGluY2x1ZGluZyB0aG9zZSB1dGlsaXppbmcgbG9h ZCBiYWxhbmNlcnMsIHRoZQoKCgpKb25lcywgZXQgYWwuICAgICAgICAgICAgIEV4cGlyZXMgSnVu ZSAxNCwgMjAxMiAgICAgICAgICAgICAgICBbUGFnZSAxMV0KDApJbnRlcm5ldC1EcmFmdCAgICAg ICAgICAgT0F1dGggMi4wIEJlYXJlciBUb2tlbnMgICAgICAgICAgIERlY2VtYmVyIDIwMTEKCgog ICBUTFMgY29ubmVjdGlvbiB0byB0aGUgcmVzb3VyY2Ugc2VydmVyIHRlcm1pbmF0ZXMgcHJpb3Ig dG8gdGhlIGFjdHVhbAogICBzZXJ2ZXIgdGhhdCBwcm92aWRlcyB0aGUgcmVzb3VyY2UuICBUaGlz IGNvdWxkIGxlYXZlIHRoZSB0b2tlbgogICB1bnByb3RlY3RlZCBiZXR3ZWVuIHRoZSBmcm9udCBl bmQgc2VydmVyIHdoZXJlIHRoZSBUTFMgY29ubmVjdGlvbgogICB0ZXJtaW5hdGVzIGFuZCB0aGUg YmFjayBlbmQgc2VydmVyIHRoYXQgcHJvdmlkZXMgdGhlIHJlc291cmNlLiAgSW4KICAgc3VjaCBk ZXBsb3ltZW50cywgc3VmZmljaWVudCBtZWFzdXJlcyBNVVNUIGJlIGVtcGxveWVkIHRvIGVuc3Vy ZQogICBjb25maWRlbnRpYWxpdHkgb2YgdGhlIHRva2VuIGJldHdlZW4gdGhlIGZyb250IGVuZCBh bmQgYmFjayBlbmQKICAgc2VydmVyczsgZW5jcnlwdGlvbiBvZiB0aGUgdG9rZW4gaXMgb25lIHBv c3NpYmxlIHN1Y2ggbWVhc3VyZS4KCiAgIFRvIGRlYWwgd2l0aCB0b2tlbiBjYXB0dXJlIGFuZCBy ZXBsYXksIHRoZSBmb2xsb3dpbmcgcmVjb21tZW5kYXRpb25zCiAgIGFyZSBtYWRlOiBGaXJzdCwg dGhlIGxpZmV0aW1lIG9mIHRoZSB0b2tlbiBNVVNUIGJlIGxpbWl0ZWQ7IG9uZSBtZWFucwogICBv ZiBhY2hpZXZpbmcgdGhpcyBpcyBieSBwdXR0aW5nIGEgdmFsaWRpdHkgdGltZSBmaWVsZCBpbnNp ZGUgdGhlCiAgIHByb3RlY3RlZCBwYXJ0IG9mIHRoZSB0b2tlbi4gIE5vdGUgdGhhdCB1c2luZyBz aG9ydC1saXZlZCAob25lIGhvdXIKICAgb3IgbGVzcykgdG9rZW5zIHJlZHVjZXMgdGhlIGltcGFj dCBvZiB0aGVtIGJlaW5nIGxlYWtlZC4gIFNlY29uZCwKICAgY29uZmlkZW50aWFsaXR5IHByb3Rl Y3Rpb24gb2YgdGhlIGV4Y2hhbmdlcyBiZXR3ZWVuIHRoZSBjbGllbnQgYW5kCiAgIHRoZSBhdXRo b3JpemF0aW9uIHNlcnZlciBhbmQgYmV0d2VlbiB0aGUgY2xpZW50IGFuZCB0aGUgcmVzb3VyY2UK ICAgc2VydmVyIE1VU1QgYmUgYXBwbGllZC4gIEFzIGEgY29uc2VxdWVuY2UsIG5vIGVhdmVzZHJv cHBlciBhbG9uZyB0aGUKICAgY29tbXVuaWNhdGlvbiBwYXRoIGlzIGFibGUgdG8gb2JzZXJ2ZSB0 aGUgdG9rZW4gZXhjaGFuZ2UuCiAgIENvbnNlcXVlbnRseSwgc3VjaCBhbiBvbi1wYXRoIGFkdmVy c2FyeSBjYW5ub3QgcmVwbGF5IHRoZSB0b2tlbi4KICAgRnVydGhlcm1vcmUsIHdoZW4gcHJlc2Vu dGluZyB0aGUgdG9rZW4gdG8gYSByZXNvdXJjZSBzZXJ2ZXIsIHRoZQogICBjbGllbnQgTVVTVCB2 ZXJpZnkgdGhlIGlkZW50aXR5IG9mIHRoYXQgcmVzb3VyY2Ugc2VydmVyLCBhcyBwZXIKICAgUmVw cmVzZW50YXRpb24gYW5kIFZlcmlmaWNhdGlvbiBvZiBEb21haW4tQmFzZWQgQXBwbGljYXRpb24g U2VydmljZQogICBJZGVudGl0eSB3aXRoaW4gSW50ZXJuZXQgUHVibGljIEtleSBJbmZyYXN0cnVj dHVyZSBVc2luZyBYLjUwOSAoUEtJWCkKICAgQ2VydGlmaWNhdGVzIGluIHRoZSBDb250ZXh0IG9m IFRyYW5zcG9ydCBMYXllciBTZWN1cml0eSAoVExTKQogICBbUkZDNjEyNV0uICBOb3RlIHRoYXQg dGhlIGNsaWVudCBNVVNUIHZhbGlkYXRlIHRoZSBUTFMgY2VydGlmaWNhdGUKICAgY2hhaW4gd2hl biBtYWtpbmcgdGhlc2UgcmVxdWVzdHMgdG8gcHJvdGVjdGVkIHJlc291cmNlcy4gIFByZXNlbnRp bmcKICAgdGhlIHRva2VuIHRvIGFuIHVuYXV0aGVudGljYXRlZCBhbmQgdW5hdXRob3JpemVkIHJl c291cmNlIHNlcnZlciBvcgogICBmYWlsaW5nIHRvIHZhbGlkYXRlIHRoZSBjZXJ0aWZpY2F0ZSBj aGFpbiB3aWxsIGFsbG93IGFkdmVyc2FyaWVzIHRvCiAgIHN0ZWFsIHRoZSB0b2tlbiBhbmQgZ2Fp biB1bmF1dGhvcml6ZWQgYWNjZXNzIHRvIHByb3RlY3RlZCByZXNvdXJjZXMuCgo0LjMuICBTdW1t YXJ5IG9mIFJlY29tbWVuZGF0aW9ucwoKICAgU2FmZWd1YXJkIGJlYXJlciB0b2tlbnM6ICBDbGll bnQgaW1wbGVtZW50YXRpb25zIE1VU1QgZW5zdXJlIHRoYXQKICAgICAgYmVhcmVyIHRva2VucyBh cmUgbm90IGxlYWtlZCB0byB1bmludGVuZGVkIHBhcnRpZXMsIGFzIHRoZXkgd2lsbAogICAgICBi ZSBhYmxlIHRvIHVzZSB0aGVtIHRvIGdhaW4gYWNjZXNzIHRvIHByb3RlY3RlZCByZXNvdXJjZXMu ICBUaGlzCiAgICAgIGlzIHRoZSBwcmltYXJ5IHNlY3VyaXR5IGNvbnNpZGVyYXRpb24gd2hlbiB1 c2luZyBiZWFyZXIgdG9rZW5zIGFuZAogICAgICB1bmRlcmxpZXMgYWxsIHRoZSBtb3JlIHNwZWNp ZmljIHJlY29tbWVuZGF0aW9ucyB0aGF0IGZvbGxvdy4KCiAgIFZhbGlkYXRlIFNTTCBjZXJ0aWZp Y2F0ZSBjaGFpbnM6ICBUaGUgY2xpZW50IE1VU1QgdmFsaWRhdGUgdGhlIFRMUwogICAgICBjZXJ0 aWZpY2F0ZSBjaGFpbiB3aGVuIG1ha2luZyByZXF1ZXN0cyB0byBwcm90ZWN0ZWQgcmVzb3VyY2Vz LgogICAgICBGYWlsaW5nIHRvIGRvIHNvIG1heSBlbmFibGUgRE5TIGhpamFja2luZyBhdHRhY2tz IHRvIHN0ZWFsIHRoZQogICAgICB0b2tlbiBhbmQgZ2FpbiB1bmludGVuZGVkIGFjY2Vzcy4KCiAg IEFsd2F5cyB1c2UgVExTIChodHRwcyk6ICBDbGllbnRzIE1VU1QgYWx3YXlzIHVzZSBUTFMgW1JG QzUyNDZdCiAgICAgIChodHRwcykgb3IgZXF1aXZhbGVudCB0cmFuc3BvcnQgc2VjdXJpdHkgd2hl biBtYWtpbmcgcmVxdWVzdHMgd2l0aAogICAgICBiZWFyZXIgdG9rZW5zLiAgRmFpbGluZyB0byBk byBzbyBleHBvc2VzIHRoZSB0b2tlbiB0byBudW1lcm91cwogICAgICBhdHRhY2tzIHRoYXQgY291 bGQgZ2l2ZSBhdHRhY2tlcnMgdW5pbnRlbmRlZCBhY2Nlc3MuCgoKCgoKSm9uZXMsIGV0IGFsLiAg ICAgICAgICAgICBFeHBpcmVzIEp1bmUgMTQsIDIwMTIgICAgICAgICAgICAgICAgW1BhZ2UgMTJd CgwKSW50ZXJuZXQtRHJhZnQgICAgICAgICAgIE9BdXRoIDIuMCBCZWFyZXIgVG9rZW5zICAgICAg ICAgICBEZWNlbWJlciAyMDExCgoKICAgRG9uJ3Qgc3RvcmUgYmVhcmVyIHRva2VucyBpbiBjb29r aWVzOiAgSW1wbGVtZW50YXRpb25zIE1VU1QgTk9UIHN0b3JlCiAgICAgIGJlYXJlciB0b2tlbnMg d2l0aGluIGNvb2tpZXMgdGhhdCBjYW4gYmUgc2VudCBpbiB0aGUgY2xlYXIgKHdoaWNoCiAgICAg IGlzIHRoZSBkZWZhdWx0IHRyYW5zbWlzc2lvbiBtb2RlIGZvciBjb29raWVzKS4gIEltcGxlbWVu dGF0aW9ucwogICAgICB0aGF0IGRvIHN0b3JlIGJlYXJlciB0b2tlbnMgaW4gY29va2llcyBNVVNU IHRha2UgcHJlY2F1dGlvbnMKICAgICAgYWdhaW5zdCBjcm9zcyBzaXRlIHJlcXVlc3QgZm9yZ2Vy eS4KCiAgIElzc3VlIHNob3J0LWxpdmVkIGJlYXJlciB0b2tlbnM6ICBUb2tlbiBzZXJ2ZXJzIFNI T1VMRCBpc3N1ZSBzaG9ydC0KICAgICAgbGl2ZWQgKG9uZSBob3VyIG9yIGxlc3MpIGJlYXJlciB0 b2tlbnMsIHBhcnRpY3VsYXJseSB3aGVuIGlzc3VpbmcKICAgICAgdG9rZW5zIHRvIGNsaWVudHMg dGhhdCBydW4gd2l0aGluIGEgd2ViIGJyb3dzZXIgb3Igb3RoZXIKICAgICAgZW52aXJvbm1lbnRz IHdoZXJlIGluZm9ybWF0aW9uIGxlYWthZ2UgbWF5IG9jY3VyLiAgVXNpbmcgc2hvcnQtCiAgICAg IGxpdmVkIGJlYXJlciB0b2tlbnMgY2FuIHJlZHVjZSB0aGUgaW1wYWN0IG9mIHRoZW0gYmVpbmcg bGVha2VkLgoKICAgSXNzdWUgc2NvcGVkIGJlYXJlciB0b2tlbnM6ICBUb2tlbiBzZXJ2ZXJzIFNI T1VMRCBpc3N1ZSBiZWFyZXIgdG9rZW5zCiAgICAgIHRoYXQgY29udGFpbiBhbiBhdWRpZW5jZSBy ZXN0cmljdGlvbiwgc2NvcGluZyB0aGVpciB1c2UgdG8gdGhlCiAgICAgIGludGVuZGVkIHJlbHlp bmcgcGFydHkgb3Igc2V0IG9mIHJlbHlpbmcgcGFydGllcy4KCiAgIERvbid0IHBhc3MgYmVhcmVy IHRva2VucyBpbiBwYWdlIFVSTHM6ICBCZWFyZXIgdG9rZW5zIFNIT1VMRCBOT1QgYmUKICAgICAg cGFzc2VkIGluIHBhZ2UgVVJMcyAoZm9yIGV4YW1wbGUgYXMgcXVlcnkgc3RyaW5nIHBhcmFtZXRl cnMpLgogICAgICBJbnN0ZWFkLCBiZWFyZXIgdG9rZW5zIFNIT1VMRCBiZSBwYXNzZWQgaW4gSFRU UCBtZXNzYWdlIGhlYWRlcnMgb3IKICAgICAgbWVzc2FnZSBib2RpZXMgZm9yIHdoaWNoIGNvbmZp ZGVudGlhbGl0eSBtZWFzdXJlcyBhcmUgdGFrZW4uCiAgICAgIEJyb3dzZXJzLCB3ZWIgc2VydmVy cywgYW5kIG90aGVyIHNvZnR3YXJlIG1heSBub3QgYWRlcXVhdGVseQogICAgICBzZWN1cmUgVVJM cyBpbiB0aGUgYnJvd3NlciBoaXN0b3J5LCB3ZWIgc2VydmVyIGxvZ3MsIGFuZCBvdGhlcgogICAg ICBkYXRhIHN0cnVjdHVyZXMuICBJZiBiZWFyZXIgdG9rZW5zIGFyZSBwYXNzZWQgaW4gcGFnZSBV UkxzLAogICAgICBhdHRhY2tlcnMgbWlnaHQgYmUgYWJsZSB0byBzdGVhbCB0aGVtIGZyb20gdGhl IGhpc3RvcnkgZGF0YSwgbG9ncywKICAgICAgb3Igb3RoZXIgdW5zZWN1cmVkIGxvY2F0aW9ucy4K Cgo1LiAgSUFOQSBDb25zaWRlcmF0aW9ucwoKNS4xLiAgT0F1dGggQWNjZXNzIFRva2VuIFR5cGUg UmVnaXN0cmF0aW9uCgogICBUaGlzIHNwZWNpZmljYXRpb24gcmVnaXN0ZXJzIHRoZSBmb2xsb3dp bmcgYWNjZXNzIHRva2VuIHR5cGUgaW4gdGhlCiAgIE9BdXRoIEFjY2VzcyBUb2tlbiBUeXBlIFJl Z2lzdHJ5LgoKNS4xLjEuICBUaGUgIkJlYXJlciIgT0F1dGggQWNjZXNzIFRva2VuIFR5cGUKCiAg IFR5cGUgbmFtZToKICAgICAgQmVhcmVyCgogICBBZGRpdGlvbmFsIFRva2VuIEVuZHBvaW50IFJl c3BvbnNlIFBhcmFtZXRlcnM6CiAgICAgIChub25lKQoKICAgSFRUUCBBdXRoZW50aWNhdGlvbiBT Y2hlbWUocyk6CiAgICAgIEJlYXJlcgoKCgoKCgoKSm9uZXMsIGV0IGFsLiAgICAgICAgICAgICBF eHBpcmVzIEp1bmUgMTQsIDIwMTIgICAgICAgICAgICAgICAgW1BhZ2UgMTNdCgwKSW50ZXJuZXQt RHJhZnQgICAgICAgICAgIE9BdXRoIDIuMCBCZWFyZXIgVG9rZW5zICAgICAgICAgICBEZWNlbWJl ciAyMDExCgoKICAgQ2hhbmdlIGNvbnRyb2xsZXI6CiAgICAgIElFVEYKCiAgIFNwZWNpZmljYXRp b24gZG9jdW1lbnQocyk6CiAgICAgIFtbIHRoaXMgZG9jdW1lbnQgXV0KCjUuMi4gIEF1dGhlbnRp Y2F0aW9uIFNjaGVtZSBSZWdpc3RyYXRpb24KCiAgIFRoaXMgc3BlY2lmaWNhdGlvbiByZWdpc3Rl cnMgdGhlIGZvbGxvd2luZyBhdXRoZW50aWNhdGlvbiBzY2hlbWUgaW4KICAgdGhlIEF1dGhlbnRp Y2F0aW9uIFNjaGVtZSBSZWdpc3RyeSBkZWZpbmVkIGluIEhUVFAvMS4xLCBQYXJ0IDcKICAgW0kt RC5pZXRmLWh0dHBiaXMtcDctYXV0aF0uCgo1LjIuMS4gIFRoZSAiQmVhcmVyIiBBdXRoZW50aWNh dGlvbiBTY2hlbWUKCiAgIEF1dGhlbnRpY2F0aW9uIFNjaGVtZSBOYW1lOgogICAgICBCZWFyZXIK CiAgIFBvaW50ZXIgdG8gc3BlY2lmaWNhdGlvbiB0ZXh0OgogICAgICBbWyB0aGlzIGRvY3VtZW50 IF1dCgogICBOb3RlcyAob3B0aW9uYWwpOgogICAgICAobm9uZSkKCgo2LiAgUmVmZXJlbmNlcwoK Ni4xLiAgTm9ybWF0aXZlIFJlZmVyZW5jZXMKCiAgIFtJLUQuaWV0Zi1odHRwYmlzLXAxLW1lc3Nh Z2luZ10KICAgICAgICAgICAgICBGaWVsZGluZywgUi4sIEdldHR5cywgSi4sIE1vZ3VsLCBKLiwg TmllbHNlbiwgSC4sCiAgICAgICAgICAgICAgTWFzaW50ZXIsIEwuLCBMZWFjaCwgUC4sIEJlcm5l cnMtTGVlLCBULiwgTGFmb24sIFkuLCBhbmQKICAgICAgICAgICAgICBKLiBSZXNjaGtlLCAiSFRU UC8xLjEsIHBhcnQgMTogVVJJcywgQ29ubmVjdGlvbnMsIGFuZAogICAgICAgICAgICAgIE1lc3Nh Z2UgUGFyc2luZyIsIGRyYWZ0LWlldGYtaHR0cGJpcy1wMS1tZXNzYWdpbmctMTcgKHdvcmsKICAg ICAgICAgICAgICBpbiBwcm9ncmVzcyksIE9jdG9iZXIgMjAxMS4KCiAgIFtJLUQuaWV0Zi1odHRw YmlzLXA3LWF1dGhdCiAgICAgICAgICAgICAgRmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1 bCwgSi4sIE5pZWxzZW4sIEguLAogICAgICAgICAgICAgIE1hc2ludGVyLCBMLiwgTGVhY2gsIFAu LCBCZXJuZXJzLUxlZSwgVC4sIExhZm9uLCBZLiwgYW5kCiAgICAgICAgICAgICAgSi4gUmVzY2hr ZSwgIkhUVFAvMS4xLCBwYXJ0IDc6IEF1dGhlbnRpY2F0aW9uIiwKICAgICAgICAgICAgICBkcmFm dC1pZXRmLWh0dHBiaXMtcDctYXV0aC0xNyAod29yayBpbiBwcm9ncmVzcyksCiAgICAgICAgICAg ICAgT2N0b2JlciAyMDExLgoKICAgW0ktRC5pZXRmLW9hdXRoLXYyXQogICAgICAgICAgICAgIEhh bW1lci1MYWhhdiwgRS4sIFJlY29yZG9uLCBELiwgYW5kIEQuIEhhcmR0LCAiVGhlIE9BdXRoCiAg ICAgICAgICAgICAgMi4wIEF1dGhvcml6YXRpb24gUHJvdG9jb2wiLCBkcmFmdC1pZXRmLW9hdXRo LXYyLTIyICh3b3JrCiAgICAgICAgICAgICAgaW4gcHJvZ3Jlc3MpLCBTZXB0ZW1iZXIgMjAxMS4K CiAgIFtSRkMyMTE5XSAgQnJhZG5lciwgUy4sICJLZXkgd29yZHMgZm9yIHVzZSBpbiBSRkNzIHRv IEluZGljYXRlCgoKCkpvbmVzLCBldCBhbC4gICAgICAgICAgICAgRXhwaXJlcyBKdW5lIDE0LCAy MDEyICAgICAgICAgICAgICAgIFtQYWdlIDE0XQoMCkludGVybmV0LURyYWZ0ICAgICAgICAgICBP QXV0aCAyLjAgQmVhcmVyIFRva2VucyAgICAgICAgICAgRGVjZW1iZXIgMjAxMQoKCiAgICAgICAg ICAgICAgUmVxdWlyZW1lbnQgTGV2ZWxzIiwgQkNQIDE0LCBSRkMgMjExOSwgTWFyY2ggMTk5Ny4K CiAgIFtSRkMyMjQ2XSAgRGllcmtzLCBULiBhbmQgQy4gQWxsZW4sICJUaGUgVExTIFByb3RvY29s IFZlcnNpb24gMS4wIiwKICAgICAgICAgICAgICBSRkMgMjI0NiwgSmFudWFyeSAxOTk5LgoKICAg W1JGQzM5ODZdICBCZXJuZXJzLUxlZSwgVC4sIEZpZWxkaW5nLCBSLiwgYW5kIEwuIE1hc2ludGVy LCAiVW5pZm9ybQogICAgICAgICAgICAgIFJlc291cmNlIElkZW50aWZpZXIgKFVSSSk6IEdlbmVy aWMgU3ludGF4IiwgU1REIDY2LAogICAgICAgICAgICAgIFJGQyAzOTg2LCBKYW51YXJ5IDIwMDUu CgogICBbUkZDNTIzNF0gIENyb2NrZXIsIEQuIGFuZCBQLiBPdmVyZWxsLCAiQXVnbWVudGVkIEJO RiBmb3IgU3ludGF4CiAgICAgICAgICAgICAgU3BlY2lmaWNhdGlvbnM6IEFCTkYiLCBTVEQgNjgs IFJGQyA1MjM0LCBKYW51YXJ5IDIwMDguCgogICBbUkZDNTI0Nl0gIERpZXJrcywgVC4gYW5kIEUu IFJlc2NvcmxhLCAiVGhlIFRyYW5zcG9ydCBMYXllciBTZWN1cml0eQogICAgICAgICAgICAgIChU TFMpIFByb3RvY29sIFZlcnNpb24gMS4yIiwgUkZDIDUyNDYsIEF1Z3VzdCAyMDA4LgoKICAgW1JG QzYxMjVdICBTYWludC1BbmRyZSwgUC4gYW5kIEouIEhvZGdlcywgIlJlcHJlc2VudGF0aW9uIGFu ZAogICAgICAgICAgICAgIFZlcmlmaWNhdGlvbiBvZiBEb21haW4tQmFzZWQgQXBwbGljYXRpb24g U2VydmljZSBJZGVudGl0eQogICAgICAgICAgICAgIHdpdGhpbiBJbnRlcm5ldCBQdWJsaWMgS2V5 IEluZnJhc3RydWN0dXJlIFVzaW5nIFguNTA5CiAgICAgICAgICAgICAgKFBLSVgpIENlcnRpZmlj YXRlcyBpbiB0aGUgQ29udGV4dCBvZiBUcmFuc3BvcnQgTGF5ZXIKICAgICAgICAgICAgICBTZWN1 cml0eSAoVExTKSIsIFJGQyA2MTI1LCBNYXJjaCAyMDExLgoKICAgW1czQy5SRUMtaHRtbDQwMS0x OTk5MTIyNF0KICAgICAgICAgICAgICBKYWNvYnMsIEkuLCBSYWdnZXR0LCBELiwgYW5kIEEuIEhv cnMsICJIVE1MIDQuMDEKICAgICAgICAgICAgICBTcGVjaWZpY2F0aW9uIiwgV29ybGQgV2lkZSBX ZWIgQ29uc29ydGl1bQogICAgICAgICAgICAgIFJlY29tbWVuZGF0aW9uIFJFQy1odG1sNDAxLTE5 OTkxMjI0LCBEZWNlbWJlciAxOTk5LAogICAgICAgICAgICAgIDxodHRwOi8vd3d3LnczLm9yZy9U Ui8xOTk5L1JFQy1odG1sNDAxLTE5OTkxMjI0Pi4KCjYuMi4gIEluZm9ybWF0aXZlIFJlZmVyZW5j ZXMKCiAgIFtOSVNUODAwLTYzXQogICAgICAgICAgICAgIEJ1cnIsIFcuLCBEb2Rzb24sIEQuLCBQ ZXJsbmVyLCBSLiwgUG9saywgVC4sIEd1cHRhLCBTLiwKICAgICAgICAgICAgICBhbmQgRS4gTmFi YnVzLCAiTklTVCBTcGVjaWFsIFB1YmxpY2F0aW9uIDgwMC02My0xLAogICAgICAgICAgICAgIElO Rk9STUFUSU9OIFNFQ1VSSVRZIiwgRGVjZW1iZXIgMjAwOC4KCiAgIFtSRkMyNjE2XSAgRmllbGRp bmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIEZyeXN0eWssIEguLAogICAgICAgICAgICAg IE1hc2ludGVyLCBMLiwgTGVhY2gsIFAuLCBhbmQgVC4gQmVybmVycy1MZWUsICJIeXBlcnRleHQK ICAgICAgICAgICAgICBUcmFuc2ZlciBQcm90b2NvbCAtLSBIVFRQLzEuMSIsIFJGQyAyNjE2LCBK dW5lIDE5OTkuCgogICBbUkZDMjYxN10gIEZyYW5rcywgSi4sIEhhbGxhbS1CYWtlciwgUC4sIEhv c3RldGxlciwgSi4sIExhd3JlbmNlLCBTLiwKICAgICAgICAgICAgICBMZWFjaCwgUC4sIEx1b3Rv bmVuLCBBLiwgYW5kIEwuIFN0ZXdhcnQsICJIVFRQCiAgICAgICAgICAgICAgQXV0aGVudGljYXRp b246IEJhc2ljIGFuZCBEaWdlc3QgQWNjZXNzIEF1dGhlbnRpY2F0aW9uIiwKICAgICAgICAgICAg ICBSRkMgMjYxNywgSnVuZSAxOTk5LgoKCkFwcGVuZGl4IEEuICBBY2tub3dsZWRnZW1lbnRzCgog ICBUaGUgZm9sbG93aW5nIHBlb3BsZSBjb250cmlidXRlZCB0byBwcmVsaW1pbmFyeSB2ZXJzaW9u cyBvZiB0aGlzCiAgIGRvY3VtZW50OiBCbGFpbmUgQ29vayAoQlQpLCBCcmlhbiBFYXRvbiAoR29v Z2xlKSwgWWFyb24gWS4gR29sYW5kCgoKCkpvbmVzLCBldCBhbC4gICAgICAgICAgICAgRXhwaXJl cyBKdW5lIDE0LCAyMDEyICAgICAgICAgICAgICAgIFtQYWdlIDE1XQoMCkludGVybmV0LURyYWZ0 ICAgICAgICAgICBPQXV0aCAyLjAgQmVhcmVyIFRva2VucyAgICAgICAgICAgRGVjZW1iZXIgMjAx MQoKCiAgIChNaWNyb3NvZnQpLCBCcmVudCBHb2xkbWFuIChGYWNlYm9vayksIFJhZmZpIEtyaWtv cmlhbiAoVHdpdHRlciksCiAgIEx1a2UgU2hlcGFyZCAoRmFjZWJvb2spLCBhbmQgQWxsZW4gVG9t IChZYWhvbyEpLiAgVGhlIGNvbnRlbnQgYW5kCiAgIGNvbmNlcHRzIHdpdGhpbiBhcmUgYSBwcm9k dWN0IG9mIHRoZSBPQXV0aCBjb21tdW5pdHksIHRoZSBXUkFQCiAgIGNvbW11bml0eSwgYW5kIHRo ZSBPQXV0aCBXb3JraW5nIEdyb3VwLgoKICAgVGhlIE9BdXRoIFdvcmtpbmcgR3JvdXAgaGFzIGRv emVucyBvZiB2ZXJ5IGFjdGl2ZSBjb250cmlidXRvcnMgd2hvCiAgIHByb3Bvc2VkIGlkZWFzIGFu ZCB3b3JkaW5nIGZvciB0aGlzIGRvY3VtZW50LCBpbmNsdWRpbmc6IE1pY2hhZWwKICAgQWRhbXMs IEFtYW5kYSBBbmdhbmVzLCBBbmRyZXcgQXJub3R0LCBEaXJrIEJhbGZhbnosIEpvaG4gQnJhZGxl eSwKICAgQnJpYW4gQ2FtcGJlbGwsIExlYWggQ3VsdmVyLCBCaWxsIGRlIGhPcmEsIEJyaWFuIEVs bGluLCBJZ29yCiAgIEZheW5iZXJnLCBTdGVwaGVuIEZhcnJlbGwsIEdlb3JnZSBGbGV0Y2hlciwg VGltIEZyZWVtYW4sIEV2YW4KICAgR2lsYmVydCwgWWFyb24gWS4gR29sYW5kLCBUaG9tYXMgSGFy ZGpvbm8sIEp1c3RpbiBIYXJ0LCBQaGlsIEh1bnQsCiAgIEpvaG4gS2VtcCwgRXJhbiBIYW1tZXIt TGFoYXYsIENoYXNlbiBMZSBIYXJhLCBCYXJyeSBMZWliYSwgTWljaGFlbCBCLgogICBKb25lcywg VG9yc3RlbiBMb2RkZXJzdGVkdCwgRXZlIE1hbGVyLCBKYW1lcyBNYW5nZXIsIExhdXJlbmNlIE1p YW8sCiAgIFdpbGxpYW0gSi4gTWlsbHMsIENodWNrIE1vcnRpbW9yZSwgQW50aG9ueSBOYWRhbGlu LCBKdWxpYW4gUmVzY2hrZSwKICAgSnVzdGluIFJpY2hlciwgUGV0ZXIgU2FpbnQtQW5kcmUsIE5h dCBTYWtpbXVyYSwgUm9iIFNheXJlLCBNYXJpdXMKICAgU2N1cnRlc2N1LCBOYWl0aWsgU2hhaCwg SnVzdGluIFNtaXRoLCBKZXJlbXkgU3VyaWVsLCBDaHJpc3RpYW4KICAgU3R1ZWJuZXIsIFBhdWwg VGFyamFuLCBIYW5uZXMgVHNjaG9mZW5pZywgRnJhbmtsaW4gVHNlLCBhbmQgU2hhbmUKICAgV2Vl ZGVuLgoKCkFwcGVuZGl4IEIuICBEb2N1bWVudCBIaXN0b3J5CgogICBbWyB0byBiZSByZW1vdmVk IGJ5IHRoZSBSRkMgZWRpdG9yIGJlZm9yZSBwdWJsaWNhdGlvbiBhcyBhbiBSRkMgXV0KCiAgIC0x NQoKICAgbyAgQ2xhcmlmaWVkIHRoYXQgZm9ybS1lbmNvZGVkIGNvbnRlbnQgbXVzdCBjb25zaXN0 IGVudGlyZWx5IG9mIEFTQ0lJCiAgICAgIGNoYXJhY3RlcnMuCgogICBvICBBZGRlZCBUTFMgdmVy c2lvbiByZXF1aXJlbWVudHMuCgogICBvICBBcHBsaWVkIGVkaXRvcmlhbCBpbXByb3ZlbWVudHMg c3VnZ2VzdGVkIGJ5IE1hcmsgTm90dGluZ2hhbSBkdXJpbmcKICAgICAgdGhlIEFQUFMgYXJlYSBy ZXZpZXcuCgogICAtMTQKCiAgIG8gIENoYW5nZXMgbWFkZSBpbiByZXNwb25zZSB0byByZXZpZXcg Y29tbWVudHMgYnkgU2VjdXJpdHkgQXJlYQogICAgICBEaXJlY3RvciBTdGVwaGVuIEZhcnJlbGwu ICBTcGVjaWZpY2FsbHk6CgogICBvICBTdHJlbmd0aGVuZWQgd2FybmluZ3MgYWJvdXQgcGFzc2lu ZyBhbiBhY2Nlc3MgdG9rZW4gYXMgYSBxdWVyeQogICAgICBwYXJhbWV0ZXIgYW5kIG1vcmUgcHJl Y2lzZWx5IGRlc2NyaWJlZCB0aGUgbGltaXRhdGlvbnMgcGxhY2VkIHVwb24KICAgICAgdGhlIHVz ZSBvZiB0aGlzIG1ldGhvZC4KCiAgIG8gIENsYXJpZmllZCB0aGF0IHRoZSAicmVhbG0iIGF0dHJp YnV0ZSBNQVkgaW5jbHVkZWQgdG8gaW5kaWNhdGUgdGhlCiAgICAgIHNjb3BlIG9mIHByb3RlY3Rp b24gaW4gdGhlIG1hbm5lciBkZXNjcmliZWQgaW4gSFRUUC8xLjEsIFBhcnQgNwogICAgICBbSS1E LmlldGYtaHR0cGJpcy1wNy1hdXRoXS4KCgoKCgpKb25lcywgZXQgYWwuICAgICAgICAgICAgIEV4 cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAgICAgICBbUGFnZSAxNl0KDApJbnRlcm5ldC1E cmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJlciBUb2tlbnMgICAgICAgICAgIERlY2VtYmVy IDIwMTEKCgogICBvICBOb3JtYXRpdmVseSBzdGF0ZWQgdGhhdCAidGhlIHRva2VuIGludGVncml0 eSBwcm90ZWN0aW9uIE1VU1QgYmUKICAgICAgc3VmZmljaWVudCB0byBwcmV2ZW50IHRoZSB0b2tl biBmcm9tIGJlaW5nIG1vZGlmaWVkIi4KCiAgIG8gIEFkZGVkIHN0YXRlbWVudCB0aGF0ICJUTFMg aXMgbWFuZGF0b3J5IHRvIGltcGxlbWVudCBhbmQgdXNlIHdpdGgKICAgICAgdGhpcyBzcGVjaWZp Y2F0aW9uIiB0byB0aGUgaW50cm9kdWN0aW9uLgoKICAgbyAgU3RhdGVkIHRoYXQgVExTIE1VU1Qg YmUgdXNlZCB3aXRoICJhIGNpcGhlcnN1aXRlIHRoYXQgcHJvdmlkZXMKICAgICAgY29uZmlkZW50 aWFsaXR5IGFuZCBpbnRlZ3JpdHkgcHJvdGVjdGlvbiIuCgogICBvICBBZGRlZCAiQXMgYSBmdXJ0 aGVyIGRlZmVuc2UgYWdhaW5zdCB0b2tlbiBkaXNjbG9zdXJlLCB0aGUgY2xpZW50CiAgICAgIE1V U1QgdmFsaWRhdGUgdGhlIFRMUyBjZXJ0aWZpY2F0ZSBjaGFpbiB3aGVuIG1ha2luZyByZXF1ZXN0 cyB0bwogICAgICBwcm90ZWN0ZWQgcmVzb3VyY2VzIiB0byB0aGUgVGhyZWF0IE1pdGlnYXRpb24g c2VjdGlvbi4KCiAgIG8gIENsYXJpZmllZCB0aGF0IHB1dHRpbmcgYSB2YWxpZGl0eSB0aW1lIGZp ZWxkIGluc2lkZSB0aGUgcHJvdGVjdGVkCiAgICAgIHBhcnQgb2YgdGhlIHRva2VuIGlzIG9uZSBt ZWFucywgYnV0IG5vdCB0aGUgb25seSBtZWFucywgb2YKICAgICAgbGltaXRpbmcgdGhlIGxpZmV0 aW1lIG9mIHRoZSB0b2tlbi4KCiAgIG8gIERyb3BwZWQgdGhlIGNvbmZ1c2luZyBwaHJhc2UgImZv ciBpbnN0YW5jZSwgdGhyb3VnaCB0aGUgdXNlIG9mCiAgICAgIFRMUyIgZnJvbSB0aGUgc2VudGVu Y2UgYWJvdXQgY29uZmlkZW50aWFsaXR5IHByb3RlY3Rpb24gb2YgdGhlCiAgICAgIGV4Y2hhbmdl cy4KCiAgIG8gIFJlZmVyZW5jZSBSRkMgNjEyNSBmb3IgaWRlbnRpdHkgdmVyaWZpY2F0aW9uLCBy YXRoZXIgdGhhbiBSRkMKICAgICAgMjgxOC4KCiAgIG8gIFN0YXRlZCB0aGF0IHRoZSB0b2tlbiBN VVNUIGJlIHByb3RlY3RlZCBiZXR3ZWVuIGZyb250IGVuZCBhbmQgYmFjawogICAgICBlbmQgc2Vy dmVycyB3aGVuIHRoZSBUTFMgY29ubmVjdGlvbiB0ZXJtaW5hdGVzIGF0IGEgZnJvbnQgZW5kCiAg ICAgIHNlcnZlciB0aGF0IGlzIGRpc3RpbmN0IGZyb20gdGhlIGFjdHVhbCBzZXJ2ZXIgdGhhdCBw cm92aWRlcyB0aGUKICAgICAgcmVzb3VyY2UuCgogICBvICBTdGF0ZWQgdGhhdCBiZWFyZXIgdG9r ZW5zIE1VU1Qgbm90IGJlIHN0b3JlZCBpbiBjb29raWVzIHRoYXQgY2FuCiAgICAgIGJlIHNlbnQg aW4gdGhlIGNsZWFyIGluIHRoZSBUaHJlYXQgTWl0aWdhdGlvbiBzZWN0aW9uLgoKICAgbyAgUmVw bGFjZWQgc29sZSByZW1haW5pbmcgcmVmZXJlbmNlIHRvIFtSRkMyNjE2XSB3aXRoIEhUVFBiaXMK ICAgICAgW0ktRC5pZXRmLWh0dHBiaXMtcDEtbWVzc2FnaW5nXSByZWZlcmVuY2UuCgogICBvICBS ZXBsYWNlZCBhbGwgcmVmZXJlbmNlcyB3aGVyZSB0aGUgcmVmZXJlbmNlIGlzIHVzZWQgYXMgaWYg aXQgd2VyZQogICAgICBwYXJ0IG9mIHRoZSBzZW50ZW5jZSAoc3VjaCBhcyAiZGVmaW5lZCBieSBb SS1ELndoYXRldmVyXSIpIHdpdGgKICAgICAgb25lcyB3aGVyZSB0aGUgc3BlY2lmaWNhdGlvbiBu YW1lIGlzIHVzZWQsIGZvbGxvd2VkIGJ5IHRoZQogICAgICByZWZlcmVuY2UgKHN1Y2ggYXMgImRl ZmluZWQgYnkgV2hhdGV2ZXIgW0ktRC53aGF0ZXZlcl0iKS4KCiAgIG8gIE90aGVyIG9uLW5vcm1h dGl2ZSBlZGl0b3JpYWwgaW1wcm92ZW1lbnRzLgoKICAgLTEzCgogICBvICBBdCB0aGUgcmVxdWVz dCBvZiBIYW5uZXMgVHNjaG9mZW5pZywgbWFkZSBBQk5GIGNoYW5nZXMgdG8gbWFrZSBpdAogICAg ICBjbGVhciB0aGF0IG5vIHNwZWNpYWwgV1dXLUF1dGhlbnRpY2F0ZSByZXNwb25zZSBoZWFkZXIg ZmllbGQKICAgICAgcGFyc2VycyBhcmUgbmVlZGVkLiAgVGhlICJzY29wZSIsICJlcnJvci1kZXNj cmlwdGlvbiIsIGFuZAogICAgICAiZXJyb3ItdXJpIiBwYXJhbWV0ZXJzIGFyZSBhbGwgbm93IGRl ZmluZWQgYXMgcXVvdGVkLXN0cmluZyBpbiB0aGUKCgoKSm9uZXMsIGV0IGFsLiAgICAgICAgICAg ICBFeHBpcmVzIEp1bmUgMTQsIDIwMTIgICAgICAgICAgICAgICAgW1BhZ2UgMTddCgwKSW50ZXJu ZXQtRHJhZnQgICAgICAgICAgIE9BdXRoIDIuMCBCZWFyZXIgVG9rZW5zICAgICAgICAgICBEZWNl bWJlciAyMDExCgoKICAgICAgQUJORiAoYXMgImVycm9yIiBhbHJlYWR5IHdhcykuICBSZXN0cmlj dGlvbnMgb24gdGhlc2UgdmFsdWVzIHRoYXQKICAgICAgd2VyZSBmb3JtZXJseSBkZXNjcmliZWQg aW4gdGhlIEFCTkZzIGFyZSBub3cgZGVzY3JpYmVkIGluCiAgICAgIG5vcm1hdGl2ZSB0ZXh0IGlu c3RlYWQuCgogICAtMTIKCiAgIG8gIE1hZGUgbm9uLW5vcm1hdGl2ZSBlZGl0b3JpYWwgY2hhbmdl cyB0aGF0IEhhbm5lcyBUc2Nob2ZlbmlnCiAgICAgIHJlcXVlc3RlZCBiZSBhcHBsaWVkIHByaW9y IHRvIGZvcndhcmRpbmcgdGhlIHNwZWNpZmljYXRpb24gdG8gdGhlCiAgICAgIElFU0cuCgogICBv ICBBZGRlZCByYXRpb25hbGUgZm9yIHRoZSBjaG9pY2Ugb2YgdGhlIGI2NHRva2VuIHN5bnRheC4K CiAgIG8gIEFkZGVkIHJhdGlvbmFsZSBzdGF0aW5nIHRoYXQgcmVjZWl2ZXJzIGFyZSBmcmVlIHRv IHBhcnNlIHRoZQogICAgICAic2NvcGUiIGF0dHJpYnV0ZSB1c2luZyBhIHN0YW5kYXJkIHF1b3Rl ZC1zdHJpbmcgcGFyc2VyLCBzaW5jZSBpdAogICAgICB3aWxsIGNvcnJlY3RseSBwcm9jZXNzIGFs bCBsZWdhbCAic2NvcGUiIHZhbHVlcy4KCiAgIG8gIEFkZGVkIGFkZGl0aW9uYWwgYWN0aXZlIHdv cmtpbmcgZ3JvdXAgY29udHJpYnV0b3JzIHRvIHRoZQogICAgICBBY2tub3dsZWRnZW1lbnRzIHNl Y3Rpb24uCgogICAtMTEKCiAgIG8gIFJlcGxhY2VkIHVzZXMgb2YgPCI+IHdpdGggRFFVT1RFIHRv IHBhc3MgQUJORiBzeW50YXggY2hlY2suCgogICAtMTAKCiAgIG8gIFJlbW92ZWQgdGhlICNhdXRo LXBhcmFtIG9wdGlvbiBmcm9tIEF1dGhvcml6YXRpb24gaGVhZGVyIHN5bnRheAogICAgICAobGVh dmluZyBvbmx5IHRoZSBiNjR0b2tlbiBzeW50YXgpLgoKICAgbyAgUmVzdHJpY3RlZCB0aGUgInNj b3BlIiB2YWx1ZSBjaGFyYWN0ZXIgc2V0IHRvICV4MjEgLyAleDIzLTVCIC8KICAgICAgJXg1RC03 RSAocHJpbnRhYmxlIEFTQ0lJIGNoYXJhY3RlcnMgZXhjbHVkaW5nIGRvdWJsZS1xdW90ZSBhbmQK ICAgICAgYmFja3NsYXNoKS4gIEluZGljYXRlZCB0aGF0IHNjb3BlIGlzIGludGVuZGVkIGZvciBw cm9ncmFtbWF0aWMgdXNlCiAgICAgIGFuZCBpcyBub3QgbWVhbnQgdG8gYmUgZGlzcGxheWVkIHRv IGVuZCB1c2Vycy4KCiAgIG8gIFJlc3RyaWN0ZWQgdGhlIGNoYXJhY3RlciBzZXQgZm9yICJlcnJv cl9kZXNjcmlwdGlvbiIgc3RyaW5ncyB0byBTUAogICAgICAvIFZDSEFSIGFuZCBpbmRpY2F0ZWQg dGhhdCB0aGV5IGFyZSBub3QgbWVhbnQgdG8gYmUgZGlzcGxheWVkIHRvCiAgICAgIGVuZCB1c2Vy cy4KCiAgIG8gIEluY2x1ZGVkIG1vcmUgZGVzY3JpcHRpb24gaW4gdGhlIEFic3RyYWN0LCBzaW5j ZSBIYW5uZXMgVHNjaG9mZW5pZwogICAgICBpbmRpY2F0ZWQgdGhhdCB0aGUgUkZDIGVkaXRvciB3 b3VsZCByZXF1aXJlIHRoaXMuCgogICBvICBDaGFuZ2VkICJBY2Nlc3MgR3JhbnQiIHRvICJBdXRo b3JpemF0aW9uIEdyYW50IiwgYXMgd2FzIGRvbmUgaW4KICAgICAgdGhlIGNvcmUgc3BlYy4KCiAg IG8gIFNpbXBsaWZpZWQgdGhlIGludHJvZHVjdGlvbiB0byB0aGUgQXV0aGVudGljYXRlZCBSZXF1 ZXN0cyBzZWN0aW9uLgoKICAgLTA5CgoKCgoKSm9uZXMsIGV0IGFsLiAgICAgICAgICAgICBFeHBp cmVzIEp1bmUgMTQsIDIwMTIgICAgICAgICAgICAgICAgW1BhZ2UgMThdCgwKSW50ZXJuZXQtRHJh ZnQgICAgICAgICAgIE9BdXRoIDIuMCBCZWFyZXIgVG9rZW5zICAgICAgICAgICBEZWNlbWJlciAy MDExCgoKICAgbyAgSW5jb3Jwb3JhdGVkIHdvcmtpbmcgZ3JvdXAgbGFzdCBjYWxsIGNvbW1lbnRz LiAgU3BlY2lmaWMgY2hhbmdlcwogICAgICB3ZXJlOgoKICAgbyAgVXNlIGRlZmluaXRpb25zIGZy b20gW0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aF0gcmF0aGVyIHRoYW4KICAgICAgW1JGQzI2MTdd LgoKICAgbyAgVXBkYXRlIGNyZWRlbnRpYWxzIGRlZmluaXRpb24gdG8gY29uZm9ybSB0bwogICAg ICBbSS1ELmlldGYtaHR0cGJpcy1wNy1hdXRoXS4KCiAgIG8gIEZ1cnRoZXIgY2xhcmlmaWVkIHRo YXQgcXVlcnkgcGFyYW1ldGVycyBtYXkgb2NjdXIgaW4gYW55IG9yZGVyLgoKICAgbyAgU3BlY2lm eSB0aGF0IGVycm9yX2Rlc2NyaXB0aW9uIGlzIFVURi04IGVuY29kZWQgKG1hdGNoaW5nIHRoZSBj b3JlCiAgICAgIHNwZWNpZmljYXRpb24pLgoKICAgbyAgUmVnaXN0ZXJlZCAiQmVhcmVyIiBBdXRo ZW50aWNhdGlvbiBTY2hlbWUgaW4gQXV0aGVudGljYXRpb24gU2NoZW1lCiAgICAgIFJlZ2lzdHJ5 IGRlZmluZWQgYnkgW0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aF0uCgogICBvICBVcGRhdGVkIHJl ZmVyZW5jZXMgdG8gb2F1dGgtdjIsIGh0dHBiaXMtcDEtbWVzc2FnaW5nLCBhbmQgaHR0cGJpcy0K ICAgICAgcDctYXV0aCBkcmFmdHMuCgogICBvICBPdGhlciB3b3JkaW5nIGltcHJvdmVtZW50cyBu b3QgaW50cm9kdWNpbmcgbm9ybWF0aXZlIGNoYW5nZXMuCgogICAtMDgKCiAgIG8gIFVwZGF0ZWQg cmVmZXJlbmNlcyB0byBvYXV0aC12MiBhbmQgSFRUUGJpcyBkcmFmdHMuCgogICAtMDcKCiAgIG8g IEFkZGVkIG1pc3NpbmcgY29tbWEgaW4gZXJyb3IgcmVzcG9uc2UgZXhhbXBsZS4KCiAgIC0wNgoK ICAgbyAgQ2hhbmdlZCBwYXJhbWV0ZXIgbmFtZSAiYmVhcmVyX3Rva2VuIiB0byAiYWNjZXNzX3Rv a2VuIiwgcGVyCiAgICAgIHdvcmtpbmcgZ3JvdXAgY29uc2Vuc3VzLgoKICAgbyAgQ2hhbmdlZCBI VFRQIHN0YXR1cyBjb2RlIGZvciAiaW52YWxpZF9yZXF1ZXN0IiBlcnJvciBjb2RlIGZyb20KICAg ICAgSFRUUCA0MDEgKFVuYXV0aG9yaXplZCkgYmFjayB0byBIVFRQIDQwMCAoQmFkIFJlcXVlc3Qp LCBwZXIgaW5wdXQKICAgICAgZnJvbSBIVFRQIHdvcmtpbmcgZ3JvdXAgZXhwZXJ0cy4KCiAgIC0w NQoKICAgbyAgUmVtb3ZlZCBPQXV0aCBFcnJvcnMgUmVnaXN0cnksIHBlciBkZXNpZ24gdGVhbSBp bnB1dC4KCiAgIG8gIENoYW5nZWQgSFRUUCBzdGF0dXMgY29kZSBmb3IgImludmFsaWRfcmVxdWVz dCIgZXJyb3IgY29kZSBmcm9tCiAgICAgIEhUVFAgNDAwIChCYWQgUmVxdWVzdCkgdG8gSFRUUCA0 MDEgKFVuYXV0aG9yaXplZCkgdG8gbWF0Y2ggSFRUUAogICAgICB1c2FnZSBbWyBjaGFuZ2UgcGVu ZGluZyB3b3JraW5nIGdyb3VwIGNvbnNlbnN1cyBdXS4KCgoKCgpKb25lcywgZXQgYWwuICAgICAg ICAgICAgIEV4cGlyZXMgSnVuZSAxNCwgMjAxMiAgICAgICAgICAgICAgICBbUGFnZSAxOV0KDApJ bnRlcm5ldC1EcmFmdCAgICAgICAgICAgT0F1dGggMi4wIEJlYXJlciBUb2tlbnMgICAgICAgICAg IERlY2VtYmVyIDIwMTEKCgogICBvICBBZGRlZCBtaXNzaW5nIHF1b3RhdGlvbiBtYXJrcyBpbiBl cnJvci11cmkgZGVmaW5pdGlvbi4KCiAgIG8gIEFkZGVkIG5vdGUgdG8gYWRkIGxhbmd1YWdlIGFu ZCBlbmNvZGluZyBpbmZvcm1hdGlvbiB0bwogICAgICBlcnJvcl9kZXNjcmlwdGlvbiBpZiB0aGUg Y29yZSBzcGVjaWZpY2F0aW9uIGRvZXMuCgogICBvICBFeHBsaWNpdGx5IHJlZmVyZW5jZSB0aGUg QXVnbWVudGVkIEJhY2t1cy1OYXVyIEZvcm0gKEFCTkYpIGRlZmluZWQKICAgICAgaW4gW1JGQzUy MzRdLgoKICAgbyAgVXNlIGF1dGgtcGFyYW0gaW5zdGVhZCBvZiByZXBlYXRpbmcgaXRzIGRlZmlu aXRpb24sIHdoaWNoIGlzICgKICAgICAgdG9rZW4gIj0iICggdG9rZW4gLyBxdW90ZWQtc3RyaW5n ICkgKS4KCiAgIG8gIENsYXJpZnkgc2VjdXJpdHkgY29uc2lkZXJhdGlvbnMgYWJvdXQgaW5jbHVk aW5nIGFuIGF1ZGllbmNlCiAgICAgIHJlc3RyaWN0aW9uIGluIHRoZSB0b2tlbiBhbmQgaW5jbHVk ZSBhIHJlY29tbWVuZGF0aW9uIHRvIGlzc3VlCiAgICAgIHNjb3BlZCBiZWFyZXIgdG9rZW5zIGlu IHRoZSBzdW1tYXJ5IG9mIHJlY29tbWVuZGF0aW9ucy4KCiAgIC0wNAoKICAgbyAgRWRpdHMgcmVz cG9uZGluZyB0byB3b3JraW5nIGdyb3VwIGxhc3QgY2FsbCBmZWVkYmFjayBvbiAtMDMuCiAgICAg IFNwZWNpZmljIGVkaXRzIGVudW1lcmF0ZWQgYmVsb3cuCgogICBvICBBZGRlZCBCZWFyZXIgVG9r ZW4gZGVmaW5pdGlvbiBpbiBUZXJtaW5vbG9neSBzZWN0aW9uLgoKICAgbyAgQ2hhbmdlZCBwYXJh bWV0ZXIgbmFtZSAib2F1dGhfdG9rZW4iIHRvICJiZWFyZXJfdG9rZW4iLgoKICAgbyAgQWRkZWQg cmVhbG0gcGFyYW1ldGVyIHRvICJXV1ctQXV0aGVudGljYXRlIiByZXNwb25zZSB0byBjb21wbHkK ICAgICAgd2l0aCBbUkZDMjYxN10uCgogICBvICBSZW1vdmVkICJbIFJXUyAxI2F1dGgtcGFyYW0g XSIgZnJvbSAiY3JlZGVudGlhbHMiIGRlZmluaXRpb24gc2luY2UKICAgICAgaXQgZGlkIG5vdCBj b21wbHkgd2l0aCB0aGUgQUJORiBpbiBbSS1ELmlldGYtaHR0cGJpcy1wNy1hdXRoXS4KCiAgIG8g IFJlbW92ZWQgcmVzdHJpY3Rpb24gdGhhdCB0aGUgImJlYXJlcl90b2tlbiIgKGZvcm1lcmx5CiAg ICAgICJvYXV0aF90b2tlbiIpIHBhcmFtZXRlciBiZSB0aGUgbGFzdCBwYXJhbWV0ZXIgaW4gdGhl IGVudGl0eS1ib2R5CiAgICAgIGFuZCB0aGUgSFRUUCByZXF1ZXN0IFVSSSBxdWVyeS4KCiAgIG8g IERvIG5vdCByZXF1aXJlIFdXVy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgaW4gYSByZXBseSB0byBh IG1hbGZvcm1lZAogICAgICByZXF1ZXN0LCBhcyBhbiBIVFRQIDQwMCBCYWQgUmVxdWVzdCByZXNw b25zZSB3aXRob3V0IGEgV1dXLQogICAgICBBdXRoZW50aWNhdGUgaGVhZGVyIGlzIGxpa2VseSB0 aGUgcmlnaHQgcmVzcG9uc2UgaW4gc29tZSBjYXNlcyBvZgogICAgICBtYWxmb3JtZWQgcmVxdWVz dHMuCgogICBvICBSZW1vdmVkIE9BdXRoIFBhcmFtZXRlcnMgcmVnaXN0cnkgZXh0ZW5zaW9uLgoK ICAgbyAgTnVtZXJvdXMgZWRpdG9yaWFsIGltcHJvdmVtZW50cyBzdWdnZXN0ZWQgYnkgd29ya2lu ZyBncm91cAogICAgICBtZW1iZXJzLgoKICAgLTAzCgogICBvICBSZXN0b3JlZCB0aGUgV1dXLUF1 dGhlbnRpY2F0ZSByZXNwb25zZSBoZWFkZXIgZnVuY3Rpb25hbGl0eQogICAgICBkZWxldGVkIGZy b20gdGhlIGZyYW1ld29yayBzcGVjaWZpY2F0aW9uIGluIGRyYWZ0IDEyIGJhc2VkIHVwb24KCgoK Sm9uZXMsIGV0IGFsLiAgICAgICAgICAgICBFeHBpcmVzIEp1bmUgMTQsIDIwMTIgICAgICAgICAg ICAgICAgW1BhZ2UgMjBdCgwKSW50ZXJuZXQtRHJhZnQgICAgICAgICAgIE9BdXRoIDIuMCBCZWFy ZXIgVG9rZW5zICAgICAgICAgICBEZWNlbWJlciAyMDExCgoKICAgICAgdGhlIHNwZWNpZmljYXRp b24gdGV4dCBmcm9tIGRyYWZ0IDExLgoKICAgbyAgQXVnbWVudGVkIHRoZSBPQXV0aCBQYXJhbWV0 ZXJzIHJlZ2lzdHJ5IGJ5IGFkZGluZyB0d28gYWRkaXRpb25hbAogICAgICBwYXJhbWV0ZXIgdXNh Z2UgbG9jYXRpb25zOiAicmVzb3VyY2UgcmVxdWVzdCIgYW5kICJyZXNvdXJjZQogICAgICByZXNw b25zZSIuCgogICBvICBSZWdpc3RlcmVkIHRoZSAib2F1dGhfdG9rZW4iIE9BdXRoIHBhcmFtZXRl ciB3aXRoIHVzYWdlIGxvY2F0aW9uCiAgICAgICJyZXNvdXJjZSByZXF1ZXN0Ii4KCiAgIG8gIFJl Z2lzdGVyZWQgdGhlICJlcnJvciIgT0F1dGggcGFyYW1ldGVyLgoKICAgbyAgQ3JlYXRlZCB0aGUg T0F1dGggRXJyb3IgcmVnaXN0cnkgYW5kIHJlZ2lzdGVyZWQgZXJyb3JzLgoKICAgbyAgQ2hhbmdl ZCB0aGUgIk9BdXRoMiIgT0F1dGggYWNjZXNzIHRva2VuIHR5cGUgbmFtZSB0byAiQmVhcmVyIi4K CiAgIC0wMgoKICAgbyAgSW5jb3Jwb3JhdGVkIGZlZWRiYWNrIHJlY2VpdmVkIG9uIGRyYWZ0IDAx LiAgTW9zdCBjaGFuZ2VzIHdlcmUgdG8KICAgICAgdGhlIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25z IHNlY3Rpb24uICBObyBub3JtYXRpdmUgY2hhbmdlcyB3ZXJlCiAgICAgIG1hZGUuICBTcGVjaWZp YyBjaGFuZ2VzIGluY2x1ZGVkOgoKICAgbyAgQ2hhbmdlZCB0ZXJtaW5vbG9neSBmcm9tICJ0b2tl biByZXVzZSIgdG8gInRva2VuIGNhcHR1cmUgYW5kCiAgICAgIHJlcGxheSIuCgogICBvICBSZW1v dmVkIHNlbnRlbmNlICJFbmNyeXB0aW5nIHRoZSB0b2tlbiBjb250ZW50cyBpcyBhbm90aGVyCiAg ICAgIGFsdGVybmF0aXZlIiBmcm9tIHRoZSBzZWN1cml0eSBjb25zaWRlcmF0aW9ucyBzaW5jZSBp dCB3YXMKICAgICAgcmVkdW5kYW50IGFuZCBwb3RlbnRpYWxseSBjb25mdXNpbmcuCgogICBvICBD b3JyZWN0ZWQgc29tZSByZWZlcmVuY2VzIHRvICJyZXNvdXJjZSBzZXJ2ZXIiIHRvIGJlCiAgICAg ICJhdXRob3JpemF0aW9uIHNlcnZlciIgaW4gdGhlIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25zLgoK ICAgbyAgR2VuZXJhbGl6ZWQgc2VjdXJpdHkgY29uc2lkZXJhdGlvbnMgbGFuZ3VhZ2UgYWJvdXQg b2J0YWluaW5nCiAgICAgIGNvbnNlbnQgb2YgdGhlIHJlc291cmNlIG93bmVyLgoKICAgbyAgQnJv YWRlbmVkIHNjb3BlIG9mIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25zIGRlc2NyaXB0aW9uIGZvcgog ICAgICByZWNvbW1lbmRhdGlvbiAiRG9uJ3QgcGFzcyBiZWFyZXIgdG9rZW5zIGluIHBhZ2UgVVJM cyIuCgogICBvICBSZW1vdmVkIHVudXNlZCByZWZlcmVuY2UgdG8gT0F1dGggMS4wLgoKICAgbyAg VXBkYXRlZCByZWZlcmVuY2UgdG8gZnJhbWV3b3JrIHNwZWNpZmljYXRpb24gYW5kIHVwZGF0ZWQg RGF2aWQKICAgICAgUmVjb3Jkb24ncyBlLW1haWwgYWRkcmVzcy4KCiAgIG8gIFJlbW92ZWQgc2Vj dXJpdHkgY29uc2lkZXJhdGlvbnMgdGV4dCBvbiBhdXRoZW50aWNhdGluZyBjbGllbnRzLgoKICAg byAgUmVnaXN0ZXJlZCB0aGUgIk9BdXRoMiIgT0F1dGggYWNjZXNzIHRva2VuIHR5cGUgYW5kICJv YXV0aF90b2tlbiIKICAgICAgcGFyYW1ldGVyLgoKICAgLTAxCgoKCkpvbmVzLCBldCBhbC4gICAg ICAgICAgICAgRXhwaXJlcyBKdW5lIDE0LCAyMDEyICAgICAgICAgICAgICAgIFtQYWdlIDIxXQoM CkludGVybmV0LURyYWZ0ICAgICAgICAgICBPQXV0aCAyLjAgQmVhcmVyIFRva2VucyAgICAgICAg ICAgRGVjZW1iZXIgMjAxMQoKCiAgIG8gIEZpcnN0IHB1YmxpYyBkcmFmdCwgd2hpY2ggaW5jb3Jw b3JhdGVzIGZlZWRiYWNrIHJlY2VpdmVkIG9uIC0wMAogICAgICBpbmNsdWRpbmcgZW5oYW5jZWQg U2VjdXJpdHkgQ29uc2lkZXJhdGlvbnMgY29udGVudC4gIFRoaXMgdmVyc2lvbgogICAgICBpcyBp bnRlbmRlZCB0byBhY2NvbXBhbnkgT0F1dGggMi4wIGRyYWZ0IDExLgoKICAgLTAwCgogICBvICBJ bml0aWFsIGRyYWZ0IGJhc2VkIG9uIHByZWxpbWluYXJ5IHZlcnNpb24gb2YgT0F1dGggMi4wIGRy YWZ0IDExLgoKCkF1dGhvcnMnIEFkZHJlc3NlcwoKICAgTWljaGFlbCBCLiBKb25lcwogICBNaWNy b3NvZnQKCiAgIEVtYWlsOiBtYmpAbWljcm9zb2Z0LmNvbQogICBVUkk6ICAgaHR0cDovL3NlbGYt aXNzdWVkLmluZm8vCgoKICAgRGljayBIYXJkdAogICBpbmRlcGVuZGVudAoKICAgRW1haWw6IGRp Y2suaGFyZHRAZ21haWwuY29tCiAgIFVSSTogICBodHRwOi8vZGlja2hhcmR0Lm9yZy8KCgogICBE YXZpZCBSZWNvcmRvbgogICBGYWNlYm9vawoKICAgRW1haWw6IGRyQGZiLmNvbQogICBVUkk6ICAg aHR0cDovL3d3dy5kYXZpZHJlY29yZG9uLmNvbS8KCgoKCgoKCgoKCgoKCgoKCgoKCgoKSm9uZXMs IGV0IGFsLiAgICAgICAgICAgICBFeHBpcmVzIEp1bmUgMTQsIDIwMTIgICAgICAgICAgICAgICAg W1BhZ2UgMjJdCgwK --_007_4E1F6AAD24975D4BA5B16804296739435F763122TK5EX14MBXC283r_ Content-Type: application/pdf; name="draft-ietf-oauth-v2-bearer-15 preliminary.pdf" Content-Description: draft-ietf-oauth-v2-bearer-15 preliminary.pdf Content-Disposition: attachment; filename="draft-ietf-oauth-v2-bearer-15 preliminary.pdf"; size=169692; creation-date="Mon, 12 Dec 2011 16:33:14 GMT"; modification-date="Mon, 12 Dec 2011 16:06:35 GMT" Content-Transfer-Encoding: base64 JVBERi0xLjQKMSAwIG9iago8PAovVGl0bGUgKP7/AFQAaABlACAATwBBAHUAdABoACAAMgAuADAA IABBAHUAdABoAG8AcgBpAHoAYQB0AGkAbwBuACAAUAByAG8AdABvAGMAbwBsADoAIABCAGUAYQBy AGUAcgAgAFQAbwBrAGUAbgBzKQovQ3JlYXRvciAo/v8pCi9Qcm9kdWNlciAo/v8AdwBrAGgAdABt AGwAdABvAHAAZABmKQovQ3JlYXRpb25EYXRlIChEOjIwMTExMjEyMTcwNjI0KzAxJzAwJykKPj4K ZW5kb2JqCjMgMCBvYmoKPDwKL1R5cGUgL0V4dEdTdGF0ZQovU0EgdHJ1ZQovU00gMC4wMgovY2Eg MS4wCi9DQSAxLjAKL0FJUyBmYWxzZQovU01hc2sgL05vbmU+PgplbmRvYmoKNCAwIG9iagpbL1Bh dHRlcm4gL0RldmljZVJHQl0KZW5kb2JqCjEwIDAgb2JqClswIC9YWVogNDcuNTE5OTk5OSAgCjY4 OC44Nzk5OTkgIDBdCmVuZG9iagoxMSAwIG9iagpbMCAvWFlaIDQ3LjUxOTk5OTkgIAo1NzQuNjM5 OTk5ICAwXQplbmRvYmoKMTIgMCBvYmoKWzAgL1hZWiA0Ny41MTk5OTk5ICAKNDc5LjU5OTk5OSAg MF0KZW5kb2JqCjEzIDAgb2JqClswIC9YWVogNDcuNTE5OTk5OSAgCjE1MS4yNzk5OTkgIDBdCmVu ZG9iagoxNCAwIG9iagpbMCAvWFlaIDQ3LjUxOTk5OTkgIAozMTkuMjc5OTk5ICAwXQplbmRvYmoK MTUgMCBvYmoKWzAgL1hZWiA0Ny41MTk5OTk5ICAKMTgxLjAzOTk5OSAgMF0KZW5kb2JqCjE2IDAg b2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNTIyLjcyMDAwMCAgNzgy Ljk1OTk5OSAgNTQzLjg0MDAwMCAgNzkwLjYzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAv ZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGll dGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3RvYwo+PgplbmRvYmoKMTcgMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs3OC4yMzk5OTk5ICAxMTQu Nzk5OTk5ICA4OC43OTk5OTk5ICAxMjUuMzU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9m aWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0 ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yMQo+PgplbmRvYmoKMTgg MCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5OTk5ICAx MDMuMjc5OTk5ICAxMTQuNzE5OTk5ICAxMTMuODM5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0 IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJk aWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yMgo+PgplbmRvYmoK MTkgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5OTk5 ICA5MS43NTk5OTk5ICAxMTQuNzE5OTk5ICAxMDIuMzE5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yMwo+PgplbmRv YmoKMjAgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5 OTk5ICA4MC4yMzk5OTk5ICAxMTQuNzE5OTk5ICA5MC43OTk5OTk5IF0KL0JvcmRlciBbMCAwIDBd Ci9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRy YWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yNAo+Pgpl bmRvYmoKMjEgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs3OC4y Mzk5OTk5ICA2OC43MTk5OTk5ICA4OC43OTk5OTk5ICA3OS4yNzk5OTk5IF0KL0JvcmRlciBbMCAw IDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMy ZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yNQo+ PgplbmRvYmoKMjIgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5 My41OTk5OTk5ICA1Ny4xOTk5OTk5ICAxMTQuNzE5OTk5ICA2Ny43NTk5OTk5IF0KL0JvcmRlciBb MCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRp ciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYXV0aHoj MmRoZWFkZXIKPj4KZW5kb2JqCjIzIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGlu awovUmVjdCBbOTMuNTk5OTk5OSAgNDUuNjc5OTk5OSAgMTE0LjcxOTk5OSAgNTYuMjM5OTk5OSBd Ci9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRl bXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRt bCMyM2JvZHkjMmRwYXJhbQo+PgplbmRvYmoKMjQgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0 eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5OTk5ICAzNC4xNTk5OTk5ICAxMTQuNzE5OTk5ICA0NC43 MTk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1w IzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIu aHRtbC5odG1sIzIzcXVlcnkjMmRwYXJhbQo+PgplbmRvYmoKNSAwIG9iago8PAovVHlwZSAvUGFn ZQovUGFyZW50IDIgMCBSCi9Db250ZW50cyAyNSAwIFIKL1Jlc291cmNlcyAyNyAwIFIKL0Fubm90 cyAyOCAwIFIKL01lZGlhQm94IFswIDAgNTk1IDg0Ml0KPj4KZW5kb2JqCjI3IDAgb2JqCjw8Ci9D b2xvclNwYWNlIDw8Ci9QQ1NwIDQgMCBSCi9DU3AgL0RldmljZVJHQgovQ1NwZyAvRGV2aWNlR3Jh eQo+PgovRXh0R1N0YXRlIDw8Ci9HU2EgMyAwIFIKPj4KL1BhdHRlcm4gPDwKPj4KL0ZvbnQgPDwK L0Y2IDYgMCBSCi9GNyA3IDAgUgovRjggOCAwIFIKL0Y5IDkgMCBSCj4+Ci9YT2JqZWN0IDw8Cj4+ Cj4+CmVuZG9iagoyOCAwIG9iagpbIDE2IDAgUiAxNyAwIFIgMTggMCBSIDE5IDAgUiAyMCAwIFIg MjEgMCBSIDIyIDAgUiAyMyAwIFIgMjQgMCBSIF0KZW5kb2JqCjI1IDAgb2JqCjw8Ci9MZW5ndGgg MjYgMCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp4nO1dy27kuBXd11doHcBuUW8B wQB+BsgigNEGshhkEfSkJxi0B3Fmkd+PVKUqU/eIOuQtSla52+6ZttkSeXnfL7I+/eXzP5Nf/0g+ 3X3+T/Jl+Pvu8y69Tsv28JWk3feVPZA113mW9l9JY/Lrqt6PfnnZvSavu6fdU/f//u/X3XHWdP/9 x5ffd58O6w1P9aMvu6atutnT1OTdr9/sX02emvq66n7uxlP5a//wv3d//1Py++xSp3+5LtLhy/mz /d7rzmTXzX7c7CcVv3b7zeqk/2OyxFTJf/+1+9rta8nlinTd9eqkKNbd3qrr1Ull1t3equvVSd2s u71V16uTtlx3e6uuVyemW2vV/a27YLfBrF15gzMLVmneZqasGufP9oJ5PixQJCZtTLU3WJ0ty4uy N1BpWvbjnaFsDtaqqUzRw94vPh7P6uvsOH6c55tj/t7efbVgbvPhy/nzCOYRbIU5WNIXsVZ5gBNg s8ftvRzn+eaYX8IcCc8OmF0wuOiyBJ6naf0ixn3wPM0bLl4aw3z01lpwiDyEpertcNP/MeVRVJ58 Xjyub/bf9qqHkc93f+s8t/8lWfLX7r/fkp//0b33i+W/4Yu3z7tPj1W31eT5a3JY6Orw1/MB0Ku8 TZ5/Sf7cw/FT8vzbrvcjh4FsP1C/DeT7geZtoJBPHOZ4eB55sA6wagdYnZ4BqGoJVSWhymegKuUr lXyl3g8UbwONfKLdD7RnTXojn7iVc9zJAYDjXtIAlgXAHuTAYwwqFZlFJpMK9BjgJrkTcyBkOQM4 oEfS3uSR+K2sjjMWlEbAb8CRQBK6EZjUlHKgklwtVzG1xA4wTxR09YR/w5ckPDC5aSl6JOEHshYz TyyztY4T6jwmJ8hXzA1laXgCBAewA8wjOQEhlToBJjW3VIDvpu3DHBwUH/gKsDm8AvgASO/DZQe4 to4lO28cJkXaQ2k+yFfC8RVNVNrTEo8CqiyVuv1RAgG2ELSCQ9kHsSjYGLCFXDXLSTMjnsjkKxmI G8xRyFekhsNVilgM2LqJEK6vkLIRlKBL1Z7PsyatxzSJgM+3ORUSnYFdB74HVURdT8Sww7eKgNCs iI/Q05wZ6GWuqEEaG4oMGIii7HvsFCY+dk5zok/IeQewIwMbRBf3b7mKBH23iIq0wk+fYF7+Gw2w 5ybbE64L+6spwhlTJldZlh03ewDUAJINqDxj+TWOwDZLJWmM5Y/XMHEjXXZcG1ZqAZgb+cgthzcS dHcwcnDwjIUI6SgNdspYSjIFgGFtmAWWNkhKue3BCzH1HLy4JwAG10YWwWcAmlLOC08gmWChCeTh nhC8+yklqJaqsik6qSpLt1QhOmqACfcG85hJ5a2GO8/qDu6mGSvpWX5GfA823iKSZJjBP55jZ6QQ TCKXwVkRycgcGjmHlYaI054X9BK+dM8161ncbFMJFn+Apazk2xsjHToC0n2VZvrnsd3iz3vYsrBF B47uDNmUY1IlVz1Xj/W8kUSwEHMgfyP5oZTYBa56e8VAPrqZwC1afU9bPy3TbdKZkCld1KdDy6NI u9LWjWQnnrbm9tSatJ7GyEyOZpCgmWwSznEjV7mVtIM57uQrkMeG3T7QzQE+ANJHBhgwlccqACnQ Vu52sChQPShmUAgYk68YWBYghb3AHHz7QGzAKbwCT4TvdpDtub0AB3FCAVtSLhzcJ9sOgGjLgcHD glml+xCmYIqiGmkYSgYjtQMyDOd1IBRHcjgnI4+BIMMAB51CevQFLfsN3g+gDHYHT8AyraTDjXxi MhmjMUCn3DKaBuAXIAtsjVsT/gpocSA+1ydASdAWQASYNJyBgExRxNg0rU0n4DhQSVhmAQwCrbnO loRzrXLeZrOyGDFluP7FvQHbcsFX6IoYDgy8Aq4WV4Qf2mDD5u7lKhwfD5KRV0EQLstRyN1ojqAI Lh+yNtA2gknPOBmiGb1TIuWd/AiNx8PdCE5I2C0HHQDj8SEP9j6QzecqCUM5Lk88PuRuZnh4PFRD TJAR4wEAYFmRDZDLora4eD/gTL3WBSW2YlvCleDZEnQKgQpU9SFpOQPBKjx5Np2gDzcmRXryzKlD A+gBJ2CZEKKpbTgxH8GtDw8OQZlAMzB376gOm9BQNCuqcIEyRzvhB/WqHTbtPJ7L02rEdLAqwKXw ChQ5UE44BfNvJTMCSp5COiFR3HHglQi5uwx6Y6k19nDXFKELD8K5QwOgUwPlEdxwcwygP8QyYaY5 A18Kf49rIO688QTVzRt6PlbdtCjNmK/sYoOsiqLCg7rpgRfnSq2FJPqdfOVGTgqvwLKZmGPg5yIA Dqc/AH4IBjXvVvQtGtHVFbfom8mDIB5+FvdEuPmWkw59qtYAVE88VAVYNB7nRqiTg+0BKfLxRAFU tYk/N6lejrhOoeQlGQBBYODR4vNwkofKwA7ULkwQitsjngcCvzJGlmeRpF+494qhGxcpRdqDi2V4 EiOT1THoVnbV2q05wHu7jeaszS27COgQH1pe0VlWrE84fZ8Gh/OtIvTn+oRqOgz9Y6RRgW9pRQBt A6pgRS5oCXURQ8Fuhf0RMJiDk5+7BjxtQ1voNGwInjKtZaE4AIIczfpze1F4BrIgBAyDhJK7BUhX ShyX7VjTP4JC9c18RTA4WelcA6SWl5i49lDoBprA9Shu8FIfeHQ8JuROsEfXEDgX4OLz8nGM5CLP ONGmXY/66Q8TvYCJ5h0IWzWv7+VdLqTYi3ykUXkiivtBoA0Ukuzr00UwJ4W/dCBhuUOvKG5+55we JZOnMPzcFMCAtMB5KibNDRtArc1B509wugCz84Ix9zWBUDxagYwiTMpTe9I0eiB5CcbFZd9HowAc 8ZI91bFC+ENJUY2jKFMvwqYX7CdiBprHHo4bq+bQHl5NUHTNecReOU244yQ+pImRIaOZfgTeAwO8 OsCjb4VoKrLyMSJnRdORR9SvcCBovTGbvDZJYzGaU+cX14dyayjcvE/fd2tzvK4Qf8jWAKlpTgR3 y72n8N4wTIHwhM8qKbELMkua6ILqIA860P54j/278ghz8ecivRa8xMDbuxUdmfyVGAdZYnSoRjiy tTEvPYI5aU8ByGb8fP4Kt3wAGKcCV2zhNSqfJhkFw1CJ8mgSUthkxek6fqothuxTa6ny4RcxyooS G+8iCxehXGanohRdYrSJK9qqeO0v/LwZmPV88tZXhcqtsuOV3T/aVCMYmPCGQU1LpdwuBufAt0A6 Rf4q/K6DXJIf3R5OS5gU8vKKk11w+Yrs/oNVXPe1fMCjB1XZjjFpXdkGhwIGfrUGoIFRXtkGZwAG 8YRb/+AWw5mjB0eJngEVJ4HDCHB3XD5BZFCzyx0jqE63ckOjKI9+MOikzhuar/Az6HhfB4T21DVR CCgMcGuk6MnyaFoD14THehEyDJqDlDEazbm55v1CMe5s4/cCctdDcQui4vymIsaMQbnNZOAoQjTX q/EIcqWem7q1tTZc5KXx9xbR2rEiiDotnXDySIdqD48bBiRjRyuI17n7NoUYF7duVyJXOV2Xw6c1 Kc7PR8gLXfBxokWONmzWK8rbYLbM4fMIIFgE3Rmev0T+uJjjdznwKSCI12kXudpJIchqTo5gK4qZ 2sVma50Yqr1TnyTtcdQEUfQU0+X0OHp0QvGCENcOIPsyb+qRRKf9Vh6XYipS9bzqxstwCndDcQHs IsFcjDK2onGMXiaOdyooOHmdTxZY5GSpw6pHMDhV7mSGd7I3C12NnZX2bsHX8uis4hkXLhyKu/Co MdF8AITitv4Lyg3xOJMrh/CGDMVFJ5Bb9+g8XCXx59FptpWPUAFvFEBX3O67ZvYsRltyBEtQ+3/6 R4xzth5u0hKR6jKX7ygwpvh4pSXSVnrn4xJykh6drLwgyhVd+KQTu+P3GPIuhximkfeFRDhKuOEr TD+gQESwDm3uBCNKZZrH6vSeWIQjXHJz6Pbw6J/nZ1JWKQlDBQI2M5FU5KnuVVJEHmKo0EsxfOet uLlcHYanu5DbFU5IhKQJ9N6h3V4k7xQjh7ZK407EAtT5tqBJTx8ufLkVqyh10xjnuRe5c5MrLX4I cCOfRYNwcKwrrhWHyCH8jqvv3JjE0KY/3K/3cb8+bhd6U4uPzbb6ceCYM3yQONxMD53dEa6792iP RyUITegSMv6KsT7XKL0u2+ErOXahGyRUVSat6Z49EOJlV7f27992ny1CjicccwouRrjCPdmeAyqH u9LBe9Wm7VjaLJRUE2yP4HoCGQZa3+FpgWYkPWGglpwGn+560GrWCYkbOXArX7kDjSRlABUfLPM4 bQmA9fxcz1laZoU/whwDIfzedPyelW/8bjrQrIHtMXwzRpKD4cHd2oZI9NgNIvGgwW3NCawnuRX1 opqfZ/Tz4OhCnAhmwBY9vgwoeXlsykMpKHYXUoCfFd88QN9FEt8iFeJbbNheNWMkUfE1cOTt3cU3 hMTQ5gPsLC2YGVxoSPrP2UXJ4Cic8EQjhdOEXCY6KwPl+iaslCas3LoJK/1N2OBgb0kGQkgMzr+H kgepgLBECgXMYW6DOal3/mvh/NcbVqZ7aauO6mhTqnLv/Ff+mtJ4+Ong6Dii2fOcBTgmRd0pXBY3 A/t9AP0LDIwfMEA3jPlqADaaq9Osr+Ybqeabrav5E5Jc0rnpSCWAxFEEGD11CPClvEJZaJHwZzvy C5Ac88VmZlbHPUFz0CPmYWG4fILbZPBLrY+fPE8btasHXqZ78aB9Bm1kDWxUG7XMV9h04BVAYuRN qlkw8BrS1tas3L+AXCJPSGrch+EI32xuBReSl4XgtBW84yhOzqSbEJG4Q+5ChRxOn1MMppt7fc1g SqEZTgPb1AwWljxUw+bi0SAiY5ESjTnWImCWRppdbt1Rdi5UIrvv5LWjman2ZBj++vKipf5T8rT7 Pw8FJ1xlbmRzdHJlYW0KZW5kb2JqCjI2IDAgb2JqCjM2NzIKZW5kb2JqCjMxIDAgb2JqClsxIC9Y WVogNDcuNTE5OTk5OSAgCjU2Ni45NTk5OTkgIDBdCmVuZG9iagozMiAwIG9iagpbMSAvWFlaIDQ3 LjUxOTk5OTkgIAo2MDguMjQwMDAwICAwXQplbmRvYmoKMzMgMCBvYmoKWzEgL1hZWiA0Ny41MTk5 OTk5ICAKMzI1Ljk5OTk5OSAgMF0KZW5kb2JqCjM0IDAgb2JqClsxIC9YWVogNDcuNTE5OTk5OSAg CjI5Ni4yMzk5OTkgIDBdCmVuZG9iagozNSAwIG9iagpbMSAvWFlaIDQ3LjUxOTk5OTkgIAoxMjUu MzU5OTk5ICAwXQplbmRvYmoKMzYgMCBvYmoKWzEgL1hZWiA0Ny41MTk5OTk5ICAKOTUuNTk5OTk5 OSAgMF0KZW5kb2JqCjM3IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVj dCBbNzguMjM5OTk5OSAgODAzLjEyMDAwMCAgODguNzk5OTk5OSAgODEzLjY3OTk5OSBdCi9Cb3Jk ZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkz Ni5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM2F1 dGhuIzJkaGVhZGVyCj4+CmVuZG9iagozOCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzkzLjU5OTk5OTkgIDc5MS41OTk5OTkgIDExNC43MTk5OTkgIDgwMi4xNTk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZD R0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1s Lmh0bWwjMjNyZXNvdXJjZSMyZGVycm9yIzJkY29kZXMKPj4KZW5kb2JqCjM5IDAgb2JqCjw8Ci9U eXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNzguMjM5OTk5OSAgNzgwLjA3OTk5OSAg ODguNzk5OTk5OSAgNzkwLjYzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMy ZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0 aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3NlYyMyZGNvbgo+PgplbmRvYmoKNDAgMCBvYmoK PDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5OTk5ICA3NjguNTU5 OTk5ICAxMTQuNzE5OTk5ICA3NzkuMTE5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxl IzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMy ZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdGhyZWF0cwo+PgplbmRvYmoKNDEgMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5OTk5ICA3NTcu MDM5OTk5ICAxMTQuNzE5OTk5ICA3NjcuNTk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9m aWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0 ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzbWl0aWdhdGlvbgo+PgplbmRvYmoK NDIgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs5My41OTk5OTk5 ICA3NDUuNTE5OTk5ICAxMTQuNzE5OTk5ICA3NTYuMDc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yNgo+PgplbmRv YmoKNDMgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs3OC4yMzk5 OTk5ICA3MzQgIDg4Ljc5OTk5OTkgIDc0NC41NTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3Qg L2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRp ZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3I3Cj4+CmVuZG9iago0 NCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzkzLjU5OTk5OTkg IDcyMi40Nzk5OTkgIDExNC43MTk5OTkgIDczMy4wMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rl c3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQj MmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3I4Cj4+CmVuZG9i ago0NSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzEwOC45NTk5 OTkgIDcxMC45NTk5OTkgIDE0MC42Mzk5OTkgIDcyMS41MTk5OTkgXQovQm9yZGVyIFswIDAgMF0K L0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJh ZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3I5Cj4+CmVu ZG9iago0NiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzkzLjU5 OTk5OTkgIDY5OS40Mzk5OTkgIDExNC43MTk5OTkgIDcwOS45OTk5OTkgXQovQm9yZGVyIFswIDAg MF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJm ZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3IxMAo+ PgplbmRvYmoKNDcgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsx MDguOTU5OTk5ICA2ODcuOTE5OTk5ICAxNDAuNjM5OTk5ICA2OTguNDc5OTk5IF0KL0JvcmRlciBb MCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRp ciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9y MTEKPj4KZW5kb2JqCjQ4IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVj dCBbNzguMjM5OTk5OSAgNjc2LjM5OTk5OSAgODguNzk5OTk5OSAgNjg2Ljk1OTk5OSBdCi9Cb3Jk ZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkz Ni5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3Jm Yy5yZWZlcmVuY2VzMQo+PgplbmRvYmoKNDkgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBl IC9MaW5rCi9SZWN0IFs5My41OTk5OTk5ICA2NjQuODc5OTk5ICAxMTQuNzE5OTk5ICA2NzUuNDM5 OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJm Q0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRt bC5odG1sIzIzcmZjLnJlZmVyZW5jZXMxCj4+CmVuZG9iago1MCAwIG9iago8PAovVHlwZSAvQW5u b3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzkzLjU5OTk5OTkgIDY1My4zNTk5OTkgIDExNC43MTk5 OTkgIDY2My45MTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2 YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMy ZGJlYXJlci5odG1sLmh0bWwjMjNyZmMucmVmZXJlbmNlczIKPj4KZW5kb2JqCjUxIDAgb2JqCjw8 Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNzguMjM5OTk5OSAgNjQxLjgzOTk5 OSAgMTQ3LjM2MDAwMCAgNjUyLjM5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMz YSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRv YXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM2FuY2hvcjE0Cj4+CmVuZG9iago1MiAwIG9i ago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzc4LjIzOTk5OTkgIDYzMC4z MTk5OTkgIDE0Ny4zNjAwMDAgIDY0MC44Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2Zp bGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRm IzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3IxNQo+PgplbmRvYmoKNTMg MCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs3OC4yMzk5OTk5ICA2 MTguNzk5OTk5ICA4My4wMzk5OTk5ICA2MjkuMzU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0 IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJk aWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzcmZjLmF1dGhvcnMKPj4KZW5k b2JqCjU0IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNTIyLjcy MDAwMCAgNTYzLjEyMDAwMCAgNTQzLjg0MDAwMCAgNTcwLjc5OTk5OSBdCi9Cb3JkZXIgWzAgMCAw XQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZk cmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3RvYwo+PgplbmRv YmoKNTUgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsyMzkuNTE5 OTk5ICA1MTguOTU5OTk5ICAzMzkuMzYwMDAwICA1MjkuNTE5OTk5IF0KL0JvcmRlciBbMCAwIDBd Ci9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRy YWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzSSMyZEQuaWV0ZiMy ZG9hdXRoIzJkdjIKPj4KZW5kb2JqCjU2IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAv TGluawovUmVjdCBbNjcuNjc5OTk5OSAgNDA2LjYzOTk5OSAgMjQ0LjMxOTk5OSAgNDE3LjE5OTk5 OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNH SXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwu aHRtbCMyM0kjMmRELmlldGYjMmRodHRwYmlzIzJkcDEjMmRtZXNzYWdpbmcKPj4KZW5kb2JqCjU3 IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMjk3LjEyMDAwMCAg NDA2LjYzOTk5OSAgMzU1LjY4MDAwMCAgNDE3LjE5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVz dCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMy ZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM1JGQzUyNDYKPj4KZW5kb2Jq CjU4IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMzMyLjYzOTk5 OSAgMzcyLjA3OTk5OSAgNDMyLjQ4MDAwMCAgMzgyLjYzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQov RGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFm dCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0kjMmRELmlldGYjMmRv YXV0aCMyZHYyCj4+CmVuZG9iago1OSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xp bmsKL1JlY3QgWzUyMi43MjAwMDAgIDI5Mi4zOTk5OTkgIDU0My44NDAwMDAgIDMwMC4wNzk5OTkg XQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0 ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0 bWwjMjN0b2MKPj4KZW5kb2JqCjYwIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGlu awovUmVjdCBbNDEyLjMxOTk5OSAgMjM2LjcxOTk5OSAgNDcwLjg3OTk5OSAgMjQ3LjI3OTk5OSBd Ci9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRl bXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRt bCMyM1JGQzIxMTkKPj4KZW5kb2JqCjYxIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAv TGluawovUmVjdCBbNjcuNjc5OTk5OSAgMjA0LjA3OTk5OSAgMjQ0LjMxOTk5OSAgMjE0LjYzOTk5 OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNH SXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwu aHRtbCMyM0kjMmRELmlldGYjMmRodHRwYmlzIzJkcDEjMmRtZXNzYWdpbmcKPj4KZW5kb2JqCjYy IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTA1LjEyMDAwMCAg MTkyLjU1OTk5OSAgMTYzLjY4MDAwMCAgMjAzLjExOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVz dCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMy ZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM1JGQzUyMzQKPj4KZW5kb2Jq CjYzIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNzcuMjgwMDAw MCAgMTgxLjAzOTk5OSAgMjE2LjQ3OTk5OSAgMTkxLjU5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQov RGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFm dCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0kjMmRELmlldGYjMmRo dHRwYmlzIzJkcDcjMmRhdXRoCj4+CmVuZG9iago2NCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzY3LjY3OTk5OTkgIDE2OS41MTk5OTkgIDI0NC4zMTk5OTkgIDE4 MC4wNzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0 bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJl ci5odG1sLmh0bWwjMjNJIzJkRC5pZXRmIzJkaHR0cGJpcyMyZHAxIzJkbWVzc2FnaW5nCj4+CmVu ZG9iago2NSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzk0LjU2 MDAwMDAgIDE1Ny45OTk5OTkgIDE1My4xMjAwMDAgIDE2OC41NTk5OTkgXQovQm9yZGVyIFswIDAg MF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJm ZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNSRkMzOTg2Cj4+ CmVuZG9iago2NiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzUy Mi43MjAwMDAgIDkxLjc1OTk5OTkgIDU0My44NDAwMDAgIDk5LjQzOTk5OTkgXQovQm9yZGVyIFsw IDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGly IzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjN0b2MKPj4K ZW5kb2JqCjI5IDAgb2JqCjw8Ci9UeXBlIC9QYWdlCi9QYXJlbnQgMiAwIFIKL0NvbnRlbnRzIDY3 IDAgUgovUmVzb3VyY2VzIDY5IDAgUgovQW5ub3RzIDcwIDAgUgovTWVkaWFCb3ggWzAgMCA1OTUg ODQyXQo+PgplbmRvYmoKNjkgMCBvYmoKPDwKL0NvbG9yU3BhY2UgPDwKL1BDU3AgNCAwIFIKL0NT cCAvRGV2aWNlUkdCCi9DU3BnIC9EZXZpY2VHcmF5Cj4+Ci9FeHRHU3RhdGUgPDwKL0dTYSAzIDAg Ugo+PgovUGF0dGVybiA8PAo+PgovRm9udCA8PAovRjYgNiAwIFIKL0Y4IDggMCBSCi9GOSA5IDAg UgovRjMwIDMwIDAgUgo+PgovWE9iamVjdCA8PAo+Pgo+PgplbmRvYmoKNzAgMCBvYmoKWyAzNyAw IFIgMzggMCBSIDM5IDAgUiA0MCAwIFIgNDEgMCBSIDQyIDAgUiA0MyAwIFIgNDQgMCBSIDQ1IDAg UiA0NiAwIFIgNDcgMCBSIDQ4IDAgUiA0OSAwIFIgNTAgMCBSIDUxIDAgUiA1MiAwIFIgNTMgMCBS IDU0IDAgUiA1NSAwIFIgNTYgMCBSIDU3IDAgUiA1OCAwIFIgNTkgMCBSIDYwIDAgUiA2MSAwIFIg NjIgMCBSIDYzIDAgUiA2NCAwIFIgNjUgMCBSIDY2IDAgUiBdCmVuZG9iago2NyAwIG9iago8PAov TGVuZ3RoIDY4IDAgUgovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeJztXd1v3LgRf/df sc8F4oikqA+gKJA4ToE+FAhioA+HPhS5XouDfah7D/33q5W0K3F+oobiDrWSvQna2LxdcmY435wh P/75+z8O//r98PHh+38OP/p/H77fZfeZrbs/h6z5+2E8oKt7o7Pjn0OlzH1RtqM/Xu5eD6933+6+ Nf//eqeK9ov9P81/PC2RtX9///Hb3cdu8btu5PvDX5uf/nfQh780//v18NPfm8Gf+/mOH3i5q+qi gSPLlGl+fR7/qnRd6/bnZjyjvx4//O+7v/3h8NsRMH1ftcCrDsDxrx+UyVR5Xxx/uwTk1+GrzWSm 1soWlffn8cTG9PDkB1PV6v5IZ9ugbnJ7BOv4i6mz/L77saFBofL7vIFX03FdHr98HB/mefbMfyTP LyOYa9P/8f7swDyGTRXt/C3Mo7VqXbefobC54yNczvM8e+anMAvR2QOzDwbfvqSg8/Rev7jjQXSe 5g0fLwnRuTJ1S7dmeoefqzxrYWvGHRjI+Bnm0TzPnvnF+LnKte7BcXijyo3twXFhc8dHuJznefbM n4jOHph9MPj2JQWdp/f6xR0PovM0b/h4SYjOSpU2a+d3+bkZL0wLjwsDGT/DPJrn2TO/GD83c5ZF ZxhfyFpV1RIOYBuPj3E5zfPsmT8RnT0w+2Dw7UsKOk/v9QsZD6HzNG/4eMmF+eSm1eC0LPJ9iryh TEOlxts7KHv47z+bRb61rk2EA6Xav2NYuhGPA/U688XPT3cfvxYHlR2efjl0EHzo/nnqgG5AyM3h 6efDH48w/enw9Ovd0V3sB3Q7UA4Dph2ohoGcfqKb4/GpRz8NpYsq3yGli9rujtJ1XuyQ0rUtE1Ga UvcIv0L4i0aBZqb58JEsjVIr6/Hvz3ffg7ZrarFZYs1NdiKbmSSbbX7JdN1jrD61GNcDCYqBBJFx 3uvMF2dha2g3hq3fDUu3ZzSgyY6qLwQdlVP86By6bgdUvmzEkGnUQ/eRbFiJwpJ1sxRLoK24ObKv 7cAAWfZIaaJYOFgiqUeKHXxHWbKu/gQU+cyhB5ME7F83oNQMaEAB2Cxc5xMlNCys6VfoViAgmm7W wyBt0WLTiXSjDoPFxjOwRO9VR73XOJEnvaeO2aZhYHuKr3Kp5FN8I6LYDanGI3mXbbLmORoGQD5Z IehN6KyQ88LWi/1iu1sQu1ts3e7ak23TQKWr210bbnf1A2u4qBVCawi8BZYM7FRNJ41hR9bmICAR 5oK3urhMKKgS5qK8grkoqbkot24uzlTyyeu2zcWCTd6uSLM+Psoe7wACHHKSVS2IX6Qkq86IZNXb tYSVSyVeslSxPclassmrMDAKdLeKGiVEWGnECKYCyydn1wSErfGIVxe2xlNyhW0Y2KiwDVQKELYt JYQ6YVuyyWDGwEipsmPpfG4EmBwklLdblNT6kRPZgCwLGmG6TBB+fJ4JXd7UDu2CwE9pN/Abft+e BHZ6Sp3N3dcNyVcb+A2wBajMkhoI5JOsG1Ezn7nFbdEGz1zB4Blq8MzWDd6ZSj5x23TctmiTTYC4 LT+JQNuEs4IpgpMH9owAZZj1nkHaTMZGrmDdeB+d2nc8zZA5NQEHG31woBFopIRKTEJn5ZdHxBID S/Seagtj7CiszsvxwPYU3xHiMa3jNd9WdWOzAwuZSeB42HQDQ42AtrxQ8+ED64fAujfNvzXNL6Ea iyu4cwV154qtu3NFuDu3wWThkk3ecxlJRGAUkL8BOFhsQ/IdN1dtWh+Ve3XVKuqqVZt31cpwV82n 1bbtqi1hpjftqt20ekKtvjh5XFs3eVxv1/3plHJ98h8MlBxePXlcL/BteBsLZyQBCVteLEKjEwED qrP1T/+1Iqf/w8D2OLpyqeTj6K0attahX7LJeBzCV1mGHEjyR/e020HECd6/gOr1I26tScQ9DGxV QDVncjYdcS/aZHqkCeyJB/c3Cb5Ighc4azof2TbrDGxPdDoFY869VeD1Yyox5FiJr80A1jHQ6hYQ klxTbK1LuqhEGeVBSA8jJaF4phtQehihLTu4P1hlgFVzMTkqNryLlSlriUzZ7ZqjTqZsvgeZwnzD BmTKhptCk/O+KlsELsLZAV1+MclX3m7XcRJVjurR9Pj3rQpUcQ7A7PU4tCHVGJSVTkcCuIBykimo jxgAWcgIX/jNnpvOeloDt3QXkx1Z0vezy4785wNYdNmiLa+0NxBM8IoujhcODHYA9NAnukU5N6Ar qkHAR68oR36hKgXaZmo6R0k/AXYEVnmkoMMqamKPhaW29kitPUqtqU43XJz0Pbg/I2g9J/lzZ/2W kqCcNjzAASPJyMhA3xJrZiaFGyEAjop8Aic17CoAOtCDhwO+8sCSkBIIcMEBnkA8pAWd4ysLOiAH cACk/FdAZQCkABiPPgUdeR0mjSAyhRRYu7c/8JWwjJlP1HPlyjpiS+HAbQCmA/EAaWA/oWFZntdh la2IByvIvcGYWxYIZOgqwEFg64BxYRsAfV5rwxxLSqdmLVCe+QUb6FOzcAF7RKgPflIJoVSqctBf yQBDXZyiHlefPJmbQwIwMBagYOk+mC+UcUHUYVnYS1g2yebmWeHytowaz9xJAX3e4Dyyeh3EASYF IrM7F6P5eSPOOyS8Xo/w6d6eWZNQ48r6AH2DyoG3jDOuA9IjwkZFhA081QGO60RNoKR4Nwj5g999 Hn2YNIKmyyUd+QNYSkIFRbPDpUbMuOpiK8EaEAhWAVebdzYpHKZm1QUrcwEU4z3pCDNHORllX86a GD8qABdPDjbJAKhAHN57yRK42eoEBhScCoSMAQwFKomn4I7N3kYSfcGpHlkv8W07X7w7T0HXcJvw cquPhgBwiUiMS7hnQHUIkZYncZFivCFgbSlmciR8C2uMq2AlaHpV/0TC3pTGC5eARwPpI6QgmLmt Bh4xrnjE0VMSSd9vknvPZ2ISW3k7VwtShbyIiRiPQVvyfhGfGV1O5Bg/MZQLJaxJVW2NG67jFYrY PT6K4pED9cHrAliWP1eDOdZx8PlEBtCDT5dQwPD0O8Kos9oCnS0Bu3eqp5xJ0wRY5JtJElJCFyrY vF6oYRXdqIAkC2+0+FwGX3Tg8foELJDNjBfy5d7XWmVvW/FPk/jrEWaMPXYOUMoRecyIEx0Biskl j61RN+9iRe9CouBolSgyJlMRnaV7m1IasFF8bjQUl0vLi0pHGSi8d9dzmcnoPAa6IxRB14B3QWMe Uwggo6tWs+WFJIV0VTiTpjxUvwxSo3MXfbpR5hMdgGtYRHhKV1PbsMu03C1+eVoYv8BprZzLUnhd lmDOvsjXDIiR0RZ4+pLmGIY9No3J5PEiRgkygS4VB76BZmKS6OOUCxW5LV0miti7FM7StQ6Bb069 67RAjx3v1SapBHzLRBbRsWrJG6nzFqUsfDQ14JDzRnq5/riJ6WIOAmwBML7qaD9qfB2Vw/dh8LaS Zzp+X5LYfVNVrqhL+PTwCWB+iPA9Ra7gKQuXMuXtrR8D+qbDdnxxBqtzAvqkJQ7cYFkIkyWa8nav LyQMX+33gnd8nsAvuzxKhr1GYUjS2AVsytdXouskEjflmcMxt/ZSbrt31F5qu1zdoA5kCqCIjqG8 jCLE1zjs7QIMAS1dZOek80qHy7d0pzvp8t0P6DCUi/kuVOxF5jDZO4sbedmHdlK2JxMUG98Ptt3D ZLayAr0Y3kXjo9PlTSEih5bvoQNKwibpk1UPyexHEEgiZ8ZTjO+NjWi35sVBIpDkDyVSZKLeWX2G YPS1pA0zwDrspwo1zytHYWzMQV9k+iI2alseqoTqN6Ip1FXihDRNMHz/Dq/537I+Hdd8vLEbZ8sh JmdvnBW5k7aP/BXdsZlLaZG3oi+Urf2TKh52eJA2YBmQLXj0gr+UNwK7aoJjQUd2I0nuzy1NeQJW oMuZF2JeDyKd+WAGGJ41tXCPTQ7vI+W9ZzWEd1jdBQVhdFo+L5MIEoyav9JJMLuXBB9D8+WaKvJc U0AQ4/5NgyXTasBPBB0QakgDQJIU6wRhYLOQbYiRAvADSCZkh2J4PT65AFoBx7ps/v/aW8oLMb3H foJoqDBhBOcFlJENVtIoCC2IaU4Na8S6EoWnsOzECRFkOD3P4c5NMsGQvOaCq+n42uuIqzwkKuWA zmxdD5YDCBY4z/FIxNVqy/MtESnMgL3k43hALuJGXolTRc89yBI6vii9YFzpKoLN3F/e3pcyECjP OdC3ErxspZYsQp+iwX+k1gEerklRggE2KMAYSpwgszQFAsXcmbD8itE05gSDCViXbUDlC1hliofK 0tEGcv1jZX2+KjhJy/tmnYnNXj7HFzFBiYEMhZbbQg1PFLJHU5CE4/dB07eU0f8OKEtgbQ7oet5u BRxv9g/rWf/2AhEngj8KmkrT997WPo00AvAMf4C1TpnSmheeDvS48j0AI3nnHy6COJePnXiDKXcf QaU4XC5cpc6cVa77kNOcTw4hCf/sTMSJL4DONyJJZB8SlVCU7t7eDObODKaA31rps1bekYVVZeXA LjNp5RJkK2Y7Teuezo27/SBSIIV8rCzhpAiUPYvUyfOJETZBw4Me0JuS4pWygL4ziZpuiRc7gD/Y O9ZRBfNJ0YjOzmu1zFnr6r534U1LWLr8DKin+eBShVo4q5gsidq2ubMK+L05bC1/mLHKG7ASLQ/g kaH/zXMUGBiQ03WOWQPUI28LAfaAq2a2o8raV9ZGzPweVNlKiQF7sg+J9FCXGDivEnBeEVG1TWUI 5Z+/J1rg2dcAmZLQB5uRy7wzZefNxYKlgGfUlx9fBqSB+YOzKz3ngEeNSV435JszPeUPEg5UeaYg TRVMVLTBETDUA6XJDBS5A2oa7adKlyAx+IMuC+Bt2H6+2IXnOpbZ5U5Jq7ryUgzVcERMuvxyZIlL rwKC9oi6i4j0E29Al3u2AUmMJNmVrdykxQMmEXLElJzxDVl8ci0AEIGOxoCM/vL3G2NeEUmSs+Ir hCKkn/8K33m8PD/LV+q84fa7ujhZp4DmOnqDVET7XeYxG7DHBd0fBX4mX50IPQozLWy9bzIasBO7 Dg5ANyLdwla0e1PXJ1DgoGKd5la5Z7Av9D2zhh662cTTskCPCF3CFo8FhNFwo43AReISD/9s9yHk CBeHvzWJTTuJdKlH3IIice9BhO8Vgf46pem5yR1BDqgl4eOdiBBpzUIyYQFaR3/QbEcmEQ/3alyf zFrvcsw12qewc7gsbwklrjOSaEzYOAcJPA004o+YtjYBjYvG03Nj/i7NyTo3oG/LaM0B9qYNDu/1 CWi66fDY1v0f0AH0vwWEvf7JWoVS+BRKebyrPc9OkPZ1AQXdSqq2uPVM5tVg7oLZdNFiND7tCeQI n/7weHQhDJwWfqXaLafarSZE6QsaxYhijEpJFGMKd/rPBEHU5184EqjpqDWeBG3xZjoSVMaZXsEd PzS5YSpRAKz7UGByOSvIw4Sy5CxKF5tdSJnKqpQ0UW3dyujZRlaGEOPOTuAlE+MTMSDktGMZT6ai SEqmUjnTI84eTzkeodYmpEOotu6+91dazLA61AnhgOe6sDlGyKBVA74jrNSMVfNarQ8kx70AmkoF lHf1DQQjPCDxTA2YobNKI1qXzvsCydV3/0purdLwbK7c9xL2ocBza5ISxZKXKTboJtksS0kCm1n3 5ZXV3aQWv6EXX0ajANS9iZkZ6O8vSOsPDm126/iDw3op/MERNrtQJ50/mIwmnT846qTctT+Yjkyt PzhqWV7JH0yHUOsPjvb9/fiDKlNOF9Ja/qCiyhodRFlEC7ffJrn2Lt31hDm2rF1s9qG9dZaSJkpb twtlr9q7a4pORqbKbdaZwHm6Vy8+gZzplAjpNvAa7Xu0z5/YdbReJZvGdbQ2DcE713HAZh/Kp3Md U9Gkdx2t3bvyKYqkZOpcx/P0q7mOyRDqXMdh39+P61iVboeOTNwPQTwM0CLX2Uxi8/fw2mCrihbs /p8fL7HVr98O3+7+D2tbD2hlbmRzdHJlYW0KZW5kb2JqCjY4IDAgb2JqCjQ0NzUKZW5kb2JqCjcz IDAgb2JqClsyIC9YWVogNDcuNTE5OTk5OSAgCjUyMy43NTk5OTkgIDBdCmVuZG9iago3NCAwIG9i agpbMiAvWFlaIDQ3LjUxOTk5OTkgIAo3NTkuOTE5OTk5ICAwXQplbmRvYmoKNzUgMCBvYmoKWzIg L1hZWiA0Ny41MTk5OTk5ICAKMTc1LjI3OTk5OSAgMF0KZW5kb2JqCjc2IDAgb2JqClsyIC9YWVog NDcuNTE5OTk5OSAgCjcyOS4xOTk5OTkgIDBdCmVuZG9iago3NyAwIG9iagpbMiAvWFlaIDQ3LjUx OTk5OTkgIAo3NC40Nzk5OTk5ICAwXQplbmRvYmoKNzggMCBvYmoKWzIgL1hZWiA0Ny41MTk5OTk5 ICAKMTQ1LjUxOTk5OSAgMF0KZW5kb2JqCjc5IDAgb2JqClsyIC9YWVogNDcuNTE5OTk5OSAgCjQ0 LjcxOTk5OTkgIDBdCmVuZG9iago4MCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xp bmsKL1JlY3QgWzM0OC45NTk5OTkgIDc3MC40Nzk5OTkgIDQ0OC43OTk5OTkgIDc4MS4wMzk5OTkg XQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0 ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0 bWwjMjNJIzJkRC5pZXRmIzJkb2F1dGgjMmR2Mgo+PgplbmRvYmoKODEgMCBvYmoKPDwKL1R5cGUg L0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAwICA3MjUuMzU5OTk5ICA1NDMu ODQwMDAwICA3MzMuMDM5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJm IzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJk djIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iago4MiAwIG9iago8PAovVHlwZSAv QW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzIxNi40Nzk5OTkgIDI2My41OTk5OTkgIDI2Mi41 NjAwMDAgIDI3NC4xNTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYj MmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2 MiMyZGJlYXJlci5odG1sLmh0bWwjMjNGaWd1cmUjMmQxCj4+CmVuZG9iago4MyAwIG9iago8PAov VHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDE0MS42Nzk5OTkg IDU0My44NDAwMDAgIDE0OS4zNTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2Ej MmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1 dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjg0IDAgb2JqCjw8Ci9U eXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNTIyLjcyMDAwMCAgNDAuODc5OTk5OSAg NTQzLjg0MDAwMCAgNDguNTU5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMy ZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0 aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3RvYwo+PgplbmRvYmoKNzEgMCBvYmoKPDwKL1R5 cGUgL1BhZ2UKL1BhcmVudCAyIDAgUgovQ29udGVudHMgODUgMCBSCi9SZXNvdXJjZXMgODcgMCBS Ci9Bbm5vdHMgODggMCBSCi9NZWRpYUJveCBbMCAwIDU5NSA4NDJdCj4+CmVuZG9iago4NyAwIG9i ago8PAovQ29sb3JTcGFjZSA8PAovUENTcCA0IDAgUgovQ1NwIC9EZXZpY2VSR0IKL0NTcGcgL0Rl dmljZUdyYXkKPj4KL0V4dEdTdGF0ZSA8PAovR1NhIDMgMCBSCj4+Ci9QYXR0ZXJuIDw8Cj4+Ci9G b250IDw8Ci9GNiA2IDAgUgovRjkgOSAwIFIKL0Y4IDggMCBSCi9GNzIgNzIgMCBSCi9GMzAgMzAg MCBSCj4+Ci9YT2JqZWN0IDw8Cj4+Cj4+CmVuZG9iago4OCAwIG9iagpbIDgwIDAgUiA4MSAwIFIg ODIgMCBSIDgzIDAgUiA4NCAwIFIgXQplbmRvYmoKODUgMCBvYmoKPDwKL0xlbmd0aCA4NiAwIFIK L0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnic7V1Lb+Q2Er73r9B5gfHwIVESsFhgxmMv kEMAwwb2EOSwmNkkGNjBenPI31+1pHZL/ER9FJtSS448SKZdoy5WFYv1IlX8+M/Hfye//pF8vH38 b/K1/fv28SBuRFY2P4mo/nzoAlRxo5U4/iSF1Dcmr6FfXw6vyevh4fBQ/f/1IE39xfav6h9PQ4j6 zx9ffz98bAY/NJDH2x+rT38mKvmh+u978tPPFfBbi+/4wMuhKE1FhxBSV78+d3+VWhTyxlSfK7iw fz0+/NvhX39Lfj8Spm6KmnjZENj99YOqvlMev6gvIvn1/NUKmS6VzEzh/NxFrHVLT5pImedHUirK Xg46zerPIqvgpbhJRcNcYWR6/EUqG67yG9XC3/A8O/AfxfNLh+ZStz/Ozz2aO7QpoY/DNjR3xlLS 3IgB2vrwMy9nPM8O/DbNkeTsoNlFg2te5pDz8Fy/9OXmJedh3XDpUp/mZrUcF7/rc5fmSeutlIlK q4+ZLBKZ/O8/1bgPy4xssmpkpZM0V4kyetGxj1znSrq4DtdrUcqink/LfohSy3r+rTnvw886csbz 7MAfz36IMk1vBtaiKDNz/AVp68K7vJzwPDvwx7MfPTk7aHbR4JqXOeQ8PNcvFtxHzsO64dKlWHJW WZmdaO7ZYyOKkzx7trAH79jCNzzPDvwR/aFRopGb5VuM1qcApUdbD97l5YTn2YF/Jjk7aHbR4JqX OeQ8PNeWP/SS87BuuHSpT/MpLC4hSJzmgdI0UVJXfqjyAtnJDTyEBayy/tOlpYE4AtbXkS9+fjp8 vDfVgk6efkkaCj40fz01RH9QMjXJ07fk70ea/pE8fT8cw/MWoGpAfgboGlCcAan9RIPj7qllfx5J V7nDBiVdinxrktZC5duTtBa6mEnSgUnl68gXa37KKusd4kcKU4lUVFw1tKQNLVKMkKttlr9YHCph s5zVgPQM+MSekIAjtwGA474GZCNfgSeAsM/2E7cWDqltecAotjxwlDv7CXsURArTAEhhWEAKzAEO KkJpbICyRwH94PPyjvQDv2JLDEexcSgwIg6J1TYjePGnVZjXXfxIKTAHWggArrjcoMCwfEXBV8oI AmqtY1aekBY26fZUylv7CZAp1SA0n6AwoNowCl+VwAssMWrpkFsbh2r9iR6hHQTClyUwYyNVqf1E jAWjCtHTB/nFJmz6WndpbkeGhuLgX9nM0pawpD5FmLlMHSeuOAXIslH+0q0vLgUaMzmgyLAIYzgc imNgzfHgIcBZchx8WAiEYBRbtXn4iThgFKCDI41iP4zsq2FDaSfaBsXE8IprGRjy0l5jn+wnPlMc MQiDFUMNu/5iqxB3H8HhxIUmJi37k9uxW+fkudkaFfX2wPDnXtLn8TxPCScOWnNZ5+SDKnys6WRv TMLSslVL2coHT7RmYgzQzI9UduQB8Q1Mshn5yt2wFehEEUNTCFoxT2ZeeyxZnAoNC5mKKMkKLEBu 5QMclEeoCcMEmCjuO8BDcTMHOOxgHMMPECovOwC3XMoB6S1MDCQWAAgIJKfrQ0gszoMt4IV/hWsQ j7VAHlCWAk0GpHwaeIhLE3GPugxQypM3WGK++f/YVxwadGEUUKeIZ7t93bmNkDQpoZ10ScsDeYTi juxuZJ5UZmsDrwYFZGIwLFfk6dx61ylGXINHmmXTofSwkC/MZlTR0w+PpR/gKiPUihfyrgEzxzV5 967vxbu6FuFYFYLqGAa9SCpwxzWXF12Af8coMTyQLJzzAiYHeANNXqbUU5o+5RGW/jusuIy5W77p EWCSQbF5eotp5RzhxlqsFI+sY0R9Hg4HkHJDHzANfBXaX9FQ7gCZ0gTH48QEn5cYSvf+TEwMf6O1 c1qWMUq+BaQLd7el7HG7ofB0jlM6rkz00iRJ94UsqbUIyHi2K/UQR8hTD87tMtXTGGWHCCZHl7b1 5LzAE6BSYKVgXgJSINvLe8Q0c8SnHpT6RiwxPFLqzIDmOXTARQoA6vUhV/MINqbvE83jsqdXHZBb elZqj+im+opZJptXpMN9+IXnNZuA7WwMrlTXXCb8CNgjjrGA1lXXjOE8jHayspIaQ4ixvFIQGOPl h2A1jbJfY9z53ntKIwJOMrzrMh5XfjhHyt9C8N3NvfQ9BdNT3JAdYSp1n+NDc+zNwhMhqcfWdjxj uLX8LQyCYDzgDSTqoUGC6/VRAfuK3GoHbANEcVpC9yebvoLjkazF8Pv8JMcyp+32fcQr+LkoU7nk ZnZcDZozULzQNeRZ31zECzZj+Kzy7awUWE9uo+mi9FjYMLX8MCY/3h0jBeLLJd6ZlDF5bHdRvmuz vunjIbMcNE5V2bMo6808Zzw2HMEmayVPg+xbs4S57bwcFGA+wcJw78FtEC/8zrI3OX0PHdMXzkuM QIDn7mCTAcDD9Tl2Pd6hv73QnGrLnvITA0DH9DWH08DXHDUo2NgBWl/Ae66whxHPRWnjZHZ6uotC h5A/pBQa4wAn+BdeTrUBGFzwNWcTFlKBDdjPBDoiLGTonjHP66q8AB2haxi6pIBDsXPEQbgKua7z 2eemj7eOWdexlEtNn+jZvvUmOEturcVwJ9mEjAeW7fRgfDuRNT/9z50ncOthxrhM+TSAI+RTGaNv 44bTW36WEFYp3/Th6e1aHHJAcsKTJLoI/WPLC8tjpeibOno42aPLHPW3USJH8NkQ0sK56oDuZQ46 YvgX4++yB9QhoIS05Bms/axPCwh5qYAXegPe756+l3StAD5Gjsw74/KtRc4c1/VZ3mn07eJyoW8o TN9MxSjtxThTwo9PLXNkgr/R6mHHqTGclNHkyjGZ5rgNltoN2YsR2q8EAMKgY90O+CsDVqu4V10v UaxD9rZJnq5ksh2XQkwSUGYDeIrjqAmM4SiGXXIH4HBSHQD3SRCR3NNhHf6148UhALG5lfaaA8cv QUC2PPArMJVAOiAFHDC3ERTXg1sYBaYS1AEyGt8LImKslyjWwRQRhbyQdVgLYTtgFYBF9EPCHjjY Qv6KN+/bvDLrUGwvdoB+7zx2kODEeeywBxP9JzilNh2IdHqo4AFYreJedb1EsQ7lHjvsgG0D9rrD kDxiWIdMbiV2iMKt2m1hMGCPlKJHSh5XxOy2cDlbmG7FFk4SEORRfIc7YBpAteHYLyxkeAJqfQEr it4wi6PAQg6gA4YFpNA1kOsYlXpIDfYvZcZjxg6Zf+xwJeVfr9naAasALKIf+JYRrbAquu0zT1E2 onXItxc7BNRgFT9TNEuQR70YbunRPT5wwNwjK6DDdkkKkHK7Pt3vzwNYreJuv+5Q7HWHHbBtwF53 GJJHDOtgxFZihyjcyt0W7oBtA3ZbOJst1FuxhZMEBHkUFO72PKr/xGbyqFnOwQJgywdjI8YO6R47 7IBtA/Ya7GzWwWwvdgipwQa8QzM9MlCA1HGnTAdg84I+CkjnX4F9wu24xr0GuybrkO/v3+6AbQNW q7gbqDuYRIrB2zuyvLIOubQajnUa1TTDmvOw99YTEpoRODqidlqlQUMDe9jW75+faNuswh1/cN3L ua1G2/+k088gs3kpLcKQUmjAdkdxgAgNk0frkfMRpPAE0GE/0bpoPUKYPbf4FUD62RLyJC0c7UqU p3kfZ9w+39dqcke7iWErKN6Pnbaf4w2nPDrVBsgjwsWswMs8zZC1yPtKxztf8+5R/O4jmzlUyytd q8m7evEGS7T7nqvt2YXtgtL+VLbvwUph+6jzCgppIAR9nCB9s1tO4zn6WW4zhSdoX28VrZdcbpTT GPBOaY4scuySnekXw3m0cKPNwyNeMTylsaTHAuLOgtpTj2583DfQCwxCbongDfw4pbxgxO9N4Fcb BVxAHuOGKV9fOclZANJZbgJLpe7bD5AYtWuwsn26nNG2b1pE4K6sjWP5RlhAH/gYFuY614wOTAOE 45qGFwH2YuWXhY9RutpepdxZ8uIw5yWgc/F+XzT5yhz3aLruJ4hgLQuR+S/bdd0dfxn30qR99mPo 7TtqBB/lZoVGxd4OWKk7O5ZYxiHv5qQfKQCOGB38A8pSyxRZ3tGiDOmkH9BNm6dii6iUB7ezLKB4 ahnDep4PoF0nKOw6gjdGbpRof5yfu2z6PP94++NBJH8mKvmh+u978tPPFQnfutKbOGgt2yKR2eAe 3LHZeXl+McDxBjqo2higkb6UtrQ71YZiWHGgHjFWWgIcd3a4CDggggIc8JXSHtZmV30GduFEj707 iAKBceFYjE1q+0RfH2FhNRCuU9NWZF19LdPSPzjxLetMsmnL3PLEt2J4hY43/ohhbHl8N8ttOkqW PXXwKYQF3IYK88BF5ntjxCSt44FEhKK3x9ZcQME64Kqo7QaJIRencWuw2hzqSqWyWcrzpglLzg7G oR8R9hBLk65+apdJjx03sES+XkeavCd1ZQdY8+wSUFuQCjuMS1s3dt7J1xDHQeADCeG9jQQPCHAs ITc7e+yL8Dv9Au7UBVJ5Js79No+f4uwK9i3CUoHMLNsN0+/kAqUa4J9vE89Su1rk5mZXOBDDy+Sl ky4ectHTQHtJJHJJRItz7EFLIthi7lpFE/BPjQJ3DuraNRKPXqq0zgLDYq1mLUUTJOQLJQR3HaEm BK8LgNxh3DsbB0gV6LBxtHRYyy8r2x8wU/a/eSwrN7LTyX6HIy0qoyeK06FIndvyGK4Ls/G0cA2o +gM6ToYH86N1n58UtMYM+9/Unr7OjJeWUFqdiCeUPJ1VKHnZR28fz0cz8IWJQA573GARZErOKYKs zlPP6LHibCyOdRGVAJWa3uljBS4B1LCA9ANm5ZM9K6C6cjjqq9mq/iSvFXPS1FS2f319Ca1SPyQP h/8D0JRZzWVuZHN0cmVhbQplbmRvYmoKODYgMCBvYmoKMzYyNAplbmRvYmoKOTAgMCBvYmoKWzMg L1hZWiA0Ny41MTk5OTk5ICAKNDMuNzU5OTk5OSAgMF0KZW5kb2JqCjkxIDAgb2JqClszIC9YWVog NDcuNTE5OTk5OSAgCjQ1MS43NTk5OTkgIDBdCmVuZG9iago5MiAwIG9iagpbMyAvWFlaIDQ3LjUx OTk5OTkgIAo0ODEuNTE5OTk5ICAwXQplbmRvYmoKOTMgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9T dWJ0eXBlIC9MaW5rCi9SZWN0IFsxNDkuMjgwMDAwICA3ODAuMDc5OTk5ICAyODguNDgwMDAwICA3 OTAuNjM5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJm dG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFy ZXIuaHRtbC5odG1sIzIzSSMyZEQuaWV0ZiMyZGh0dHBiaXMjMmRwNyMyZGF1dGgKPj4KZW5kb2Jq Cjk0IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNjcuNjc5OTk5 OSAgNjQxLjgzOTk5OSAgMjA2Ljg3OTk5OSAgNjUyLjM5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQov RGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFm dCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0kjMmRELmlldGYjMmRo dHRwYmlzIzJkcDcjMmRhdXRoCj4+CmVuZG9iago5NSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzE0OS4yODAwMDAgIDU2MS4xOTk5OTkgIDI4OC40ODAwMDAgIDU3 MS43NTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0 bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJl ci5odG1sLmh0bWwjMjNJIzJkRC5pZXRmIzJkaHR0cGJpcyMyZHA3IzJkYXV0aAo+PgplbmRvYmoK OTYgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAw ICA0NDcuOTE5OTk5ICA1NDMuODQwMDAwICA0NTUuNTk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iago5 NyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzEyOC4xNTk5OTkg IDMzMy42Nzk5OTkgIDI5Ny4xMjAwMDAgIDM0NC4yMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rl c3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQj MmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNXM0MuUkVDIzJkaHRtbDQw MSMyZDE5OTkxMjI0Cj4+CmVuZG9iago4OSAwIG9iago8PAovVHlwZSAvUGFnZQovUGFyZW50IDIg MCBSCi9Db250ZW50cyA5OCAwIFIKL1Jlc291cmNlcyAxMDAgMCBSCi9Bbm5vdHMgMTAxIDAgUgov TWVkaWFCb3ggWzAgMCA1OTUgODQyXQo+PgplbmRvYmoKMTAwIDAgb2JqCjw8Ci9Db2xvclNwYWNl IDw8Ci9QQ1NwIDQgMCBSCi9DU3AgL0RldmljZVJHQgovQ1NwZyAvRGV2aWNlR3JheQo+PgovRXh0 R1N0YXRlIDw8Ci9HU2EgMyAwIFIKPj4KL1BhdHRlcm4gPDwKPj4KL0ZvbnQgPDwKL0Y2IDYgMCBS Ci9GOSA5IDAgUgovRjcyIDcyIDAgUgovRjggOCAwIFIKL0YzMCAzMCAwIFIKPj4KL1hPYmplY3Qg PDwKPj4KPj4KZW5kb2JqCjEwMSAwIG9iagpbIDkzIDAgUiA5NCAwIFIgOTUgMCBSIDk2IDAgUiA5 NyAwIFIgXQplbmRvYmoKOTggMCBvYmoKPDwKL0xlbmd0aCA5OSAwIFIKL0ZpbHRlciAvRmxhdGVE ZWNvZGUKPj4Kc3RyZWFtCnic7V1fj9y4DX+fT+HnA7LRP8s2UBRI9jYF+lAgSIA+HPpQ5JoeDpdD t/fQr19b9sxY/FmmrZHsmclkcbezGluiKJIiKZJ6+5dP/yz+/Ufx9vnTf4ovw+/nTwfxJMqm/1eI 9ufNuEHVT1qJ7l9RS/1kK9f65dvhtXg9fDx8bP//epDWvTj8ar88DiHczx9ffj+87Qc/9C2fnv/W fvpfoYq/tv/9Wvz0j7bx56G/7oFvh7qxLRxCSN3++dv4T6lFLZ9s+7ltF/TP7uFfDn//ofi9A0w9 1Q542QM4/vONbkQjn9rJlReB/Hp+dei9Q1bo87jjVfDZstDStgtiTVHq4r//OnxtB99saN1+VI0t 1MTQVuhGydLWwc/jobUehmrnUUs3iqjbBdem7FaxG7OslekWu21vV95K82RawBRtV1X3sms/9fNb oP+OKL6OYG708C/42YN5DJu2rn8H83gs07hnADavfTSXUz+/BfqnMCfCcwDmEAyhdcmB5+m1/ua3 L8LzNG2EaMmHOTMr1XXd/s8U9QQrHeVuA1Jo3TDGFLqUnfguZHkc5mOcRJTuZwxL3xKQiK8zL77/ fHj7wRZSFJ+/Fj0Eb/pfn3ug3+hSt3/8XPypg+nPxedfD538HxqUa6jODdo11OcGQ5/o+3j5PMby Ogn/OvOim0/TbkFT8ylVOx1RH0HRHxwoUtL5jMCvaMOPtKF0DWZmxnwfL7RBU0TTV5Rg4XjvGso1 k4M+3tEnajo5aIBOAR/QwIP+TDqVej2SYRQWyQlxSun9SY3EmJkUY+GnlvDFggEcr1QqwCyqqT1u EXaaFkYNDW0A8nlPG+jCLuCND+yw0AcdVor9hJARvhRCIvtAiYzSlKRLIXkyBKYDUgY4+E5hfWGx 4BWYHAzbsHxKO1WGPgFwjLgwfvvQhCP42fJzAVqFPgJzOXcq6V4gn1PM1pFpa2AMffY4loLu5LC1 nxtkSQDTkoCugZLfcU8oTXEK+KDDIp0CFbLcoKCPFCSljfCwHJrcpaPU3igXbmPxcFTah4MqD8jI LO+HhP3MUqK05FW2CJ3lflUDU/lUKylvIIZh0waNDl55nsTOJnt0KQnDJNk+lC9RQSohCiJoimcH YClQ4QNq21wfAT0uwRYkpQoyIUDO4kf1O5CckyjrzZEFr8COA0iGlaPTnYAd1oHX6h5m4ZTCkYJQ zWmhXigYQDC8Gkwh1+BroaswQR+gPMEGC8OIFfgI7hC26RBSmyOSqQGmqIqmwHFEGxSYm+wWMuis c/Yn3ylvawGk1CCFyWEDyCkKGOifCnC6hpKZlWua0FzQlgYkw/SB+un0oY+QNgDEvuoVAJ2+okAG U71FUWtM0SckfQJHATjAtQJr+5JsbZU8cuUdenRWEV1GrXVOOlDCVXQZNNjzFA5N+wCMaZCFAAdQ sk61Eyp7ggt8BPdrFVWNP/X7465dbDFZax+v34Gf8mp9FXPTZy2cBbaX7B9pZgieDoM6P4B65X5a AP0yEWys9Rjm4blNgFSlu6NwVSX1CCl3oDDqFGbLszJQLmi9VOigFAKtBriQwpHQStTqNCzsmLyF B9o3PAEH5fz2x6v0YPNQ7Uqz9qwGm2cTfRSGRQWVwqHBWAdlG4QhzBaU3IB/Y26hwCpizUa5hk5n dVptT1wardPObAUGBC70sU1QBOV03KN4DzMQELiuAB8gcSJEIe8NBmUiIlYHhgWBC7ONUC5zeGlR 8MMoPKSAj/WHBQsQlOS0sbEe35peBI3DvRKcwAzW++gJ2MV4HWaBpnwljLqAqICn+NOSK1fQU2wf tfR1h+9dHU/N7C6Q4ozlRJ0af+lAlwTS5uX2eg1+wXYBPAcyN+ZsiD8pZs8fc5m40l9t/jCVZf4k 6wAIChxbzK1DxI6KhAnrzy/u0qWb09r482iVTKKeAyn4o1KAiw+HTBGCnYQLY0IY1m/98TEeM+o0 bEJp3CZKeus/HCaPIAVW5iMYQD7wMfkpMMarUwB6Hv2SNzd524A30XhQebOGV/R4zW+9brhptsDM rsSbKCG30QySeVUQVy5JSByV5DzTAWtDA0+nS8Vlgl3KyJOOslP0Gn+kggEK68+pknBlgsA71IR4 FtvH+kwXeGY0idZpZlYyRUA1K+f1M4EDjV5Z0RYjaYt+RwZS8BKal8gi4OXh/aSs+LuhWN0Ivtsp A4mlq3iDY83axgiVCMUmYE1eaBnrxpMI25waLIhS2DWj9faCiUrjS/ZHNFHCFHBTljtLuu8rhimL 1P6OhEEfJ3Km2rvLt1K19dkSSCjFoUkerY73ElNq1z+uV+IiXEv8IUEWAzSPz8+41NEzhWjYy3gp zLMALB2fxhRR/oOOEhMwwKrKpt9kR6fdE/YVNdPGxVku3GKroN8D0Q66DRsIFnHuuICV+VOCBdYm 70jlRcicr+Bcmmi8rUx/9iT3gud5ub5yUEcoruLRlNTvhH5pToQSUGBBXZl7wnANQ9oDuMNGDb0k tZQ/R4ss6ZoOWUBj/wZVeiABAwaW1HuDKSvwBJ2exCAXdhhIxsNeFUwPrDWKNczIATRitah6et+D YfazHcrqmI78KB+1Wr+64TzhazkQyqQJ72oHXxilU1ceXybxs7LBEBD3tyA4CLZ16JQ/h0vBlvuU XYk5c98mlSmjmEqgSpctfW8q2FKUu4hYhRsWQbIXQaeFSiELHk72/H61uvT5CxJ/gOJYEsRSBrRB 8577yxJdttaLuzhMD41pdnWyNlcb9pTJ4WUJUhNkHe208V/iiprzvaDNjeEBbC8xCdbpXEsJ1AMr 9CXkvd4ZtQCFsO2wQa2LzbwLN+pSeijj4y8XBGQCxvjw0ywJ+Fkyf1OoFGxUfIxLI0e8cpaA1Ri2 1Cu3c4nbuVSi0FZVxbfjx/pJClPaQsqm/9R0rS2ryLr/8KWV0fapbkqjxfEr679p+z7dk93Hsn+8 8F8sj32W7snxcO1XPTSnN49wfjn8cnj/Q64qItoxvj45m1Mk8d6hK2YujvZm3CgLfHU85ycwrhbk cqTIHgUkT50WxQgPo07Cw+gp4WHMwOjtByI83FfWf9P2fR6FhxFTwsOIY5+CCo/uqx4a4QkP12d+ 4WFSVgC4K/bapwhJHrWKXxdenclyIJNiXwA4+NSQJNlm/NJtqUTfnqfKuMs4RhII6lKyDVDEBkvh wt6TpTAjVDaFPsC5RV/hG4J5phcvxbAZ2NMxMNRiZMNsofQiUi5fl5YtM4rVDNgyowvKKX1Yp1sk jRIsfcwnMTR5fx/7CipxfCo1LEXEKVUWD4m2wkfyldfmSF1ZQPvTX2DjoXsT8pYwQYqNmoSS2UP9 jgtXt3cZVnVqU6FuTqZCI6ZMhUYOan37gZgK7ivrv2n7Po+mQl1NmQp1NfRZV9RU6L7qAas8U8H1 md9UaHSIWh5+hvUKdw5DaK+MC142soc0uAw8YI/7a8ZC3l3vcmZSuV6LBU04pvAk5F1D1UQopR9Q 0Ha6Jcf4si5JSQCyNnedGbXgrDEirn06kef62bLfOyvR+Kv0MHJDDdDHwxbdLOalKT1aTaVIV0oe FelKqQlFulK6V3q7D74i3X9l/Tdt3+egSFdtT6hIt61Dn7IhirT7SgnvzSOcGyjSlTqlBD4UaWYj 2Cv8I+ZwjffLJIh/4Hd5PGPgPeZ80uQjOpao27XPynnOoGC2ERWkt/R1XRjI1ItHE57cgoMcvmpm REGajWoAitKbP9YA5OPcExy18/hYUFyLHTbPrcCqrn0S2itBdv1NmDEils+xf7hEzsSw+MbGXbRv 46rjjEg3yTZlrC9SdtKnrjtcen19vZgI60UJ8DPEFjSvylNIU1VOhTRV5RDS1H0g5lU5hDSN37R9 n0fzqpwKaWpbj33SkCb3VQ+NF9LU95nfvCqThjTtc/y6V9nILIFCt1OY9o7i15JK3EvTfozPlxE8 xUeu7nRKxwebwVEXb/etDxwb/KhNeG2xjio1L1SSbJReCJ9L5fC+hfVJb9hpgsre6YrXVqerph9R tZxUAsI1/N2XO50382wasQfxp3b7eMkwuABe4eO9+LtVeN8T9JEkIqyqfT692kxcQPuCehrrtaeN nMZ8pWfe5ZeunMjteTTc7lKfL7t/5PZHqSim9tGYwou6kTTYyLESYzsGghDmTFZ+BwG38VJt+tJb 0qRPIrx7JwHNJKlzz99hvuD+rjs67rsyRSaBeVHrGxBU/L0HGUv/3N7OLt294eeVldMBb9vsj1Xl Uxmvx12JTT8Evc4Z+Xz8BO0joWtlTsKmcKyCdgDacyAibTrR+kIxVZ6u8Hlh58abwXQqeCHiAskW cTPhPZcvTHOx0DY5zDdTGua+I/L2qtjH7x/8mUGCEuygTfKhL2ihLDXzLr2IsPak8AIbhg304S+C 4D3N4zpA7OSCCpPTl5pznTDgBhDkEM8OdbhpA0S889ctgPcEo9X5TpfWPBhBCkk18AQ0AIIgvh82 VPDzrFEWmKWUdWguGEYPSIbpA2dD2XnWRRWyk1e9AqBD6ByILUgIoXofnyGCowAcbK6CWhPSyayt vp+stDU09kj2YRoeyT7JWMzqEDnc3KHAaBTYtCh9KDoXDQtF8YE0RkHXABjAATJZr1jKObPZCHF5 8MDt+b+qxp/6Q3I+JOdCybl5mqTRPq2mOXCqvE73CtTe85brWw7mjvFX8hdwBDglohZHio3pnLcK vhf2trsF/syIa8BT3CCZI8Ab13pp9cBL7+ww3kItCOvhfVERJ/85ks7wCX5YfpQI9y48wR6wLyj7 meBAFWUSf8cNkDYf0rg+SXXBXaB8YbgruWXtu06oK43w94HHBe7JLmE04nxp6JUc9WxapujSOzCM j8IcpY7yZH3LLmV5BPrjFmhGSKfJIXjc4MyNG3mDc9kM/1B4ku8W3Mwc7szxlA2Kg+7oUzTHjLOh NKml+KCcy42nRTB8yx8wcOl49HzcTfGj+RjKAgKiHD9QvdVQJbQhSAmc+EQjRblaetmQomTjdT+c Lc1MEGfcU/DYcdHQFkTktNSPR1OlsqLJRfOdu5+Y8/vEE2pszglpIf11B+uKJQQgFT0dnBsLoot/ U9Vm4sf64yVGuK382dyE8JGizokTKbXX/a0KH2ltVjRV0us+v/CRjcg6IVcjcbTu1yd8euWnu8B0 U+XnPGAW5Wc0n5uQP73ykw0pvfJz7v5W5U+v/ORDk1N+zt1vpfxkm1Cv/IzW/QrlT39dwOk+BpA/ Q4CfHFHVOwo0xlBDfYIX+ogCJp++kDZ+bYXxZpaaWEXjX2TBL2UFmFTUF/CervYL7TU1S9smK5Yq sgglnSAlJr4B+hgcrDMNiNcRF7U/xWs7WWkd1MOvL99iPcsfi4+H/wOhd/IsZW5kc3RyZWFtCmVu ZG9iago5OSAwIG9iago0MDE5CmVuZG9iagoxMDMgMCBvYmoKWzQgL1hZWiA0Ny41MTk5OTk5ICAK Nzk5LjI3OTk5OSAgMF0KZW5kb2JqCjEwNCAwIG9iagpbNCAvWFlaIDQ3LjUxOTk5OTkgIAo0MzMu NTE5OTk5ICAwXQplbmRvYmoKMTA1IDAgb2JqCls0IC9YWVogNDcuNTE5OTk5OSAgCjQ2NC4yMzk5 OTkgIDBdCmVuZG9iagoxMDYgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9S ZWN0IFs1MjIuNzIwMDAwICA3OTUuNDM5OTk5ICA1NDMuODQwMDAwICA4MDMuMTE5OTk5IF0KL0Jv cmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUw OTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIz dG9jCj4+CmVuZG9iagoxMDcgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9S ZWN0IFs2Ny42Nzk5OTk5ICA3MzkuNzU5OTk5ICAxMjYuMjM5OTk5ICA3NTAuMzE5OTk5IF0KL0Jv cmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUw OTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIz UkZDMzk4Ngo+PgplbmRvYmoKMTA4IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGlu awovUmVjdCBbNDMxLjUxOTk5OSAgNTIxLjgzOTk5OSAgNDgzLjM1OTk5OSAgNTMyLjM5OTk5OSBd Ci9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRl bXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRt bCMyM3NlYyMyZGNvbgo+PgplbmRvYmoKMTA5IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlw ZSAvTGluawovUmVjdCBbNTIyLjcyMDAwMCAgNDI5LjY3OTk5OSAgNTQzLjg0MDAwMCAgNDM3LjM1 OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMy ZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0 bWwuaHRtbCMyM3RvYwo+PgplbmRvYmoKMTEwIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlw ZSAvTGluawovUmVjdCBbMjU3Ljc1OTk5OSAgMzQ5Ljk5OTk5OSAgMzk2Ljk1OTk5OSAgMzYwLjU1 OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMy ZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0 bWwuaHRtbCMyM0kjMmRELmlldGYjMmRodHRwYmlzIzJkcDcjMmRhdXRoCj4+CmVuZG9iagoxMTEg MCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsyMTEuNjgwMDAwICAx NjQuNzE5OTk5ICAzNTAuODc5OTk5ICAxNzUuMjc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0 IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJk aWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzSSMyZEQuaWV0ZiMyZGh0dHBi aXMjMmRwNyMyZGF1dGgKPj4KZW5kb2JqCjEwMiAwIG9iago8PAovVHlwZSAvUGFnZQovUGFyZW50 IDIgMCBSCi9Db250ZW50cyAxMTIgMCBSCi9SZXNvdXJjZXMgMTE0IDAgUgovQW5ub3RzIDExNSAw IFIKL01lZGlhQm94IFswIDAgNTk1IDg0Ml0KPj4KZW5kb2JqCjExNCAwIG9iago8PAovQ29sb3JT cGFjZSA8PAovUENTcCA0IDAgUgovQ1NwIC9EZXZpY2VSR0IKL0NTcGcgL0RldmljZUdyYXkKPj4K L0V4dEdTdGF0ZSA8PAovR1NhIDMgMCBSCj4+Ci9QYXR0ZXJuIDw8Cj4+Ci9Gb250IDw8Ci9GNiA2 IDAgUgovRjggOCAwIFIKL0Y5IDkgMCBSCi9GNzIgNzIgMCBSCi9GMzAgMzAgMCBSCj4+Ci9YT2Jq ZWN0IDw8Cj4+Cj4+CmVuZG9iagoxMTUgMCBvYmoKWyAxMDYgMCBSIDEwNyAwIFIgMTA4IDAgUiAx MDkgMCBSIDExMCAwIFIgMTExIDAgUiBdCmVuZG9iagoxMTIgMCBvYmoKPDwKL0xlbmd0aCAxMTMg MCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp4nO1dS2/kuBG+96/QOcB4xIdeQBDA 9tgBcghgjIEcFjkEs9kEC3sRZw/5+9Gru8X6RBVFkWqp3TZ2bXPUZL2rWCyWvv75+z+Sf/2efH38 /p/kR//z8fshvUuzqvtK0vr7y3BAlndKps1XUgp1lxft6I/3w0fycXg5vNT//ziIvP1g/6P+x+MS afv9+4/fDl+7xQ/dyPfHv9a//S+RyV/q/35Nfvp7PfhzP1/zwPuhrPIajjQVqv7zbfinkFVR3dVA iXo8pX82D//78Lc/JL81gMm7sgVedAAO//ySSVFmd3maFotA/jh/tJ5MVVJkeWn9fTixUj08egjZ +0HpFqw0zRLZ/5aqhga50He6fkbScVm0BJDDed4s8zfk+WUAc6X6L+vvBsxn2FTZANP++j5cKxN3 ncQUJmxk/ITLYJ43y/wU5kB0tsBsg8HGlxh0Huf1+3Dckc7jsmGTJRPm7vlG+W2/D2GepW95lmip 0kQVeU3l5L//rBd+WW9pVWVJpnUiFS7tLV25SDtaVqYW50J0clSZlCfjJ04N5nmzzB9Mi3OhOnmp TI2oodSNwUXYjPEBLqd53izzB9Nik84WmG0w2PgSg87jvH43x53oPC4bNllaVYuLekmty0RkI2p8 DCQqcKvz1qlVVadlE4/U6xyXefFz8aL9HsLSjVhc/MfEBx9eD1+f80SkyesvSQfBl+7Hawf0Fy1q +r7+nPyxgelPyeuvhyag6QdkO1CcB1Q7UJ4HNH2im+PptUc/DqWzmq/7o3RWu5I4lD5TWQ70Z/x3 I3R0eJ6lxdxFW0q1zBuhlMwbkRTiiGRFyXDfDujTgGSf6Ck3MaDSdkCI86wPMFKys3QMqW3d6ZGi HakmuPqtHcjPy2TjfD8vIzpREel5JOVmhSdkP4maAK1DOGOBNyVw3vbkY+KDrZxUSQ3jiJxkspET LY+0f6b86jWqpMwA8AcD2TiLizlzPNEBRVWdfkQC+wCOB8oKHjmY436cv8XEAEwK9IABHvRHMqlQ 84kMq7BEjkJToakq9kYZrPR5QICCA2TPFDIKiMjpAA87cArwp3BoQbFTD1R0M0J3qSgyUWSZSqrU lP8gELxQsQRBFQJlhwEPBdm4brfm3t9ul4VhuFeyD5ZVFuLS+qCsCMnJHes+mkcPUCn+4pFVIBBt KkFSQLBDIYPPoExFMSC8eQCLAnBU850hzAGrAC9pkGJjzDKVUrkwdArlEJEBdIEgwFwqZSMSQgkA 8u+gZmDKQP5B3Xk7TQFDPeRFhhddnqi8hwXkQKi+kSd8zI54DiB3QlaN3BXSBHXhpEoZkyL7QWK8 NwsLIS2Eib63K6ObQSMfoE+/kw2i5SmXTaPDAi3qNW4W3KvcxP2Z9bisX+s3BhMDqhw346CTA9bD pLBsOsqDZI0NuazkmAYNDAb4XPCGYDDoEyN2GuQQRJePMe5DBYMyPSau5BPnDHjzCJAryBI6EIiS HfdKdJmr3sSNUIgS0WHHsc62jg1kgGRIQ4hBOvwhJ7koQXXdiZCYfntKYlhziOIPgPEbHViFwiFz OgBCBhoEmwPX4HChEc5Kwwo7JHCpFXKI0YHZlGKAvkpnIGeNVPImRpU6O65iCY3BkMNeafAEhCHs ngVCGQhUUn5SVm+VJTjYcVg2WAXYIOgAxUXB/pvSQ9E5AHQFgAEcdOvoIEF0FfgIDkDAQakuIa4B qs+J2RiNyq24ALNR+AF9MLAUfZRCMDmWDNasjwDo9CMSvAcVKRQHUEL6BK4CcIBLAt4+hXAFTTyu UnLiPvAEt+MeE45dp3z5yMjjyJDdoCByfOoN4AB74bFziBJMKV2YKnQZQYXw0yHIZaM8n/wmzLGf DAeQzGGLP/9IHbeWwH6eqPARD+Vno/6AGY79JTw7zyiFKSw7Dqwvku8UujTJuCNrAK4f6t9GgoFH qtwQ+7Bnhg7eEIgGwIO/5K0/HPeBI49zmKmFKSJ8NiKAzDgIBHvai96QZYPDEeqOCyQ2FoSE2Bqp wgr5ZgwVm2aPfqS6K88u2nzGmbPicRSRdfxjUZhSxsdxwEsP4weTehwH0qoEkCkxv7JBlMR9gj/t k0+DASiuZLfffC2Uxw5VQ/QMKZ14J6oqP24/93yiGjD/r4Vd+CGkhuQkxPo0xob0JeZm6cAtnznq 6KaW3c2pC9AUji4UlTFhUcsdbzAn0N/PyQ3wBYQfkOtXCWDGdXYy49QROsTJcLzMR30eeVcIvqPs XzZyIu2QvAPA+DoZvtCYv2XgUWvDJwDZ0lyHzVmMjbZDNQ4vdDHkdMFp0DJzoVVl2gufnSUbTThw ht0FIBxTNbH+9rNSBkEg2JbhrHQhrGIY5XRsK3cj2XMKhMOihQvrsPPSYANfEsnXKjqUVfLqMl9/ HPjCG9QLWbY+DF506cihNBXw55VuKwpzzZeJeZ/sUHbrfRay0IzrlDEgsAuA1gA8pJa9xqzT5Idg Tqs8ekZIqWHBjijoyIg5oNov4UNYVf7MrxTlwMxnK8THPjApmBk25eWj3nzsy39k/ipe10N57MBT g6LxNJxvAMMcXLZl1GfF2mxp+s25zXVuMTtl7O/ArHUg2fm6AIgkn1S0BLFTYs33jKGZOVzWEl1C 6vIyZ39ZbtJ1I6f4Dhs/NunlcIDGH0PNv0yNzoLfgbmejy10FmllMvvWWIdjf4j7+GyGF0pWMLpk d/UwqYDmakF2LakyRGizvRYcgmvIzsEJc4CyFyzYg/oCHSwrmInCBhgSGTxouChvYWotzUxceDM1 f2+xUrJ6WF5xZa0fm/5QPS0DNHZMLRXpUx0Zoa1j3ypx3ogANudUZbE7JHRcZKHFXBXM8UR9K8wB foHv/EiJhP0yEVQoJNEUdsjfUOxgDgfIvvGQwQk9LcXi+3biuk90DsoI28VATeG4XIPNXJRHdOCw b53jco96cP5Y1qNIkI+22eDyUjHLVqJeICFwzuPoHyJnXhy2dRNw4earyA01dSiV8dBKj+0Jf0mL n4NPnPDHcrxWRumWBnV0sH3nRdujvPWiKhZgq5ErZeXkOgesfDLY4yOb7cba9X0bUP1C3VhDlAbw cIBt9DiR8ShG28jpwS0+4+ZYJT6znZUvtJ4iYxQ5xlW7K8zChXBi+hiNRbpXu5nWFRvL9O/v/FG2 ie+zwGAlGjuANA9wiMlfhOBPJPFeDHuq2S97kXyHUsJgRRBz6NFm3OMmwxUdYipIkgWpKS8Jb+cX GrmfuOzBcIcotPoWgDGdv8z15lXMI7qO2NdpWR0yX4UfIjUT4tbO/DtKfGVunBNsWVamJHu3m9tf EKNEbuB+C2IuFsTo9j2DAzG8aKyw0GlXhYnLKkVTPvXU4ZqBh/CmpT1AC9HGBW0wm6fGnCGfuAYi X9NbbkR7pe/MqSCb4P4W+aAoAY71qOuDJ/iLHLj35pu08D35YY6AUX8ZeNLMnNTjlU7rtPWncATs QVLIo1FG/8j37YZqJrbnBrZh4POMbOPqKAPQQgGfgKYT/JEtxBw8+vQJWBYBs1w2HIglhVRRY4CX ycAG85OyTVp4evCdXxD9OflfRj0yvSro+xng1cP5BGHCfvAUwwY8fJN2vs0PAMYaJTmnnR8jdPX/ t8Xs/Qzw5tOWzZl6wkPoosAB3pSVUwfh3ypyfBcs26X6OFpZatsqtwFuAHylx208aN8WziOHkI9S nCLpVRzOfgZ8IukYJHQInKEVHfsEGkfAFmQdbKEl8Thh6NEVsK+z4c2nbXMWRD1kZUMuiovez4CP esQg4U09LqkeWsfk7TqR43WrBzTLDUFCVugwyvFuIHBT9W2oehbXE8bYR31yVfcg4U3FoqrY5MFp lZ5erAotivdampFnBmIBk6uX6SuTEnz4miI4e+RbWXXaMdG4y+FOHd+FMkQ9oc8Llih2K5UgWo7e F1ZdtbcfB/LgUabH04Ovl/O47LhKcT2eRfPlgvxrjEJ0Ur/QtSHgnMcVU15gYrBypDKHv5nIV8QE u/RSnd9yxhsDXiznG2WfK2GurFxY7aOUQaBbtU8MKmspTCpHqfPVsjKF/RPV+eq2q98A951Hk7oi +FxTNBnkouGMrsYhXMj5XXFAeL6tGF/HzF6mGPGxfA+GEIGcR48BPnBh79VGugkhhMnLT2QhpSpN 3HduIWVB8AGN4V+fx28ePfasHq3E+W4hfAMJ723unOLfSLcp2gYB1cRLX/k3/ELI7XGfwGUf49Fd KMQ1Do/WLx5bjFVaWrn0oeSxC9bWp8rcG8wESXLxKRv2HimW3EOdNtwN8TAH6zT0F0VqssHD1oVQ MbbTbbgXx1blZ9yjFZWBesCKqMsk/IWJz463aD6ewJIomUrw8vdx+A5F8K57Nu7h3zE24pGAIAG6 PDm87Myjc6VHgnuVzHuc8DtKp7nutY4DTb7QuQu77EovUAvRlBVw8Wh2ua0joxB+v5rR4f2TvwvI ey+6OoGuSW09einvt91hpGOYLsl4UnXsTs4LP4u+yyaa78fD3w9nGePwekVv2d7fFidTucH7ve9x ssLEZ9Uk6zI1bPqOG6zwfnPqcsefpeKY3djMazQtbx+ZAoy3WxdyQSE8ML+fZStWkKafKmTjNczB FYRQfVVoQ+ccXg0F0Sbf0gcYBU94NOvf1pZnyqtvVZIdzCdrP/hMTd+QZFmfxmiNtrJUllZpuDVB n2ZcnF2BKAlfPlHiXzZv4RzgvveoWGoTnx1n/i9fnDXrjOFWasU57q2UWmVafVp7lzUn2ldk73KR Ttu7gFmAEMGPJn1tbsVZSwIXXZg0vRVnsay6FWcxy9xKrTzpsfRd5qmpy1dfapWltZfuOQnnMLe3 xL5ucQO+mbTyxu8nz3I4u8nfBSkeCOGAwTqwb+x0eEXjfFZe9UtyA54eh/AV5emcc7OmMOLrBScs H6SA8J4wJnhGMkn31DxiVmgrRvczlzHIKjXUIWBPogu9P8/EZ8cJW582Ih47drAZoIXrvENe58Lk XIiInLUXUY5yAx6Pr1046FAoZnH1prrfZVX/hYpP/o03AROTtSKVT1XiitO2UHXI5mc+PVGf1GsD vL9k6P3uySMKBqgLVXRWNd7a2x/P5lZl0xihx8LiwwdogU5XhDa9qID8DeaA/mSCxiPjV/d80ZRV Zbz0BvhpiQ+59WqXYXEmqbmgpcmALz5KaBOfXtbOJ3Qp3IGhXEHOUkZa2oT7EyXLohIlT82XUn3j EESM7yEarSD4BEKO+zBvMmmhYpJJtzWP5+lHcPZTPjtCqoiKkDZfG4c+lBUEEJXAZlYqs+tOdPvT Vh9gm59g+GTaxGcX9kdWWUyiqDQ1Gzjt1P6oTEUlU1Ya08e3P6oooiJUmv3jQtuf+jv5qAEVebti /+PHu+8O+SV5Ofwf3ngAaGVuZHN0cmVhbQplbmRvYmoKMTEzIDAgb2JqCjQwMjgKZW5kb2JqCjEx NyAwIG9iagpbNSAvWFlaIDQ3LjUxOTk5OTkgIAo0NDEuMTk5OTk5ICAwXQplbmRvYmoKMTE4IDAg b2JqCls1IC9YWVogNDcuNTE5OTk5OSAgCjQxMC40Nzk5OTkgIDBdCmVuZG9iagoxMTkgMCBvYmoK WzUgL1hZWiA0Ny41MTk5OTk5ICAKNDEuODM5OTk5OSAgMF0KZW5kb2JqCjEyMCAwIG9iago8PAov VHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzQzMi40Nzk5OTkgIDgwMy4xMjAwMDAg IDQ5NC44Nzk5OTkgIDgxMy42Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2Ej MmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1 dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNyZXNvdXJjZSMyZGVycm9yIzJkY29kZXMKPj4K ZW5kb2JqCjEyMSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzUy Mi43MjAwMDAgIDQwNi42Mzk5OTkgIDU0My44NDAwMDAgIDQxNC4zMTk5OTkgXQovQm9yZGVyIFsw IDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGly IzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjN0b2MKPj4K ZW5kb2JqCjExNiAwIG9iago8PAovVHlwZSAvUGFnZQovUGFyZW50IDIgMCBSCi9Db250ZW50cyAx MjIgMCBSCi9SZXNvdXJjZXMgMTI0IDAgUgovQW5ub3RzIDEyNSAwIFIKL01lZGlhQm94IFswIDAg NTk1IDg0Ml0KPj4KZW5kb2JqCjEyNCAwIG9iago8PAovQ29sb3JTcGFjZSA8PAovUENTcCA0IDAg UgovQ1NwIC9EZXZpY2VSR0IKL0NTcGcgL0RldmljZUdyYXkKPj4KL0V4dEdTdGF0ZSA8PAovR1Nh IDMgMCBSCj4+Ci9QYXR0ZXJuIDw8Cj4+Ci9Gb250IDw8Ci9GNiA2IDAgUgovRjkgOSAwIFIKL0Y3 MiA3MiAwIFIKL0Y4IDggMCBSCj4+Ci9YT2JqZWN0IDw8Cj4+Cj4+CmVuZG9iagoxMjUgMCBvYmoK WyAxMjAgMCBSIDEyMSAwIFIgXQplbmRvYmoKMTIyIDAgb2JqCjw8Ci9MZW5ndGggMTIzIDAgUgov RmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0KeJztXUuP3LgRvvev0DmAx6JIURIQLGCP7QA5 BDA8QA6LHAJvvMHCXmSyh/z9qNXd0yK/Zn8UVXp0j2ZgTw9HIovFerNYfPuXL//Mfv0je/v45T/Z 1+PPxy+7/CEvm8NXlrffb/oNRf2gi3z/ldVKP9iqa/36Y/ecPe8+7z63/z/vlO1ePP5o/3gaIu++ //j6++7tYfDdoeXL49/aT//Liuyv7b/fsp//0Tb+cuxv/8CPXd3YFo48V7r99Xv/V6XzWj3Y9nPb nvu/7h/+9+7vf8p+3wNWPNQd8OoAYP/XN7ZU1uwbmlEgP59fPfa+R1boc7/jQfDZMit1ZTNd1Jmu s//+a/etHXy2oU1jszI3mb0wtM11U6iy/VPoc39orY9DtZ2ZutmvXDvMj502Zfc5LzNb5sWD6drb lbfK7H9Rhd9eVA/Fof3cz/dA/3ui+NaDudHHr+BnB+Y+bKrcD3uAuTdW2bJKfgE2t703l5d+vgf6 92EWwnMA5hAMoXWZAs+X1/qH2x6F58u0EaIlF+ZpWcnmJszFJ7nbgBQaNowxWWnzvfjOVHka5nOa RFTddx+WQ0tAIj5fefH90+7tJ5upPHv6lh0geHP48XQA+k1pi/aXX7I/72H6KXv6bbeX/8eGomuo zg26a6jPDcZ/4tDHx6c+lodJ+OcrL3bzaVoVdGk+ZdFOR+X6CIo6gNL40zlDrx596MuuwZwb3ncN ZbiPvPIboI93/hO1Pyw0QKeAZ2iAYT/5oPudKus38MnBsIAgHw5cBsAHn8tHCpiPwsL4xKz9hg+0 U39Y9c4HDCBV/lwSCMZfF8QYrK3/RHGAQ+kr48LSwRMwjA9qARICAPHXIYLIACGwdAGK6cROsvww rZ7oC5AIqgM4gJMBhf5cVD6YDCMQBLQtgaC9gnMkbIAdRo6iKmeUorw8uXGjHJSFqoMsBkiHBkA6 MBQ88ej34a9ToamEkVBJVDcgZfugIx9Dp1ytAWAwLJVJKIKGizFz4EGlzrOrPa1lNFVSnAmpkkKk chkkRyC+1fZwCETknTFuXj57llzgqRjrLmKAjomrIsDFra/ksDHiDzgOGt6zJ3Ttk/4nxgvKMFsr QhT4o+QNewXmclQui5jjplauiOWGMVAuNAxXp0gS3O7hLAWrx404AN3vAyUZSJSANJBQhdpEixwu ctH6BoQBfrjY5n4CUBQ8AZzqN1ywnKFXYFVL6RRmxw0O/wkgbcQyp2T/CQ1r6S8MjkLxEcHZw02j FEXH4Uj2NcwVSAM65pojFeGvcbQHhhnrFilXPgwXhhE+Dnf5+cIMp1yMACU4XwnKAUaBpaTDol4b bjvDKxN5dDp3KAg9uvdiasw0obVGaqA+zj06CuOQrKyH5VfkbKi6cuY+j7ORQ0NAUy5i5Bdl49LD 7Rr5GKjmAR4YVoLHdKmuS7II04jajlz4Rcic4Ug2RzsnPxO8zxKoHbgA5cKP20rQaeMTCBgLVJAX gPbNZfFQJufB2jLIybD1xdeFbsLg2i7kfXFzQoJOJcLO3CClQRJ4YhqTtTCNQ1Lp+3q3Z+cUlXXZ Sc7OWcRG0cqdT2iP5fZWShdmqpW6YpFu4e+osInNo6jumikQGxW4PcrdpzfOT7nr9qX2CYWOzrkd X8qIGXG1OnkKEGq54Ds8+oYeqGkItH7yO1GV38J7wZUAAcf3N3hWT0SUmNpHIhvGCR4oj+fT9ICj aSdAVkX+ErQpKcIAckgDA/zwTIeEzSyAw3dIb1b6K23dReH2AkQJAkbIIpJbVe58IvJahgvqCKeN 0pSoUB3pYXXa7owzGcGcsisCiwXczOUhTcjEThPSL4fLjAhlDp0mRNcmiRbwlaPbquaAdVWcqduP uCjfrdAge/xetbosiMeNayCJwg/RGf+Vwt98CoEqoUKLMn5yCCnwMsyugADbJEmsShlnNqhVuUmV kE/J04F4CqZEUHuhyB9PlE5IEJonGz0h62j4bn6KwFDgAANkErQtsfw8pYwe17jg+/D9OapSp4ke l12i/FnGbE7HCpyOstHuotx4WPuglc0pXvKaood17kx9C3t7wy4Y9i66zZYeWb4KV1g6vpjuxo5M PbHe6m2u8NMrdoXBwgSnbfXes4TnW1anQZId8HGzndSdlnAXxiaVGgfNmzudKPzndoWn8Z60rh1y 2LynFZjcpnBF4SQ2N7LCqjfsTePJrXXZuiNVX3e0tqf77sJeljAHKu1S52Ydh6TufVvHazN1JTaK pFW5yR2OuQdbd9v2uVU7VUL416dyBsVHfxBeECUBpVDuRCIF7H4yoNVBwNSTFgC5MbO0UC6lrsws nTwEG7G3DBJ0uDa4wIgyEVjlLl7C6XIBmyrlnB6oZXgFxwW8c9uWq0OBulN41o8rXV9zoSU3zWaz qVzFBOcnhx8XBaWL+/MT2gsCelrnJkgNvP4kBTTiMAcvCnI7eYfgbvPKobwEioCNyo9spxAygE7r tXLTL+X0zyRhHa1qlz0S3A3u5kuUbko4yDC85hayGK/PmZB2xIvIgCLk5cJCBsigsNhKEgQxMIBx gMZndpjuB98AabzZGV8DwxPHLA8JFaRejgOsVbDL+cXanOLE4BenBFb4OfmIgsf8KH2sXzyodk9C lIhWsorwYBLOOSS4FrxaRYIM5oSbQOtc5K62CO5qK7cnFMRJ2GfgxWx4HxwfCUFU7kkIlDnUveQ9 KpODcTG7T0DWzSmPqwBl6t/kgA0gHP2gF0bdIUQQqFUCgv3cYKBiDO3jGKvo0QeYLJBUCQE8yLIM rO0gmUyzEAZZG9cX2+T2hFMfUt6A/AJifDjGcLawLjS3FTNoaX4slkeChfIpSHEJA8NywUaHjVYn vSd8kir8Bg0sBlnJgCAgXH9YGAWP31Ja12JFAkz7/3EQ2NccfvRmM+nYE5tJ97SZdEMoKKE+4T2b dCKFXMAc4w5vBD3MEyAKEIiEKrBVCEG8th7OjcsPLoMWuu6LSn4FhYkpAwn6IqXafJE+jd21L1IW my9yedjNF2EImtMX6fFtr3rQWOI/n54DJG8NhPgnOclLqRBZHSS/L9c5N2Cn/itYnxBkEGgxykAA +qS0XtqVUdDtNGyn1hnhUr4FQzHCr4RXAEHgiVPXHFEIEgaGnYLVOY2BesWVo4lLIcsRFsrNfnVy fS9/dnJjI57nmbMDB+1EXneF98WKdfvrsnXQj8n95AJUCZAAaFgDno86LpC90gA5s/AEDHOgnF4q LnSiIP8CqK2+sOygVqZJeu6iAdaeAsP6E8wnIX6UECtdSaAP84notQH8fqTtclr2yhSX08602QCy ioacbie7LKVcM9/j4K/A9Hncl19TZEAhwIkIvwFP0CccCaGwR9CDRAarzV1RH3HcY7prU231ciDe Tz5E/MCZAh6QpvsTPMEZhuViXIPSAmMdrFWBTuFArUSneFqWa7HhGYsRcEBsMDZHfGydZevQqUS1 yqVuMEwowAGAcWURW8RDWEfRI2gRZxnADuL7vQkaeYprnFJO8UkQTGzyx0hd0UXLekwYSzASKqop gkhfJm1l0LZi0AzYi7WqGEDYw4+a8woX5r3f6ZwO4MiyW3mHQj3+jrMV+r/Dr/GOKTDM9+XnuRJS AsuTJD/QWxP5wZaYq9CHH3UROdqxkFEzPL8K4aBSGl/hPjLX6hJJfSujKRGhWw62jEYOW2h32JUh 9Yoon6RETIQ4SCjuA0/weE9CYpdEhayUtVw7Yw4R9ikFllMsiBu+no3XbkpZO77p/VFOytrxl7yM FbuVC8c8NsaEObuDXrndzNdJgoQJTknEyYrhNcQiokIJldz4JfToX4uUXaImZajuTq9hFtf3Dvct RcR0feoUin3hZhdWh71QquqdL0OxpKyIdLcu+Evt1M5zykfADp1m7zJht4qXDsGKqaDd6Drw+meT BMNgY2nZ3V7ZkL5IyZID3zbxVtlMsWM5S0ZCLtdKVD3ekXUocUQWSSqhnHbCTi3H2DIH6SQiMojT hMUeDtiKTd+Z/JhZ5GXClnnEXOQcLBGZe76XlrMQrxg4fLP2lftKs3sgy+d5bt6DR1c0LY17D0gR uBASJRC4vPPXTn8YrACX9SdEpKoJi4RkF2RqEUkDwciXCRUxoBAn1GSHGjsGbKjVZoHwTAq67YHi 8HV5NhLpolyz0QsIMHl6ko3SrdTRU4wFJSKUy3hTd5o4mVgoqa7CMjkh8QbcGmjg5wQEdAPGpwCl XJsGciRECKi+y8zFhXL7uL6ho+Cu8vC9yRSRDHDQ0FpEKWiYSwLGJsncWGuoEU6jz6Sy78j6EvQs JARsk6/D2ri2+sucyd3CRFuYiB40jNhkHn5XQsR1JLB0XLgHShXd5xZyuo8rIlTVyWodEWoZCYiu HECWOvkgx/23d3FloZSzBhFVmODIdaC00zKXTpbufCKYjNe8pZY+2pw8iM7F9Fo1m6D/PSokKmJQ 07MCKe5DoNr5OHFpGldur8bjuPn4pog+fSnItRYnRe5WraY8XSGGl3rOU5RgJUExjNdQHkT3W+Cg ZYRMeuWV7bkpKZL4NMtksKQP2B8QsEnYLJbg02U2i9FSir3EdNBRZWApPmzsMbuRQro0jpR+Dcwv odYqExyVC+nbMU8TshGXuhgkIdy/6NUhgwC74doHr0CgXJn+pCeMr0Q7p6nEVnYFhHvC7+aLpUro groJAnrvWzlY2xlHwr2LBJN7nuhtwl42X661VJKTUO5TnOVeCqc37OeJxWdsy68n0G/41nO5W75s brdbvvqrDTIY+OOKm7vyW75sXm23fF0edrvliyFo9huHzzeClM3xC2je/1vE9SLhzjoGskHtsd+B V7l2CQaM0F6IC0yUAxVaH4UQWOz1ATUNlKeTjmTZe8Je1lodTtvv7LlFh7LdvI4/vv5I3Xz+nH3e /R96p/x5ZW5kc3RyZWFtCmVuZG9iagoxMjMgMCBvYmoKMzY4MQplbmRvYmoKMTI3IDAgb2JqCls2 IC9YWVogNDcuNTE5OTk5OSAgCjczNi44Nzk5OTkgIDBdCmVuZG9iagoxMjggMCBvYmoKWzYgL1hZ WiA0Ny41MTk5OTk5ICAKNzk2LjM5OTk5OSAgMF0KZW5kb2JqCjEyOSAwIG9iagpbNiAvWFlaIDQ3 LjUxOTk5OTkgIAozODkuMzU5OTk5ICAwXQplbmRvYmoKMTMwIDAgb2JqCls2IC9YWVogNDcuNTE5 OTk5OSAgCjcwNy4xMTk5OTkgIDBdCmVuZG9iagoxMzEgMCBvYmoKWzYgL1hZWiA0Ny41MTk5OTk5 ICAKNDE5LjExOTk5OSAgMF0KZW5kb2JqCjEzMiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDc5Mi41NTk5OTkgIDU0My44NDAwMDAgIDgwMC4y Mzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAj MmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5o dG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjEzMyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDcwMy4yNzk5OTkgIDU0My44NDAwMDAgIDcxMC45 NTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAj MmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5o dG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjEzNCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzQxMy4yNzk5OTkgIDY1OS4xMjAwMDAgIDQ4NS4yNzk5OTkgIDY2OS42 Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAj MmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5o dG1sLmh0bWwjMjNOSVNUODAwIzJkNjMKPj4KZW5kb2JqCjEzNSAwIG9iago8PAovVHlwZSAvQW5u b3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDM4NS41MTk5OTkgIDU0My44NDAw MDAgIDM5My4xOTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2 YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMy ZGJlYXJlci5odG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjEzNiAwIG9iago8PAovVHlwZSAvQW5u b3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzY3LjY3OTk5OTkgIDExNS43NTk5OTkgIDEyNi4yMzk5 OTkgIDEyNi4zMTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2 YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMy ZGJlYXJlci5odG1sLmh0bWwjMjNSRkM1MjQ2Cj4+CmVuZG9iagoxMzcgMCBvYmoKPDwKL1R5cGUg L0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFszOTUuMDM5OTk5ICAxMDQuMjM5OTk5ICA0NTMu NTk5OTk5ICAxMTQuNzk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJm IzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJk djIjMmRiZWFyZXIuaHRtbC5odG1sIzIzUkZDMjI0Ngo+PgplbmRvYmoKMTM4IDAgb2JqCjw8Ci9U eXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNjcuNjc5OTk5OSAgNTkuMTE5OTk5OSAg MTI2LjIzOTk5OSAgNjkuNjc5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMy ZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0 aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM1JGQzUyNDYKPj4KZW5kb2JqCjEyNiAwIG9iago8 PAovVHlwZSAvUGFnZQovUGFyZW50IDIgMCBSCi9Db250ZW50cyAxMzkgMCBSCi9SZXNvdXJjZXMg MTQxIDAgUgovQW5ub3RzIDE0MiAwIFIKL01lZGlhQm94IFswIDAgNTk1IDg0Ml0KPj4KZW5kb2Jq CjE0MSAwIG9iago8PAovQ29sb3JTcGFjZSA8PAovUENTcCA0IDAgUgovQ1NwIC9EZXZpY2VSR0IK L0NTcGcgL0RldmljZUdyYXkKPj4KL0V4dEdTdGF0ZSA8PAovR1NhIDMgMCBSCj4+Ci9QYXR0ZXJu IDw8Cj4+Ci9Gb250IDw8Ci9GNiA2IDAgUgovRjggOCAwIFIKL0Y5IDkgMCBSCi9GMzAgMzAgMCBS Cj4+Ci9YT2JqZWN0IDw8Cj4+Cj4+CmVuZG9iagoxNDIgMCBvYmoKWyAxMzIgMCBSIDEzMyAwIFIg MTM0IDAgUiAxMzUgMCBSIDEzNiAwIFIgMTM3IDAgUiAxMzggMCBSIF0KZW5kb2JqCjEzOSAwIG9i ago8PAovTGVuZ3RoIDE0MCAwIFIKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnic7V1L j9w2Er7Pr+jzAh6L1BtYLGBP7AVyCGDYwB6CHBb2ZhfBONjZHPL3Vy31dIv8mvqoUlGt7pkxEvfQ aqpYrHcVi2///vmfu3//sXv78Pm/u6+Hvx8+32X3WdkOP7us+/NmPGCb+9xm+59dY/L7qu5Hv36/ e9o93X26+9T9/+nOVP0XD391//j8iqz/88fX3+/eDi+/G0Y+P/zUffpzZ3c/dv/9tvv5l27w22G+ /QPf75q26uDIMpN3vz6OfzW2rar7ovvcjWf+r/uH/3P3j7/sft8DZu+bHngzADj+9U3d2GL/RWMW gfx0+up9leWtNWXVBD+PJ87zAzzFrirue8Cytlt6XpTdN7qfcldXwxNmv7imMkW/UOuP2/re9uOj eR4D8+/R8+sI5jY//AQ/OzCfYGva4VO3Jd/H7zKZ3UM5bMgINm/8uJbRPI+B+X2YlfAcgDkEQ2hf UuD5/F5/H49H4vk8bYRoSQnPpiya/rN16bn7juk/WxcGb/y0ltM8j4H51ejZlHUPzgDz+F1NDw7C 5oyP1nKc5zEwfyI8B2AOwRDalxR4Pr/XLj3H4fk8bYRoSUtuNN279jySufRcNZ1aavpxBwZv/MSD p3keA/Or0XPV1Pn+8wDz+F3NoC8BNmd8tJbjPI+B+RPhOQBzCIbQvqTA8/m9/u6OR+H5PG2EaMmF +dlMa8FomWX7VEWHmc6O6qy9jnt2//tX95JPvWkjMKBM/2cMyzASMKCeJr74/svd249Vp9B2X37d DRC8Gf76MgD9psNS98u33V/3MP1t9+W3u725eBiw/UB9Gsj7geY0UPhPDHN8+HJYfhpM26K8Qkzb sro6TFflNdJ0Vaei6ROWB5+u+wl+dlygiOcpLua+tMdUv3lnMGWrPfOX5rDIHNDwrh8ofLxMDNis HzBZGLkGXlP3A+1p4Id+oDoNfPDf2/QD5em95fktHEE2vNaY0yMP3nuN8Qcaf1YfENP6sMPq/MWY zH/CXwwuNxZSl0DneeFPE1/syajddR7cGTIq7Z6MGuvyyoh5rL/g3OdI4LfyPKGNnqjPY3H0xHsf rfDah/N71UzA8eE88U7JDgDsIwMMSYS/BSCF5cM2wKQwB0Dqf8UWPk7hCZC27yjWAXQFcjCwfLoN AId5UMA6xSkiCCblu893DmgMXgtzAPEDxvytxLeUJ0ElljhFUbkiBxDkc/ZB6UwRDOd92EpOyT7G kF/EKBwpIV8bRLA6XS3yCxBdLOjLNntQL20dLxs5IcNX4AnO2Bokxvl4Polds84CmgMkA6nP3ygV EWSbwiFLOwBmpjibGiQRMhnm4EpcYAhw9boRxWfenfbyxhwzWz3TFnfMDLD4LbluWUC/Tb0WQKde 18VdKNs27oKnXCjOkK0/4MtBsEXQOOHiV8F8ibCJQB5xD6GaL3641OOeioInix4TN1d8yYk4BThA xQN9gEo7o+QELvRWXCTAGde+lNqjKXWhA5QbV2BwaoeN4nYSpxCgMop1dCu4VUTlQ/6D/1oFsYRr 4QyiIZZh6868BmaFSVoFKuu1Ur7/t0iK0XCBDFgusNgUAcY0SiiwLbC4Zftk6oxs1IUk7PxtQDMN 4OBamnvEsVproY/YeYfjfbED1kcW9sH2HUkyP9KPxO4vBr8CyoDHymGn5hsUxrfjQdTD5kYwHUDK 6VIhzG/f+6DTAVt5cBQ+PoqAclgopNvKIbKQ/Fz2liornLcg0XHTCLayVtNRtglSg0byCQQKNZWA 9mNshfl5EOAoNK+4NQWr4whJYvUnYQ+bFw6BmNqXwQe/v53AIYcdNqb1NwZCNr4AiTBANQQ7WCCX EbmHdPyEmYexBm5c+0/k4Er7iwN2wN3n4XMetecihYslntGEr/CUjYCTY43arbj8CzWfMXM1TABS DUVX5MGXcAxuNjHEDXaB9hDgg7riES4O5x9BUYUgDSRIC17KqplK6sj5tjeL6+fiNvSjUpQInMEH TeCiGAd5CnPQWqeIahfQlYYvBiiEq7GN2Bu5RimCyXqiap6LeMF0jOB+vjgYoNsfQbpUkkWQLi9/ wqgq56H5yQ1JEpxaZKimINzLnS1BVV6SSqX5iiwNs6sUzCXxC4vKOqy80sbQlEqEukyRlTQ/UKUM +wJroV5xKJirIZWLzCwmqQlIJUEBwUZtJP4psYQFim2+7xCxDUnERZ7lLo3xZNB8rZXImuZbJ/Do eV2iIDgjSLlpJHpTiH4e3+KsrViCq+Fbq0hpc1S4gnoc2Bfu5QSSDsriwVTe4niSErL8gqofce3r lMXOzW/BeQ0eJoG3QLBbUOPCv0ITnyrOBlAhJ0sey1XYfRVTiYbUEcnz1VqatGbRuHxrPzCRE8GE XM9Bch0Vv0+5EQetuMYJcLKKYM9N8C03FeG4Oj959eCDQAxxlhF4wYEI+EJHoLYutSvsCz8iGSFS OdEJTjPyhDNXqJQ9cjgiMD96F8HbkmIjuhhJCDChvlSR5EUVj9RbFJgLC05M5iAxooBxvrOQJuij 4T0ISuav2Hzmi1Mp914n5icubJjlkVIuDLH20vKJ0mVLoAd+9hSy37yUDvAB28DPZfBMlWJ8pgqa 8RHVuwoWaIRxRLUjdkdRKygoaq+BU+KCAo06MX6sLyLZw8sH9BLsRZu2aoMfBtEwfFRyfSnU6QtL ZWl0ULjp3FZhjct015PbWsmImX+2IU1ZseCAMs8Y8fOXgcyEhqgvsyoeyZu1pfXsi9KuW7AYkYXj Fgifg9YrKloPZX6L5XkRgSZBvx1+TmGVkPFmyga5JTBfBqkYhtRAj0ghJTGv0IpJ4r4XVe2wdgSk Ct0NV61AmKXn16weUBHKxy6zLz1kqHE0DIQQDAhOw8RWdSwMj9fGIYdXJmQkpeDAxDSnm+/0Sari wC2iYRR+fEyQP4vYqXUa7G41I58yxlxWRy2uYU3xPLeed9ZszjvjdUI0cqnpe7W36HtJAIuIf3H7 PIUBInEkt+o3pon28TkEveWALQUH3n3DMJGrVRqXk7lzPn/nJFRInfOI7pTzO3lc6rz/IFD33Qei CeZlGcoCL1HDYgOpzaXDlEFyY02Lq2bGbTJ+jxxB0+J1WgNjr2TU5rTPMTxx6BjWzgEk9maYy3Ux rs3zrQxoAoJfyhtdgOjg2ohb0TQlLHnLtbXFmXMSTRAHjih73kzLfG5ZxEa5pxSFoCXv/ETaqicC YY6lXY1zR4Bs9rR8Gl7fSLRIQOsrHVTViOMMOso+X63Ag+0IFxdSgm7sFGEIBz9CqdAVKE1rAJUz t03tbGVxuL/CTCyGp3h4U3iKIZWGktdbcGfhSkR+3oPj1O9PgrsNaAdAoBNCokOltnUIEwEDccC1 FjDZfO6PLuyaEFygCySnTgW24/Vc6SU2rjX0WqFqOiVJzAtyHEmy24JAV2ywfaFe67vGj7ZSo36b K21+p8Y65dpXXAYaIQsFRWqCTqcaMez5/XwieExw8vN63Ndy0Psnxr06UtZQQWW8a6VROMwtFH6h DFxmoNLrbrN6jYY30LYuDlSXhXHGLyoRhAglLMRtR+prqxx1FNe2LGxQUWUuGwok+2YLMRROqCNv z48S8I4Vq0bErlIKyc9camip2kYvzviBfH7HiiSslqShIj+VmCY0VzYukrkYF0RA5ndFT3LgASGF sCu/yUQQV+C8f6HCDI0Dt1eTLYkopOaH61fRhBoFRHhlMCcYFdeqqFyBokEf21KNGlqtqReQx1a6 Zr+GqogZpHhiWTnzYavcJUOFe8xjGgdw75zrJJ49S1IWsE6bfQ1avhoLTeVqLIU+TRFpTn45Dj/W mqR4iYvpgN2joMaazLpzjgC9oRsQVY4lDQjLjy9JcTX2di4KE0AmONenwfqrEO5KXYM3m+cRVCKl 6Hd+2arEhbUqRe0KkBuqbIzoKywouxLUDXA7YH7pRURG4oOafinKeEuKcgeqApFyAKQm8fnmn/Tj 98hFOMUpeCwGy9xxSCKFbF/KOSKz+VIoIs/D3QLBTSc8krvVG4qS+IAR18kk6Ut/obMVF3JOBRKF px8DWkpDf1TL5dgyMOraBYNfa82vErrQibAr9t8SBR3z0t1chaDjq8C9GYGrWsy0tIld41CqpCCK x4t5czDBvScawRpBToqTnaCzkwboSa5IHJRlXUYjTEUIAXlQ1j6jDARVEgp28Vo31NOYu14st83y oAzi/MIjDfOPJq7UVeWWuxtHHAzgOBVUntCvxHSl4lFWHr0SiFyN1nAX8jbyvlntiJNfVlnEVhpn alzftE5ff40Ieqw/P4srY10HDcVnmuDGrZOD0CiB4GHq2Pz90grc3MWpQIsBPkA1aLgJVGnB0e+V KtW4ZaCQLIIj6RGmAnff+UbRCges9JzfuldSojzfK5CczdlWL72ld1g3LqtfRv8im+o1CikmNlvQ yDo2UKuh1fJ8mzS3ur0GgSuB5LtQy8cUvmqiWHhZOUSXv6er5ezCA8ob70o261jehdI6W0lJCLwo gZa/UBknByxJHlAQqOFhuoCy0NBZxbMpAeLDAttCj6UBHaPkypkEDIzgvB/9aSxMjF+CRxTjshMX v74elNmEhbFSGwNJEJX7KIkKpP3V5O/8Aeh9kcQwyQfD5MhE+Ud/byIqHeafhNEwVCWl/eALUetX UOSDJpNGYaH4apg5GnBDLJOubLY93qjLU2g83BJB27S0LCJkA7lesSBeGMDMaweFEd0MOTlImhUK Dq/zmC83IgWvFShmDZeKp4c5PriDoHBdisZGIVuCmIYOmWk0uwKhosNIjz7hbgeIbKn89LifW5C0 hFFeGLdcF9TZ8Z5rEKio14HGFC6/Ra3NT5TM78YvOW4nuKEpSThFoE9UYkMbto2up/NAXuQOl+Hd Iy+MqlIUkqPwny9SJQm+gNW2UCx3vueYYgSu8lbcTYAjh5ZlPtMZjQyX2Tc8rTuS1twXk+fupILo aZrTcrAPgkyjoAxDwVi8EF1ydwtbUwhCGAr3NQoQxH1pblCJbkCa3wBE0IeFn54MBSiWFjMYl/uv x0VbJ7gQQTLRcUENvyavgmuZ3zZDElrUCAxQV0hQ6xQRnuMeGPXiJMVPsVUUC0sRTOPSxwvzcySh dtpuESM2XF9A6iGNA7Y/Yjve7pdlTkOdjYqLUpYuTnUmbaf5cvP2tYbaKuNTM9wEkaiLVewaga24 WVdBJeCdJA/HI6uxTXI3cHTJlC578OPlsLfc3hIUISY5rcHXwhN1l4m8h2450ZCNdRvS4SontpM0 CuDmOL8nmFOUgEzXqdrkZ1VopSNXLxG9B/jxfC7nBe31eCloksNwPCQibr2x1BivXEZ+bd/hWwKC SAMIDMAqN9nmtxaQ1LCLq+0Xqo+2mNYfIR9QJQ3RvVxxLYc0xHHSNF0QeOm84FSm4HoJLtkFcWmB TSuoBZgv2tAc16hYetVjBB9i/21hRqGsXOnw2nRLXWunCSmWTenunLi5uYJXZLI2uAtwqDvJjWEa YbkL1Vqp9ARGJAru8NjKxTCC2MQLv+7sQgGxwhqX+7nfnKR53lYuVXs9uDYNuiB+foiJaCgpWwTx I6juo3kOHhwXwHEpTjeFh8JXKb4hKT5hTbwwCfyy+4ikKQYu2srh/QitNj+Jg0pMwXK+wSBCv5XH jbwv28MPbKn/b58ffrrLdn/u7O7H7r/fdj//0g1+G1PFxGQ9fVQh7ZrtD3Tm5thXZcBY5QvY8Xnm 2tsHC1Fqn8ggjn24wQYGfGJny8qz0Lr6TpWndR1c7LnzB9FWe2iz3noOgYPRAhtdAKxTTYrbNuBz 3FTCB/Eg1saPfPRXUXkD9r2/LH9W5XUWtVtsp7NQWNflFzps6DEktM0N7f7snrrVmqoH+/DX1+8T 2imbEmCfdp/u/g/aX9bNZW5kc3RyZWFtCmVuZG9iagoxNDAgMCBvYmoKNDQwOQplbmRvYmoKMTQ0 IDAgb2JqCls3IC9YWVogNDcuNTE5OTk5OSAgCjM5OC45NTk5OTkgIDBdCmVuZG9iagoxNDUgMCBv YmoKWzcgL1hZWiA0Ny41MTk5OTk5ICAKNDI4LjcxOTk5OSAgMF0KZW5kb2JqCjE0NiAwIG9iago8 PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzY3LjY3OTk5OTkgIDQ3My44Mzk5 OTkgIDEyNi4yMzk5OTkgIDQ4NC4zOTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUj M2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJk b2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNSRkM2MTI1Cj4+CmVuZG9iagoxNDcgMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAwICAzOTUu MTE5OTk5ICA1NDMuODQwMDAwICA0MDIuNzk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9m aWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0 ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iagoxNDggMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsyNTMuOTE5OTk5ICAyNDYu MzE5OTk5ICAzMTIuNDc5OTk5ICAyNTYuODc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9m aWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0 ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzUkZDNTI0Ngo+PgplbmRvYmoKMTQz IDAgb2JqCjw8Ci9UeXBlIC9QYWdlCi9QYXJlbnQgMiAwIFIKL0NvbnRlbnRzIDE0OSAwIFIKL1Jl c291cmNlcyAxNTEgMCBSCi9Bbm5vdHMgMTUyIDAgUgovTWVkaWFCb3ggWzAgMCA1OTUgODQyXQo+ PgplbmRvYmoKMTUxIDAgb2JqCjw8Ci9Db2xvclNwYWNlIDw8Ci9QQ1NwIDQgMCBSCi9DU3AgL0Rl dmljZVJHQgovQ1NwZyAvRGV2aWNlR3JheQo+PgovRXh0R1N0YXRlIDw8Ci9HU2EgMyAwIFIKPj4K L1BhdHRlcm4gPDwKPj4KL0ZvbnQgPDwKL0Y2IDYgMCBSCi9GOSA5IDAgUgovRjggOCAwIFIKPj4K L1hPYmplY3QgPDwKPj4KPj4KZW5kb2JqCjE1MiAwIG9iagpbIDE0NiAwIFIgMTQ3IDAgUiAxNDgg MCBSIF0KZW5kb2JqCjE0OSAwIG9iago8PAovTGVuZ3RoIDE1MCAwIFIKL0ZpbHRlciAvRmxhdGVE ZWNvZGUKPj4Kc3RyZWFtCnic7V3LjtzGFd3PV3AdQCO+mwSCANJICuCFAUEDZCF4EUhxAsEyonjh 3w+b3dPNqtPsc+vyFsl+zECemXKTLFbd57mPev33T/9M/v1H8vrp03+TL/ufT58e0se0andfSdp9 vxoO5M1jkafbr6TJisd6049++f7wI/nx8PHhY/ffHw9Z3V+4/9H9z5dHpP33H19+f3i9e/jDbuTT 08/db38mefJT9+9b8vmXbvDr/n7bD3x/aNq6m0eaZkX352/DP7O87Wa1/b0bT/0/tx/+z8M//pL8 vp1Y/tj0k892Exz++arN8rx6rLe3nDLlH8dLu5sVbZ5VdTP6+/DGRbGfT5nUdVs+lt2vbffqRbmd VvdVJfUm3Tzm/Xi3BnXWfyjL/fG8/2M7frzPbyP33y7Pr4M5t8X+a/R3Z87DueW7Ldlu1/BZm93v WerNzR0fvMvhPr+N3N+fs9E6j8x5bA5j+xJjnU/v9Xd3XLTOp2ljjJbcOb+IgRaYIoi36rJMNnWd ddIkyarkf//qHvKxZx0Fg2b993Auu5ERBv1x5sK3zw+vP9RJt1DPvya7Gbza/XjeTfrVpiOA5Plr 8tftnP6WPH972Iqj/UDeD2yOA0U/0BwHSv8Tu3u8f+5eXilwfpy5sH+fNunW68T7VHn3OlnRvkzl jT/Zd/7Ae3+g6gdK/4WLM/d42w9Ux4GN94k89S/54F8CT/Fvmj356wwzrelTnoKnnjb+Y+ESmDo8 xV+x7I0/9epIM+rNzzvmHu5+sZtHG7KV8LawHrDqmXdJ8cYfgHlwGgOm8i/Jd4/NBtcoiB0ugc2F vfRpSkCX/KYW2180qcv8/qKeWDKfY/LS3whgZbwJkAgXELBEFoJKuszHS7KcCnNK/1lGuQwmBo/l 7wKXjLDMNBra6Y+qHF0OELFcXsJEW8r9cA/Op+FCOC9OC+FzE+OEHC7JBHs9QoTT9jprU3ezufqE ecBWwifgHvymnNOBHGDqClMAbgpUyNkW1oOqD40VAzIZjFSFSKa2ARpx4RI4K8JnCk8B+uA8528l 6jnYKP8eqCs4JYPRMuJNnDNi1OLCQhPU7dgKwoKhYYAjuIaw28voAlxlzvzcZIEBYFyfDMccgwEJ vWcbIRAxnIQoOwgcA75z/KZUe6L5xbVnOOPqdfSZ9UAhBISrNq2nMX+ZFy73K6yahdSYwpoApU1t hRNOENwVVB+oT079/kQE+sNCa0dUKM3B2qQKRbPZ/BJOuDAPoI8o0iGG7SRwcSKabBPRrGLjEgx/ LJAUx2pASsUwJsodD2bZcWQvQNLDCIJkPq6Gqg9Ym1NZuOek0VIWoDKfOjyFOwZRTMVw3MlCYAiw K3/FUBdwglFIQykgbKFP2oOJcuPgf5ZXznpkjS9PuObjvqe/+QKnWEHq3IEBTlcgU8DYCheHcxis KZd8MA+OOt6Bl8l2z3U7dI0rHSJZJOifAIPwJVIE6ebx32fUa3k27idxccmVVJQQjAIR4qBauKGo QYToTQXhZhSxFs45lXWZb/igvOSomtRNnhihTiuXthWW80JmnsLF4SgjLDJoba76uHgAffrGTEqV L3lTeevzHOwCt0i4slSYsAZYrwA1CBefoAgxFqBILIG35UEKf01PSDruRlvwiwISmMeIg3tQIovj 4hV9suKR6dAe81+fYwQCS5mS0BihTjRZ+2y2wdty+giPvkuyyOYJLyrQb4WttFa2lARUFDGokb20 UH3VZlTm0omi6rOA3S7GO48EgNW1uy9UOmoCw4oEn3BwQgDsK+wcRVqABYpEuTQWFvHBv0m28Ufi xFi4dxVONHEENddC81jtXGFwrWwhQ6rak+0cBeFwhAUFSWFDC822CbC4Ls0iN1ifIj3MqwpfH+ry S/LrFeEQHtUFTvetepvMf4UDEl61gr40kCG3lqJk0hjk1eG7UA+Fo+7FOyrXw9dDYE7yoL5NaUzm cC7KZB6n4JJfgdQruGHOSMa5ki2FB8vd0Rjx9lkTNiwUTFaN0stCELLCQOGpi1IHZaJbWNXumnKo UgAScZWkCJdZ5NRy9jBwA+MIJV5/A8A8dRNQjC9KylFcnknBMUFGMTcuV1viVvUBx/UJ1DgIWFW3 7ttyBEyBqVK9DwuETPjeTFcW4w+hTqKAjy8m01vgJcAlFxNKF0AooBogCQQumSmNva0cOjWhoPCK FU1NPl8gDkouo10vqCjsBlwxCzlfXoX9ru5yMdUHKskaKsoPeKazT0GCsOflipy7QR8s+q7aGC9r V25ZBAvwbaUtKiaK4Cxz5cflxxssdFIdsFFgsSkysO2KCc7mNfPgmkVrjKXSAjThWEG2kgG9a2L+ CqguPGND3/lkYtRmU7psprBzOZtxWabonaMoe1H0O7yiSvWV+fwLRX421ehOrtbDX8qnKd0Vu3V/ xH9K8Z7KgsttqHDVkk8DyvMl5C8HO8dzVWDAnzpwpQCmtwn8tK48tXOllred7XLZyrR4eQgYztyS 5JZTeDh2pm6qUfiWJ4tS4WjRZNCkly5/LPd4oEAWPPyRbKepEZfWJe0oERfA3Wg9HxIdp/UYBcM2 rRw1plGU0qqINaFTJWzj0KGk1oyK1CJlhg42iIRFpcYjbIxhXqKF2sqaUSbjrQ6oHylpnM4lxjWb qOvB5jgBqOqZKRQ35l5NVV21Q94Wdr3KSlVIWQW9KzpuUwx8qRaZCqct/BJgkDil11XmSlmw9QQl CFH6i9MGZXEaEEmxWgvVVoybrSZqiQPiwFEj6XtBEAYXKApgPooCvZisOJwpN3Q5JCwV41MVXUGI fSWmT6ROHrXL61irrCGyWVJSBG1HLSQ93JRX0lFiz2t/gBuPHInn2avvqABRoLV0PQRQEmf+D2Z6 rRx32XhuAICmUUqFmtqZ6ELtEBS9AARg9kIpXoojyBR1QAs534KmNQKPVi0tJ6qgPic0iC15w0NO qXFy7VL3XRB6CMdAOZwpwMTuCSvPa7CtI0acLVRjbWoFA2IMJozB0UaCTvJROohmVeqs2MVlCZ27 x5ztpI3DhTHqfwUgk8Ip4I0v5mkAuFCVgsFmX3I1XlVGkLgr51sLFbUZd4out/BjLUy5nmjaQscD RToOfRdMO5Cu4YkoE12vXWLAkacUbgKlVE1b+PCORgIfCG6qKFFQVO7DAoFe474HP1XYQAMLmmSt +0y/si1G6eXKD4nl2JUiWVEaFp4oHVNv78D8VqfuTqtPmufczCvq9LEWj19wdjE/JWIhRQehInoY g0Dzxcg5FzegnSjYm9aVDlwn+cE1vXA00ElV2ow+FXBcg2obQQNajo4qmg1z44r7kbOkel+OfI3k jGxahywhS3eekxRPhKyiNLC3O4LLIjI0kAbhp5Lrm3EbJ7+tlWFMrD5+9OiioJGFSsoLOUUZwExX eAZmJMhsqiNVOrurMSdo0cJM+nSeWPNaOh0o+jHdNnKtOSxM0dRYCqpNTXKvHb4t3tJ5LGQ8zINl zRhOqooXe6zkmTrhwnI18GC41Mo3vhaTHBASfhAcpsJCcIRzsiIVFp5iEV9aZncFSWZc5PJ3iVKa WtQbhw2xOd1KFL9JO4DwY4wEzfrC25AKsrx59n3FrAkBbM+JDsztkk3drgKqqgr5LvA2SVyMwaID dMdx2xh9HNCjiVJqUb7zHwMIWNn6u+3bSjn18KEKAkgZiAz2/8RUo5iG+U48HgkR4hac2bk0jGK2 KPL8lznlTRMLom+Lka8opQKAIxgcuy1ovxRezQfNxAVAfXhKgyLdXiAfLawHqLwK77aeWZRAZXmP /teHVKQ4J+AWG+cpF1RVuNQBMXnuLtk1wJmxq+EVSigKWBnl5ITLUez8XThfhqt+w8jegE45pCE4 d3ieurm6P1JqIDEUpDyCpFg4T80hyMTbCCoSZ7jzpKgr5dHBy+nJsJYAAeQexclqqGuH6MCnu4fX mRibKw+icKWDRYje4gwyi6IvC4Kx0Mh2vbItNEHbzLsLFqV3FyxwV1JLJD7vdargzxwaQ5uX2poC 18NCilO5dt1O0t3BOU9SioiToNNveNGPpluwSRZEnbqMvJJ0aQHMUlqpyjqbYhZxl4iXs3ECWrl1 althjnLegrGv2gziTZMULaGiFJ4VdTmZ5+54wHOgeTqCB/RbedjIxzzdf43+Ptxmyec/Pf38kCZ/ JnnyU/fvW/L5l24KX4fUE/jQnraaZHvI+SmzdEtaBy+3KE5zOEQhz3xiv3JnBvbSahhm2Xiqeq8z h2WvMIJ1jju5UB+vAXQF5gbRqzenVfFg9jsqH4QeUn/VMlhG/zGS98Pb+gZN5oeEcUka/3WgDTes ADylOUH5IMJ2I5x6w2RfD5dtsvKFPiFAAWKcdq8HXYnightbFj1fFKcsKA7VjdGCcX+mwsTga9rv bd66kmXAI/N0hVF0XOSF3TZHsS5z/Eek2KqCzkwO94nS0/eaudsGP9+kDnfrz5QJ6oxCd26erp3i nTMRoeWLetQ0AlHk6XL/VLFAFr3ZpRBIUFMCRYFOOPZgkditgNnEHa+m9m/aOHS6ltYpgtbsMUBn QRtkDSwfAwOaFSa5ppQHE8FetaPvsi5UxDovc7NxXx+My2VOE5rpuBSBR2LRPYXLumWSkE26+ykK s3lOeoyquCj5gTHPHJlaROyy9i14UrPns+zVxybALwhnDw08E75AmtixRbGNRdsfm8SRsnX2UlAH w60YiwQFReTm1s7RjVL4McvByiYnpu/A++ZF1GPrgpXkDQGYiQNQFnbPG3IHws8vNAwiNOlBOnJP 4SY6NN1Ktt69pGkGzo3oskwMMvS5eEfun7csKsT0WVnpkInQzQ7wzLqgt0kbdVU4Wl4WzkZBD9XL STrHvR25ZGqkonRJm5KDqjaTY2BcgMaIoWA3LSyJF2hUis4WjT81GmeII7i5zuVJGXymUeIddmnU JtqgKEfnsa7M66mhicx92wvO3l5tLsAsQUc7iKMpD2i2364Pj0UA25krByo+TOLYBq4Uto/h9QAw AMYkPcvaEkmoD77EPOmIi2XjURRgZZRq0aDsuLt6ap9oX+7Ux3EeNjetnJsuxIb60tozdq/AcQaX RYF4WSQS07aIa2lytmzk30RMbw4a9/Lb66wWR5oocquS7JSiM+1NJWLHAYWKJnX25RZAoXOyL/x0 TWyayaU0F7nzZJ+t1rGu++MVj2QZFbpuy7F3AXkqSUCgcLfA7L0caMoiiYFmguA+gMxR4CrcVOQc NM++KFpEXDwCNDUYWLqsfWEoUpseNDKg8DwbqWipMaVAkNU5bzdioQmSynmJBU935lMPT700BM3a /ACaVb6AvRfT7uZundUDYbkMhQYHAe8SwFwCzHoAi0X6zJF7F5JES5mcivac0nLJIKzNoGfB/h4m wrwY98Ci5FIqhAGNOwlQQZ6Px48Wn7OCzKKKYLC33EinDSoFLtoyoPkJe4HvFC+QCq/tklSR8I0I rwAQKMdlRD3EjOJAnJUnyW7ULDVRB1VAXo9CK1sguHejNVBAXrDbahMCqQqHtGPlWFBmF2ymon6c p1Ir+nZGKZCDwLxFJhyXD5yWeQK7oqkFNzFG0FYTQV7Lm0nEiTIb2DFIH1TEQpKSIWLbjOJeAuBY 4UzBTRXNdP1twYONaXBXEDW590e0Ytt2vAlKlG7U85zCQIUlHitY+hoZEc8TWttP6zsRW1G49Xdm fj6LvwiMA75AdD0ESWnqlMSJyGqVOrwrQL04jXEY7Jpl6r5Tn4FMbdJDP+E4XQdp8iSSA30spmcr OgYapEaaCMdZssXiOMrSJLWpZYitS6fztCRYKDLDj483OITGMOp2LhmITwycLUrr+AmecAaPDbfr TPL5eeE3F0omB0rvJP+xHzFlDzSMgD44SgA3NcGMFUFo6SqHYKQChlG4+IJmhzH68Jk0huZ4lqbz mKJ8HN6f5r5xYzpOrKYsXcZEH241vQvLxpMh1+TCRfQdTCR3OR6HmsfyM8gfEayYv1HIloqTNS0S ORTHZAgycLlxCBwEKsXgdUc7ck+NM1UO6QqYzMA1mueIAzMYvUmr0Tj9TMgbD2XyHpt3xNtK0m/G m/ndEW9v5JIQ76tmgLXUTWkyjixwj/BLkIJAhCowLal1NDHBbHsM7lBSKfrK8cxHnqJq4Ahb4urN uGekULFRUGIutjjKY9fUZFr1cwyzfjU9oChHCSIiC+EExbbZzJAbDKJMGsyHq0ZOp1EctEX39lwq 3Sxnjtl5Ttmx8+1MJaN8xcLz4m7MLlRYW3TVFTjzCc/hrU8g0PU+otuXHbvU+k30rpoeFnT7bIpI NUVxFmJEYVNcE+sJkrDUdUJTj34tHX4W9M+BRbWozxF4rXxRFZnQFkexKZzDEfvHRDYXUxKmBJvL zc5wgE1cazYQiIA/K4oLuLLyBRU/hHZWE2lipWlbuRRzc2r1qhUiLiNaCP5AVrG7SkQCXwCpau4J /EDej1W7/wJC9//fp6efH9LkzyRPfur+fUs+/9INfh3yypmb9VxTjwGK2+ZnVd28kN1uovVxCd/7 y76PQUCG15B44SOVzxS1N7A3CQcnXzUnZYL2PfO2dFrV2rwozBrf663/Xv5dhy/afSc/utfN6n7e +x9fvp+Riek5AvmYfHz4PyvZdHNlbmRzdHJlYW0KZW5kb2JqCjE1MCAwIG9iago0OTYzCmVuZG9i agoxNTQgMCBvYmoKWzggL1hZWiA0Ny41MTk5OTk5ICAKNTcxLjc1OTk5OSAgMF0KZW5kb2JqCjE1 NSAwIG9iagpbOCAvWFlaIDQ3LjUxOTk5OTkgIAo0MjAuMDc5OTk5ICAwXQplbmRvYmoKMTU2IDAg b2JqCls4IC9YWVogNDcuNTE5OTk5OSAgCjMzMC43OTk5OTkgIDBdCmVuZG9iagoxNTcgMCBvYmoK WzggL1hZWiA1MC4zOTk5OTk5ICAKODAuMjM5OTk5OSAgMF0KZW5kb2JqCjE1OCAwIG9iagpbOCAv WFlaIDQ3LjUxOTk5OTkgIAozOTAuMzE5OTk5ICAwXQplbmRvYmoKMTU5IDAgb2JqCls4IC9YWVog NDcuNTE5OTk5OSAgCjEzOS43NTk5OTkgIDBdCmVuZG9iagoxNjAgMCBvYmoKWzggL1hZWiA0Ny41 MTk5OTk5ICAKMzAxLjAzOTk5OSAgMF0KZW5kb2JqCjE2MSAwIG9iagpbOCAvWFlaIDQ3LjUxOTk5 OTkgIAoxNjUuNjc5OTk5ICAwXQplbmRvYmoKMTYyIDAgb2JqCls4IC9YWVogNTAuMzk5OTk5OSAg CjQ5LjUxOTk5OTkgIDBdCmVuZG9iagoxNjMgMCBvYmoKWzggL1hZWiA0Ny41MTk5OTk5ICAKNzQ2 LjQ3OTk5OSAgMF0KZW5kb2JqCjE2NCAwIG9iagpbOCAvWFlaIDQ3LjUxOTk5OTkgIAoxMDkuOTk5 OTk5ICAwXQplbmRvYmoKMTY1IDAgb2JqCls4IC9YWVogNDcuNTE5OTk5OSAgCjcxNi43MTk5OTkg IDBdCmVuZG9iagoxNjYgMCBvYmoKWzggL1hZWiA0Ny41MTk5OTk5ICAKNjkwLjc5OTk5OSAgMF0K ZW5kb2JqCjE2NyAwIG9iagpbOCAvWFlaIDQ3LjUxOTk5OTkgIAo2MDEuNTE5OTk5ICAwXQplbmRv YmoKMTY4IDAgb2JqCls4IC9YWVogNDcuNTE5OTk5OSAgCjY2MC4wNzk5OTkgIDBdCmVuZG9iagox NjkgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAw ICA3MTIuODc5OTk5ICA1NDMuODQwMDAwICA3MjAuNTU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iagox NzAgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAw ICA2NTYuMjQwMDAwICA1NDMuODQwMDAwICA2NjMuOTE5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iagox NzEgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAw ICA1NjcuOTE5OTk5ICA1NDMuODQwMDAwICA1NzUuNTk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iagox NzIgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs1MjIuNzIwMDAw ICAzODYuNDc5OTk5ICA1NDMuODQwMDAwICAzOTQuMTU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzdG9jCj4+CmVuZG9iagox NzMgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsyNDIuNDAwMDAw ICAzNDIuMzE5OTk5ICAzODEuNjAwMDAwICAzNTIuODc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9E ZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzSSMyZEQuaWV0ZiMyZGh0 dHBiaXMjMmRwNyMyZGF1dGgKPj4KZW5kb2JqCjE3NCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDI5Ny4xOTk5OTkgIDU0My44NDAwMDAgIDMw NC44Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0 bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJl ci5odG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjE3NSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDE2MS44Mzk5OTkgIDU0My44NDAwMDAgIDE2 OS41MTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0 bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJl ci5odG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjE3NiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDEwNi4xNTk5OTkgIDU0My44NDAwMDAgIDEx My44Mzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0 bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJl ci5odG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjE3NyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzEwOC45NTk5OTkgIDYzLjkxOTk5OTkgIDM1OC41NjAwMDAgIDcx LjU5OTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9V UkkgKGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtaHR0cGJpcy1wMS1tZXNz YWdpbmctMTcpCj4+Cj4+CmVuZG9iagoxNzggMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBl IC9MaW5rCi9SZWN0IFsyMDEuMTIwMDAwICA1NC4zMTk5OTk5ICAyMTcuNDM5OTk5ICA2MS45OTk5 OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJICho dHRwOi8vd3d3LmlldGYub3JnL2ludGVybmV0LWRyYWZ0cy9kcmFmdC1pZXRmLWh0dHBiaXMtcDEt bWVzc2FnaW5nLTE3LnR4dCkKPj4KPj4KZW5kb2JqCjE3OSAwIG9iago8PAovVHlwZSAvQW5ub3QK L1N1YnR5cGUgL0xpbmsKL1JlY3QgWzEwOC45NTk5OTkgIDI4LjM5OTk5OTkgIDI1MC4wNzk5OTkg IDM2LjA3OTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJ Ci9VUkkgKGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtaHR0cGJpcy1wNy1h dXRoLTE3KQo+Pgo+PgplbmRvYmoKMTgwIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAv TGluawovUmVjdCBbNDk0Ljg3OTk5OSAgMjguMzk5OTk5OSAgNTExLjE5OTk5OSAgMzYuMDc5OTk5 OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAoaHR0 cDovL3d3dy5pZXRmLm9yZy9pbnRlcm5ldC1kcmFmdHMvZHJhZnQtaWV0Zi1odHRwYmlzLXA3LWF1 dGgtMTcudHh0KQo+Pgo+PgplbmRvYmoKMTUzIDAgb2JqCjw8Ci9UeXBlIC9QYWdlCi9QYXJlbnQg MiAwIFIKL0NvbnRlbnRzIDE4MSAwIFIKL1Jlc291cmNlcyAxODMgMCBSCi9Bbm5vdHMgMTg0IDAg UgovTWVkaWFCb3ggWzAgMCA1OTUgODQyXQo+PgplbmRvYmoKMTgzIDAgb2JqCjw8Ci9Db2xvclNw YWNlIDw8Ci9QQ1NwIDQgMCBSCi9DU3AgL0RldmljZVJHQgovQ1NwZyAvRGV2aWNlR3JheQo+Pgov RXh0R1N0YXRlIDw8Ci9HU2EgMyAwIFIKPj4KL1BhdHRlcm4gPDwKPj4KL0ZvbnQgPDwKL0Y2IDYg MCBSCi9GOSA5IDAgUgovRjggOCAwIFIKL0YzMCAzMCAwIFIKPj4KL1hPYmplY3QgPDwKPj4KPj4K ZW5kb2JqCjE4NCAwIG9iagpbIDE2OSAwIFIgMTcwIDAgUiAxNzEgMCBSIDE3MiAwIFIgMTczIDAg UiAxNzQgMCBSIDE3NSAwIFIgMTc2IDAgUiAxNzcgMCBSIDE3OCAwIFIgMTc5IDAgUiAxODAgMCBS IF0KZW5kb2JqCjE4MSAwIG9iago8PAovTGVuZ3RoIDE4MiAwIFIKL0ZpbHRlciAvRmxhdGVEZWNv ZGUKPj4Kc3RyZWFtCnic7V1Lb+S4Eb73r9A5wHj4kkQCQYCxZxwghwCDMZDDIodgNptg0V7E2UP+ ftiSWk3WJ6okNmV3e9rGru0aqVjvFyn1xz9/+0f1r9+rjw/f/lN9H34+fNuJO1G7/qsS/vtDCFD2 Titx+Kqs1HdN20G/P+9eqpfd191X//+XnWy6G4cf/h+PS4ju+/fvv+0+9ovvesi3h7/63/5Xqeov /r9fq5/+7oE/D/gOFzzvrGs8HUJI7f/ch39KLYy+80RJDxf0z8PF/9797Q/VbwfC1J3tiJc9geGf H6QwsvYs+b/OIfnldKvHpZ2SdWOTv4eItR7oMZ4JVx94EMqzrk3t7/BfdSWNsAe2PdzLoJHmznjq FYWrthOACvHsE/gP4vkloNnp4Sv5e0RzSJsSHf6O5mAto3V3DaUthge8jHj2CfyU5kJyTtCcoiGl ly3kPK3r5xi+SM7TtpGypUJyVlq5jgYd27PSRh2W9fCIBgIfaQ7w7BP4i9mz0nUvHx3bhtJNLx+g LYIHvIx49gn8G8k5QXOKhpRetpDztK6fY/giOU/bRsqWCslZ2x69F1Vkz9r25PhfIxoIfKQ5wLNP 4C9mz9qaLmX2NIdr1f3vQFsED3gZ8ewT+DeSc4LmFA0pvWwh52ldP8fwRXKeto2ULRWSc2N1Fwek iO25sabzNSliGgh8pDnAs0/gL2bPjW26XNzTHK7VdvkOaYvgAS8jnn0C/0ZyTtCcoiGlly3kPK3r 5xi+SM7TtpGypUJytr5J6XCS+tkO10hS8xD4SHOAZ5/AX8ye7fC7JLWoF5sdyCS0RfCAlxHPPoF/ IzknaE7RkNLLFnKe1vVzDF8k52nbSNlSqT5F1G2PlPSDora9QEkNH8NPNf8Jzz6Bv1w/KGrXC470 VqKR8tigR7RF8JCXI559Av9Gck7QnKIhpZct5Dyt67gfXCbnadtI2VIpOcta9OsSe5b14FSEhhh+ ovmEZ5/AX86eZa0nbUPWZtLXYnjIiz754CT+jeScoDlFQ0ovW8h5WtfPBL5EztO2kbKlmObjmNPB 0G/V7LAxPnOpuq2UrWRd/feffpGv3WgwYwApu++Qlh6SGEC+zNx4/7T7+Nh4h66efql6Cj70P556 oj9Y5W3p6efqjwea/lQ9/bo7jFsHgOoA7QmgO4A9AQy9osfx5WlgfxtJay2uUNLayKuTtDHNFUra eE+8Nkk3Vl2hpBunr07SrbNXKGkr3NVJ2rXmCiXtbH1tknbCXGHt4XyfsZGkMzdzX2Zu7PhxldRT /PgWy1uONC4mP6C2pYBPFPCFveWxA9QzIqg7gDkBHlgc9Ulq+ey3LmJf9aqQeoYZoB0AVEJKsBKi /Eu4BQQCYtfUFHnSQewuVw8B6b0MHXWJOUotJQxuAUrhFqD0MwUAc0AHb8qA9J7KA5CCORh6BdxC kcoHTnNLLBc8l9qDBLGDtjNsCpblkZbw7do37lFoA01RwqSmvLDql59KRKE+CDfmqEtLPQgkRo0d nQ70sj4qK01Vyfs6XQUDGdjHekoVJNktmEPDBeeHeMHnMbBCPuOyIRdFCMtC7IMQA6rM9tvZqARO x4Y2FDsv1BIBxOg2csuMykc2FADaBqTAC0UK+WOBCHkfo/k0JxfQZc2gfjFC9D25R39iyylgBtIl GAjcstTrigTy9phyMPi9TiAH9vkKDFYBibGVIJjhlvnjPEUpIyJFvVIOgvAIlSAVMrYO7zqPAR18 dIQr+NgHOMCSgRfoNiB9Fiidh2JyRpWqpgYDeZ3vJPm+gCedVyUbPzKq7VRuOLNRcCYOBkvlUSRZ uLG8oLUC368tCFu8Z2dkU5bSjIlHkVohJxiCofIhBmol3pTXj8AmameqKhQzRKFEZbwqPrAyBByY 2HikfMFRpKhXIvY6Pjuw8RK5za4/7Zz6+WkdW14uwZqR2S+k4NykoBhiSolgr8a9sFeq/NZPb7cs 9M4UoasjEWLFxZcLm3S9bIrllY31JW+n4FH8ADxRcMY7T3f9U5P+K/l7tC+14Hp+12rlop2hdNuG U81d52qnJvxxOgZAhzADGCayUAJJebqkpRC8BvFquKTX4qkjhhZZ2mkDDFK6I7fgHmRvGs1MFWCp vdFVFlNK3b64rnWtFutaJjLCGmsYHFyqOVW3VAcgUEWvgHUAq6SKBACoGswF7QfWhakMqBqCICyb mGPNrDI0t1BXzdkxONQ9KILeoxqKFfwHJAS629B/3uQcgPcg70eWHIqa25DlCzp+EAN9JJufcVl+ U/d1citwyxYOWOFlFMklzlqUKPjZgwNQBPFVEcYQdlaBMuUHAGAfAMg4A/I68zB2FWyReJ97zf2W GRxDjgkGQpLui2O1zq8Ly8Bm++vYA0TYcvZwXp/VCCYXLLapM8eyHRnueNIOpoHbxFN2xvCOeyYz PlJRoo4uUmknzpKtKQk1dL1YrEP1CqZECz6+pYJ1b33EhfURb1JpN52nOXIoPiO6zqVfSAww1OSP C2pRIIj3c89apo+2lduNPDPtdYQqF1s3dIlzcz/2GGdOX5Gx2bBhaRF02nAFf6oALBnY50tNdkOL LxQWNKLrZ6kLCloalxaYeobflugRS/q+Ofq+/EyX5Q/2wRVwPqic79ej7/fiCDoPdCkI26BcttHI 6V5KnEd/m3mIprl/waH/BXuiYA9gZFD+UesvaezttSQ6O+5EwmYBf0SVn7rwJUrG8xtss5YzdGKD Y0HzaMRoHvQgF6ZTGmHUl1LKb+RR+eiU73okCwUJuw8LMXpJAmYN922DVKOPVmi+kFUAkDPZy9gZ uBTF4Kk0qgcThOB3Nv5px+i0YMvcsVfww50iww5+YMDuxOE0ZIvdcNyrFLTMxCkMy+5wDB1PCc7M ZW6bpGdMpFtNnrK/bZKekZFvm6Qxt5e6Sfoj9KpnHiwWOo4OYFKb9LsXs1t7m25MVR1FtF1gH7Wt R0ovZB91QRMA5sCnMXZeWPCBmHNfPaIjvRQZOmpJ7RIeQKZ1Olyx4KnNjEE222mpxIN8Z0blRsZS fr+791aNTBZo326799T5bu0rcdhN29e325u39fF1l7eaZruaZmZd9QiZ8G2PL1hvF8O6l72rY+1o upCiS2y1b/EY+I8+AWGFrOFFE/SWkqbujqZ+2xvg2J3dGzjPkZ08OvJEMOSf0Fz/kjbckYJVwAtf 5XTTlhthTjVJ9gsfTXlnvYYbw4RO9IKrnq7k9yOGvg2MbU2Nj88nLj30uvUTjE40brE8MzqziWdT obaj4sPKPKOtkImq47zNqQswhq06k9R7h5XzViLFMSvodjrkBxsHdIozNLQQ0GEzJlA4pA1HllVU 4ateljDPrDw+gDIE5xkykC76phjtKA5gtqYOQCUISIcsCm9kKMG9Ou4jSPBdUAuQjgCYHEK1S+WB VRUF6OngmMzEk9xKHytDyx4sCjw3eEaipYoy9AoeB0Q7Ma19OGZ9AgyDdHgyCHxwBkedODgXkH4/ XWRDjA1uMdQbeF4oIIMXI2hKoYSBkIdCfUaVr0O6goFphtFRqaMqwehYwiQN2kX08okzGN5f0CyB 28fp1DCnSkpYBreAAwmDKxJT2lWKoqkgxwoTz5nOyBT1wt8C0YHWAQtECN7AMjfsBdRldQuAxAmL s5zQ0KdlMkhHSkFzkLTWRzo+R6EqwfdZbxgq5ZlIt/aVWXOVwVgG6gAp/RCSQ7ktsdyWoq48BnNX dz3Z4ZXOIgTsd98Wfa7J1HJMx51GNlv8HSgOmR4mV7ClAjP4oAhtaJ0GIYAGK2wF6BVDEoG9vcAH aHUMNaeAtg3qePg0FUqH/szSAWOYxLmCmdKf5zZ1AmLuuA8U1IADQgAICKp0dtkM5lBziYc14GgC PM/g0tyW6FpQhEAH9QbeLIGOxb3R1puWkyHjENOikEGTkYYQD9kJDA9CBp9paUUIdQVfVGNVSVdB pDQ78Q3TEO3gXPJcv8gWTYBUUwDcctyVEDMCAdUBgCoGmqyc5hdKQmAG7AGKExqpJaQyqM2o1WGl AZabYK5I6THOYEC56B9sr4u3rFe2XN9T4RsWoL4D/6C8oH/wXQbQ4SjSe85hAJCysTUloVKHklA1 Y0moTBsCLq8kPFAcGSMt+EyiRnyTbHQQZzS+BJ9e84lJ8zNS8yONw+uLH4dDs1myDTRtLOPbgHhx vXMbEJ9N+m1ATEi/DYjXKuo2IJ5n7jYgZui4DYinK4PxtT3ZA+JGnLoB60LA5XUDw4C4Jp9Y/KMO iMF++QGxTBx9mimooeTGVgBCMz+6pf6M8sge/75N62ddbJq3QeQ8Ya8ziIRRHd4CZRXPC1RAVz8y nCHsNv/j6r2rmf81wsYZv+m2hC844x8oDsPqZc//Gh0XZbPzvzcT9PSHwrYuflI+0dXAaXBmPS+R xII2XlDILPxJfrrPtQz4GZ4wh08oggIj0Ba8Opn6ceK1dNlC0breUii6++Tf4IFwuk8NDCLHvQWH n1TpKAQFOf00e76YnN5UTM5G6Cd4vi/LkJHtlgwZFb8GA59vZg0BTCU8AO2/qxdPqGy6FYcf359z A/DX6uvu//lI2fBlbmRzdHJlYW0KZW5kb2JqCjE4MiAwIG9iagozNDE4CmVuZG9iagoxODYgMCBv YmoKWzkgL1hZWiA0Ny41MTk5OTk5ICAKNDY5Ljk5OTk5OSAgMF0KZW5kb2JqCjE4NyAwIG9iagpb OSAvWFlaIDUwLjM5OTk5OTkgIAo3NTguOTU5OTk5ICAwXQplbmRvYmoKMTg4IDAgb2JqCls5IC9Y WVogNTAuMzk5OTk5OSAgCjY4Mi4xNTk5OTkgIDBdCmVuZG9iagoxODkgMCBvYmoKWzkgL1hZWiA0 Ny41MTk5OTk5ICAKMjQ0LjM5OTk5OSAgMF0KZW5kb2JqCjE5MCAwIG9iagpbOSAvWFlaIDUwLjM5 OTk5OTkgIAo3ODAuMDc5OTk5ICAwXQplbmRvYmoKMTkxIDAgb2JqCls5IC9YWVogNTAuMzk5OTk5 OSAgCjY1MS40Mzk5OTkgIDBdCmVuZG9iagoxOTIgMCBvYmoKWzkgL1hZWiA1MC4zOTk5OTk5ICAK ODAyLjE1OTk5OSAgMF0KZW5kb2JqCjE5MyAwIG9iagpbOSAvWFlaIDUwLjM5OTk5OTkgIAo3MjUu MzU5OTk5ICAwXQplbmRvYmoKMTk0IDAgb2JqCls5IC9YWVogNTAuMzk5OTk5OSAgCjU0MS4wMzk5 OTkgIDBdCmVuZG9iagoxOTUgMCBvYmoKWzkgL1hZWiA1MC4zOTk5OTk5ICAKNzAzLjI3OTk5OSAg MF0KZW5kb2JqCjE5NiAwIG9iagpbOSAvWFlaIDUwLjM5OTk5OTkgIAo1MTkuOTE5OTk5ICAwXQpl bmRvYmoKMTk3IDAgb2JqCls5IC9YWVogNDcuNTE5OTk5OSAgCjQ5OS43NTk5OTkgIDBdCmVuZG9i agoxOTggMCBvYmoKWzkgL1hZWiA0Ny41MTk5OTk5ICAKMjc0LjE1OTk5OSAgMF0KZW5kb2JqCjE5 OSAwIG9iagpbOSAvWFlaIDQ3LjUxOTk5OTkgIAo2MjEuNjc5OTk5ICAwXQplbmRvYmoKMjAwIDAg b2JqCls5IC9YWVogNTAuMzk5OTk5OSAgCjc0Ni40Nzk5OTkgIDBdCmVuZG9iagoyMDEgMCBvYmoK WzkgL1hZWiA1MC4zOTk5OTk5ICAKNTYzLjEyMDAwMCAgMF0KZW5kb2JqCjIwMiAwIG9iagpbOSAv WFlaIDQ3LjUxOTk5OTkgIAo1OTEuOTE5OTk5ICAwXQplbmRvYmoKMjAzIDAgb2JqCjw8Ci9UeXBl IC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNTIyLjcyMDAwMCAgNTg4LjA3OTk5OSAgNTQz Ljg0MDAwMCAgNTk1Ljc1OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMy ZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMy ZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3RvYwo+PgplbmRvYmoKMjA0IDAgb2JqCjw8Ci9UeXBl IC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNTIyLjcyMDAwMCAgNDY2LjE1OTk5OSAgNTQz Ljg0MDAwMCAgNDczLjgzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMy ZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMy ZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3RvYwo+PgplbmRvYmoKMjA1IDAgb2JqCjw8Ci9UeXBl IC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbNTIyLjcyMDAwMCAgMjQwLjU1OTk5OSAgNTQz Ljg0MDAwMCAgMjQ4LjIzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMy ZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMy ZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3RvYwo+PgplbmRvYmoKMjA2IDAgb2JqCjw8Ci9UeXBl IC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMjkxLjM2MDAwMCAgNzk0LjQ3OTk5OSAgNDUy LjYzOTk5OSAgODAyLjE1OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9u Ci9TIC9VUkkKL1VSSSAoaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0Zi1vYXV0 aC12Mi0yMikKPj4KPj4KZW5kb2JqCjIwNyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzI1NS44NDAwMDAgIDc4NC44Nzk5OTkgIDI3Mi4xNjAwMDAgIDc5Mi41NTk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0 dHA6Ly93d3cuaWV0Zi5vcmcvaW50ZXJuZXQtZHJhZnRzL2RyYWZ0LWlldGYtb2F1dGgtdjItMjIu dHh0KQo+Pgo+PgplbmRvYmoKMjA4IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGlu awovUmVjdCBbMjc3LjkyMDAwMCAgNzg0Ljg3OTk5OSAgMjkzLjI4MDAwMCAgNzkyLjU1OTk5OSBd Ci9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAoaHR0cDov L3d3dy5pZXRmLm9yZy9pbnRlcm5ldC1kcmFmdHMvZHJhZnQtaWV0Zi1vYXV0aC12Mi0yMi5wZGYp Cj4+Cj4+CmVuZG9iagoyMDkgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9S ZWN0IFsxMDUuMTIwMDAwICA3NzIuMzk5OTk5ICAxNTMuMTIwMDAwICA3ODAuMDc5OTk5IF0KL0Jv cmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChtYWlsdG86c29i QGhhcnZhcmQuZWR1KQo+Pgo+PgplbmRvYmoKMjEwIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3Vi dHlwZSAvTGluawovUmVjdCBbMTYxLjc1OTk5OSAgNzcyLjM5OTk5OSAgNDA4LjQ4MDAwMCAgNzgw LjA3OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VS SSAoaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvcmZjMjExOSkKPj4KPj4KZW5kb2JqCjIxMSAw IG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzEwOCAgNzYzLjc1OTk5 OSAgMTI0LjMxOTk5OSAgNzcxLjQzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAv QWN0aW9uCi9TIC9VUkkKL1VSSSAoaHR0cDovL3d3dy5yZmMtZWRpdG9yLm9yZy9yZmMvcmZjMjEx OS50eHQpCj4+Cj4+CmVuZG9iagoyMTIgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9M aW5rCi9SZWN0IFsxMjkuMTIwMDAwICA3NjMuNzU5OTk5ICAxNTIuMTU5OTk5ICA3NzEuNDM5OTk5 IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRw Oi8veG1sLnJlc291cmNlLm9yZy9wdWJsaWMvcmZjL2h0bWwvcmZjMjExOS5odG1sKQo+Pgo+Pgpl bmRvYmoKMjEzIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTU2 Ljk2MDAwMCAgNzYzLjc1OTk5OSAgMTc0LjI0MDAwMCAgNzcxLjQzOTk5OSBdCi9Cb3JkZXIgWzAg MCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAoaHR0cDovL3htbC5yZXNvdXJj ZS5vcmcvcHVibGljL3JmYy94bWwvcmZjMjExOS54bWwpCj4+Cj4+CmVuZG9iagoyMTQgMCBvYmoK PDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsxMDUuMTIwMDAwICA3NTEuMjc5 OTk5ICAxNDYuNDAwMDAwICA3NTguOTU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBl IC9BY3Rpb24KL1MgL1VSSQovVVJJIChtYWlsdG86dGRpZXJrc0BjZXJ0aWNvbS5jb20pCj4+Cj4+ CmVuZG9iagoyMTUgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsx NjQuNjM5OTk5ICA3NTEuMjc5OTk5ICAxOTcuMjc5OTk5ICA3NTguOTU5OTk5IF0KL0JvcmRlciBb MCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChtYWlsdG86Y2FsbGVuQGNl cnRpY29tLmNvbSkKPj4KPj4KZW5kb2JqCjIxNiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzIwNS45MTk5OTkgIDc1MS4yNzk5OTkgIDMyOS43NTk5OTkgIDc1OC45 NTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkg KGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzIyNDYpCj4+Cj4+CmVuZG9iagoyMTcgMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs0MzUuMzYwMDAwICA3NTEu Mjc5OTk5ICA0NTEuNjgwMDAwICA3NTguOTU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9U eXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9y ZmMyMjQ2LnR4dCkKPj4KPj4KZW5kb2JqCjIxOCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzEwNS4xMjAwMDAgIDczOC43OTk5OTkgIDE3MC40MDAwMDAgIDc0Ni40 Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkg KG1haWx0bzp0aW1ibEB3My5vcmcpCj4+Cj4+CmVuZG9iagoyMTkgMCBvYmoKPDwKL1R5cGUgL0Fu bm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsxNzUuMTk5OTk5ICA3MzguNzk5OTk5ICAyMjIuMjM5 OTk5ICA3NDYuNDc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1Mg L1VSSQovVVJJIChtYWlsdG86ZmllbGRpbmdAZ2Jpdi5jb20pCj4+Cj4+CmVuZG9iagoyMjAgMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsyNDMuMzU5OTk5ICA3Mzgu Nzk5OTk5ICAyOTAuMzk5OTk5ICA3NDYuNDc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9U eXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChtYWlsdG86TE1NQGFjbS5vcmcpCj4+Cj4+CmVuZG9i agoyMjEgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFszMDAgIDcz OC43OTk5OTkgIDUxNS4wMzk5OTkgIDc0Ni40Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwK L1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3Jm YzM5ODYpCj4+Cj4+CmVuZG9iagoyMjIgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9M aW5rCi9SZWN0IFsyMzEuODQwMDAwICA3MjkuMTk5OTk5ICAyNDguMTU5OTk5ICA3MzYuODc5OTk5 IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRw Oi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmMzOTg2LnR4dCkKPj4KPj4KZW5kb2JqCjIyMyAw IG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzI1My45MTk5OTkgIDcy OS4xOTk5OTkgIDI3Ni45NTk5OTkgIDczNi44Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwK L1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1Ymxp Yy9yZmMvaHRtbC9yZmMzOTg2Lmh0bWwpCj4+Cj4+CmVuZG9iagoyMjQgMCBvYmoKPDwKL1R5cGUg L0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsyODEuNzU5OTk5ICA3MjkuMTk5OTk5ICAyOTku MDM5OTk5ICA3MzYuODc5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24K L1MgL1VSSQovVVJJIChodHRwOi8veG1sLnJlc291cmNlLm9yZy9wdWJsaWMvcmZjL3htbC9yZmMz OTg2LnhtbCkKPj4KPj4KZW5kb2JqCjIyNSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzIwOS43NTk5OTkgIDcxNy42Nzk5OTkgIDQxNy4xMjAwMDAgIDcyNS4zNTk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0 dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzUyMzQpCj4+Cj4+CmVuZG9iagoyMjYgMCBvYmoK PDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsxNTguODc5OTk5ICA3MDguMDc5 OTk5ICAxNzUuMTk5OTk5ICA3MTUuNzU5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBl IC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmM1 MjM0LnR4dCkKPj4KPj4KZW5kb2JqCjIyNyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzIwNi44Nzk5OTkgIDY5NS41OTk5OTkgIDQ0OC43OTk5OTkgIDcwMy4yNzk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0 dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzUyNDYpCj4+Cj4+CmVuZG9iagoyMjggMCBvYmoK PDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFsxNTYuOTYwMDAwICA2ODYuOTU5 OTk5ICAxNzMuMjgwMDAwICA2OTQuNjM5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBl IC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmM1 MjQ2LnR4dCkKPj4KPj4KZW5kb2JqCjIyOSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzEwNS4xMjAwMDAgIDY1Ni4yNDAwMDAgIDUyMy42ODAwMDAgIDY4Mi4xNTk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0 dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzYxMjUpCj4+Cj4+CmVuZG9iagoyMzAgMCBvYmoK PDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFszMzcuNDM5OTk5ICA2NTYuMjQw MDAwICAzNTMuNzU5OTk5ICA2NjMuOTE5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBl IC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9yZmM2 MTI1LnR4dCkKPj4KPj4KZW5kb2JqCjIzMSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzI0Mi40MDAwMDAgIDYzOC45NTk5OTkgIDM0NC4xNTk5OTkgIDY0Ni42Mzk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0 dHA6Ly93d3cudzMub3JnL1RSLzE5OTkvUkVDLWh0bWw0MDEtMTk5OTEyMjQpCj4+Cj4+CmVuZG9i agoyMzIgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFszMzMuNTk5 OTk5ICA2MjkuMzU5OTk5ICAzNTYuNjM5OTk5ICA2MzcuMDM5OTk5IF0KL0JvcmRlciBbMCAwIDBd Ci9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnczLm9yZy9UUi8x OTk5L1JFQy1odG1sNDAxLTE5OTkxMjI0KQo+Pgo+PgplbmRvYmoKMjMzIDAgb2JqCjw8Ci9UeXBl IC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbOTguMzk5OTk5OSAgNTQ2Ljc5OTk5OSAgNTAx LjU5OTk5OSAgNTYzLjEyMDAwMCBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9u Ci9TIC9VUkkKL1VSSSAoaHR0cDovL2NzcmMubmlzdC5nb3YvcHVibGljYXRpb25zL1B1YnNEcmFm dHMuaHRtbCNTUC04MDAtNjMtUmV2LiAxKQo+Pgo+PgplbmRvYmoKMjM0IDAgb2JqCjw8Ci9UeXBl IC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbOTguMzk5OTk5OSAgNTMzLjM2MDAwMCAgMTQ1 LjQzOTk5OSAgNTQxLjAzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9u Ci9TIC9VUkkKL1VSSSAobWFpbHRvOmZpZWxkaW5nQGljcy51Y2kuZWR1KQo+Pgo+PgplbmRvYmoK MjM1IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTUxLjE5OTk5 OSAgNTMzLjM2MDAwMCAgMTkwLjU2MDAwMCAgNTQxLjAzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQov QSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAobWFpbHRvOmpnQHczLm9yZykKPj4KPj4K ZW5kb2JqCjIzNiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzE5 NS4zNTk5OTkgIDUzMy4zNjAwMDAgIDIzMC44Nzk5OTkgIDU0MS4wMzk5OTkgXQovQm9yZGVyIFsw IDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1haWx0bzptb2d1bEB3cmwu ZGVjLmNvbSkKPj4KPj4KZW5kb2JqCjIzNyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzIzNS42ODAwMDAgIDUzMy4zNjAwMDAgIDI4Mi43MjAwMDAgIDU0MS4wMzk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1h aWx0bzpmcnlzdHlrQHczLm9yZykKPj4KPj4KZW5kb2JqCjIzOCAwIG9iago8PAovVHlwZSAvQW5u b3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzI4OC40ODAwMDAgIDUzMy4zNjAwMDAgIDMzOC40MDAw MDAgIDU0MS4wMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAv VVJJCi9VUkkgKG1haWx0bzptYXNpbnRlckBwYXJjLnhlcm94LmNvbSkKPj4KPj4KZW5kb2JqCjIz OSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzM0My4xOTk5OTkg IDUzMy4zNjAwMDAgIDM4MS41OTk5OTkgIDU0MS4wMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Eg PDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1haWx0bzpwYXVsbGVAbWljcm9zb2Z0LmNv bSkKPj4KPj4KZW5kb2JqCjI0MCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsK L1JlY3QgWzQwMy42ODAwMDAgIDUzMy4zNjAwMDAgIDQ2Ni4wNzk5OTkgIDU0MS4wMzk5OTkgXQov Qm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1haWx0bzp0 aW1ibEB3My5vcmcpCj4+Cj4+CmVuZG9iagoyNDEgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0 eXBlIC9MaW5rCi9SZWN0IFs5OC4zOTk5OTk5ICA1MjQuNzE5OTk5ICA1MTguODc5OTk5ICA1NDEu MDM5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJ IChodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9yZmMyNjE2KQo+Pgo+PgplbmRvYmoKMjQyIDAg b2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMzE2LjMxOTk5OSAgNTI0 LjcxOTk5OSAgMzMyLjYzOTk5OSAgNTMyLjM5OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAov VHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAoaHR0cDovL3d3dy5yZmMtZWRpdG9yLm9yZy9yZmMv cmZjMjYxNi50eHQpCj4+Cj4+CmVuZG9iagoyNDMgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0 eXBlIC9MaW5rCi9SZWN0IFszMzcuNDM5OTk5ICA1MjQuNzE5OTk5ICAzNDggIDUzMi4zOTk5OTkg XQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0dHA6 Ly93d3cucmZjLWVkaXRvci5vcmcvcmZjL3JmYzI2MTYucHMpCj4+Cj4+CmVuZG9iagoyNDQgMCBv YmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFszNTIuODAwMDAwICA1MjQu NzE5OTk5ICAzNjguMTYwMDAwICA1MzIuMzk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8Ci9U eXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9y ZmMyNjE2LnBkZikKPj4KPj4KZW5kb2JqCjI0NSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzM3My45MTk5OTkgIDUyNC43MTk5OTkgIDM5Ni45NTk5OTkgIDUzMi4z OTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkg KGh0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvaHRtbC9yZmMyNjE2Lmh0bWwpCj4+ Cj4+CmVuZG9iagoyNDYgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0 IFs0MDAuODAwMDAwICA1MjQuNzE5OTk5ICA0MTguMDgwMDAwICA1MzIuMzk5OTk5IF0KL0JvcmRl ciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8veG1sLnJl c291cmNlLm9yZy9wdWJsaWMvcmZjL3htbC9yZmMyNjE2LnhtbCkKPj4KPj4KZW5kb2JqCjI0NyAw IG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzk4LjM5OTk5OTkgIDUx Mi4yNDAwMDAgIDEzNy43NTk5OTkgIDUxOS45MTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwK L1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1haWx0bzpqb2huQG1hdGgubnd1LmVkdSkKPj4K Pj4KZW5kb2JqCjI0OCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3Qg WzE0My41MTk5OTkgIDUxMi4yNDAwMDAgIDIxNS41MTk5OTkgIDUxOS45MTk5OTkgXQovQm9yZGVy IFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1haWx0bzpwYmFrZXJA dmVyaXNpZ24uY29tKQo+Pgo+PgplbmRvYmoKMjQ5IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3Vi dHlwZSAvTGluawovUmVjdCBbMjIwLjMxOTk5OSAgNTEyLjI0MDAwMCAgMjcxLjE5OTk5OSAgNTE5 LjkxOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VS SSAobWFpbHRvOmplZmZAQWJpU291cmNlLmNvbSkKPj4KPj4KZW5kb2JqCjI1MCAwIG9iago8PAov VHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzI3NiAgNTEyLjI0MDAwMCAgMzMwLjcy MDAwMCAgNTE5LjkxOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9T IC9VUkkKL1VSSSAobWFpbHRvOmxhd3JlbmNlQGFncmFuYXQuY29tKQo+Pgo+PgplbmRvYmoKMjUx IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMzM1LjUxOTk5OSAg NTEyLjI0MDAwMCAgMzczLjkxOTk5OSAgNTE5LjkxOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8 PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAobWFpbHRvOnBhdWxsZUBtaWNyb3NvZnQuY29t KQo+Pgo+PgplbmRvYmoKMjUyIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawov UmVjdCBbNDQ3LjgzOTk5OSAgNTEyLjI0MDAwMCAgNDkyICA1MTkuOTE5OTk5IF0KL0JvcmRlciBb MCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChtYWlsdG86c3Rld2FydEBP cGVuTWFya2V0LmNvbSkKPj4KPj4KZW5kb2JqCjI1MyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzk4LjM5OTk5OTkgIDUwMy41OTk5OTkgIDUyMi43MjAwMDAgIDUx OS45MTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9V UkkgKGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzI2MTcpCj4+Cj4+CmVuZG9iagoyNTQg MCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFs0MzIuNDc5OTk5ICA1 MDIuNjM5OTk5ICA0NDguNzk5OTk5ICA1MTAuMzE5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9BIDw8 Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3Jm Yy9yZmMyNjE3LnR4dCkKPj4KPj4KZW5kb2JqCjI1NSAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1 YnR5cGUgL0xpbmsKL1JlY3QgWzQ1NC41NjAwMDAgIDUwMi42Mzk5OTkgIDQ3Ny42MDAwMDAgIDUx MC4zMTk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9V UkkgKGh0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvaHRtbC9yZmMyNjE3Lmh0bWwp Cj4+Cj4+CmVuZG9iagoyNTYgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9S ZWN0IFs0ODEuNDM5OTk5ICA1MDIuNjM5OTk5ICA0OTguNzIwMDAwICA1MTAuMzE5OTk5IF0KL0Jv cmRlciBbMCAwIDBdCi9BIDw8Ci9UeXBlIC9BY3Rpb24KL1MgL1VSSQovVVJJIChodHRwOi8veG1s LnJlc291cmNlLm9yZy9wdWJsaWMvcmZjL3htbC9yZmMyNjE3LnhtbCkKPj4KPj4KZW5kb2JqCjE4 NSAwIG9iago8PAovVHlwZSAvUGFnZQovUGFyZW50IDIgMCBSCi9Db250ZW50cyAyNTcgMCBSCi9S ZXNvdXJjZXMgMjU5IDAgUgovQW5ub3RzIDI2MCAwIFIKL01lZGlhQm94IFswIDAgNTk1IDg0Ml0K Pj4KZW5kb2JqCjI1OSAwIG9iago8PAovQ29sb3JTcGFjZSA8PAovUENTcCA0IDAgUgovQ1NwIC9E ZXZpY2VSR0IKL0NTcGcgL0RldmljZUdyYXkKPj4KL0V4dEdTdGF0ZSA8PAovR1NhIDMgMCBSCj4+ Ci9QYXR0ZXJuIDw8Cj4+Ci9Gb250IDw8Ci9GNiA2IDAgUgovRjkgOSAwIFIKL0Y4IDggMCBSCi9G NzIgNzIgMCBSCj4+Ci9YT2JqZWN0IDw8Cj4+Cj4+CmVuZG9iagoyNjAgMCBvYmoKWyAyMDMgMCBS IDIwNCAwIFIgMjA1IDAgUiAyMDYgMCBSIDIwNyAwIFIgMjA4IDAgUiAyMDkgMCBSIDIxMCAwIFIg MjExIDAgUiAyMTIgMCBSIDIxMyAwIFIgMjE0IDAgUiAyMTUgMCBSIDIxNiAwIFIgMjE3IDAgUiAy MTggMCBSIDIxOSAwIFIgMjIwIDAgUiAyMjEgMCBSIDIyMiAwIFIgMjIzIDAgUiAyMjQgMCBSIDIy NSAwIFIgMjI2IDAgUiAyMjcgMCBSIDIyOCAwIFIgMjI5IDAgUiAyMzAgMCBSIDIzMSAwIFIgMjMy IDAgUiAyMzMgMCBSIDIzNCAwIFIgMjM1IDAgUiAyMzYgMCBSIDIzNyAwIFIgMjM4IDAgUiAyMzkg MCBSIDI0MCAwIFIgMjQxIDAgUiAyNDIgMCBSIDI0MyAwIFIgMjQ0IDAgUiAyNDUgMCBSIDI0NiAw IFIgMjQ3IDAgUiAyNDggMCBSIDI0OSAwIFIgMjUwIDAgUiAyNTEgMCBSIDI1MiAwIFIgMjUzIDAg UiAyNTQgMCBSIDI1NSAwIFIgMjU2IDAgUiBdCmVuZG9iagoyNTcgMCBvYmoKPDwKL0xlbmd0aCAy NTggMCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp4nO1dXa/cuJF9v7+inwOMR/yQ WgIWAWyPvcA+LGDYwD4EeQicTYLADtabh/z9iJJaIus0dSg21a2eOzZm3Je3RRWLxfqu4s//+flP p7/+8/Tz+8//d/o6/fv+80v1pqq78c+p6v/+5A/o9o3RlftzapV505yH0a/fX36cfrx8evnU///H i2qGB6d/+l9eXlENf//59R8vP48vfxlHPr//7/7Tv0769F/9f38//eGP/eCfp/ncF76/tF3Tw1FV yvQ/fvN/VKZq1Zum/9yPV/JH9+W/vfzP707/cIDpN+0AvBoB9H/8Samz6pp+RN0E8o/l0R4K02lV N230sz+xMRM89mRs0w6f637pxtZuPe4HY8e19R97HDTKvrE99FqO6/MbPY3P83yLzO/Q8xcP5s5M f6KfA5h92LoBnBFm7111NYADsIXj3lrmeb5F5pcwF8JzBOYYDLF92QPP1/f6ezCehufrtBGjpUJ4 ruvKuuNatSE917Vqhu+0IQxifIbZm+dbZP5i9FzXuhs+tyFt1LXVAw0AbMG4t5Z5nm+R+XfCcwTm GAyxfdkDz9f3+ns4noTn67QRo6VCeO50M77WhPTc6fYilgIYxPgMszfPt8j8xei5090w/wiz9y5T Dd8B2MJxby3zPN8i8++E5wjMMRhi+7IHnq/vdUDPiXi+ThsxWgphvqhpHSgtm3SfxvaYsabttb2T qk///7/9Sz4Nqk2GAqWGvz4s40hEgfqx8uC7Ly8/f2xOqjp9+ctphOCn8Z8vI9A/ddZ2py9/Pv2H g+n3py9/f3Hq4jSgh4HzMmCGgXYZsPIb4xwfvkzL3wfTdXd+Qkw3PT99Nky3nXpCTHeV3gnTmUbO j5UHV9eju345qqknUJSSsP0iB7phoJ4HlPyGaZflULi6CFyqN2d7wOoL7zBmmVRSoMOJQpwoJ2VU b5TWjnZ6zq/bzh/49vI5iaivvW59C1YmW90MB7G/aK0k6QBxyQHdyN34OAzY5ZFaztGwb9hKfkNS vX4rHkFCeivoBggJJjXv5Fp+YXCo98NAdwv9KjifLZuj+ii5wIdhoFnBB59DLr/yDtZefCJ2Ht3Z CUjTyM2ycj01w0kFpPlWfqOT33gnBjQQ7wiYXgbOclI5B7wFJ9V0DhhoJAVUcg6AVKIQ4ZCTaokx fER+Q/G1yG/ApIbCAbuv5NlVwNzeM/pQhtIY4PQXBhjgFMlSAqZhK+ERIDo4HnJAyTngiCFOzxKF rXwL7K1cC5IlgB6RIB4cnZz0nRgAgoGBGMFskfhOAQ4kfmOqY0t8B7HPVkGe24gK8BAh4NDpQwsk q95uUP3WVdJWXSjlLGn6LJUPI9mTlUgDriiFLQp9KZ/1h+vns8RiOxOT+SUUcsDPxEe9t4DWWFCH n3dSwbaA9BpXq6qVEc6fUFyBdIIBEIoAGghFyp41aJZvr1PuyhygA+PygedTOYqaGDwixWbCaqUw ylgt7guIbwB9OxwoaihhJqAQNFO+t9ttWmNNL9BaPUu4urb+wPEknIPYZwIg4RLsL/CxSJdKCbMP bUnJFEGKmA90jhKAAQsAU1pKs0lB9SYtZ36urBacDwgpTApwwDciJ80jmAeqRO78+eT9yuxikBt7 WJsgesHemB4poq7MuhhaNXLgNyNXfGMPI9e8pxoQLA5oTD6CauWvyQ7W3blXCjo7awlGdf7A8bQE B3FgBx3aDnbo9KGNEfEmzU7XYs9sc+w9cxAHWAAjUqrV+pF71qMz4O77+S50NUetpO9CfbiOEuCh K7Y5BnDkgJHRGN+cT46eVadOq8WXphrjDxyPHkf5vSBfA56kNopaMcgaqfOicSInTQiWwVuax50L t60B1vYwW9XZhsRku+bgxHS2AVosmK1wTjtqDL6TxiC37CSpqFryC6Au6adMeAsY2GCTy9cmGOlg UFL7MYc7UnwkWJjwiPQwI+hwhAtEgDlOAUFIhR/lHOBOAEiBLcKkIz6UWgGVx8jlYqxhNIV+aviG lhjyNK97s1LH1FZZKfcFaIlG3ckdj0h/7y1gY4D1s93trCU5A2DcGuLGjwYjlEI6iVuPqXLfLXjM gc1QnCKkMLBFn1z3SWg9h1C2G4NqSKrVi8tY6cYfOKDsrWyw6GMbgw6dPrQljEFltNizRh98z3qI AyzQ1LUpOrYcXGseuImNLr+JTSs2sVMH38SmDbAA5+xYe9ajM+CNO1r05rynRQ8DGjIf5enJtuhN u9Cjix0uAwekx1H6LciHOC1P45DKramYBcENeEzDfaQBP0SgFiQVDKpvM/HbkLrcwTw2dZ3bEHFA OxDuouFdtEdgIGI5PSarV6sABbs4f/SgzHiUYbqD8x09KjMLZZTIWQAlVpq/6BY8VnzdxAGzVp4D yofRcVMgAYHXNkwpG48JQXR2/bRx/8Audjka6tJhYOVmJTCK7WIIcwWoKa8gnF7CcqeTZpjhtRHa V13rY3PB2lTrXPBQZrhDpw/tntZAbcKDcps1AME6GJCCoZw1UC/xZtU2/sDx6HGyBmbkQ3yPC52M cB7IKcimTvBjy4FnMzHaJsR8Ce9Ip0P604M1emT663SIBTja1BpFTYrHkYBk5QAnJuBKjyQmPdqr lJjubcDqVoUEOeRaH5kgHcQ+JoERcQMWHHoQpUzQ02noL8ZlH5QIZDbSX06efsjMXOnUwbmbkccy Ulu4wqoyMg8wspwT8wYShfdCEBw0AwjXc4sesgQgWaNAJTkidbvPE+31WnwDi2ZAZMjV2kbMwavz LbyFIihhcTTzgidgYe4O52mSUZoHhkIcd1nlaZNnoUgwem4WgpnZipEVhu/B+57haijgFLGQIwFe AZnL/cROEZ6oDgM2tfhhk87VOJuzabwWLa0/cDwx6SD2z8CxnSIOnT60JQw3PXjvvT0z2h58z0a/ 64KF58pNcPgtvYlm8Eb6m1ibY2+iMaHwOXZugkOnD+2e3sh4p4QMb6SW+aOYrCDdk5isUK55wLI4 FOG0gg3y/LC0jvcSKFD3vkuZO+SBJpS5S0iRHHjNG+hJIwXplYF9gspn13bTK4R3vV/0gQvhHcQ+ QfPScPD0FcnDxkd43BloraKUtEdZwp5229ry5Wux2x3gNFLTvcWu37OH3IrzJKPJXjJ9PCYyOPRY 0reU6O9i6YJBeSdLl4b/wRaOFRAUkfBzReYTG8ewlSWMY3V2AQmvItgVr3oDxxNxDmJ/R49tHDt0 +tDuqKObohXBXEfflj984wleFodMkDcd4e0voCsmDxhK7nwflZz3+8pp7wXCaXu/L1DJsbvZPjp6 z6+MV/Vb284fOB4DcxD7BL1L4mdCGTpV0kADTdCmMwoyIRgs9e2M2BMq8Vx55uE7UHxB76fl2RAU y0jZhaDYbzm8hLQzcnjVA7NXHAsLRN5jcni5Ep+cw1tEBViKsIB1QXsv2WgJlXhAIfRzOqzO7mr+ TFDzV/kDxxN5Y82feZZi206Q2446e9GaP1DAgc2hEi/V/JI6+7I4cG2AJszbzdHug8AWEtRr7nrm DdK3O8lLGALgychpQQtaPUgJ3rFuu+mUo+bXdc/ivMqGxnUuMweubHAQ+2eAp5ihvs2bpvCWOdud 1bu0beX2Bw8RZGiPh3WJo0oa0dhWfORYqgwaOQZzYDE01RaKEdAVTxN6MwJCGAGAoDCESMAAOcjm JtijcNYhZMTX4iXgbanQMbV3m4Wt/QHHV+9dfWOWy/zukv2aYcZjlzU+Ke+RxXkE7xmWmha/qV6J enXQ4QAXtoFXZ/tZRYFQoGEexykyYupcQ6cFoBC2AegDlg9zUJcV9xxiZsn2WgxUvGGjwL6D/ttg iMi+91CymJBxLskSCAYzziWk3NuG1Zb8zBVIyS/R/C+hs2EGl8q4/Y7iNEHo0tViFgZlbDGtbLuM bRZ/jXadSpeBh8jYJuqL+S10wOZ4+tDBY/LEh263C+E9yqsNuUhwiSLkqsBVEAfpGHmUuwBsZUIO Z12j+ZDDHcs74yBe5YKH8kjboQv+Au2eHulz1CM9nS3fmQBsnra3Qre2lQQJfrFid+CZtguJfE17 QNeJtFgwAwbuapKeknJrsZWKvQSbe9ABHilIyP8pGDpoNyTs0VwVvHZlu89aU3d7zj17kCIjIU3w v9Nbgp/nWj0M7JaIaYCgvU/E4uzykNols9Iq7Q8cTyY6iP2jl1/CtpaiD2eAX3gHyRqvIHn+MXqG 0iEFZKjoH6Xim5E5yIOf8BaIH8McwDj5pPIRFCTAScH+oLeeYiYK52DA8+XyMSNGlRPO3VycX+Di 2LzreLlsAXFEcZawVdwghXuRJUHg/Yb09sIrKJJHBjKxuCWINxgX6GLIjWmeRJahryTQ3X1u5ztK J0jTuRyxrvEs8mDgeNqHg9jnLU9WQO/w64O/aqIvyNLV9Cf6OdwN/v2EHdr20mHZ7UnV11tVOFO0 mcm/lpv2Vp4YEJDwDSvZXytRqcTGq8iVVlD36p26kZqUd8pkPSHyEKkRTikKUIvSrixm5Mt+Myq4 aBpWA7OCYII5AEUwBzxyB8Vz3aPR6VAk1Ct7I+N22NgaqpGgwylEGOVAOW9NXdnLSyBmvXaRYjY/ GvpILhiFO58wIRpkW8Y1ulKDzvAjoGynSYoJGjQc/7v4RPAeLd4LAowhOOsF+kmA3lpkcaDZyLVA 3V2JMjs+Ry25BxI/v905o5oNIomP8apllAxO2RggpVdMYRygJRe7+N0GRdd2ZsloU8HA8TTfUXVc eHUJYXcfFxkG4GkF2H0yxe6T1ZmvUXhGN1UH4BHwh07B5i2nxDXGrqvau0in9gfum5Iy6CqLhgTk ntAJBpRZCDNCE2IwEWhuGL4FTio/djzcub1NKkavH3rfTx1sZ84NpYf175SoASwXrK/1jNM9rozj 9WQlLokYWJFW4Y1xy8Dx5PXIrnQcsb+16E++Us5DY5HbMKuQlrTSx6YlB7GPhYTu1aDJ0FTCjNsH p5Q3bzcemTmodHFS0c4qCEilqY9NKg7iAAtSo8Hqr0hB7AojejbKaOrylOFaYvmUYVyLmUNTxtAS a00iQUo3ZRGcq8Alp5x2MKbzQNoxQx+esrRjTBfSjq0OzlUcxKtc5a6XtSzfSGBEkZtoHhP+q8oz IqsEI7LNwbUZB3GgzfBby8BRA64cKbMS2Az4mB5JGU2a8lLC57uJulrBqupQ7h2QutqQVcWur1uj jGe7zu8x/aekPrGHn75uhd3f2OrY9OcgDtAitRlQkRJ87LQMLrmKcbPPxSwxkqG9yjLwCPev0dFj XaIgEVI3MioDj9pVDxt0QMiAa+KAdUi3AvdgxFu6xpA9OXX/OyHrgM6OcjM2L0gscQkURmN5XsFh kxvPdci+THeW7OtYosNBvMrjDlVu6NC5elJy1E1XIurvmVUH37OxRNTDAhTAvX+gVaF22CItt8ja g2+RJlsEHbIeeUeEQ2fxPasrsWdtdfA9q6sQC0+W591W5TexbcJNrKvu4Js4XNa+YOHYF6U5dPrQ 7lg+X9v2wnoeFJFfq8reYh3abonID3JgHjgeOY4W5Iz6hPgHtSAhuvHsQVQ1Sp8FSSXi7YP08ShF H51S1Ch9FiyAD4emNOIAPAKtIzJaaCIBFoiZHMozrnegSC0p0gxmxoEpUjOKRIcQj9XSpBEk4hIR uSPxOzNaSEWpywwWkk9dXX1s6jKjhTRjIaGHGrQ25U0lId4b6Uy7KYgHKXGPJKauLk5MroFPQEy2 1scmJgfxOjG9wvBurZMow/OiQikNqKvgNIVqJN6qgLZMSKjwou14jhLMru05PEtNdXDG7CBePUsJ wWzgkLzfq2TueEAjAcmHHK6mSmO7NwWiG9UI2rEHpx0H8brKmBrM2+wVaPzUtrM/8IiY8dx3gN9z ndOUOKOV/F0K0fjtyRk3NGS0Xy9xpwfeYQHVEzQBJ6HbOr1cAldLdVi85IJ2034NdPqg/MtzwBCe J7ivMwrLf83B/VqfQzkzXOgaypljiWMHsU97xw7uj5dLrpyUHPV7SB/z96ytD75nYzLQgoXnikI6 /BbfxE6Fm9goe/BN7FSAhWNHIR06A531FXUIa9R8pdMoZvzYiLzVDQYSult119U5aG640pkLIeOt yRImgcZbCko85Wqge9mkIyivkw68GF4jUTKZfCtoxZ5oHPNQiH+PNmL9ETPXJbGjtVqo32AGQ18B 0OigXx243qCBvYkPwCOIReDfv8i3QKsJgBQoPNJJC8rvVtaSgKCIzQfd6iCiBbYFdLzzFMlIC6e1 SQF0KH+HtcAcsBaOdViLhAORLFd76V2x8hVE6lsGiAJjXC5GR1qgrK0OrFGAlNMDzAFYhjngWPK9 BIoBSDkcQEIAWKTRXru2uYBlemIMREk8he8G/tkEDHTqGgiiGdz7a0iFtVCWokGaA5aBo0JRjJx0 MkW97mNycSAulCT2rbfZrwippo6CQZkhIh1wDCjl7ILzPvoWwPHUeU9VG7YSJB0XSrGNWmEPFgiG 8s8MhMBbFKiU8pEElCWcQoCMyj7YuykQi51qvfeC7Oc4i1wEvMbaJWVmbHfCKdvOhMvsHaSFonzY ft6R28GtGjApbCYcM9BBt/Pl5L27kcnWJuCyk3N3jf8B2cFAxMniHfdIMGNNsQU+BDjNlgcl5FQb pSgUl9yqgRPElXbQYrcffrjtCnQy3AWqpJhI/8A1RQdsBS5ztvPtpzvp0GT3NjlGddYEI5fyV3Qt AKNHNs5FLldKgMjoxtTQQRmOFFVKinhSSjgKCgjpfCK7kZ/aNmCoOfigBxdZDOCDGrk5fJzb1uVE 0nzHRgL75FQJc2R4eGDjJAGhtwp2ktPtLj4QiqBLMcOi0wKHTfDFwTe2cwdkqDiCkMARorQMbrIE uVUAz1M3Bc/cAp0VEQ/Xrfy60FpAHXiiI4AUwG0BVFyzIwm3seZmqJZfePMVU5iyTUSiZL2bCjVX pchZXy45LKHbvA4KWXV0FNhdPLzwCHCEAi57Azl4XMvcI2KREX3hIZ0E4w/oEMJRHLDniQpy90qG gsytshJaJTzCnasZMVBgD5HrB247lamivQSrN2104zg1wOpLhOppUgHC8brimwnKIQ80SlDB8YPs osBu7xOa1V0VkHJWdIaLU56rQP1tiEP5lisUApeg0P1HP19O3ITCmrBefv45HHBCCiAkYbXUX4Ic k78WJgU4gKnQuEBChA9UcDwQEd24hIyp5zvTAR9A/nCmQBxQggGddZ8wmhrKKpbFQeUBbiV3FWTE ZgEfEDTlOQLb/Q93Ss2AbJcEfgmGceTOuBUM4cD2QFqCKkiNWlg/ahQA6XZLKWe3wQ7ikSSuUHHT SS6/1sDZ6AHZhx3YxhBed5fcpYR94GobpwfJ61Cub9faeXAWTXoJOj/rSP2QU1VO8jVzxzOIiPPw HZi03PfG6YUHwGGftiftZrDPK14znqJNtzIhnxJuoeQRcNg6bkxk8+AbLaPmHJAh+nMT0qs5DfHQ IpBMhkGSwJbgkUi/9C1H5gplUuGXwYYy1PrXnqeZ4Ajh8YuE3JSIC6+EgGgv6sJUtOSjbHsC1NTP clN9Aax/H2NpuKBtWW6sTHvNT0p98QmpnzlY3n4wMfZM/Y8JziSAPSH0vB32XcxYTP5MEAhQgLWd /ydYyyVoJiVPIEEFaMQAmpTcggTQoFZ7H+vnbIPzjYZ7Rrhyu3qbYIQXYQmpJuWaBb1d8VbvC+zU KHe6Nh1jNLKYgY7DuOhhX7h2k8Ahy/mwb9T/hyZhy27z1NyEkG9G4ik/pzRNMMFbVAJ0eEuGt51b IZQrXTkf3FVewNGHtJ3gcKXEnbO8hNBRifVSEYtKVkZ1FM9NzmGQgLKILl9AYLRq1twxzyrDF0zX kuCHQBuCsu4ErCYAvz3+yNUhngXNy3ivrI6zd57hhDvBZwVBXCJEy7M6qCBOqPOf6HtNH+RR/HJO 99sOrzk34emldnfGWU2Q91BiyGUGVf94YVqGvLuPHwLxkaH9FhB/6Kjgzm6udvFywIzOCKCHeV1a b5Rtes6B2yNNJEE6JLAcWgLDkcyznVOqGx4UXlWdDbYKTxDkVNNUwwSUgbgosN0pyi9P7+V8ii+X 5ismqAvbGTmKnCInhBfi8fryjEJm6pI7rhCCVmoJrZWoDrZXz4IqPP5gp3KxxF3OXDsEnCUcGcAh j5+Xs9vsBo8shzyDDDOURZorUUPrPeD13ANXQluizoKELKjILQMrkGKYLzt2fqN7ceiXu9BYii8d Nma7rzQBh9utiYSiJO7nAYUqklu0Jup4dgXFKQi2DHs0B8nbdaESZaw5Qnp747Urfi+a5ZLgs4at +/U2uu1mL8RxG92qEo1uDdxxCF1rofPtRBkeAko0nAXQptiED5pE0mQEgycSkojATPa639dXqBhk yziyS6PbztoJFPtBQA8DCeVjtGQxIeEL3pKhoKKHn4eWeFcgqBTllbMlmjpICx5TMeFAAxx8tdyC 2Z6pnLDbGVWMnGKgsgFcorw/JHc0ct8TzLE9q3Cfutg9aMzKjZoGClhn3Xm+Kh1yf+Re2413jV27 klhXp67rGndt9fjx/EZVtm5OSnXjp86N9lJcteOHr72oaN60XW1NdflVEz7ZjHMO33Qf7fj1U/ig vcxph2/6r+t/NUIzP3mB8+vL317e/W4nOaGM6n8a9JgIKSTkqHKTmXdKLNGLm2u8vIfSdpZ1Je9N 0nFOcJzngmSg7CAd1lJc7NzLUmJ1vDl5BhwZGKKVqNxfFlNYbmTRVRUyiIy+JRBRQqcrcB2orQJf J99+zg+4V4E3Q9megXXVvN0uxZQzfiYx5j7rQZz4YsyNmkHmjJ8CQXb5ZRM+3EzzjqLM7Xw3PHEK H626y7z9p0CYTb/UVfDwDO9dxJmqY6SXk1LH+ar0CkFGFbpngCc+6GqF7RaZohp4Djsr0RRkx5Om m+Wk6fO1k6bby4nQLZw03V6O1vJwM807nzRtr500bed5LZw0PR+t+eEZ3rucNBNl8li6yS+TKaEW 3sca5rl7POiRkGS2vQkU5yP7HDVcHhxGiAuBoc5dCiWymQv4fnLSF2KR9huLTuouPIhX0gS2t1PJ aWLFy3B4OmtCY1x+FDP6bZVoAkqbr8KAKVHLcuHE9paux7zJMZfgwHgoN8foRan2nT0+znPQn7qV plhFATWhOy9qQtdeUxO6WXHuOlAThl824cPNNO+sJnT1NTWhq+d5a1AT3C8noOpATRjm3V9N6P9e NiOjJi6jCIJKp5QK54zWLBkRZX44YTG8zyN3dPC1ZNx1dxcmkeH4yatNLaAEZagWaCoCYBkpi9vb b5dxH6kuPP8J3eC2C6ec1m4cq8lmQRH57Zh7jABeVZucWAHTjVlapmFY5tejAoVkBDpopDEBQ/Ko Th1Fb9dflF70F6Wv6S9KX/QX90noL+Mvm/DhZpr3or8ofU1/6UfneUF/GX45ARXoL+O8d9BfjEo/ nNtLI1GhybBHeDYXN4RB1PITzy964KvdHvXm908ldPqmqQUJ8Xnugs2wRrfH+BMCF7z8li9uu46Y cHHafdIkymgzTcgNElzhJVr0Z1wLl1OxnhraKqPv2Ca6mu3pr0XqcxMQn6FF8ohydmh3xW+WU1u6 /TqFfdI2IvtyYxGwu13NJ7syt6zDanZJHOP8jsdWtl/ymKAw8CtbMiKQJZyxPJ+En/573ilfhqc2 s5sth93zahDwzpeKr6qzXgyPs7lmeJwvcVD3SRoewy+b8OFmmnc2PM7VNcPjXM3zVmB4uF9OQFWB 4THMewfD4zyzq1eemHeb2PB2ISjjsPNnQbCRb6Vsc8ILhq3vSShWUSb2PsG4+Si/AX1CP2w7qiWJ WbdyQUVcOm0tZuVkdZ8rpDIaG4FfFPvaZgQbSlxwU4IB8MgBXwtP48hI4s+IgmRcbMxVb36VV7a6 Mhyy/u/pR3/UVDOcnumfr99zWcGn06eXfwNOHPkLZW5kc3RyZWFtCmVuZG9iagoyNTggMCBvYmoK NzQ1OQplbmRvYmoKMjYyIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVj dCBbMTI4LjE1OTk5OSAgNzkwLjYzOTk5OSAgMjY3LjM2MDAwMCAgODAxLjE5OTk5OSBdCi9Cb3Jk ZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkz Ni5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0kj MmRELmlldGYjMmRodHRwYmlzIzJkcDcjMmRhdXRoCj4+CmVuZG9iagoyNjMgMCBvYmoKPDwKL1R5 cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9SZWN0IFszMTQuMzk5OTk5ICA1NjAuMjQwMDAwICAz NzIuOTU5OTk5ICA1NzAuNzk5OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJm IzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRo IzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzUkZDMjYxNgo+PgplbmRvYmoKMjY0IDAgb2JqCjw8 Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTI4LjE1OTk5OSAgNTQ4LjcxOTk5 OSAgMzA0Ljc5OTk5OSAgNTU5LjI3OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMz YSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRv YXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0kjMmRELmlldGYjMmRodHRwYmlzIzJkcDEj MmRtZXNzYWdpbmcKPj4KZW5kb2JqCjI2MSAwIG9iago8PAovVHlwZSAvUGFnZQovUGFyZW50IDIg MCBSCi9Db250ZW50cyAyNjUgMCBSCi9SZXNvdXJjZXMgMjY3IDAgUgovQW5ub3RzIDI2OCAwIFIK L01lZGlhQm94IFswIDAgNTk1IDg0Ml0KPj4KZW5kb2JqCjI2NyAwIG9iago8PAovQ29sb3JTcGFj ZSA8PAovUENTcCA0IDAgUgovQ1NwIC9EZXZpY2VSR0IKL0NTcGcgL0RldmljZUdyYXkKPj4KL0V4 dEdTdGF0ZSA8PAovR1NhIDMgMCBSCj4+Ci9QYXR0ZXJuIDw8Cj4+Ci9Gb250IDw8Ci9GOSA5IDAg UgovRjcyIDcyIDAgUgovRjYgNiAwIFIKL0YzMCAzMCAwIFIKPj4KL1hPYmplY3QgPDwKPj4KPj4K ZW5kb2JqCjI2OCAwIG9iagpbIDI2MiAwIFIgMjYzIDAgUiAyNjQgMCBSIF0KZW5kb2JqCjI2NSAw IG9iago8PAovTGVuZ3RoIDI2NiAwIFIKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4Kc3RyZWFtCnic 7V1Lr924Dd7fX3HWA8yN9baBokCSSQp0USCYAF0UXRQZtMWgGTSYRf9+/ZB1LFI+lGXKx+feZNDG kY9kPSjyI0VSb/708z8u//r98ub9z/+9fPF/v//5qXluTDf9uTT9fz8uC2T7rGQz/Lm0Qj1bN5Z+ +fr07fLt6dPTp/7/vz0JO1b0f/Uv508043+/f/nt6c308aep5Of3f+mf/neRlz/3//v18re/94W/ +PaGH3x9ajvb96NphOr/+Z/lP4XshHnuOyX68gb+c/jxv5/++sPlt6Fj8rkdOy+mDi7/+aNQjXTt s+7/Vd7lnGoCVxOy700jnOxHOj+rZ9FocxGiGx9sN5bqvqD1T1+ehLDPbWe0asJLG1e2vt3xt+Nz M9a4gKpNaLcZfxt9dJiqJqoc+vuln913P9yelG83puXd56c3H/uvqMvnf16mZflx+utzPxVK9P/q v2Mvn3+5/KFpZPfHy+dfnwbC9AV6LFChoHk7FrTXgo9jgbkWKFhlalTf+IWDjX6ABQa28Q5+VsIq qKeoSkGjqKdTGx8+97tpsQrP0yYe9nHTk/z8DAh25Vc5y5zxgXHpexJKr73UYO2b92BoAg3+I/wF XCb5ITkbW3Z4MTHLFg5osTQ7WjWgVZqsUAG5RURDzj1qdIUSr9Ssp0aFuLbagu2tp464G1sC7dWf 4Hdb0AbiGXgwaHtzMABIvyVjQZ9FVeBoM+iBXKlyvrNoQ8OOoZ6iCbLbv4La6Bg22SyHOrnaM7SF UEfoaUcTgqqg1UZfQRTDwmSaBoyfptQaNCTFxDFuiXvUEVSAPoPWDvWd5gc0dW9nsiVcJ3dh9hGE ciYmCDGNXzTX7wg4AbBAGNA1JcBoFNxm4i31C6ngjMApQp/NgIwkMpNvOWa1L+5nVTYuHm42XFnV LGSP7b+G5y6hWUg5awDDE9Asppc2rmx9u7NmIX2NWLOQw7up3f4JaBbjS98pu9QspnbraxZSzgQs PyICRrwVkkUOOyJZuJRwn8Bdj/HKexIVIXaE+lEAC+6j9HgQf2s3FqAREp0JBD1Ro7TMo7kxOesS SQVaoYWNZhDM6wI0upXx9se6iBaQIaipb1ftBIs4RLu0SCe3LtZOkL2CNmCglaBNHDSp5m4qFvAt lcunVbSJSCbLMtzT8iFEIOTuTsi2AuIm+R/mbizwVMqYZBKjQYyGVq0Z7IRImPFBPL2AeDoJ8UyA eAZDPBMgno4hnl5APJ2EeDpAPI0hng4QT8cQTx8E8UzQUaB1CS85h92nBvRK0O8xDIwDrkEpqd7C AiRYaSCFZpnFVoBWlx4/qSVkgC8GU2FiuEg1RmclB5FZwbxzSAEjDGAAiLwRFZECWwhIqyT6xruq YCOubAAeaGXd6oTQJlgaWhbA0+16NK05YM7EsRE5QGCBmkirZwh6oI7VUM/48Ixb4BmXxDNtwDMt xjNtwDMuxjNugWdcEs+4gGccxjMu4BkX4xl3EJ5pZ3aGxebjGnk4QMJ5dPgSQUPOexXJg3kiWju0 VDTDR0KD5omIn9FmEHr4HAebubS81yAFNneBQQ4bOdAMFZxj0ctPm+xoAEB3jBaJqFG4dBgA51pO eWBW51aJKhcRf7ctVwUv1awzqrmiGdWk0IwSM5oZngCamV7auLL17c5oRjUpNNOXzu02CM2ML32n IjQztVsfzShxrHUGrzD6LM0BaREJGd6aq9q+Qy0OvwXEmmnGu11pxpwYMR40pzR7ow1td7K205Zk 0lsEiyrEvGiARB+LkM4SOz1Oy203jYrZQ8YM1TjSqqRTYKhWgFUKjJWOD80o6XbTCK/+hyEBzTFp 0FDFeEXPB2qUVky2++RhlZJeObLRDMM75rL3Oih0FtAyyTMF8kmj54yWVDToKDBN3gl3F5iUyFnH E5QbDWBudJ38yn1Nxjx8WgcRisTSdsRQYNrDIjTDcoOOt2jAeBbfIqklmHcaMJ/aEq+MuuquRqd0 V2NmHbN/grqrCcrqtbL17Qbd1YiU7mpEaFcg3XV46TslIt11bPcA3dUE95JXHpZGi0Q6BqkYAWxR zOvgbg4bGc0BM87mab8vkoTw+DkskYgDFhiAz6Ka6p7RRLv/gXAW6ilD6MNayFUVq8L9PbgZ/S6U k6tzSEctZehdNHojd2pGPE1BbCiaZtQPesdUISpyHbKDMfaGAtmYQu61ugW7mxahicFsVwlKAAJH DCINEGibeh1p/4IYMZ/y0i6UlzapvLRBeWmx8tIGbaWNlZd2oby0SeWlDcpLi5WXNigvbay8tAcp L21QXqbFWEa+0fgFAQnaT5BDNymwm273Tsjw3uHgRbSTDFoGxOAL/FeRRQsxCdKjmUUDoH3VyEQO dc6zSOJH9IEXm8Pjt47y0pl493P4RJcInu3nPRm22CphTseaa3WzwWy43eOnYFPRZhbsIUkb52k4 /xr9zLi1COkATT2MK9Zp0C38hUImxIKjWhou0EdTXAhZiytC1iKFkLWYEfLwBBDy9NLGla1vd0bI WqQQcl8a2kUIeXzpOxUh5Knd+ghZi1lGqnfk6tAqH320xsCaUU99wrOFxg+PKvB5HUrLgsz7HSjQ sCBDNHOgzCrcfLvxPiO6nOO055AgqQwITaslVXwZC06uKuWOaAn2ULDp0JaSsFGc6Qj+gk8iyKuz spYpZ+WRf0+cWyFn5emljStb326QCDLlrNyXzu1K5Kw8vvSdipyVp3YPkAjqRYZendUGeOIAr8c5 8ssYHBJ4yCsQVTkkBUlJqDndsTqh5rKJGQRHhA9eOtQopBi8y4pniMeaodcjy0kIUAKrSD/KKi6v 5/WApvcUfdB8jHpP87qM9Hu0HbpALBcEBNWJEVUW7KntgUgn47r6xixX4Q/HIKrt2WpKYoa2n5Cv bWUeXm+D8LuvHX6L6Zpmbth0TZt770rcO72XnQOLeYjH6Gmi2zmI7CTRDHz2ALewELukhdgFC7HD FmIXDAAuthC7hYXYJS3ELliIHbYQu2AhdrGF2B1kIXbBBPSC7AEZGiPtNcohiTlMCOSGr2RT4HBo 5EgeW5CvrmbW+U2qCr3+dEDEyvrvdaLo4u1fR0bS9n46wJODhDhSAFa8L4IHvHYbAs0L+OGRE7LF yPA9BDA9ZXu9tx0gqgcPARzSMXwNzykEaJoZAQ5PAAFOL21c2fp2ZwRomhQC7EtDuwgBji99pyIE OLVbHwGaZoOPAJ2PldZOOfIRI82KZnDbVZyc9Ls0D+Tws6UZ2kmcN7JDyffGrzUx6WbYyIszDe49 aldxV1muGcKgqEqQl7ITiwh3TPCIFmtAq2elbz7hoxbCRyWFjwrCR2Hho4K0UbHwUQvho5LCRwXh o7DwUUH4qFj4qIOEjzq/8CFtpRnG07MSeJ3DRrqnd7JZnkVKbj9cqZKONyMYh+76igvzXvOEjtlD hvimKZeDUB8t/JzFtGDM6SM6xE/wK3RyQdrrnWHH4JifgoyWtJrB4FZVNYDjSkIaTog0UKBa+AsU 34lu0cyQUwV31mw/wdTo7hSUrpW0rNW5oKMgP8NLQgcv71oQHtZ+vTiFdDQqiujPxTo7R9PaeDQc gCkjkICMCcnQFtAhEQ1c+Jj7a8Xg3/HCSfGCmS4+vO5k5a81Fjfm/RDRjs+EcpEMD6cOF2u8bDjE Z3TrFka3Lml064LRrcNGty5Y2brY6NYtjG5d0ujWBaNbh41uXTC6dbHRrTvI6BYu8RA4b0qVuDc6 ZA8i/gznkztdZZ7hOrw9u2KGS0tByD6JxTJuXCzxasw4SCuwGtyKHt8hbYYdYaVZI0QUs6gXdpVd 7MnqLrAna5oEe7Ihd6z1uWMXPGZ6aePK1rc7syerXYI99aVzu/0TYE/jS99Bt2RPU7v12ZM1al5h dLHJMZGAd0qgzmAWTBwu0h5XDHYAfIRJXg+CF4YeLs01SI8bWqfLkSPbU70iWpao4CNcOxSEneFg d0jijnud+5vJlnjlEEUXNRTYLLZ7OtZxuSt20mTRQKxt8+HZMQa47SAIq5M5JQgXoP2ckR+qIEyT Ng5WubqlIPwDrSZtb85N07bzAGIyDS6Il16HAoZPb95jMpkXHFBuD+0qCSgtsPvTyITWvchfINsJ j6jqWkB1tN9yWrN4lo3/0z/r8Ay0jZVf5WD0jA+MQ3WSEA9tAO4azjGiSpRw5iOsIpOzcVnTs1g1 EQcGtIYaH3CtXAfWisbhK3E/t34BGxUry7sooGmGNiPBrzQoq9eKhF18trkf3Slh8ujuFp/dlC7k oWh3uC7nDrTrIRZNiHehGS1VPCkskKDk6Hd7+ouDYASHByep8OATFxYY4Vqwuic5DVw72eRRNLtu TQhkbPntUcn4+IG21tEG+oJAj/uE1NWxTeET9tzD8AeUTFIDuuWTTPdBIhYMqICrlsRhIuWMdFvB fJcks7UjZ24nZmPjOcyIceDgO1WSXdGS+pi4VGMgYRYwwO33AxTcupd9JsQiMp0w+RNSkFGjijP9 9ozKOTgU1cm97+pWLiuahtC2I3dqRmqDKnkrTgMZKsL/naxbdmBTFeP/10JUD+SwQyoI+IIExlM0 pzZMM40HCjAVn+OMM7N5m3ac8fnB9zvOuFYGxxnXqoTjjGu1d3AZnoDjzPTSxpWtb3d2nHFtk3Cc 6UtDuw10nBlf+k41S8eZqd36jjOutX6qE8lKGFwYMrb4d78+0I9j/PpO6wXCgTwPdWnaCRsmrfm6 ER/HL+o0XnAMgQmcoa9tI1bJjrxBMuMWrQJwRrvo0vo9Qy5DDnUuw3iDekpz4SNv1d0bHGsBkb28 MMVN004TGcf9xyhMB/YUpcs0DZRCbGEqrbjC2Vak4GwrZjg7PAE4O720cWXr253hbCtScLYvDe0i ODu+9J2K4OzUbn0424pZimI/cMQDtrv9ZAi8KnuAhnc17GZ1HOULsAvNeejP3ucaRQQz8C1z9JF4 jTuF8PkGsm/SfqWQLJEJhI/fSXfld7JN8TvZzXxJdojfjS9tXNn6dgO/kybF76QJ7RrE74aXvlMm 4ndjuwfwOzWDgO/8jiDwktTkx6DEghzJtEWbZpEF5o47+eLQ92rQPr4cMLKKmzSLDaF1MTfYqZs8 lB+FERKwwgf3JDYGDChjV6H13u4DgHM10NEpnEYTvSENCwdjXrlFam9OGTCYEjlEe+MWWDwQNH1d XnKHhLhkuF5vJ2WWZJEFzhoIHxR4wNK3XaBZL4A2cHDZzhs7jzMF3OsF16MWpFvdDroKlo6G3PTF BHLhq/RQkGIWSeE2sEeHFD446TogHmHnTNxqTY+3GlYFp69WBWdSVgU3X8w9PEGrwvjSxpWtbzdY FZxMWRUG0vPtSmRVGF76TsnIqjC2e4BVwc0eGgdZFWhHg4Jj9Cp2B7rr2z1pC/wMsLSmj83oa6S2 wyr8C1Li4Q2PWGkBjKCNlVX0HxrO8KXBuP/Jo2kaij3QN3Nvd4rMsP4htYP0TOHML8Wj/3ZqlWa2 Q+CdtybtdPHr5Gy6oF381CLd4S5p3vXy92t4tglp3oUcVp3PYbUQydNLG1e2vt1ZmndaJaR5Xxra VVCajy99p9RSmk/t1pfmnd4QS3Kf+zJKEu8WBJeQR37G+41dfSBR6klj4E8KVOmCVNw4f6eWqARd 4ZlI1gi9y5Afw0Gm8u1qbaV0WIechJacg5NcHwlXThYebvnM8NJeeLrvYeGib2pm4f2zxCy8L/Ws dnyKWbh/aePK1rcbWHjXpVh4Nx8fD0+QhQ8vZRNVDv09gIX335ljSmgWngA227NvstzBTGox2iJe ijKxbc+QhU3OdXIZ0PJmxUbE7A9Hn46i9acHw5KqbLsju/oJUuYxPoVHZvfiSGe44Ah3kl8oUr8g eSHmQ7kmCQ6NS/SNZZNMSTzod/+xvVRXLc+7aNQCaagk0lABaSiMNFRAGipGGiogjZ6+EkhjKJ3b lRBpTC9lE1UO/T0Eaah8pHFQ4oEjscnjHVXJMYvIYt0e/ahKWjCgg/IqsIRmNBb0vSDKjnaxLNgz tG83bXEpSKROGgr0NBYhbwgBmI8P6Z84X6+APeP4rkaqFtQ0NKyCLBR1uoq/i+w++H48tGn4bggT jQnOeCijU0Eo2nYogYBTgQsx0oFQhI/sYAGKEoIFLHxGKhXP8nn5DG2mpRMpkHnSMXuvEvCHGiXP NgvIEGcNr+Kox5cT9FZQLUlSWBeBBJNxAoFobCWTbO3kXcbKeFvi3U9PapVk7R8YWbu1q9/lCG2g g91pO1uBg2TBLdYclxZzeM9wRPYVXOFEu37QRlSWPB2YQjjOF/kY5M7YDt2CbVdAu3QGFXJj5jhM 0FNUQ4fIyF5Fi3J6UrcfjWObGIct4z0DUc28vBWrPSsQ/wW7jMSLfBa/Tl4tfl0iZH7wlJgtcx0M mfcvbVzZ+naDxa9LhMwPpaFdGDI/vfSdaiKLX3dIyHz/nZmxvEqL376MSA9sqylGDY9nI1VKx5Re 5Q4ABVP+f7+/IgvfuCZenJJQbo6QsRqeushiJOD5XbZBcK9q6uJZ1qQtCydRwwYxtCmKUTMLnhFC ZhPAoZr3PtFVoEVvl4cZB9pVrud6lZrI3tvpWkDtD6/O3Kry4lUTIcOl8/1z4tL5vtRnoRmfgGoy vbRxZevbnVUTIROXzg+loV146fz00ndqeem8b7e+aiJk8EGlDakchwTb6TnD27KESx6S9fsg/8ST JJvHvLkAVm5X786SEuChUuJ2Mt7+j5wS91xAlAdma7n63fuAV6xFIR8nGAiC9J0M4FElmff22F4k yUru/OVI1YyGf8xNG0rrzWRIAmI+NGcWaM4k0ZwJaM5gNGcCfDMxmjMLNGeSaM4ENGcwmjMBzZkY zZmD0Jxxq1uvSu55WiuAwX10PHOVfC04UXAG8iAVWjQ6Fg2XnLIXHShy0EqVXOFLh09uv/SOCc21 8fan/agygOdJ1IySDFcFuUu3J3TnE2e2vYoz26XEmZvPN4cnKM7GlzaubH27QZxZmxJn1s7tWovE 2fDSd8pG4mxs9wBx5mb0gYz8WE3AVoKCax/ojPx3Ojgt8IyiE6OhG6hWrtjmTYJx3/QszPGXBQlN 7nMGQnse1Lk3poq8Mw3gDyfI5xKG8mw6/wfLAvCO5ps3GhtnyN5OTCKbGRH4IEYLZwguBPXBQWyk v6jBF71FaesHVkekLRgRyiTSoLD0j3DPayhHOjAtMm3EKZ+WKW90vWkZDXmL9n00yI0h4jG/hZBb dSsgfDGV6Y1cPFFSm6oTJU0Tt58Ydfo6yfIh2a7ukJwGa4/0D5IYELl4HxuuPio3xNH0Wt0qI/Kq 2TKQSsJeYz8JC7uN6hjqF8wj9SzXSLk20kos9/rFOix3MaJHYrn1pmViudf2H5zlVpsoz3Kv7eNR r8DBvSy33pAmlrtYex8GeoPgkUMaLoB82+smt4ihQeoLqrNkcP1/l2/9DAg7DsX/9eVrqTPip8un p/8DwLgCa2VuZHN0cmVhbQplbmRvYmoKMjY2IDAgb2JqCjU1OTUKZW5kb2JqCjI3MCAwIG9iago8 PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzIyOS45MTk5OTkgIDc3MC40Nzk5 OTkgIDM2OS4xMjAwMDAgIDc4MS4wMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUj M2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJk b2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNJIzJkRC5pZXRmIzJkaHR0cGJpcyMyZHA3 IzJkYXV0aAo+PgplbmRvYmoKMjcxIDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGlu awovUmVjdCBbNDMxLjUxOTk5OSAgNzcwLjQ3OTk5OSAgNDkwLjA3OTk5OSAgNzgxLjAzOTk5OSBd Ci9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRl bXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRt bCMyM1JGQzI2MTcKPj4KZW5kb2JqCjI3MiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUg L0xpbmsKL1JlY3QgWzM0Mi4yNDAwMDAgIDc1OC45NTk5OTkgIDQ4MS40Mzk5OTkgIDc2OS41MTk5 OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZD R0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1s Lmh0bWwjMjNJIzJkRC5pZXRmIzJkaHR0cGJpcyMyZHA3IzJkYXV0aAo+PgplbmRvYmoKMjczIDAg b2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTgxLjkxOTk5OSAgNzAx LjM1OTk5OSAgMzIxLjEyMDAwMCAgNzExLjkxOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAv ZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGll dGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0kjMmRELmlldGYjMmRodHRwYmlz IzJkcDcjMmRhdXRoCj4+CmVuZG9iagoyNzQgMCBvYmoKPDwKL1R5cGUgL0Fubm90Ci9TdWJ0eXBl IC9MaW5rCi9SZWN0IFsxMjguMTU5OTk5ICAzNTMuODM5OTk5ICAxODYuNzE5OTk5ICAzNjQuMzk5 OTk5IF0KL0JvcmRlciBbMCAwIDBdCi9EZXN0IC9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJm Q0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRt bC5odG1sIzIzUkZDNTIzNAo+PgplbmRvYmoKMjc1IDAgb2JqCjw8Ci9UeXBlIC9Bbm5vdAovU3Vi dHlwZSAvTGluawovUmVjdCBbMTI4LjE1OTk5OSAgMTk0LjQ3OTk5OSAgMTg2LjcxOTk5OSAgMjA1 LjAzOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovRGVzdCAvZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRt cCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVy Lmh0bWwuaHRtbCMyM1JGQzI2MTcKPj4KZW5kb2JqCjI3NiAwIG9iago8PAovVHlwZSAvQW5ub3QK L1N1YnR5cGUgL0xpbmsKL1JlY3QgWzI1MC4wNzk5OTkgIDE3MC40Nzk5OTkgIDM4OS4yNzk5OTkg IDE4MS4wMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3QgL2ZpbGUjM2EjMmYjMmYjMmZ2YXIj MmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJl YXJlci5odG1sLmh0bWwjMjNJIzJkRC5pZXRmIzJkaHR0cGJpcyMyZHA3IzJkYXV0aAo+PgplbmRv YmoKMjY5IDAgb2JqCjw8Ci9UeXBlIC9QYWdlCi9QYXJlbnQgMiAwIFIKL0NvbnRlbnRzIDI3NyAw IFIKL1Jlc291cmNlcyAyNzkgMCBSCi9Bbm5vdHMgMjgwIDAgUgovTWVkaWFCb3ggWzAgMCA1OTUg ODQyXQo+PgplbmRvYmoKMjc5IDAgb2JqCjw8Ci9Db2xvclNwYWNlIDw8Ci9QQ1NwIDQgMCBSCi9D U3AgL0RldmljZVJHQgovQ1NwZyAvRGV2aWNlR3JheQo+PgovRXh0R1N0YXRlIDw8Ci9HU2EgMyAw IFIKPj4KL1BhdHRlcm4gPDwKPj4KL0ZvbnQgPDwKL0Y5IDkgMCBSCi9GNzIgNzIgMCBSCi9GNiA2 IDAgUgovRjMwIDMwIDAgUgo+PgovWE9iamVjdCA8PAo+Pgo+PgplbmRvYmoKMjgwIDAgb2JqClsg MjcwIDAgUiAyNzEgMCBSIDI3MiAwIFIgMjczIDAgUiAyNzQgMCBSIDI3NSAwIFIgMjc2IDAgUiBd CmVuZG9iagoyNzcgMCBvYmoKPDwKL0xlbmd0aCAyNzggMCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2Rl Cj4+CnN0cmVhbQp4nO1dS4/kthG+z6/oswHPim8SCAJ41usAOQRY7AI5BDkEaySBkTWy8CF/P2qJ Yov82F1sitR0t2cW9mgoqcRn1VfFquK7P336x+Ffvx3evf/038MX//v9p6fheVBu/jkM47/v1wXc Pgs+HH8OlolnbabSL1+fvh2+PX18+jj+/9sT09OL/td4c/nEMP377cuvT+/mjz/NJZ/e/2W8+t+B H/48/vfL4W9/Hwt/9vSOD3x9sk6P9RgGJsY//7P+k4lhkM92vB7Lh/TP48P/fvrrd4dfjxXjxxvH 1+YKrv/8nsmxZfpZDnxDlb9dePHl89O7n9xYwcPnfx7mGnw///r89Unx8Q82du3h88+HPwwD1388 fP7lSR2WAvYyFdhQwN9PBR8+j/1UUluGtR2/dxg/yuXYwcu1emaDVOOlmy60m0r1+H/rr748Maaf rVNSDOGmjl/Wnu707HTNpzcOyas80OXTs9FHx5u+UsvLob5fxkF9+a7TWDDBpsHgdulqNXW1CH0/ /JgMxmCnAnMqeJ8+8VMyoINOn6Bf+SF94iV9wqRPfEgL5rbI08RiU4G7oh5MpK0VVAfxgaoHPgHN TyvGePoK9Cl8RaY1hT6VaeOgk1OiOPopUfgs1oMmmjafzyPHxIUSnBAwdaF5aQewH9KqqRPrqV5l Uth4lYn36USE0YTGQB/BRHRp3eEJoEGPBMw7mET0/Ie2wLyjVyrQgCWTPiGGVlJDuJPUkENOaki2 cPfxKpUa000dv6w93SA1hMlJDWEWuuNVKjWON30FTSQ1Jro7SA0pfFdLvxiHC0MMAwhzD/g3vELP cFjy8ATwAHgChAIQJecv1pTk8BmG1oT3jNMtGiusa4XsBa5AL0/4LE2UZDVNekgPPO4hLwQaMA61 gpsqCzdVgJsK4aYKcFPFcFOt4KbKwk0V4KZCuKkC3FQx3FQ7wU21CMIM4wBJCGyhAhrSco4UJwXs icYbwGtI9FTAa+6Hb9I8AGhcjxXxs9B8EvafZcYVdd/GnZRLlkw77qRXsMZkYY0JsMYgrDEB1pgY 1ugVrNFZWKMDrNEIa3SANTqGNXonWGMWQcA/pOoBiChgG11EZTrnC1Q7IFqhLlyvYdcIdVLnZKlI wGEg+5S9J9koCB66T4F7FyiltLCCz5AiIPPdtGoFHQD8C1htWlCwHuArtOiBV0gcWNM4qCktRmFS NWPFdgUUbRYo2gAULQJFG4CijYGiXQFFmwWKNgBFi0DRBqBoY6BodwKKdl+LScE86sHgClgAqT7C E/IlbQs9wYHR0DAZ+hTGpQtwBBokj8yoGiwVq6m8h60Jnm5NFIxlhQGdHqkzknirndLEq479SONi errTNsUGNvUa4FWhW5xRE7f1u+d2Ygg2GpjNr2Qfpgf3+sXMuolRwU5iVLCcGBVsEaPHq0SMzjd1 /LL2dBcxKlhOjI6lgS6I0emmr1QkRme6/cWoYEGMAv9K5xGuNJrVVkDais27DykvsikkAKI0gqcx XvpZrFhaD0TFFbypwpa0y+qF5iMyo/k9TLoCvalakdgoE7mLl9DbcL/KcO/Euc7YDdrIdxHkexeT bQVPTbvsnAK0rf3Cirj97SS+XEl8mZX4Mkh8iRJfBokvY4kvVxJfZiW+DBJfosSXQeLLWOLLnSS+ 3HuHhTYN0rIX5nwFjqC1reu9EWq2KeAJMMhdLzZQHeVJ1ZlLXxFpxaCmdD2gAAyy17NeaAsQFWkB Nr9AjsDgQgEYcenGkOppQbfTm9tddHzFh5hB3Oz4cxgYeKV6TbWR5/q8PKd9KoDZlTqnNZCaZiU1 TVZqmiA1DUpNE6SmiaWmWUlNk5WaJkhNg1LTBKlpYqlpdpKaJoB8A1Kzx8ZehUMqTrUWxrOURoaz AmqgPZpS6VSlCFzvxInNAxrQzbSNnsbfpDJBG3qRgdFmvYrhpvujwCHienWTnhC34pC6ZrUbAx3k oM/JLwx0eGnE4Y/c9mu4ZhkOL8XCiY9XCYefb+r4Ze3pLhxecpvh8GPpQne8Sjj8dJMP0cuhvntw eCmk7+o3vYhci4+sFzXE4ytxLmFOpVuMUMDUdixd4BLYG49uZZKalzPJVjBYWn1iktbkmKQNzMxa YJLTTR2/rD3dwCStzDFJKwNdCUzSBq4YXg713YVJutD3sMUCE6t6q/qi9xI95aGgBS5qE4cES6uF D1QPF5EaWUTvTFeET9AwEIJ7AEoW+OKBhQHcKNPPNGRxKuwg0SxOriw9m1ickjywuJH3ZFickgsr UovN+8Sn5ps6fll7uguLU3LIsLixNNAdUhY33fSVGtYsbqbbn8UpGUC5S1lcFwWDhoG3635Kq481 FclP8ec55H78Ga9luE6m/ZmnSiZLwQemCXS0ReU3swYVzyCwU5/zir3AI/GV9Alh84ANhhbY24Wv sCtDJFuuRDkkK3FjhMVdTSLJedL4dIqg0zs5zRiMd1rwcJPoKFRjdk5vvNCudD3streeSKDJjogK alxNmBYNC8lXsHXdNlGUESdoZWQOWhm1QKDxKoVWJmCp08va0w3QyrActAphWcqHZUUfZQuWCi+H +u4CrYy5MWjVxCyDfIR2JiLNhfR0rfFRplVyOly9VHe8P9EruI2nKToow24+owAdgz4/4/V8SRaT rNrLEDDiXoMJ/FC/DuSTade/kpljnzVUn/KhD+/aGojM48ETYCxJsaNoCS1ccB5Mg1IyWzmkhlrj tEtPtBTSiR9JSAM7wDT4BJEIcgbiNAF8NtjK6SNW6VkFBVgzCFsCOzZ0GYkiaAfkmjhlEkTAfOip 4Wx0lTdDvFIL7Nx0l9GeGTfPeF9JcWzCd/VgY6otlM1tlv6K6b3nXqYW5Q4f8ko0dlYb1frk8KF1 zuFD68Xh43iVaKPzTR2/rD3dRRvVKufwMZYudBU4fEw3+RC9HOq7hzaq9eLwURBAglzhepe2AnUU fAubhBSBbQh4bQsoTeqnrxuns/Iv3sUQWBNTD15x0B8VeZPI0MeSjEY9xHUze5s26sThjM5xOLOk FTpepRxuuqnjl7WnGzicETkOZ0SgK4DDHW/6SomIw010d+Bwxi1D/GZvoybjm73ttextp2n6Zm/b 2d626vo3exshA2/O3nYavGLLSBu9z6mF6iNbU+7ZEAaOJ7Qh7HdmKq0YzE4Zjm6Yz8z+TKv1ToMk OmSWZN8yzasCBbvGAjXhmYYFqrRuSYcXNHAQeUBHlUuQ4FadTnD2Q7a+bkmxDGdBbzacZ/Rmwxf9 9niV6M3zTR2/rD3dRW82IznUm8fShS5zqd483eRD9HKo7x56s+GB4f2+ohwKgBUdHrtLrqESWUyz L1rFv5FwDNwuoNPrQtUrLJQ3kh2+HccTp7guI3JxXUYsexbHq5TjiSWua/Wy9nQDxxO5uK6xNNCF uK7ppq9UFNc1092B48nQ1btwvJqwe1rtr4g5pdVTmnvTGddJTozLuQGObhG32idnbY+8FJ3OdthF mu11YMSQLPa37NJXjxSdOrc6/XAbRVOps31YmrL4UvsfOf1wAUICGlflC9mGXfQKu+gsdtEBu2jE LjpgFx1jF73CLjqLXXTALhqxiw5gRcfYRe+EXUxg3+mA0g5CKLzpqUciXCBacHjAzab66JFNnfZq wbR5TfJBVejm9I4G6VJLW4EwTck8lmsjMG18J43ecIpBk+OuYCsBhhc6EZuHByp1cURVYoh5xq3k 2z1HdFtz+TBt8xobDFrNpJFbSSOXlUYuSCOH0sgFaeRiaeRW0shlpZEL0sihNHJB/LhYGrl9pJEN h5e3Ofm0Rw6kTgkFKlS0ivMCrt9QRiZHY3ZalNK4twKittCDK5Ig3o0hkHbdxG0t+kiZ0j3ajTEQ IweKGERF9i4QtRWmBDSD00AK6pHuyKp5OTB2/pGbbYxgDUZ3Yf8sSNoWeykkjkDefr2DdJOdIzo2 rds2puUnKGJ5DorYkHnScoAi800dv6w93QWKWJ6DImNpoAtQZLrpKxVBkZnuDlBEhPFL3X+7nBJa oOXSAKjiHElS0BRUrIV7ANTj+mMj+5i1aAAAKBMWPO2D0SJPMnmaLX62y+bCPsfLS6njdVqA9unm djH6VGT/q5A7ULF9TPgV+zM9TfhWqrPf7YF/muwT7rO2K/Y8WyxUrodkYOj10CZhaIVv4G3tWF6a IqRPU4FfNw0xaNFOq/LXH5fV5cTBnRSkLm5R+7JQXT6n6hL3Vpwi38UM9VhspmPsvbXlSXbFaipu Uk0dOyXZdSyXZNexRYV0DJLszjd1/LL2dBfV1LFckt2xNNCFJLvTTV+pKMnuTLe/aupYSIRQ4exe YeHcJ3t1F12kIurod+XaX2DLoHUT2iAAGyDpZ7EedFwizEI6sqlLiqdSALhR37UqWfx0FpQzaddB aG4UESOjjWqGZ9m+kp8T7ZBZzS+bIC03/ioFEQXQq4mJrAd8x9UNrCvlus0M3G6Vqt9lU/W7kKrf Yap+F1L1uzhVv1ul6nfZVP0upOp3mKrfhVT9Lk7V73ZK1e9Cbued4nR2OVYelzyEf3axAt3NJnAT dRT6lByXkigtMqyBZiMYG9BjW+WmonKcMif+pmyOv6klXvB4lfK36aaOX9aebuBvSuX4m1KBrgL+ drzpK6Ui/jbR3YG/6UW23kr+nrejSO4ltc4cun+aQXB6A548Qp8Akfbgwx0aIZxIum1bqM5dzRnp laDQ+LfjayqVySHux3aCcnWwhMseLOHCwRIOD5Zw4WAJFx8s4VYHS7jswRIuHCzh8GAJFw6WcPHB Em6ngyVcyDy+U/gqjeppc1GBA+0dSdvHZYti0PEcgwRVdAHCNRja66XvOaZ3iQZg+DNnt1+g4T/7 OmnrhIzH4rUs/RWe/BU75hWbe3SE2zl9cqMFVduEE8MmBG0L4A0q4kNe3OlQiEbSd+QjcpG+47VC 6TuW6llKTlex9PU3dfyy9nS99B2vOUrfY2mgyxPpO9/0leIr6evpdpe+43eWndXbSaR9fQoxZOI+ Ru3k0o6bAkAkXX0S/OLvOaIHU1HRmdka5uK8Q+xgbbxCUN7SqWYhw20DuU+nzWUy2+f7iHmj4257 KGv19Zm7ajx26bbQfUp7tLeADnqyO6xHuzQ7UIsdTD4ipFfBW5f8NUqh0lV4s0Gcfk0gd/12zdYz h5LhbQcEhToBQZE5b2AsNQtgE+l5A/6mjl/Wnm4AgiJz3sCxNNBNzxuYb/pKiQgIil3OGxi/ExJS 3woQfKjABXpF074R7djEHaIxZpNp+mbgruKsXmCLs4cHYGhvk2Rs9B79VcaOu5q80g5Jp7/t6BXb pVbdVpAa/sbM7m1QbsgLVxCq0gNLNnTT3WogFHGH3Np4bwuh7TF2Nam2ro/KRm9gMgoZ3aNpZ6kW 0Y4tdKs+R2GReLfL4SloKYTkR6AScJXOkCb7EMom7K6ivWRwVztV8pTUcbzO5K4YS+2i8kFSR39T xy9rTzeokrmkjsfSQDfNXTHf9JWSkSq5T1JHPpySOsKZmAUbZxXppbusJGCC12dczWxDFJQgL21x kGgLMVCRyZXuI9Lc8FqbvhXy+kwE+6bkZDUZSVtkU2+TtdomHIEOz0Ww2Uf/bGB/6iKPfZ60NppD SB5ZgNirM6n0BkbFR+RdUmHu93S7W/eT2TZTheXxTG2yo9Ii5RHJzN/Ee4EUpWtKL8QWyna7uEnO QhpIOgU5Hd7VRL5X2AXInREMOildRBuNPFzGvXxj/G4bRISvFOxT0xWhly7dOhoQXJ8F5Q3v0eK9 16kTnLFwRuB4nTkjcCxd9qSPV4mBYr6p45e1p7sYKNiQOSPwWLrQHdIzAuebfIheDvXdw0DBQqLX m9nrZmApaYIK4DOAtW/GXN4gDwwKLDptGekwUCCN03rg0SV0f1SkKN0tyJezU5be8Tpn6WRLlt7p KmUkS5be9cva0w2MJJel91ga6IKlk/HAOaIsvZ7uDozklKUXfKnaJMyg9Rh63bTIOnL9yd8Fcp6E UwUuewUuySR7bnM+DT0QdDo7ODmH3u+tOIbh+pQqNX6Qj5e3auvxNSbhGfS0w0cKPABI0douMx9n qjwzn2yUmY8zy0/iyGZy6oylQWzYNKeOv6njl7WnG8SRzeTUOZYGumlOnfmmr9QQiSO7S06d8Tsh BVbFpkoFz6/QsRpYLt7Mbn2Sfu9jMtnTHrjRCV2JeFXhqQnQGDr6o4V3MQ2tWpyrQHY7frZCEaRZ RsMotFfKacz5wMpbU6FwN0FftKnyoc+L3SeyRQxDMiFgAdBZE6EPyc0s9JYH32A6r2KFTZlWNWjw 3SXaoiIZ/UPPfpJRFxi1duLc7RZMrIo8K+d/YEmn92gAf4HYxB/02eMqpixWXC4pELzzg6bkEvXB o/6S/6JJvjjkz1SrbpGxSYu8k8gqrh5i4n9K2YRMBZxLusXHLjbrFsFc124R0y7nir6Pu7nQRGzz PNHXnrouLcGuzIux+o4ypm9HTQ4iK/qZVudDiqubJAfWtUlyTku0GnvAb+RkgOniw39a1VFxRTAi n3ZgHT/M01qDP5jfQl1VG95R6RMvfVsqh3mlB1NWd5YrWfLF1vPL85ZTi+6C5Uqt+naLGWL698py FRddO0pxG9Pvz3KVNH2bNJ8ksxr722O5fBY7QuyH/VjyxdbYj+mkRXfBiLgyfbtF85j+vTIiwVTX jhJ8iOn3Z0RCuL5NkjIZ+9tjRD41qwk+2W2wn3eSWO24pGDQ70yuctR0xn5LElr38CiXWxen1Okv XFzyxdYraZBJi+5CuAip+naLGpLcSXcqXKQP9u/VUdIHpwX6OxgWuOnbJMGTsW8sXMZ/h29jTZme Pul/fflamxvk4+Hj0/8B4aonFmVuZHN0cmVhbQplbmRvYmoKMjc4IDAgb2JqCjUxMzgKZW5kb2Jq CjI4MiAwIG9iagpbMTIgL1hZWiA0Ny41MTk5OTk5ICAKMzQ1LjE5OTk5OSAgMF0KZW5kb2JqCjI4 MyAwIG9iagpbMTIgL1hZWiA0Ny41MTk5OTk5ICAKMzc1LjkxOTk5OSAgMF0KZW5kb2JqCjI4NCAw IG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzUyMi43MjAwMDAgIDM0 MS4zNTk5OTkgIDU0My44NDAwMDAgIDM0OS4wMzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Rlc3Qg L2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRp ZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjN0b2MKPj4KZW5kb2JqCjI4NSAw IG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzEzMS4wMzk5OTkgIDI5 Mi4zOTk5OTkgIDIxNy40Mzk5OTkgIDMwMC4wNzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0EgPDwK L1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKG1haWx0bzptYmpAbWljcm9zb2Z0LmNvbSkKPj4K Pj4KZW5kb2JqCjI4NiAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3Qg WzEzMS4wMzk5OTkgIDI4My43NTk5OTkgIDIyNy4wMzk5OTkgIDI5MS40Mzk5OTkgXQovQm9yZGVy IFswIDAgMF0KL0EgPDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0dHA6Ly9zZWxmLWlz c3VlZC5pbmZvLykKPj4KPj4KZW5kb2JqCjI4NyAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5 cGUgL0xpbmsKL1JlY3QgWzEzMS4wMzk5OTkgIDI0NC4zOTk5OTkgIDIyOCAgMjUyLjA3OTk5OSBd Ci9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAobWFpbHRv OmRpY2suaGFyZHRAZ21haWwuY29tKQo+Pgo+PgplbmRvYmoKMjg4IDAgb2JqCjw8Ci9UeXBlIC9B bm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTMxLjAzOTk5OSAgMjM0Ljc5OTk5OSAgMjIwLjMx OTk5OSAgMjQyLjQ3OTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlwZSAvQWN0aW9uCi9T IC9VUkkKL1VSSSAoaHR0cDovL2RpY2toYXJkdC5vcmcvKQo+Pgo+PgplbmRvYmoKMjg5IDAgb2Jq Cjw8Ci9UeXBlIC9Bbm5vdAovU3VidHlwZSAvTGluawovUmVjdCBbMTMxLjAzOTk5OSAgMTk1LjQz OTk5OSAgMTc3LjEyMDAwMCAgMjAzLjExOTk5OSBdCi9Cb3JkZXIgWzAgMCAwXQovQSA8PAovVHlw ZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAobWFpbHRvOmRyQGZiLmNvbSkKPj4KPj4KZW5kb2JqCjI5 MCAwIG9iago8PAovVHlwZSAvQW5ub3QKL1N1YnR5cGUgL0xpbmsKL1JlY3QgWzEzMS4wMzk5OTkg IDE4Ni43OTk5OTkgIDI2OS4yNzk5OTkgIDE5NC40Nzk5OTkgXQovQm9yZGVyIFswIDAgMF0KL0Eg PDwKL1R5cGUgL0FjdGlvbgovUyAvVVJJCi9VUkkgKGh0dHA6Ly93d3cuZGF2aWRyZWNvcmRvbi5j b20vKQo+Pgo+PgplbmRvYmoKMjkzIDAgb2JqCjw8L1RpdGxlICj+/wBBAGIAcwB0AHIAYQBjAHQp CiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1JfNAogIC9Db3VudCAwCiAgL05l eHQgMjk0IDAgUgo+PgplbmRvYmoKMjk0IDAgb2JqCjw8L1RpdGxlICj+/wBTAHQAYQB0AHUAcwAg AG8AZgAgAHQAaABpAHMAIABNAGUAbQBvKQogIC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dL QU5DSE9SXzYKICAvQ291bnQgMAogIC9OZXh0IDI5NSAwIFIKICAvUHJldiAyOTMgMCBSCj4+CmVu ZG9iagoyOTUgMCBvYmoKPDwvVGl0bGUgKP7/AEMAbwBwAHkAcgBpAGcAaAB0ACAATgBvAHQAaQBj AGUpCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1JfOAogIC9Db3VudCAwCiAg L05leHQgMjk2IDAgUgogIC9QcmV2IDI5NCAwIFIKPj4KZW5kb2JqCjI5NiAwIG9iago8PC9UaXRs ZSAo/v8AVABhAGIAbABlACAAbwBmACAAQwBvAG4AdABlAG4AdABzKQogIC9QYXJlbnQgMjkyIDAg UgogIC9EZXN0IC9fX1dLQU5DSE9SX2EKICAvQ291bnQgMAogIC9OZXh0IDI5NyAwIFIKICAvUHJl diAyOTUgMCBSCj4+CmVuZG9iagoyOTcgMCBvYmoKPDwvVGl0bGUgKP7/ADEALgCgACAASQBuAHQA cgBvAGQAdQBjAHQAaQBvAG4pCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1Jf YwogIC9Db3VudCAwCiAgL05leHQgMjk4IDAgUgogIC9QcmV2IDI5NiAwIFIKPj4KZW5kb2JqCjI5 OCAwIG9iago8PC9UaXRsZSAo/v8AMQAuADEALgCgACAATgBvAHQAYQB0AGkAbwBuAGEAbAAgAEMA bwBuAHYAZQBuAHQAaQBvAG4AcykKICAvUGFyZW50IDI5MiAwIFIKICAvRGVzdCAvX19XS0FOQ0hP Ul9lCiAgL0NvdW50IDAKICAvTmV4dCAyOTkgMCBSCiAgL1ByZXYgMjk3IDAgUgo+PgplbmRvYmoK Mjk5IDAgb2JqCjw8L1RpdGxlICj+/wAxAC4AMgAuAKAAIABUAGUAcgBtAGkAbgBvAGwAbwBnAHkp CiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1JfZwogIC9Db3VudCAwCiAgL05l eHQgMzAwIDAgUgogIC9QcmV2IDI5OCAwIFIKPj4KZW5kb2JqCjMwMCAwIG9iago8PC9UaXRsZSAo /v8AMQAuADMALgCgACAATwB2AGUAcgB2AGkAZQB3KQogIC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0 IC9fX1dLQU5DSE9SX2kKICAvQ291bnQgMAogIC9OZXh0IDMwMSAwIFIKICAvUHJldiAyOTkgMCBS Cj4+CmVuZG9iagozMDEgMCBvYmoKPDwvVGl0bGUgKP7/ADIALgCgACAAQQB1AHQAaABlAG4AdABp AGMAYQB0AGUAZAAgAFIAZQBxAHUAZQBzAHQAcykKICAvUGFyZW50IDI5MiAwIFIKICAvRGVzdCAv X19XS0FOQ0hPUl9rCiAgL0NvdW50IDAKICAvTmV4dCAzMDIgMCBSCiAgL1ByZXYgMzAwIDAgUgo+ PgplbmRvYmoKMzAyIDAgb2JqCjw8L1RpdGxlICj+/wAyAC4AMQAuAKAAIABBAHUAdABoAG8AcgBp AHoAYQB0AGkAbwBuACAAUgBlAHEAdQBlAHMAdAAgAEgAZQBhAGQAZQByACAARgBpAGUAbABkKQog IC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SX20KICAvQ291bnQgMAogIC9OZXh0 IDMwMyAwIFIKICAvUHJldiAzMDEgMCBSCj4+CmVuZG9iagozMDMgMCBvYmoKPDwvVGl0bGUgKP7/ ADIALgAyAC4AoAAgAEYAbwByAG0ALQBFAG4AYwBvAGQAZQBkACAAQgBvAGQAeQAgAFAAYQByAGEA bQBlAHQAZQByKQogIC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SX28KICAvQ291 bnQgMAogIC9OZXh0IDMwNCAwIFIKICAvUHJldiAzMDIgMCBSCj4+CmVuZG9iagozMDQgMCBvYmoK PDwvVGl0bGUgKP7/ADIALgAzAC4AoAAgAFUAUgBJACAAUQB1AGUAcgB5ACAAUABhAHIAYQBtAGUA dABlAHIpCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1JfcQogIC9Db3VudCAw CiAgL05leHQgMzA1IDAgUgogIC9QcmV2IDMwMyAwIFIKPj4KZW5kb2JqCjMwNSAwIG9iago8PC9U aXRsZSAo/v8AMwAuAKAAIABUAGgAZQAgAFcAVwBXAC0AQQB1AHQAaABlAG4AdABpAGMAYQB0AGUA IABSAGUAcwBwAG8AbgBzAGUAIABIAGUAYQBkAGUAcgAgAEYAaQBlAGwAZCkKICAvUGFyZW50IDI5 MiAwIFIKICAvRGVzdCAvX19XS0FOQ0hPUl9zCiAgL0NvdW50IDAKICAvTmV4dCAzMDYgMCBSCiAg L1ByZXYgMzA0IDAgUgo+PgplbmRvYmoKMzA2IDAgb2JqCjw8L1RpdGxlICj+/wAzAC4AMQAuAKAA IABFAHIAcgBvAHIAIABDAG8AZABlAHMpCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tB TkNIT1JfdQogIC9Db3VudCAwCiAgL05leHQgMzA3IDAgUgogIC9QcmV2IDMwNSAwIFIKPj4KZW5k b2JqCjMwNyAwIG9iago8PC9UaXRsZSAo/v8ANAAuAKAAIABTAGUAYwB1AHIAaQB0AHkAIABDAG8A bgBzAGkAZABlAHIAYQB0AGkAbwBuAHMpCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tB TkNIT1JfdwogIC9Db3VudCAwCiAgL05leHQgMzA4IDAgUgogIC9QcmV2IDMwNiAwIFIKPj4KZW5k b2JqCjMwOCAwIG9iago8PC9UaXRsZSAo/v8ANAAuADEALgCgACAAUwBlAGMAdQByAGkAdAB5ACAA VABoAHIAZQBhAHQAcykKICAvUGFyZW50IDI5MiAwIFIKICAvRGVzdCAvX19XS0FOQ0hPUl95CiAg L0NvdW50IDAKICAvTmV4dCAzMDkgMCBSCiAgL1ByZXYgMzA3IDAgUgo+PgplbmRvYmoKMzA5IDAg b2JqCjw8L1RpdGxlICj+/wA0AC4AMgAuAKAAIABUAGgAcgBlAGEAdAAgAE0AaQB0AGkAZwBhAHQA aQBvAG4pCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1JfMTAKICAvQ291bnQg MAogIC9OZXh0IDMxMCAwIFIKICAvUHJldiAzMDggMCBSCj4+CmVuZG9iagozMTAgMCBvYmoKPDwv VGl0bGUgKP7/ADQALgAzAC4AoAAgAFMAdQBtAG0AYQByAHkAIABvAGYAIABSAGUAYwBvAG0AbQBl AG4AZABhAHQAaQBvAG4AcykKICAvUGFyZW50IDI5MiAwIFIKICAvRGVzdCAvX19XS0FOQ0hPUl8x MgogIC9Db3VudCAwCiAgL05leHQgMzExIDAgUgogIC9QcmV2IDMwOSAwIFIKPj4KZW5kb2JqCjMx MSAwIG9iago8PC9UaXRsZSAo/v8ANQAuAKAAIABJAEEATgBBACAAQwBvAG4AcwBpAGQAZQByAGEA dABpAG8AbgBzKQogIC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SXzE0CiAgL0Nv dW50IDAKICAvTmV4dCAzMTIgMCBSCiAgL1ByZXYgMzEwIDAgUgo+PgplbmRvYmoKMzEyIDAgb2Jq Cjw8L1RpdGxlICj+/wA1AC4AMQAuAKAAIABPAEEAdQB0AGgAIABBAGMAYwBlAHMAcwAgAFQAbwBr AGUAbgAgAFQAeQBwAGUAIABSAGUAZwBpAHMAdAByAGEAdABpAG8AbikKICAvUGFyZW50IDI5MiAw IFIKICAvRGVzdCAvX19XS0FOQ0hPUl8xNgogIC9Db3VudCAwCiAgL05leHQgMzEzIDAgUgogIC9Q cmV2IDMxMSAwIFIKPj4KZW5kb2JqCjMxMyAwIG9iago8PC9UaXRsZSAo/v8ANQAuADEALgAxAC4A oAAgAFQAaABlACAAIgBCAGUAYQByAGUAcgAiACAATwBBAHUAdABoACAAQQBjAGMAZQBzAHMAIABU AG8AawBlAG4AIABUAHkAcABlKQogIC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9S XzE4CiAgL0NvdW50IDAKICAvTmV4dCAzMTQgMCBSCiAgL1ByZXYgMzEyIDAgUgo+PgplbmRvYmoK MzE0IDAgb2JqCjw8L1RpdGxlICj+/wA1AC4AMgAuAKAAIABBAHUAdABoAGUAbgB0AGkAYwBhAHQA aQBvAG4AIABTAGMAaABlAG0AZQAgAFIAZQBnAGkAcwB0AHIAYQB0AGkAbwBuKQogIC9QYXJlbnQg MjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SXzFhCiAgL0NvdW50IDAKICAvTmV4dCAzMTUgMCBS CiAgL1ByZXYgMzEzIDAgUgo+PgplbmRvYmoKMzE1IDAgb2JqCjw8L1RpdGxlICj+/wA1AC4AMgAu ADEALgCgACAAVABoAGUAIAAiAEIAZQBhAHIAZQByACIAIABBAHUAdABoAGUAbgB0AGkAYwBhAHQA aQBvAG4AIABTAGMAaABlAG0AZSkKICAvUGFyZW50IDI5MiAwIFIKICAvRGVzdCAvX19XS0FOQ0hP Ul8xYwogIC9Db3VudCAwCiAgL05leHQgMzE2IDAgUgogIC9QcmV2IDMxNCAwIFIKPj4KZW5kb2Jq CjMxNiAwIG9iago8PC9UaXRsZSAo/v8ANgAuAKAAIABSAGUAZgBlAHIAZQBuAGMAZQBzKQogIC9Q YXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SXzFlCiAgL0NvdW50IDAKICAvTmV4dCAz MTcgMCBSCiAgL1ByZXYgMzE1IDAgUgo+PgplbmRvYmoKMzE3IDAgb2JqCjw8L1RpdGxlICj+/wA2 AC4AMQAuAKAATgBvAHIAbQBhAHQAaQB2AGUAIABSAGUAZgBlAHIAZQBuAGMAZQBzKQogIC9QYXJl bnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SXzFnCiAgL0NvdW50IDAKICAvTmV4dCAzMTgg MCBSCiAgL1ByZXYgMzE2IDAgUgo+PgplbmRvYmoKMzE4IDAgb2JqCjw8L1RpdGxlICj+/wA2AC4A MgAuAKAASQBuAGYAbwByAG0AYQB0AGkAdgBlACAAUgBlAGYAZQByAGUAbgBjAGUAcykKICAvUGFy ZW50IDI5MiAwIFIKICAvRGVzdCAvX19XS0FOQ0hPUl8xaQogIC9Db3VudCAwCiAgL05leHQgMzE5 IDAgUgogIC9QcmV2IDMxNyAwIFIKPj4KZW5kb2JqCjMxOSAwIG9iago8PC9UaXRsZSAo/v8AQQBw AHAAZQBuAGQAaQB4ACAAQQAuAKAAIABBAGMAawBuAG8AdwBsAGUAZABnAGUAbQBlAG4AdABzKQog IC9QYXJlbnQgMjkyIDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SXzFrCiAgL0NvdW50IDAKICAvTmV4 dCAzMjAgMCBSCiAgL1ByZXYgMzE4IDAgUgo+PgplbmRvYmoKMzIwIDAgb2JqCjw8L1RpdGxlICj+ /wBBAHAAcABlAG4AZABpAHgAIABCAC4AoAAgAEQAbwBjAHUAbQBlAG4AdAAgAEgAaQBzAHQAbwBy AHkpCiAgL1BhcmVudCAyOTIgMCBSCiAgL0Rlc3QgL19fV0tBTkNIT1JfMW0KICAvQ291bnQgMAog IC9OZXh0IDMyMSAwIFIKICAvUHJldiAzMTkgMCBSCj4+CmVuZG9iagozMjEgMCBvYmoKPDwvVGl0 bGUgKP7/AEEAdQB0AGgAbwByAHMAJwAgAEEAZABkAHIAZQBzAHMAZQBzKQogIC9QYXJlbnQgMjky IDAgUgogIC9EZXN0IC9fX1dLQU5DSE9SXzFvCiAgL0NvdW50IDAKICAvUHJldiAzMjAgMCBSCj4+ CmVuZG9iagoyOTIgMCBvYmoKPDwvVGl0bGUgKP7/AFQAaABlACAATwBBAHUAdABoACAAMgAuADAA IABBAHUAdABoAG8AcgBpAHoAYQB0AGkAbwBuACAAUAByAG8AdABvAGMAbwBsADoAIABCAGUAYQBy AGUAcgAgAFQAbwBrAGUAbgBzACAAZAByAGEAZgB0AC0AaQBlAHQAZgAtAG8AYQB1AHQAaAAtAHYA MgAtAGIAZQBhAHIAZQByAC0AMQA1KQogIC9QYXJlbnQgMjkxIDAgUgogIC9EZXN0IC9fX1dLQU5D SE9SXzIKICAvQ291bnQgMAogIC9GaXJzdCAyOTMgMCBSCiAgL0xhc3QgMzIxIDAgUgo+PgplbmRv YmoKMjkxIDAgb2JqCjw8L1R5cGUgL091dGxpbmVzIC9GaXJzdCAyOTIgMCBSCi9MYXN0IDI5MiAw IFI+PgplbmRvYmoKMzIyIDAgb2JqCjw8Ci9UeXBlIC9DYXRhbG9nCi9QYWdlcyAyIDAgUgovT3V0 bGluZXMgMjkxIDAgUgovUGFnZU1vZGUgL1VzZU91dGxpbmVzCi9EZXN0cyA8PAovX19XS0FOQ0hP Ul8xOCAxNTQgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRp ciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzc2VjIzJk Y29uIDExOSAwIFIKL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGly IzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjN0b2MgMTUg MCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYXV0aG4jMmRoZWFkZXIg MTA1IDAgUgovZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZk cmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM05JU1Q4MDAjMmQ2 MyAyMDEgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMy ZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzcmZjLmF1dGhv cnMgMjgzIDAgUgovZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIj MmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM2F1dGh6IzJk aGVhZGVyIDc3IDAgUgovZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5k aXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM3Jlc291 cmNlIzJkZXJyb3IjMmRjb2RlcyAxMTcgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJm Q0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRt bC5odG1sIzIzVzNDLlJFQyMyZGh0bWw0MDEjMmQxOTk5MTIyNCAxOTEgMCBSCi9maWxlIzNhIzJm IzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRo IzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzUkZDNTIzNCAxOTMgMCBSCi9maWxlIzNhIzJmIzJm IzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJk djIjMmRiZWFyZXIuaHRtbC5odG1sIzIzSSMyZEQuaWV0ZiMyZGh0dHBiaXMjMmRwNyMyZGF1dGgg MTYyIDAgUgovZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZk cmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM2FuY2hvcjEgMzIg MCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0 IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yMiAzMyAwIFIK L2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRp ZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3IzIDM1IDAgUgovZmls ZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYj MmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM2FuY2hvcjQgNzQgMCBSCi9fX1dLQU5D SE9SXzIgMTAgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRp ciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9y NSA3NSAwIFIKL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJm ZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3I2IDE0 NSAwIFIKL19fV0tBTkNIT1JfNCAxMSAwIFIKL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZD R0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1s Lmh0bWwjMjNhbmNob3I3IDE2MyAwIFIKL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0 ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0 bWwjMjNhbmNob3I4IDE2NiAwIFIKL19fV0tBTkNIT1JfNiAxMiAwIFIKL2ZpbGUjM2EjMmYjMmYj MmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2 MiMyZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3I5IDE2NyAwIFIKL2ZpbGUjM2EjMmYjMmYjMmZ2 YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMy ZGJlYXJlci5odG1sLmh0bWwjMjNhbmNob3IxMCAxNTUgMCBSCi9fX1dLQU5DSE9SXzggMTQgMCBS Ci9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJk aWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9yMTEgMTU2IDAgUgov ZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGll dGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM1JGQzUyNDYgMTk1IDAgUgovZmls ZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYj MmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM1JGQzI2MTYgMTk0IDAgUgovX19XS0FO Q0hPUl8xYSAxNTggMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2 LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzUkZD MjYxNyAxOTYgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRp ciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYW5jaG9y MTQgMTk3IDAgUgovZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIj MmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM21pdGlnYXRp b24gMTMxIDAgUgovX19XS0FOQ0hPUl8xYyAxNjAgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJm dG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFy ZXIuaHRtbC5odG1sIzIzYW5jaG9yMTUgMTk4IDAgUgovX19XS0FOQ0hPUl8xZSAxNjEgMCBSCi9f X1dLQU5DSE9SXzFnIDE2NCAwIFIKL19fV0tBTkNIT1JfMWkgMjAyIDAgUgovX19XS0FOQ0hPUl8x ayAxODYgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMy ZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzSSMyZEQuaWV0 ZiMyZGh0dHBiaXMjMmRwMSMyZG1lc3NhZ2luZyAxNTcgMCBSCi9fX1dLQU5DSE9SXzFtIDE4OSAw IFIKL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQj MmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJlci5odG1sLmh0bWwjMjNxdWVyeSMyZHBhcmFtIDkw IDAgUgovX19XS0FOQ0hPUl8xbyAyODIgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJm Q0dJdGVtcDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRt bC5odG1sIzIzcmZjLnJlZmVyZW5jZXMxIDE1OSAwIFIKL2ZpbGUjM2EjMmYjMmYjMmZ2YXIjMmZ0 bXAjMmZDR0l0ZW1wNTA5MzYuZGlyIzJmZHJhZnQjMmRpZXRmIzJkb2F1dGgjMmR2MiMyZGJlYXJl ci5odG1sLmh0bWwjMjNyZmMucmVmZXJlbmNlczIgMTk5IDAgUgovZmlsZSMzYSMyZiMyZiMyZnZh ciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJk YmVhcmVyLmh0bWwuaHRtbCMyM3RocmVhdHMgMTI3IDAgUgovX19XS0FOQ0hPUl9hIDEzIDAgUgov ZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZkcmFmdCMyZGll dGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM1JGQzIyNDYgMTg3IDAgUgovX19X S0FOQ0hPUl9jIDMxIDAgUgovX19XS0FOQ0hPUl9lIDM0IDAgUgovX19XS0FOQ0hPUl9nIDM2IDAg UgovX19XS0FOQ0hPUl9pIDc2IDAgUgovX19XS0FOQ0hPUl9rIDc4IDAgUgovX19XS0FOQ0hPUl9t IDc5IDAgUgovX19XS0FOQ0hPUl9vIDkxIDAgUgovX19XS0FOQ0hPUl9xIDEwMyAwIFIKL19fV0tB TkNIT1JfcyAxMDQgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2 LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzUkZD Mzk4NiAyMDAgMCBSCi9fX1dLQU5DSE9SX3UgMTE4IDAgUgovX19XS0FOQ0hPUl93IDEyOCAwIFIK L19fV0tBTkNIT1JfeSAxMzAgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVt cDUwOTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1s IzIzUkZDMjExOSAxOTAgMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUw OTM2LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIz UkZDNjEyNSAxODggMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2 LmRpciMyZmRyYWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzSSMy ZEQuaWV0ZiMyZG9hdXRoIzJkdjIgMTkyIDAgUgovX19XS0FOQ0hPUl8xMCAxMjkgMCBSCi9fX1dL QU5DSE9SXzEyIDE0NCAwIFIKL19fV0tBTkNIT1JfMTQgMTY1IDAgUgovX19XS0FOQ0hPUl8xNiAx NjggMCBSCi9maWxlIzNhIzJmIzJmIzJmdmFyIzJmdG1wIzJmQ0dJdGVtcDUwOTM2LmRpciMyZmRy YWZ0IzJkaWV0ZiMyZG9hdXRoIzJkdjIjMmRiZWFyZXIuaHRtbC5odG1sIzIzYm9keSMyZHBhcmFt IDkyIDAgUgovZmlsZSMzYSMyZiMyZiMyZnZhciMyZnRtcCMyZkNHSXRlbXA1MDkzNi5kaXIjMmZk cmFmdCMyZGlldGYjMmRvYXV0aCMyZHYyIzJkYmVhcmVyLmh0bWwuaHRtbCMyM0ZpZ3VyZSMyZDEg NzMgMCBSCj4+Cj4+CmVuZG9iagoyODEgMCBvYmoKPDwKL1R5cGUgL1BhZ2UKL1BhcmVudCAyIDAg UgovQ29udGVudHMgMzIzIDAgUgovUmVzb3VyY2VzIDMyNSAwIFIKL0Fubm90cyAzMjYgMCBSCi9N ZWRpYUJveCBbMCAwIDU5NSA4NDJdCj4+CmVuZG9iagozMjUgMCBvYmoKPDwKL0NvbG9yU3BhY2Ug PDwKL1BDU3AgNCAwIFIKL0NTcCAvRGV2aWNlUkdCCi9DU3BnIC9EZXZpY2VHcmF5Cj4+Ci9FeHRH U3RhdGUgPDwKL0dTYSAzIDAgUgo+PgovUGF0dGVybiA8PAo+PgovRm9udCA8PAovRjYgNiAwIFIK L0Y5IDkgMCBSCi9GOCA4IDAgUgo+PgovWE9iamVjdCA8PAo+Pgo+PgplbmRvYmoKMzI2IDAgb2Jq ClsgMjg0IDAgUiAyODUgMCBSIDI4NiAwIFIgMjg3IDAgUiAyODggMCBSIDI4OSAwIFIgMjkwIDAg UiBdCmVuZG9iagozMjMgMCBvYmoKPDwKL0xlbmd0aCAzMjQgMCBSCi9GaWx0ZXIgL0ZsYXRlRGVj b2RlCj4+CnN0cmVhbQp4nO1dy47duBHd36/QegC3SVGkRCAIYPfYAbIIYLiBLIIsgp5MgoE9SGcW +f1QEkWRPNQtiZfSlT3dxkyrKbFUJOtxqvjQ2z99/kf1r9+qt4+f/1M929+Pny/sgUk9/lTM/Hvj F9Tdg6hZ/1N1XDyodih9/np5qV4uny6fzP9fLlwNFe0vc3N6BRv+/fb86+Xt+PLLWPL58S/m6n9V Xf3Z/PdL9be/m8KfLL3+ga+XTivDB2NcmD+/+H9y1jHxYJjippzFf/YP//vy1x+qX3vG6oduYJ6P DPp/vuFS1ZybmvVNLL/MVR8UE7o2dLvFa5+wEJafpmpl25qnGOem6aKR/TVj0pRr9tAM5aYPFG+G P+q4vG6HDqh9Ol8W6Pfd87PHsxb2Z/E64NnjTdl+H3j23qW4GoYq5i0sn9sy0/myQD/muVA/L/C8 xMPSuOzRz+mx/hr226p+TsvGkiyFPE9mQINSbNIt1TTmfsdaY04qLqv//tO85dOgOxkayod/PjNj yYKGvlyp+P7p8vajMiakevq5Gjl4M/56Grl+Y9jmXfX0U/WHnqk/Vk+/XHqDZAvqoaCdC8RQ0M0F TfzESOPDk2l9psl5uVJxaJCujJVMNIgL3jeoNnZ6ZEaoiF0o4O+2scuRXV73w1rXrZHe6bp74KyR Fed6uFB6KDX/N309Xj1fuJHiTstGMHdThZWVpTs8O1zLoUYVVZWOrhyeDV5qblqmpsqO32ejDe9/ 2HkwzC/b1d3Q1Xru+zoajJrFBaMwcU8i21gAf4wL3g8F8kqVD3GBHAqaKzRiVpFoTIOPT3A2l5Ad sOK98BoZP/EuLvgYE42fWNPNdK/Ca8A0QDdDlZgoSIQ1QOLKW4DT+C38kWKMx6+lq2C3g5RBAbQl lmVsPimpnEdCxh7TNAaTl63d0risQLuLtB+GDp6AxoD6g3A3MQ3ow9gp3FmFbhuZye42kxNEKwMq A60BuSPNHXYzDFVHvbbI+MeNEywebtD2D5TFwOZDF8aMYa8DUegPspNpxjgAHNpzkRYUO6iECRGq DgUV5QEGl/Tc39NYImNgqLarA0pM3GPlILH0ILFMQmLpILFESCwdJJYhJJYeJJZJSCwdJJYIiaWD xDKExPIgSKwmpyneU8pZBADRUO1OEBmUFeQ5NgkZkLl5T3YQKLwg1TlWtCUbeXhAcDY0c61HAKvS iJAOiHaEOzdiZs5C9T8NZjq5Fy0DiFu1ujHHoKhyjrbzHG2XdLSdc7QdOtrOOdoudLSd52i7pKPt nKPt0NF2ztF2oaPtDnK0+tXRLugzzSkUgBmBvMqrCyS7qJTKC1Y7lRdMJFResMaqZn8Vqfx4U4WV laU7qbxgLKHyptTRZbHKDzctU8xX+ZHu/iov2GTlax2DC1oZaef6XeeSawAGBazCt5P1LZF/OKhx uziaPXwCtKWcBeQz6BE8BXoEn0BPfxVbQD6BHq+ysnSdBeQp0GNKHV0APcNNy1QAeka6B1jA2oUX YAHBApASvyI0ug+C2cckch0XnAbTwFBBsETnIMGw0FN0e+RKVsxigbEGSEcnWOmpoRUYb3uHFJpf i5QZBLGOpWwFnKG9BInpffud37oh8y8aPbVFxW+J4zWrmAXcRitmt9E2KbfROvPeSnAbrfMTc2Vl 6Tq30fKU22i5o8vBbfQ3LVM8cBsD3QPcRttOgyFjPAKKBJaGxgH01AUZkhVB45pEPSRRWB1A22Y0 khnTQbR9j5FkDeu3Mnpse/oQidJjC+MCgw2ON7YRS4u7YOr3NuPV8CZUmGaUB86v9BkN6aETYbh3 QW8LCOBW79WGXYSZ/owIJtsVl4Wi9JQqqj+d+iZnPiwkKpILF7peb8rpKWXgHfSfHu1D1oKUGMsS jO1jmOquDge3HnvZC01WaAh0IumoEzB6+2iucFVFFp0YOEUowJFm9tpcaAELuWZkSF3dR1jtZOg8 EOIx7gA65IOxA1UEWAFPAI27OuIi5r1h7WJzSSwPk9LovGjzHj9hF+HdHr41JoD66q51Inxr6ml+ or+KwrfxpgorK0t3Ct8aWyMM35r+3kjXXEXh23DTMqX88G2ku3/41tTO6J8260catIS5ouU3dk/0 ogpo3YqpAbAjZCo80Rh6WvaYbBu9/oFeQ0MuIywB1+/VQfSqG/BNANdpyL/TIqPIHhwzqwUdgmoI S/lirdtvgUwj5qRfI1JJv0ZMSb/+KvYawrkJEST9errOa4hU0s+UOrqQ9BtuWqaCpN9I9wCvISag sGKBDNozMHkl0k10RJax44vOYG6fgcLZcvot9KQ0aVh22TWUkwa5kymmo/4McYAqdOaAnrXPWF8A jcsYqIUFGLfO2LShwVixzypj1QI5ZVcikbACqmTDvTLxm6xvGP9z5Ss3Bda/89zj9mB9xejTS+rp VBR00C6zBqJrIunfvqoJJZdGu7RZpidrSoBseoq0hGcDeSANOWaEdlHt2OauCEK3Q6FyIYXyQgqV DCmUCykUhhTKxRAqDCmUF1KoZEihXEihMKRQLqRQYUihDgoplFtHAIkoeso/YxK8xKIAcu9K1koh ujH0YgSaRoaPKLDq6+xbhm7DQ5CYpAPb7Zshcjr5mI1qTduFqoyNKbAvc4U5iO27+DEeh0O2w51G Yhb8XZmgo3sNOhbk4dsNOsrBHe3BHZ2EO9rBHY1wRzt8o0O4oz24o5NwRzu4oxHuaAd3dAh39EFw R082UtpVYOyKEMB4bRcTTLPQRnKXLOyr+u6vvitO2dk+l4sDVeD4HwQEQIMGdwth9o1gRqlQUZER YBUYgV6mUzUl0vQlhD0jRUAvAYbAJXuGoQh2kXxDyuhOUQe8BbJs271DMfcu69m9yzrl3qU7ZVLW 4N7HmyqsrCzdyb3LOuXeTamjC+59uGmZCtz7SHd/995Pe1hthe029GbI7WvtVshAhu+mzUjG7qoM m/AKKk4JKlZwSosUPS4ZM9sZoTpI4doN6rfueNChvchJZdJZx6wDcekJj+yRKOO9m8l74xoL2FxL y4TQlEXIOTBk+9bZFcm6Ahs0D1qXkbEegtZVstczApGGxxIDS5vEO2os91uJJqUHtGQSaLmzC6VE oCUdspIh0JIe0JJJoCUd0JIItKQDWjIEWvIgoCVPtxKNnkrOWCZbZK3lnaaNSkxgHHNYAr0TFDeY F9NwNe9QMMqV0vB22qHQX8Ua3k47FLzKytJ1Gq5SOxRM6URXwQ6F4aZlKtihMNI9QMPbycujiUZP kIFZXlWNQMIlzjxbcbw8JCnove/0QcfHbP06ZjaxxDHXYAKP1KAiOxRme5AA+SCZCx+iuRZug1Mg gUXOuRbw2oz4hAbXAIFUgYGYDHPnclwrtovCclv68woZX4bIyOLuNvUptefQdcqhK3ckomLg0Meb KqysLF3n0HXSoWvn0DU6dO0cug4duj7GoStWr9as82weec0wlvdwGevJYk4FjH7GrNR215sTbJRY c1sCeaydT7xx+lRHyk5vGEdWC2zAKWbOFZ8zMP03AhPm3J3vqDhkYMabKqysLN3JnCueysCYUkcX MjDDTctUkIEZ6R5gzvmGDMxpzzB9PWpyu0F7PWryaWPwWS6ku9E4jyf+zKr7+/qiyrdxzvuNp2Qq 42Esq+QpmcILC29zksYnOSfZspSTdKdZKnuape/phpsqrKwsXeckVZtykqqd6KoWnGR/0zLYBk5y oHuAk2zFNBgfSHhOfxBz+8QkaCvMMq6AY/SRR3sc4FiL+Al64yHYJrottHvL2GZ5lvNNaSf6er7p IX63Ca1BRiy64sxjwOEFRDnneK+1oWeRdKTqusXBhNZtP9pqhZTRmWQ4qu4kaaYVWy6/6zTTfQ4L 2euYYRapAydd3fYzSTL2qa2QmIzMXMZxKrTxyxjc7Wcbrg5ki5jHljmfkxGmr9jXTMdUEKjR31M/ JnGBKRVy2cedzi6HBSpLK1ZKRJCt+0j7asxxewTZSukiyFaqRATZyinSa6cP+s5h4HhThZWVpTtF kK0UiQjSlDq6Io4gh5uWKeFHkCPd/SPIVrqPXkjSftFnt2w/zeNep/XTQUWJxXMZngcMHv0JLzLE zjrJlExerQCAZ3Hn23eHvPqIm3yEs0oPNbM/i9eBKV/xPG0KN750MJTGQsvkMfbDfs2unuykVVD/ 8xptJBgW6IAcQCAEu+1ULG1ed3fxkDVp0+FxxuMADArgvVbdumVGoGCpymqvnenX2JXhkl0ox6uB S5IoF01I1X5jBT4VXpMy4PX0u7igjQqsYfeIxj66hsD+Xdq/evvxwc8/xnyATMSMbT0d/tpItWyP kXJUc0bqY9p9QPshpPKeWDCw61qnFlqnh1MvO3c0ihUQz2q0YAIgTP8Yjb91Y3Big8e7d5gke5Da /jj9TaFu0SPZrhMPsre2ZrSb1i/4cvnsmeuQZOgP8HWE7V8mdrVvJ8lxnYt9aZdKzn3ZxNpmpyJ9 1ABUYACs/wbL4IlXPMPJZVwlfsJOCEEqHuYIAEdcIcq9TfJ7GfbF8WHDKVCdbqYWLhykCsmSXSRb SyfZUvsF55Vs13McjmQB2YgL6niTGnSliK0mFIDQclhVFZsikGKctQNzBm8BXYmbD3ywhUUYV16L MxuggLE22Q7aGyalP840OF/NcmHSQk6huY3qFZyg3adHS+KEmSpYExon2FlGiJk8WWxiooD5AGss GOEifSjEHn04U4UuAyQJrQNoqcgnMohClXJoTM8LYk6OxnSjnM8azmV1Baf1WXPnokkmYZT9ytMV Kw6OEMcHoBjwEbvKBAaEKK2EYHyb+E27ndV3xW9adjN+437BeXXB9dyd8FsJFdxF41ATYEVoTBRU 8gRgrM1FOFfBWDbVa0Cia0oSnVjtFkM7wE01ZNMAe4A1hEwYSAngBkgNQZ6Hxm8L6bUi46DVHuPg qNYLmYlrPRT3oZ1pu9YhcYEF1gXQmWAuFjk5OjOc6skj8f542rngrB7J61y00bHBRVQEATKk175J hCNY7Vp4R4Rj2OCTPAku/YLzypPruXtlqEZx0hsKUEbhO4KxVcHVyYCjSHXClBWpGiuAFVSBFVvZ Gumn0T2oZf5VL0aEuBpkwf56/pqrvL3DuP5A9enyf782Qi5lbmRzdHJlYW0KZW5kb2JqCjMyNCAw IG9iagozODQwCmVuZG9iagozMjcgMCBvYmoKPDwgL1R5cGUgL0ZvbnREZXNjcmlwdG9yCi9Gb250 TmFtZSAvUVBNQUFBK0xpYmVyYXRpb25TYW5zCi9GbGFncyA0IAovRm9udEJCb3ggWy0yMDMuMTI1 MDAwIC0zMDMuMjIyNjU2IDEwNTAuMjkyOTYgOTEwLjE1NjI1MCBdCi9JdGFsaWNBbmdsZSAwIAov QXNjZW50IDkwNS4yNzM0MzcgCi9EZXNjZW50IC0yMTEuOTE0MDYyIAovQ2FwSGVpZ2h0IDkwNS4y NzM0MzcgCi9TdGVtViA3My4yNDIxODc1IAovRm9udEZpbGUyIDMyOCAwIFIKPj4gZW5kb2JqCjMy OCAwIG9iago8PAovTGVuZ3RoMSA4NDQ4IAovTGVuZ3RoIDMzMSAwIFIKL0ZpbHRlciAvRmxhdGVE ZWNvZGUKPj4Kc3RyZWFtCnicpVgJdBzFma7q7rkkzYzmHklz9MxoTs3d0xqN7vuy7tO2MGYsjTSy rQNpjG0g2AJjjG2uHECyfgk51zGEJOAYEnAckk0cEhOul+y+5WWzu4TN2+AlDxY2xJbG+3dPS5Zl QjbZqdfTf1f/VfX/9X//UY0wQkiKDiISod7BUPSPxYcPQ89xuG6a2r1/UvLNsUtAX0RIX5tOJScm H+4wI2TwQ195GjqUeeL98DwBz6Xpmcy+p3+tugeej8Dzyd1z48l9ioVTCBnD8Dwyk9w3jwJoFzxz 7+nZ5Eyq/9cXKXg+CUIMI5J6Bj+IREgq+pyIQQiX5O7kq2iSUEtFRL6YIrgf9RgivtmH9l1Gwi/S MNiE6pHtMiF6PduPGUktfuomhL7wm39EiKoULXGrIQJaM0LEhAhWQhKEGJVN5bSpbM0EnS3Fj2bT ouFLjzdTLyGMQB4RDeN0CNmw3gBNp3KoGOxyQ2NVjIqqXFFgCpP41L8Ql0iSxMQT1LeiIW8gZF/e LFq63B6O+qKRAHni0gFYEo1euUgZqR7kQ3HQS2vgp2Si8fK4QSzhm8Pudqli0ME1fY7BoOOWcwgc EqxVF7pKE4m+PW0txZ9XWego09W9+93b73A5mxq2jKaO3DBWETfq8feU7e33BCJRX5nJTOE/jrS2 M2yJORTsCAQCIYdLb3zgflzyyK7pxkaLCeOyQFfP9M79xqOn+nqwXOl01TYkYQesV/5A+ER+VISQ ExZ321mVg2XijI7ROVSgAKMHOQmf1+eP/9MnDrH7fvrT4qK6omKjWZovluIPiNfueu+9u1aGe6w0 FlFiUPrKCuzpBaoSARZsDpLfSXdOMdKBGU1O45z+mo2P1MOvfkMmyZPkS2V5Ulm+5KlXsq8+9YxY KpZKpNAtk0j+4YWzEu5BBg26z32L+F6x1+MqCwfL3B6vdaUTLGYz2BxWl8vptNJWPfG7laJim93k sDudFoetmPgN2GnkytuUGeykQyyITIDeYnfO5oVOwSiSWK5n1Sw68TprQqPM+PZPvLOweUtNndWG 37rjhrGqhNl0VqN1usrjTS3xCrdHo8MGvdtZHqttqYh73DodYcn+9thxjB22tpZd0w8QIYztjta2 9M5jnxjsj0a0GqzRRaIDg7feMTAYiWq0WnU0MjgAVgI/Io6AvAEOzTHWxTeGk0dr0OqYcgFPUQ5L nNT2nMwG1f3gRqcwgcGZ1Aad2eT1JPRaTYHaaLTUlvlLzAUKTNbaS+12m9lkNJosVrrEoqkJBSym QjkmRcRXKQpjkznMNLX0r1wASY6Cp5GiCyif8xgJ5ywqzGBMhrOfPHT6NH7j9WwH/gV+ZyZ7QHRh OUnIs6GVR2CLkQwhyWHwtMq/jIprkMG16Fqn6He/fT+/QCErKFDk5xfI8/7nt9nk+ZVClTJfnq9Q 8SiRSsQfPPMBR3KwKVRiqUReoJQX/uk8ecDJxkLxRFV5mIk5l5dES8tL9TW1kSqmubmEtlrM5hID ObP8KUOJmd+I5haHjWVqq1iS9+17QY0a0JyPKRqW0ZGg+72nT58W0U88celfqcrLP8lZinwHLAX+ b1O5BAgJ5uBiy5rxtLzx9Ncajw9AZALnyYuKff7ahijrcGm0pzkjcjbEZBFt9XrKY21bG+rLfFoN 8WQvG7NblXK9weevqetfuY8ctLtKHTajQSrSG0osJqsm6HaaisCaekMg1NY5vhICXYazI+QfqE2o A02DVgL23fF18GZZx7qIxbW4a52gzGoIY8AxwDUAalqJWBO7VmHDBp8hSre1tzMxq03+HXVtdaom Gim1gxI6kwXCS0V7ur0zGNIZMDZoo+GervmFkcEQKM018nGCp+ZuDhiL3d4oy7ZEGKtNqcJYpaSt 0UgzyzJeT3FRdhRrNaX2aKS6eJPHqyp0O6urR570Ot0mS6HaYW9pTk/ec2d6qrPd7cQxNmmkLeYS rYaS6QxmS6nLtfzjNxcy5Pn5gd4YY4Qfw/b2z+/p7YtEtTrQI9LXAzaeuvK26DHRw6gFcLAxlEs2 2NwgJIH4KohZG2tTCVu7GnWmAmVbN99155N37kh2tMOmnCkudTFsU8vmgzfeVFNrobHN1lC/Y/vB gbbWRNxfZs6OEcOhuoaevm3bdz596PDo1rIAcf4rhw9t38ZEMBi6zF9d11XO+H0Wi6rQ4+3YNJU+ cDC9a1O3z48VcqPOXGzOPpYtDpf5bTaNFuOK8h3Jw3eDZndfeZt8G2I3l71U2muNFwe4cxaFiGNw 8CAGTKyBZDV+qnBlQV5Jkd9XV8dGXaUQ0k7z4QcAzBuQLLbSHl+MbR2rb/D5NFoI1wN9sXKAhMKg g1E1A8Ti8jccpS6bw2CUUAY9+KJJF3a6i0xyJTboQsH29hTxKmD4UHYUYng3SqAtHIaFHeXA6tAa eEGv8TfBQGv+xkQ/Ps7Hr8Z5jTYY6uqez4yOBkU8HDmHfBLnkEmBS/o8sUj9fHdXKKjVPF8gN1ki 0Y6aGOv26g2QzF2l5WzbpmjEYpIXEPbbp9KbNoEd/GUpolBlKDJZTdktIrG7tNRi0utkpFpdVGKy FDGuUqO+IM/jbetMpQ9O9PSUs2YTLlSFw0MjhzM9HCAN2GyqiPf15uoYMQHRtYKPOrzgQi3hwAIg oa0rcFbhuhp8MKMSjeT0USgVCpUi++nD2QfEQuZVFfKvTl3Ge8X5eTKZVEKSUkmBLD9Piuc/IJ9g 2FiACcci/lDUtVxP/kCp1Rj10GKVFfEQw7qWhyDWhrRWGvKwpbDQYrHRtFVLvgpFE0bPgfXuQG9w lSkDUfW5H73xBvTSgMQ0aARVqMguxKZVNLIqzoe0OXvhFx+fmbM/l2fQ26wet3eqpjr7Ln7JZI7F u3q0Wza/YG0IhixWuaK99RjZcmLZkervT1RZaC4nJWCNMxAFhzfg57pYeHULcyB3CVFwvbOvxrr1 jTyDTdZ4Rf9gentnd0Wl063+gr6j/WAiGnbYdRqsN3q8lVWtDfUQ56F+2pX++VO70uYvyYxGu8Pr D9xaWQWhUOd2xssbygJ+v89VajaBKcq6K6s9XoiTSrnNWs50W0c9XqlEp7FZIxHaqtOqFNpCvc5h Z5juT/d04bq6Y1qf2aQulEmcrk6/yazRyZWFkEULNXqjzV7mh504CztwO+w2ZwNw87PnREu8bcbw K0QvMc/1a1ibbgy/j1957DEuG3KVcwpGqJHz6u45oMpedavVreG6ctsoSuFY+di22+94aOVd/NqX jx6ZGK+I/wB7fB2dU+lbwWqVc9tvbGlxu4mXv333PVtvCIRESx7v0MjSXU/fPzXRWE9bLn+7tLSt dddOoYJbhDzbgbbnEBJfjcRxdkMIlrjXubyOL2o5iXTrzb3q/e619CdZjQfAjz//lf5B7PU01g8P jf43VM8mc1mgkvX6rLRaK3peZi5hmZ6uuZ+np3S6KqVSqXDQDidT6tIbCgpIsdnuCIYSVY7hxjq/ T6f7cVNldSBYVBIOakeGH9nZ2uRxK5UEVdUUClpMSrlEqtHaHFFVfXnM4zLotm3/VjbY5/GCY85L KRFWFJhLoAJgvWXgSaojtCUarqpkt1CERFZU7A90bAmFwW7gNUS16GfIwcVxB1fRs7F1YU93tfoS 66DSx9OnH300P89qijH91lJ7sUpvUHuNJfJCSvw6+cxyB/nMXbdWxiLuUoOOJMX3wjEI47wCjc5i cSfv4jwJrEH+DKxRc/XUE9evP/UI6WHNSOsKnpwXCbbCGoWctpbHum9qqFeekVksDNvRmTy4eUu8 oqgYq9U2a6CMZRIVVWNtrSxDWxXfVSQS090M+I9cQdi39fTGE+BKmI3tLmiuqQuGTGbs93V3pif3 zQwN1Nf4fcVFBXkYqqtAZXWTYisbA5phu3s4TA9fuUj+ASq8MrQpdxriSh9NoTNX8LBcBRRjr8mC glZ4Q6pkN+QUko0ODO3/xfYdGN9/6+BAlM+EQl58ghASyco/c6qHwy2tFazLodVotKWuWHlrYzhi pZWqJ9OBwNF7cRHB4kAwKTPojHrIFvjLlzVc5rDoDFKZFqr6kqISPH9zbx/DGowGPcsMDuxf7OuJ hg06CPkM0z/I6clHXMjyVytZPu7+6EfkrpdfXv7Myy+DRbeBf30INU6Ks6jgG/SGOLxe1Wvi4yrW NhZF7nU+tbFRH9od7e0zsw9n//SpT3m+K7eYmHBnx+RwW2uMMZusdCLR27e9urK6vCIUsZdqtF5P e/uO5OKdN97QUO92Gp9XFpVwZc/AjsZmt69QDSAqb2vtr2+sB/dgXE7YgLu3bNpUXmGm8Q1j33RW +INWm1qtlFst4WBTs98HZaDaUKBScKckH1diT7S3hoI6HdboPd7q2l5b1OspKVHIMS5UWyweX7DO 4y0pUcMUSggpJrPPl6iEfQvC+eg0xEVJzvMgUemIV76fNVGHqbcul1BvnTiB1n134E5RKht/irJx XxuSK+Jz54hL54j7VhZFSytPEEPcdwWen8rm+IFTZxOuk1Rg+ZNkdPkX5COipRPZ6s9ldSeA2wBn kN+DffkzGlQA3AGNO6PZsr/OvvFDvJR96DxW4IIXsw/hw/j5bDPhJxTZMfzVlfdXXuNWAxEpJayW x2Vkm0rEOrlFT+Cp7A9x99fw6Gep6jdPvXXZ+FnAUgh44zyveVVjqCUgpKx9zVglbOTNp1bSxN1n f5J9kJRI8/JlBZLsIyJZPtdE+D1cl30B1x0nzyx33U/uFcuVsLfa/JWLUrmiQCFXcN8W0LPZS3gJ aoVC8E+dAEuJg4Ohg8VLlCgvX16ouc1fbNz8xkm2zO902ezW+qbGBq6imAJJCwDR9ZxWV6PQVWfd mC7WTmSrC61poptiOjv6+/t6Guq8brUa4nu4Mh4MO116o+RZmY2uSgz270oPDiTiVgt3kItX1NTW 1JZX+PwG4jcH9mzd3NleW1NX09I0WhXy0xYVpAyLtSxYqdrU3MRAnQgxKRxta7+xrb4hUcWWM2yE YSAAJT7LeW8feKYD9LCiunV1i3iD621Mw/ZrPW/tK4YDO92NzVu2TqY3b61vdLpczsbGrVt2TWzd 3Njocp6B2tftiSfauxNVLq9Gq9N43YmKztbKCi/kJuKFnx89PjTidGHsKh0ZOn70wi+PHxsccNhs joHBY8d/+fc3zzY3mEtM5obm2Zu/9qW5uaYWk8ViammamxMqCK7CMyAfh1POC2wbdxyTq8a5WkZQ x7OfzHacIx7Zt22svo47wPjK6hvG8IMf6g1eX3V1V7YKvzRQXe12atVEx8ozoqUSM8N2brqxub6h vNztLlz5InmxPhS0wb6vfKjTOB3RyKqPPQTyyDgcc/4F8ujwFKlefucc+Z/UWyvvf37lx+BmnA0O XblImSFTeKH+QJiw5U4dq3iMxfnGpQotdzrmzxycRUjXtXnBcP1ZI7t4W/9gdDUnPAkJAg4bVGRo 4NYLO246i+UKKx0Kt7SVVzhcaji5CaeLxnCYtqqUhH3lZ4GyiWKT2VBUqKKkBsjQpaVu6r+yWywl Zm2xbioYOHo0++/zfb0sHG+5lBAbGNyX6e0LR6GeNOhj0cF+lPuKIXZAPh/l4tMG//jLXzGu/6Th uH4SEuXl64ucrngiGLLaC9VPX/3IYTCbXKXRUMNt7a1m0mgxez3RSMNAdaXbqVE/de2ov+YDSCS6 87pvIWvjdYCduvqBlfsQpz9/ffo7x9LbldUfcB/ON/6urGRHJIdF3Bcx8VonjJHUZntQk/Ql4GAk h/mZ1v98xEXULDqPTlKLaJRIIKvo/JUVoEeIU+gIhdBR6EOS+5AMn0f3Qv8R7p04gabgfjdch8Sn 0EngeQ54abgSQJ+FsWPr5jRD/yg/J/CJRtA26k0U5N4DfRLeGeDdCbhC8P5ZuHNz9/Hj3+Tn4Nbg vttrUTX6DPo+LsRp/A38In6R8BE1xINkiDxBvkfto35F/ZtII3pU9BXRt0Xvig+Kn5WUSB6QfFFa I+2TpqUHpF+Qfkd6UZYnm5W9llecF857LN8q7K0PcRW8sGPX/Ux4ZK3/RvR9gcZIiWsEmkASvE2g SVSM/06gKeD5lUCLUAGxOr8YKYgygZagW8mwQEuRlvylQMuQgpIKdD4yUf0CXYCC1AWBlqMDossC rUBl4tdhdUxBvEDP85JwNEYWbBZoAilwt0CTKIZTAk0BzxmBFiEj/g+BFiMTIRdoCXqfqBRoKfKQ jwu0DJnI3wt0PqqgDAJdgG6gZgVajrLUZYFWAH5uQ01oDs2j/WgBTUMeTKMMotHX4YqiMLQ4UANQ 6U3AvR0l4a0fqA40i8ahnqFRA9oNjV43epF/SsE9Bfdb+LEcZxeMakQtMFsDGgK6F/VA7zTPn4Qr A9xJ4E2hGbgvoF3QN4cmP3Z91DQ3v39heiqdob9OR8PhOD2QmqDbkxk/3TE7HqQbdu+m+deL9EJq MbVwS2oiSHd1NLYMNAx19PbQ04t0ks4sJCdSM8mFXfTc5LXjEQg9jXbwinBLT4NAs7D8IDzNguCo a3pHaiGZmZ6bpQeTs9DBiTqF9sCWcCqggdTUnt1JIBqAexzezfIKLsAcAX5LPnb2hsXx1OxEaoEO 0Nct9NcKNsLzLq5xRmD3OOuikdTCIscWCYbjHz3tR0z6cTL8/yyaw84UP0uGnzvHOc3PPQwcgzxX Hz+S29AMv9oszzX0ESv2woqTMJ7b/quc4/zcGXjOzTwHdFowzU4w4AIvwQQ/blW3RQ5x63b2L6AH IDc1vZhJLUDn9Cw9HBwM0n3JTGo2QydnJ+ihtYG9k5PT4ym+czy1kEkC81wmDXbfuWdhenFiepxb bTH4USjinHcB3HfuGiNcRU7T3ML8XE5cBDvH7dgt/D508+wZ3k/5IYOZ1C0pujuZyaQWOeY0/3oe VUIZH0J7+RaEQddKMC6sH+SpGa7kT2cy85Wh0N69e4NJQYxxkCI4PjcT+tunzUCEmuexkOJRPAW8 OUQH+TlnwOU+dunM/vnURGpxemoWAB9MZ2aAf5gPUqug5ACQA+9HA3uSv3NwW+RHZED0JA/QVdAv AnB2AHxSPGi4GeeEeTme3QIIZ4VVk6AEN5oD6yqQ96yz7V5ennH4p0H5OXjHjRnn55jnTTexbva/ VmaA0/BiigNtJg1AXgfryTlA6OLcZGZvciHFgXxxz46dqfEMnZkD3hS9G8A6C0OTUwup1AwH5z08 1vamp8fT9P65PXRyfDw1nwHYc+x/bubg3w6G3R+h6/8RBrvXpBEwgND/ArLqiBNlbmRzdHJlYW0K ZW5kb2JqCjMzMSAwIG9iago1NDQ2CmVuZG9iagozMjkgMCBvYmoKPDwgL1R5cGUgL0ZvbnQKL1N1 YnR5cGUgL0NJREZvbnRUeXBlMgovQmFzZUZvbnQgL0xpYmVyYXRpb25TYW5zCi9DSURTeXN0ZW1J bmZvIDw8IC9SZWdpc3RyeSAoQWRvYmUpIC9PcmRlcmluZyAoSWRlbnRpdHkpIC9TdXBwbGVtZW50 IDAgPj4KL0ZvbnREZXNjcmlwdG9yIDMyNyAwIFIKL0NJRFRvR0lETWFwIC9JZGVudGl0eQovVyBb MCBbMzYyIDcxNiA1NTIgMjc2IDcxNiA1NTIgMzMwIDQ5NiAyNzYgOTM2IDIyMCA1NTIgNTUyIDc3 MiA1NTIgNTUyIDgyNiAyNzYgNDk2IDQ5NiAyNzYgMzMwIDcxNiA1NTIgMjc2IDQ5NiA1NTIgMjc2 IDY2MiA2MDYgNzE2IDY2MiA0OTYgNTUyIDU1MiAyNzYgNTUyIDU1MiA3MTYgNjA2IDU1MiA4MjYg XQpdCj4+CmVuZG9iagozMzAgMCBvYmoKPDwgL0xlbmd0aCA2NTEgPj4Kc3RyZWFtCi9DSURJbml0 IC9Qcm9jU2V0IGZpbmRyZXNvdXJjZSBiZWdpbgoxMiBkaWN0IGJlZ2luCmJlZ2luY21hcAovQ0lE U3lzdGVtSW5mbyA8PCAvUmVnaXN0cnkgKEFkb2JlKSAvT3JkZXJpbmcgKFVDUykgL1N1cHBsZW1l bnQgMCA+PiBkZWYKL0NNYXBOYW1lIC9BZG9iZS1JZGVudGl0eS1VQ1MgZGVmCi9DTWFwVHlwZSAy IGRlZgoxIGJlZ2luY29kZXNwYWNlcmFuZ2UKPDAwMDA+IDxGRkZGPgplbmRjb2Rlc3BhY2VyYW5n ZQoyIGJlZ2luYmZyYW5nZQo8MDAwMD4gPDAwMDA+IDwwMDAwPgo8MDAwMT4gPDAwMjk+IFs8MDA0 RT4gPDAwNjU+IDwwMDc0PiA8MDA3Nz4gPDAwNkY+IDwwMDcyPiA8MDA2Qj4gPDAwMjA+IDwwMDU3 PiA8MDA2OT4gPDAwNkU+IDwwMDY3PiA8MDA0Nz4gPDAwNzU+IDwwMDcwPiA8MDA0RD4gPDAwMkU+ IDwwMDRBPiA8MDA3Mz4gPDAwNDk+IDwwMDJEPiA8MDA0ND4gPDAwNjE+IDwwMDY2PiA8MDA2Mz4g PDAwNjQ+IDwwMDNBPiA8MDA1Mz4gPDAwNTQ+IDwwMDQ4PiA8MDA0NT4gPDAwNzg+IDwwMDMxPiA8 MDAzND4gPDAwMkM+IDwwMDMyPiA8MDAzMD4gPDAwNTI+IDwwMDQ2PiA8MDA2Mj4gPDAwNkQ+IF0K ZW5kYmZyYW5nZQplbmRjbWFwCkNNYXBOYW1lIGN1cnJlbnRkaWN0IC9DTWFwIGRlZmluZXJlc291 cmNlIHBvcAplbmQKZW5kCmVuZHN0cmVhbQplbmRvYmoKNyAwIG9iago8PCAvVHlwZSAvRm9udAov U3VidHlwZSAvVHlwZTAKL0Jhc2VGb250IC9MaWJlcmF0aW9uU2FucwovRW5jb2RpbmcgL0lkZW50 aXR5LUgKL0Rlc2NlbmRhbnRGb250cyBbMzI5IDAgUl0KL1RvVW5pY29kZSAzMzAgMCBSPj4KZW5k b2JqCjMzMiAwIG9iago8PCAvVHlwZSAvRm9udERlc2NyaXB0b3IKL0ZvbnROYW1lIC9RVU1BQUEr RGVqYVZ1U2Fucy1Cb2xkCi9GbGFncyA0IAovRm9udEJCb3ggWy0xMDY5LjMzNTkzIC00MTUuMDM5 MDYyIDE5NzUuMDk3NjUgMTE3NC4zMTY0MCBdCi9JdGFsaWNBbmdsZSAwIAovQXNjZW50IDkyOC4y MjI2NTYgCi9EZXNjZW50IC0yMzUuODM5ODQzIAovQ2FwSGVpZ2h0IDkyOC4yMjI2NTYgCi9TdGVt ViA0My45NDUzMTI1IAovRm9udEZpbGUyIDMzMyAwIFIKPj4gZW5kb2JqCjMzMyAwIG9iago8PAov TGVuZ3RoMSAxNjExMiAKL0xlbmd0aCAzMzYgMCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0 cmVhbQp4nO0bXW8bWfXaSbvlll22C6wQiOVuYKUWzTpLy65QC4iJM0m8dexgT9LtE4w91/a09ow1 M04aHhDiBSSQ4AEQH+KNN34ASOwbvCFekBAvoH1YELwhVloJpKXlnHPvfNlONk3SDyTixr5z53x/ 3TMnLisxxs6xr7EFxprt5ctvvfq9n8LOt+F3pz/c79370PonYf0X+F0bSMftvlF7mbGSAdevDGDj /Gee/Dpcu3D9icEovnPuY+wPcP1NpDoMug77OPsgXH8Xrs+OnDtjdoa9B65/CNfCd0YyfO4nQLv0 S8Y+9zIrLX6//DpAsDNXzvwIdp9Tnwt/ZL3yM4yVz59bWDi7WC4v/o1V7v2evX2Pf+LLl4AS2+pZ LhNM3Lt39gN3P1D68ROj0ptfZqV7oBn+lFnv7g8We2d+Blo+wdj7Lzx/4YXnLzzfW2TvRAsfeeev d3/wxFP/eis8e4mVWFB6vfxm+Q20x/sBJijH//l2+Y27f0Y6JfX761/8+Ddfet9n32aafOEn4VRi Z9M9wHlidPejjD3N7nXudRZ7RCn/U178HesttFgA6w+CzRSvMjAoJxRmfj5c+ny6/8PSZb0usfOl N/W6zBZL/9brBfZ0Wej1Iqzben2Gvbf8Vb0+y95X/rlen2MXwApqfZ59dOFFvX7ymZ9e/IZeP8U+ fe07ev00O3/tT3p9gS1eews4lhbR1y8Rd1yX2LOl3+o16Fb6h14vMFG6q9eLTJQ/pddn2IfKrl6f Zc+Vv6XX59hS+Vd6fZ5dLf9Tr5984erCdb1+ig2uvaDXT7Nnr/1Gry+wc9f+zqpg6THbZyHzWJ8N WAzRc5F12SX4vMxegtcVWHUAQrAVgIlZBL8hk8xhI2bAbo35AF+BlcmG8BKsldKK6ErCpwScXXh3 AZIfgesrKVcbOO0Cr1uA4wM0yuEAzv1xXIXVLcDbYROA6AKsQ9QkYTikkQAqPryPAaYDdD2AE4Af AHeH7nHGqsF4P/T6g1hc7F4Sl1966Yro7IsVL47iUDojQ9T8bkWYw6FoIVQkWjKS4a50K3wG9RVE tZ3d0a3A74sVZ3AA4qq85exMRHfg+H0ZCSeUwvPFeNIZel3hBiPH80GyooptUjCCbYXcdny4WAFl hqASWwmG7kEoIgPLIYtjo+yQLyKwYED2vQweuQIvtiPDyAt8cbly5UqRckL3xWm6SPbFeZL0iLgK gFiHZyJLL/DBnjG4h1GQxODiq2wZXq6msQs0KoAbwGcIbpdEL6QAqQBdCThsEMfjq8vLLhDdnVSi YBJ2ZS8I+7LiS7i9lpMgCagkqGdTB+9hkEoKdAk6BmwPYDGsTydYkdI63NkHmAFhenBvTHrFlBho tZAwMJWQ6u6UJaf1yJJxUkjGg7Th8JqnuwoJB1Z5q82WBQ4RcPwXP1KpOf0CN9/fmc4e3OG0imkH o3BEtr4NewF44N1kQc22iN6IqGXJ5ZFMA7ontV594uJrrxva78pbipuKMRXvBskVkPd9wh/rBFYc AqAa6xjzdBQ4RENZmmuaMUkxHU9dgsM4VNQTCgitZFexLCn/Vewt5aJkiTyHuC59RiRXF3AcrR+n LOhChI6ISkx3Evv0YDXUmXQxlTHjgDUN5Y8hflX0I8fMJrgzpqxxgUOXsBNpXNIgpljrwN2Y7ioe /BAOhs7mLkg2ISrKJnsUAwOqSrG2zIj28holOoSFqFTSTsiGRs47uB6RP5Wvea6CRIBtHKCHkeq5 TBVEEGWVD4q2p61a9P7hWieWU9KO04iOSa4s6jKN9sgeoyNxSLKhR1Xd1xrKHEeX3pGHQZ9oiVsA 0SV6CibxX49OIlXZEg91ibdLEnta0quUnbaWzgGKAVWGzAf5WpRZYLYS+AAf62yICrBJrmQWy9eA PJ4gnR2SnFNtLsaasoY6S5xD/BnQKSi070f0mdWPo/gippMIT1ZHa1QpWOowXLTJvj5bFHe0eY9k dHUkDSlOw3RHSYo2dXM+z0ddcoI6dCJ6VDOGdMVTjVySFP3l56zRL5yrilNSQx2KHhW7CY9p+0Tv qlMiJdcaZBHmkI+OLkGRz7Q95slmaH8PCc87oJrz1Dsh1VmH6kpGN9mJ0ohM8mX69JC6zknSIuG0 R1q5hL805zxcSvWexuBwLzltl3JRpnKmPnW+dCjfg5ysE50HSZzswl1vjsUku0N29nUmj+GlTi+H KqpMMfJ+VzInO3xupgyowgv6jLSMkiLpoDhJat282u3SSeCT3/P2mmdVnrNc3ofHzdVI9+9Ca5Jk W5JJ2DkM094j1BhFimOK6Nvw3tceU+chRhVPq+qDrFQHa9XRORLr87CXWmqDWcSnyRpwhXyacGWz G9BHtuheDfYE9HEtuLMDV6uwu0p+MekO3l+ibLwBa6TYZNtES9FowTvSvgk7SFvQNV5dB/gG0EJc i71GPCyg1gbJmrBG2puwW4dPS8MhRhV2tuEa1+sMu1DFrwFYNuUO4qEsSlIb9jOuRalqxDGRbBOu WkB/Q981gXaN6KH8BvVHuG5oOZXlWkQdbYSUkWYVJKrTFe5uw+cWwLXJnibprKRtkA5rcF/pYpEE yhNKoip8bgFvhFgHuWyyAnKyNaRBfkR9VgkfuV4nKCVZU3sZ1xmViralkgPtv5NybpP+dXgJ0t+G HZt8YwL9hG4SO+tEAeXmZI1t0s8kOzSJwwrBoRXRnvU04lo5r1TJXug3lHyVOJlkkfZcTRJqee/M iw6eclgn/SyyVJ2g22BHC+Br6Y6KxxrpWtW2VjRV3KuYqOesWyUd0bNfBK6WjimTbFfUAv10g+TP tFAeMPV7NWezzPsN7d1EHps423OscoNy0SIok3zdTnNkjfJ3U0u+nUZYVgO2dXw2U8mK9k3yKIE7 Su1QtBLeRQ+uUjzVtYTt1BoKgh9CV9UuC861Lj3nxGndLp7c+a4x60bzfaeRq7X5TkBV4XWCHU3B ZbvqaUmdWdmzTr53m/eEnTwdq14+6Xqz7kPVbvVMlO96XerPVQ8YpV1JQH1gkHYme3Q3O9PHenYS FJ7zkLNDZ7+R8krOooyW6isd6haQWzTHmgefUHzmyXBM573iskfrWHcmqN9Ew+L+V6aehpP5z6wP xFwfJLrM6xzy9g/J32P9LOWRhbGfrGi6IUueyzKboAXU3G005fUs+pDaVTY9VUAb9HOSu2RrztQM D3lyqlfJjOvRT51Oe8D9OM2DeGEeNN15Pbh5EJ87DxIPeR7EjzQPKnby3ZxM2awjgTzaBHXehIU/ srmSmJkr8f/PlXJzpWzC8L85V+KFE/bRzZX4nKe1x2GuxOfOlTKNHs5ciR8yL3g4cyXO7neulP3V 6TTnSlm+FedKB52+B0+X1PO56iQet+kSZ8Xp0vzpxsOZLvFDrCtyFny8p0ycYmy2m3n4Uyb+GE+Z +NSUKXvWfZhTJv6uUybx0KZM/D6mTOKBTZk42WAHqL5K0iprm3D/4c2O+FyfP6rZEZ+ZHYlHNjvi B86OshnQg58d8fuYHR1G98HOjpLKevCJMjvx4ceY+OSnNKc58eEnmvjMPrMdb+LDcxOfw+YOpzGh iWfof4FlkwZOfPCqwtgafUELv9eG34xLv0wnLkZSio4cBnuXKuII34KriPXh/ngQCW80DsJYuqIX BiNhhnJXfwks4UHfupuob93l2XCecd+RoSOUaOlX9/iLh/7w2S/5Hfn7gWKKsxdxR8Sh48qRE94W QW+aCudbMhx5EX2HzovEQIYSePVDxwfVDdAd1AI0sFjYl4aIA+H4+2IswwgQgk4MFvPABI7ogtAc IOOBTOzU7QajMYAjQDwA6mBl6UdgvSUyydIlIOYKJ4qCrucAP+4G3clI+rETozw9bwhOuogUCUG0 g168B+ZfukSShHIcBu6kK4mM64FiXmcSS5SBFxAMcHN3OHFRkj0vHgSTGIQZeZoRcgiVKYHsJAJ4 VMcQI4lacwqQaGDkeBjIczkIRSTBDwDtgaha/SnWKByQHaOhY65MR4z2BhBYMwjoht4k9IGhJEQ3 EFFgiGjSuSW7Me6gfr1gCMGGCnUD3/VQj+gq5zaQczrBriQNVBSRAGkQ+EEMbojULnplnEWAuiei gTMc8o7UVgMxIEucgp6BD3ERilEQyrlqi3h/LHsOMKoooYp3R84+ZAugu17Pw0BzhjGEHiyAqOO6 pLkyHSaoE4Jck6ETcmTkysjr+yRGX+UqIGGEOl0gEiFGIk80zQlJcmBABnOG8wlonESOjBqI5w/3 hZcLc47qhBK/f0+wuIjQkOiXJD0kxJwMCWkvCN1ILKV5uIS8kxt8CdN2iUwGnqnrfOlIyCSkOgEf oE12Ay8VTN6JIWOEMx5DejmdocQbSnegjAueOWXgxGLgREBR+gWbYNRl0e2Kie9qgTNROQmnNDzM q1EwxKwmt6GTHDHE6gG5kgCOne5tpw+KQR76AcdQvb+gKrCCggUiymEPhdqwxFqzYYt2c82+YbYs UWuLrVZzp7ZqrYolsw3XS4a4UbM3mtu2AIiW2bBviuaaMBs3xfVaY9UQ1mtbLavd5s2WqG1u1WsW 7NUa1fr2aq2xLlYAr9G0Rb22WbOBqN0kVE2qZrWR2KbVqm7ApblSq9fsmwZfq9kNoAnCtYQptsyW Xatu182W2NpubTXbFtBYBbKNWmOtBVysTQuUAELV5tbNVm19wzYAyYZNg9stc9XaNFvXDQHEmqBy SxBIBaQEGsLaQeT2hlmvi5Wa3bZblrmJsGid9UZz0+Jrze3GqmnXmg2xYoEq5krdUrKBKtW6Wds0 xKq5aa6jOgkTBFPqZObgiLBuNayWWTdEe8uq1nABdqy1rKpNkGB7sESdxK02G23ri9uwAXAJC4Pf 2LCIBShgwr8qSUbqN0BdpGM3W3Yqyo1a2zKE2aq10SNrrSaIi/5srlEEbIM90XkNLS/6CPdmowOg EFsruGqZdSDYRjFggxdgIbqsO105jjG2dXKr0khlVNVOg6JWFQEI4XUfElft0RKOJcgsOnVUdcsO bDyODVV6qXxAdMNJpEqvuyuhAkZYSoKQB1hM9ryIMh2OwFGgzjwROUNgBliYRQQFtdIZAlqUillI KJ4chuPQA5S90IuhmAhnAruh9xV9DIf6mCINRKYBcsmKg5I/lNEYTilvVw73KwAb4llGknh+LwhH WnUyXze+mrQKsegTcTeIeRD2K4Jz6rhO3Dod9f9HnE4fxFUfJI7TB/GsDxLH7IP4bB+ki3yXKEXJ mTGnQc0aFn6SXkkkvRJ/PHolrvzwwHolrhL2RL0SP8VeiWe9kjhmr8QLfcExeiV+UK8kjt4r8Vyv lE/fQrsE5zkUidNql7hul8SJ2iVeEJeeG0+7ZeJ+IE7cMvFTbZm4bpnE8VsmPt0yieO0THxuyyTu p2Xitrmz+WoTxTY3jtUd8Uzzk3RHPOmOxEm6I57vjsSxuiM+tzsSJ+mOMFgLiZI2PvzAxkfcR+PD D298xBEaH06NT7F3ePeGJk7gv0BNA6/AR+Uk/2dwmeZ2t+F3mWZnLv1Vr0J/Xx3DXvGvhYf/D8Pl Pe+2t+xBsbpTGQ/Gy7piHus/fjL2Xw11pMdlbmRzdHJlYW0KZW5kb2JqCjMzNiAwIG9iago0MTgy CmVuZG9iagozMzQgMCBvYmoKPDwgL1R5cGUgL0ZvbnQKL1N1YnR5cGUgL0NJREZvbnRUeXBlMgov QmFzZUZvbnQgL0RlamFWdVNhbnMtQm9sZAovQ0lEU3lzdGVtSW5mbyA8PCAvUmVnaXN0cnkgKEFk b2JlKSAvT3JkZXJpbmcgKElkZW50aXR5KSAvU3VwcGxlbWVudCAwID4+Ci9Gb250RGVzY3JpcHRv ciAzMzIgMCBSCi9DSURUb0dJRE1hcCAvSWRlbnRpdHkKL1cgWzAgWzU5NSA0MTIgXQpdCj4+CmVu ZG9iagozMzUgMCBvYmoKPDwgL0xlbmd0aCAzNjggPj4Kc3RyZWFtCi9DSURJbml0IC9Qcm9jU2V0 IGZpbmRyZXNvdXJjZSBiZWdpbgoxMiBkaWN0IGJlZ2luCmJlZ2luY21hcAovQ0lEU3lzdGVtSW5m byA8PCAvUmVnaXN0cnkgKEFkb2JlKSAvT3JkZXJpbmcgKFVDUykgL1N1cHBsZW1lbnQgMCA+PiBk ZWYKL0NNYXBOYW1lIC9BZG9iZS1JZGVudGl0eS1VQ1MgZGVmCi9DTWFwVHlwZSAyIGRlZgoxIGJl Z2luY29kZXNwYWNlcmFuZ2UKPDAwMDA+IDxGRkZGPgplbmRjb2Rlc3BhY2VyYW5nZQoyIGJlZ2lu YmZyYW5nZQo8MDAwMD4gPDAwMDA+IDwwMDAwPgo8MDAwMT4gPDAwMDE+IDwyMDExPgplbmRiZnJh bmdlCmVuZGNtYXAKQ01hcE5hbWUgY3VycmVudGRpY3QgL0NNYXAgZGVmaW5lcmVzb3VyY2UgcG9w CmVuZAplbmQKZW5kc3RyZWFtCmVuZG9iagozMCAwIG9iago8PCAvVHlwZSAvRm9udAovU3VidHlw ZSAvVHlwZTAKL0Jhc2VGb250IC9EZWphVnVTYW5zLUJvbGQKL0VuY29kaW5nIC9JZGVudGl0eS1I Ci9EZXNjZW5kYW50Rm9udHMgWzMzNCAwIFJdCi9Ub1VuaWNvZGUgMzM1IDAgUj4+CmVuZG9iagoz MzcgMCBvYmoKPDwgL1R5cGUgL0ZvbnREZXNjcmlwdG9yCi9Gb250TmFtZSAvUVpNQUFBK05pbWJ1 c1NhbkwtQm9sZAovRmxhZ3MgNCAKL0ZvbnRCQm94IFstMTczIC0zMDcgMTA5NyA5NzkgXQovSXRh bGljQW5nbGUgMCAKL0FzY2VudCA5NzkgCi9EZXNjZW50IC0zMDcgCi9DYXBIZWlnaHQgOTc5IAov U3RlbVYgNjkgCi9Gb250RmlsZTIgMzM4IDAgUgo+PiBlbmRvYmoKMzM4IDAgb2JqCjw8Ci9MZW5n dGgxIDYzMjAgCi9MZW5ndGggMzQxIDAgUgovRmlsdGVyIC9GbGF0ZURlY29kZQo+PgpzdHJlYW0K eJx9WAlUVMearv/e292AuAC9iIBNC3SLyNI03Q00+yb70uyrbLIoLSoiIoIgGhdi4o55cSEeNWgc Y3yaxOjTmGTGyVNjOIbh5ZhMni8xJudMnOQdJy9P6Mv8dbuJmJOZvl33VtWt5a+/vv/7/7oECCES EkcYEtLY0tlQ8OUFrCAbCZGeaVpWU9+wPU1DiGwh1hmasGJGhkMClqux7NtkWbtelCH1xvIWLH/T 0lpX85Ju79eEyJuwvNZSs34VicaxifwLLHuvrLEsW/B+mBrLE4TARQLEixDuY9EoSkBA5SJcrBQu jRfAR6DjRoFMkvEAbLcD2xVgu3mEuGGjMIPBYJQr5HK5jJY0arVmgVjisgOUSlNeaJXWccZMUK7W 9qYsP2YSjT4NYA4F5UaoABJnewSEWSuYh3eqFgZAaSnjg+sOnBzhdFw98SGLUQqDQR+mxgHVGjH+ ZFKcQxdKp1OJxT4L6BuN0aCT08kVnBZgrlvklf3mzj9tTU7qv9pReeKFanf+oefq7Jjq+TJXhpt3 3VCucpOJ4K6LbIb5oGmwJwAg//B/7nzhs33Z2qot+Ymp2mDPkpxrE6BdpEw3ojx5k3dFP4oeEw8S jPKIOQkVRCGW0zn9OCPKYtCrGRSEldM6+hYFU6v1VCus8ugkqdJlGT0APIxZuusQC9E3QrIM88FS V8cfqRpsiQAwWQbLqwYtkZGWQdFjaGow9u8fMhe+tr8vbIRhRnS9+4/kvQmBK5sb+H9C2sAHnWuv bk9N3fF+R/v729NRQj0hoiFh15xQQjcV4OWGf46phSjrBH/W+gNE1sN9vutDCOTv0R2AQCBMKu5k x+SnXAFnJm6E0O2mwouNmJHKdXKDUcYV8A+YykLdZeAfXP9j61A0Z7Zm1hfPh5vMzQn+3ZtQVNlP cTP5KdMkqicKnN8He/vIdC6MHw6gF4s1YrXa6KJjmo7xD3btYsAjME8jmz/Ly28+c4wzgT8/ds1a wo8DzHD+mGMBnDRpTBmOGY0YU4puEX+KRaplu6rtWJCIFSpUsRFVLhWK9Kbi3K2vOPvGNOVV9qSr YMnmt9e0nb8MwILrivqlFvDM3ttRuTFLw7JfAPEINeWYktpXbshoPt0ZD5Bw5TtXVfCGrQBdFtPS qo6C2PW9r9ahJP0owdsQQFibVcDb/B3QQQA/irqPRP35oJQyEkrRgXIwijkIRqo9g4uAC4mATrQN u5w+FLUCOnBFTPC6Gwmx0dAYd7tv3fWkLtDpEm5vMhZ6Ork4iyVOMyXzSqPb9Aq5yHGW49wy0S2o Livg/zbC955sXgmVVSfg4L+BtLBp5SOIMrrnWbakxa5rzJYlJEJr8Oj+2A3Lc+cmpBCUMxWtahda lRvRCHI+Z0tUp5LfQS/T1PvxS2lpL93q7fn3l7MA0nfd3hRZnewHoE6ujjBVJ/v6Jldz9ZB36C/b Bj4fzMkZ/GzbwBd/yP0Wwir783L6KkNDq/pzs/uqwlCLfSjGzyjBbDtn6ELlChe1D6pE3wfKCdlC L3enZUNBnHn8HJM5IeLAh4ENqz5H2ZFtYBjxzU7nJRjmH4CSJtpDNDqJr0gAIew1RLMjbSdTgUyl VwF7duIE8NYv2X3Wuwy2/s7a/egR00+1Eo5a0aJMC0k4IX4Upwgub1aAmy5UNgUrvCukdFNDjWK5 QgWCjvRqg1GApJHTqj0BHn7Fx7mDlHMPTjOcgnny2Qpvk67t5HHI1r6QcXkQZsrAyJ+CdktGHmSW 1nr6KqSzfLyjApiG02eA71sU6ePS6hXo7ODk4CSRep3dt7sg1HA0IEgOV3teSImNTXFz5RwkjhKb JrkqlNrVpknKvZR3baxLlQldK97F+43zq4aiBH0eqm1nmH+1FjEP37kJJWVDdO2HkTXmoFadEbuo LTsQNFS5LqpQilYN3IVNDSfXxQH843urBTGv7Fy3rpORJm2+3PbXx/A0AJ3DjVWr17QCSpWMugwU eJvAlJGy4ul8Tck6jILeaECyDnRM6zrd2P3BnwGSt97YWP96T9YM/rFndV7rBvDymFseW1Tlzlys H1plAsj9ln+44y/7skytQ/UrKgEuncgZ0AWGAFS12LyRHR82+xSQQVkOV/kIl+rB+T+PHcaDvw1h NFEr5vx52nd4clJEfZqceFPO0ankNsYxov8ReAfF90FmFazEhyrJnhtmhja9naTSa2TQ1b1yKSyJ TTjdbm1AdWU3twK0NvMXoLW1DaCtld8D+giPtMKyoJUXMpJ2L806EBmunyRQbM4vBLP1HNRVLa3F FXXiDteiLDNQZkFkI3I6/g/Rla0BB8jlLdDJv8ecYLVI5su7eXfmPBzHnibcBX/cBZ19F3zspi4w kEKELEQZXvCbKjmHgKYL1FDo486EKjgnJqn7zdYVp9dFK5Uz52si/KFIHwCr68KLPRRzHfhHYnCw PuyKTobP+QOmAKY06zbLPC7eUaMHXc22gogK79kKmXzGchd/77AIkLnNDlr8znu1oS8XjMY3u/gs CAyHAxR7JmTNCkHXi9DvqATwTpeUsqfgTmW/cafR1OQNBxrqz/Qkx0RE7qgLazhg+MlQHOcLvnEl YcayOJUqrkw0an1szoGyY591t43m5i2ZC9n5LAe6qr7szI3lIdryTVmZmyqpimjEw/ShJILn0qup O6EuBi1JJqNeTIWeq+8M5LgGyBYlL5y5e+DVV0F5hjNZCtGrMGMMA7Bj4IVrE/1sN46mh2Gmlrk6 hUSm1nqPCWSu8v9lj63SkZvEuGJQsawKmDvQzY/89b/5EejnzBNjrP/4OaqdTtTOHwSZFgkWrpfL jVPmqVbbgyu3Z3w9pZ1OUIYebK4b7k4FiDV6ZZfXaZsO6n4KK4n3BfCNLwlrrbFp52nA6vxsKDk6 umnVqHlhfNA8yDEzrtYh0FVuyszqqdDCQF9exsZyQUMDyKli0VnBfqhrZ0QyeATKa8n8dvb7CYXo LG+F69jOiMjzwXa+dO2UQo2CfJIFFGnPuRoqv5sKO//SB4y8OtHSBczGFUsbOP4hpGw619J2YyAT 3XHnyfolHTHBTIno7MSYPgKYvVs3vwzlpTVHVkVlDNzoaH1nazosCgIalpGEyRFks8cC7oWAUfMs TENESWzRIkLeRnRh2EDQpdEmJ3dfp89+MrTt3p4MgKD619aMDG4G5tiLR96Q8KOzIAq8dz84lg/B L33yfX5rLAZz2zv3HnXkZjXsizYXA8SsO9NSvKU6QebvWV9a3dTT+dNEfNfFtuLtBxYGzvIJNPkX 1gF0rEE5txEi1gusS6hBC55MIK33YCYyhgPoeC3/lP87jwbFDYy30yQaHa/gTiCdYf8u7H/IxrK2 yJtKPz1jU69wR2fQBcqGqtR8+PXBXD7VdDh20eHGkLzlSTbfsAypKSvBqnyWY2e99kcmpyC7AFyN 5h04axlqtwu1u0hgFY3al2qXkUldp7G7hFqpUQhrQgUjVojaHYKCi/knrw9ZL1RWvPX0yM5vTtY4 8qNz3ni57MUaHejqd1fk9i5WyGc7sPerBmLWdAJY7vBfXbrEf3VrReaeTzbveYX6hq6uD7an4klA aQyk5ko6+ASO6sCdBNo5fcpAwtTTTETxOwQCBymD6gbRSjYuAVdlgIdXVnmttnlQ95OhNNYX/OKL www2EuHM//yRia8sgeIjY5si2pZXa9SxaCnl5RE2Iukp12rLe3Myeyt0qCFXPobLRuv2QImobctk QrCn1shQNrk9eDUCq3n4hP8IDoNHeqaLat784HnuEQULvQJ9fFzhJnLAfdZvvI8R+yeiAYgcx0Qi fMyeM0MVnBIqEtaewsdjvE4jliicSfaMNgXSxCmmFqxRCVRK5zW6iJ4P7oxqyqVJ8Qcr61/fmBjb 8XpjcG56qj/4xZWF5TfN4cf04fFXe5/eXgLWp2HlSWqM95IqjGGF0RSrMUWc+UxNOZQd/7x3873B PJjtFxN8MCwvWhkfF1e32KAHOHKojuv4EgxL+zIzu0tCQkq6MzEI1NvZRJSO+He0876wfZwCYX/H eh41oxONTjiwvzwN4BxskQ5cnObZL9LIW/DsNk+nwsgbIzcQlvcrHdKlTwFzynkLhIBnBplK2Avh 2ODjA1f9QhZ4SVORzL0jcoJuz+S/T+69uLrtytZUWLuhrgLiO08399yMKWLACZycpRVxRZWAvnYH kr+Ik7flavMilfC3lW92xcd2vdHScy4qZl992d7GcICCnBXvu0ckewYZAerK7tO14+lMrEKMOE95 AAoUlZsb9wgi+bHhU/yD4fP8GISD+q2TiIWnrJim8XOs88QTuvcnUHfLURu+wllDiNEkYqlM4DiV nm6r8NMYKAlgrGKP5BQCDWP4BWNQXVuJLotzlM6GNN/5wHAz1DHhCyYg0lB/deIrJKC2uBRPA4CX u3taHJNbVCFdqAx10aeHB88zuoZrzT17GgI8XZaCa8nhiAaM/3Jhq4s8pNGYj9wDQkSNtlmG+BQ8 O+LTdmwX249AOjk9W4p+z7ObGu4sO92dBC5BER5ZZTW6T5eB0vrjbz07Zz5xCaD0yH/0mNa+lukf FzgXLlmvi+d8CaGVW3LQuU+3SYq1hOlRlO3iZmHs92frBYol5pSVRgsjTPDTAOYU9jmEXvq8DZ/w axe4xeyytjEPx7/DHv0Y7JqBCBg8jq15+wzPJlDBKHPLqme58Y+5iomxZz2AouBV5FKTPeJwkdLj MdWJWC6cLyg29S6cw66X974IKOCSjLxvdm77uiB9CdqF87YtAFu2sU8mnHsuJ6RnZaUnXO5hn6DW iyf3iH5GflYSA55jhHOyjQpV3s99rsCwSmEEiWK65o02bpCIzH5RAXO9DNkhN/gP+RvXQ7MMXggE Q1boDYhe827p+cPWB4eP+i0NqTpoiYi0DFZVDloiARLvBa7feSAz7+j+fsPdu4Ytz75cgNZw6hTD nDogdZv6WIFHyO031l3ZTvWATClpt3nC56xBNAZH+fe++js/8ug7/gqcAumTp+gBh7jq8eNcFRLD rvE2ijQt6j4Q4w0nMtP21QFPezRc81MBFzjIn7P+wKSAcpBP57dCFxPMdk9s+4m/Bgk/MBbs3cB+ yNbj7CL73rnp3Oz3Pv6hua0Ivua/Na8pEo3yP/O/oFt2sj2xZzzyjgZ5J5DE2GJsjZ1bbECnNPRc pGP/dEGdIvvcCRvruVkz5spmmv7UsX00URXk5Qza8LjR/pbzfUswpmh9tbJ0Wzx6E7FY2laSZPb8 eFk7A6rovCAdZZ0SM1eblLBQlo3xx1qLoX378dorTwsbWyHjpQ/XN55DU4pKDk9QK+fWWSA6ie9k dnVG1aSp/VKqTZ0W+hGAqFCDqchHM4RYhKqf6l/FjEETP3zhIj+Mz91QcvUKlGAU64fHmGzrfes9 KOGHUQ9H0braUIOz0dbxtBRKV+lqFL54+NDAxpd19TvKLCl48V/SS6rwpFaS/vUZ62WkGCmUA/An 3WIrmkDz5lnwaynNHw9gR4F34+X0JIl7A33C3pDn9mRqM+gXUbClT9YUjS6dHfU/hAi1v/nxMYiw x9hO/GsV9mHv8XcIcdxJyORbknZhpOm/CA5v3NfEC9MOro0EMhHI2xHELLpJ9FjXwZzBd20kGuv7 8WnCulTWi/RheQf2DcC6CKzrExWRw5hPofXY5xH2H8Zyp72PiY6DSY9lOhetH8BkxH4J4jNkm8SL dGGfMjon1rviMwXLAzheHx0DZXLC8gmsj6D1+DyEfY9j/jC+K5HsIh7YTsveIg34TMCkwndH4RFp EFYqJQlkJ173yT/BE1JgAF6BH5ggJoOpZtYz95if2flsOdvM9rAfsQ+4MK6TG+LOcR+KnETzRZWi t0QjYmdxvviIeESilaRKiiRvSu46qBwaHfocDjlccPjC0eBY5NjuuNfxH05yp0SnQkHTESSWenP7 Dv72J0KJWIL+CV+7YtmWBzIPS7Y8Q2bBYnuew/pIe15M5kMBSSStZBWenteQZtJImshaPMtXkBCi x1RIzKTYXtKSALwW/257LcpIL29Si2/+v/7eJIksI21C35VYUttr1mFqEUa2YG4ljmrCN4n2eVrw aiZ1WNOIuU5s1YRjeJMaUo/XMkxTMxdhXQvWrMB8itCzGVuvwpHXTZMr8VeZvDEuCMFLi9xky+lJ Nvax4Hjtwhz5OOJKIZeJq1mGErTjqDUo1//dbvobW30mjp+AUrSQ+v8FS18NZWVuZHN0cmVhbQpl bmRvYmoKMzQxIDAgb2JqCjQ2NjMKZW5kb2JqCjMzOSAwIG9iago8PCAvVHlwZSAvRm9udAovU3Vi dHlwZSAvQ0lERm9udFR5cGUyCi9CYXNlRm9udCAvTmltYnVzU2FuTC1Cb2xkCi9DSURTeXN0ZW1J bmZvIDw8IC9SZWdpc3RyeSAoQWRvYmUpIC9PcmRlcmluZyAoSWRlbnRpdHkpIC9TdXBwbGVtZW50 IDAgPj4KL0ZvbnREZXNjcmlwdG9yIDMzNyAwIFIKL0NJRFRvR0lETWFwIC9JZGVudGl0eQovVyBb MCBbNDk2IDYwNiA2MDYgNTUyIDI3NiA3NzIgNzE2IDYwNiAzMzAgNTUyIDI3NiA1NTIgNjA2IDM4 NiAyNzYgNDk2IDU1MiA2MDYgNjYyIDU1MiAyNzYgMzMwIDcxNiA1NTIgNTUyIDYwNiAzMzAgMzMw IDU1MiA2MDYgNTUyIDU1MiA2NjIgODI2IDg4MiA3MTYgNjA2IDU1MiA2MDYgNzE2IDI3NiA1NTIg NzcyIDcxNiA2MDYgNzE2IDYwNiA2NjIgNzE2IDc3MiA5MzYgNTUyIDQ3MCA1NTIgNTUyIDcxNiAy MzYgXQpdCj4+CmVuZG9iagozNDAgMCBvYmoKPDwgL0xlbmd0aCA3NTYgPj4Kc3RyZWFtCi9DSURJ bml0IC9Qcm9jU2V0IGZpbmRyZXNvdXJjZSBiZWdpbgoxMiBkaWN0IGJlZ2luCmJlZ2luY21hcAov Q0lEU3lzdGVtSW5mbyA8PCAvUmVnaXN0cnkgKEFkb2JlKSAvT3JkZXJpbmcgKFVDUykgL1N1cHBs ZW1lbnQgMCA+PiBkZWYKL0NNYXBOYW1lIC9BZG9iZS1JZGVudGl0eS1VQ1MgZGVmCi9DTWFwVHlw ZSAyIGRlZgoxIGJlZ2luY29kZXNwYWNlcmFuZ2UKPDAwMDA+IDxGRkZGPgplbmRjb2Rlc3BhY2Vy YW5nZQoyIGJlZ2luYmZyYW5nZQo8MDAwMD4gPDAwMDA+IDwwMDAwPgo8MDAwMT4gPDAwMzg+IFs8 MDA1ND4gPDAwNjg+IDwwMDY1PiA8MDAyMD4gPDAwNEY+IDwwMDQxPiA8MDA3NT4gPDAwNzQ+IDww MDMyPiA8MDAyRT4gPDAwMzA+IDwwMDZGPiA8MDA3Mj4gPDAwNjk+IDwwMDdBPiA8MDA2MT4gPDAw NkU+IDwwMDUwPiA8MDA2Mz4gPDAwNkM+IDwwMDNBPiA8MDA0Mj4gPDAwNkI+IDwwMDczPiA8MDA2 ND4gPDAwNjY+IDwwMDJEPiA8MDA3Nj4gPDAwNjI+IDwwMDMxPiA8MDAzNT4gPDAwNTM+IDwwMDRE PiA8MDA2RD4gPDAwNDM+IDwwMDcwPiA8MDA3OT4gPDAwNjc+IDwwMDRFPiA8MDA0OT4gPDAwMzM+ IDwwMDc3PiA8MDA1Mj4gPDAwNzE+IDwwMDQ4PiA8MDA0Nj4gPDAwNDU+IDwwMDU1PiA8MDA1MT4g PDAwNTc+IDwwMDM0PiA8MDAyMj4gPDAwMzY+IDwwMDc4PiA8MDA0ND4gPDAwMjc+IF0KZW5kYmZy YW5nZQplbmRjbWFwCkNNYXBOYW1lIGN1cnJlbnRkaWN0IC9DTWFwIGRlZmluZXJlc291cmNlIHBv cAplbmQKZW5kCmVuZHN0cmVhbQplbmRvYmoKOCAwIG9iago8PCAvVHlwZSAvRm9udAovU3VidHlw ZSAvVHlwZTAKL0Jhc2VGb250IC9OaW1idXNTYW5MLUJvbGQKL0VuY29kaW5nIC9JZGVudGl0eS1I Ci9EZXNjZW5kYW50Rm9udHMgWzMzOSAwIFJdCi9Ub1VuaWNvZGUgMzQwIDAgUj4+CmVuZG9iagoz NDIgMCBvYmoKPDwgL1R5cGUgL0ZvbnREZXNjcmlwdG9yCi9Gb250TmFtZSAvUUVOQUFBK0JpdHN0 cmVhbVZlcmFTYW5zLUJvbGQKL0ZsYWdzIDQgCi9Gb250QkJveCBbLTE5OS4yMTg3NTAgLTIzNS44 Mzk4NDMgMTQxNi45OTIxOCA5MjguMjIyNjU2IF0KL0l0YWxpY0FuZ2xlIDAgCi9Bc2NlbnQgOTI4 LjIyMjY1NiAKL0Rlc2NlbnQgLTIzNS44Mzk4NDMgCi9DYXBIZWlnaHQgOTI4LjIyMjY1NiAKL1N0 ZW1WIDEyNS45NzY1NjIgCi9Gb250RmlsZTIgMzQzIDAgUgo+PiBlbmRvYmoKMzQzIDAgb2JqCjw8 Ci9MZW5ndGgxIDE1MDk2IAovTGVuZ3RoIDM0NiAwIFIKL0ZpbHRlciAvRmxhdGVEZWNvZGUKPj4K c3RyZWFtCnictXoJfFTVvfA5d5aEsA5kYZU7CSFEQvYFIgEmySQZSCZhMglJyAuZzJIMzMYsCQHC IpuIKIgIIsWwSpVaytMuGH2vD22rCJYqbRUBAX22NVqer4+nkDn5/ufceyeTiNbf7/u+Ge7cc8/5 n/++nRsQRghFog1IhlBldVrmK9v/twBmHoOrttXRaTv7+bK5MP4EoQkft1lNltYsnRGhiW/AXG4b TIyRRf4envvgeVqb079qx86ETIQm8QjhdIfbbLoj+/shhCZXwfoBp2mVB1WhVnjuhWfeZXJaf1F/ 4d8QmjICrs8Rlu/lepACyRWl8ncQIoXCnavGHGeL5LjhkTKZUs5x8g0I/XQM4hci8VNo9/sQj/h7 nDKaROMDEU58C6axuMwhG3lablMcAykjEBqnUqsS1Sq1TY76fLJJfZ+SpyNGff2VV5kMO6IQUixX XGZwAEO/UYpmoiLryRjFZXL1nl5+hmK09t9S2hS30Wg0FQjFRyjjlHGxebF5uTnZSdNl8rhY1ZgI pZpPmj6Oy8uV2U6bWjBuMZ0+3WIytZzGbe/Ah+wnz7xzEeOL78g/eHjT570bN2G8aWPv55sexnH4 wkWyl+y9cPHiBbwCr7h4gUpj67+paASaaoQSlRHKJMCuGpOXq86Mi41TTU+aniCykQVs5CkaV3j9 a8mjH3z44Qe4fa3fu8LR2ua72N6BcUf7RV9bq8Mwe9IUfOn32Iptl34/eUouOV+WEL95818+27wZ J6gXUoqfgTbkoI0opg0FU5tKfRsbyVG8FLuw8V4vjpK9WYaVZfdyyB3YcQmUMwdvov5E9XcJt5H9 eBPpoth6YK0AsIlrPXgjWa+4fHcmXTsFlMbK16DJ8KBS56hAi/SbAHLGUZoxuXm5WbFxsYqxZL8y cnTMtGmpK+drMDmAbVWNS12/tlm4F4K1bvzsrtl5E+NjxuGaJc8EP5A3HzOlp+L2VUBhEkKyY4pD KIZRgC81WJZKHZ80PUeVoMpScVl4JXkC81Mbf0kuvF9Xf+aM4hD5j35EEvWgqH5UX/c+voIRnify K+sFfik2UfUxEp951CCy3rTU9NQdukWURW1D3bqxMdHJsrTY4VF19ceDffLmXzqzMzCWyak31fXf UiQBtpA3xUSDGTMBFeCW8QPeRO3N/XpVwfz5BasC8wowLpgXwPyxI0eOkY/JtaPHjh2VralZ0n24 pra25nD3khqMDh4kvaT3IHxwNI4+eBCoLQU/GqWMRtFomqiLHOpO8YKzUu5lmYIjSx4lO0HtuKiu PvDulq0Yb93yrm9p3WHvvLlz53m9c+dhPG+urIer+6b3iDk1DR8/iuVYBr+p6X1vG6sPdxvh0324 2gh66wZJlfJmKifEYUy0gJ9+8yhNiZkEYKYbt2EO48gIVey0+DS3ZgG2kQOLGxod5yw2/DJ3ytP4 yKOpj+TPnZQwLhrX1hzgku91H2lJTetoBzp1/TflOaBRNZVQMlC0EKJ5qrDoSQRx5TkLyxZW7jMY jYZ91RULNTU1S5aQSy/CB6fV1RrlBeSjjAnjl9QfPFRbj/HE8ZnkCj9KhQ8ewLE4Bn5Hq0Cr4BHc WNCqLDx3nKI800vefK8bktNHYhwo7kAcDKNwTP+YRsNL3FTsJIbgDbJHcbkPydHdmZChWP5a0n9L /iZIMxKlAQLgPkYM85ycxAGF5U0HcbKY3WAmQkVdETIRd2Rl3hycNmuxpUSL7WRfWUPDxpccLoy3 b8Px7xUV7/S3mGt8fl8Ap23bgr/GiUk6bWISXljqSt4W3HjClppmsxx941+W4snG5CQcG5eKVZNH j8S4vVOIA1FqJjOTVxn9TS+VE2ysmAC2VjI5sRqrp2Ib5LZY3EpKSYe8ue+uTHmvm8l3UxEF8k1E CbAxRh0rJjHJUNQv1RAGCpoUwJIRiqi+V0fq9Y95VrV3bVi3YR159/kXMH7+OI7Hkc/9iOzG+XOb 7Qs0Y7gs27r58yGdFZPe9PET8bMHgL7q0I+e637SNr8AoJzA53LQbgtQzxriK3FxoL04cFGaI5JU sWJI0tREc1NOthAs8jj/ckeTLSNz+rSW+XhscxPevJncdbevWrvc6/Hbc7LxtOmO+X9vbl7dGWxx OcGbbqePHz9hUnZK7PioYdMqq17814aGsWOm4TE5EyZOmZyfPj52VOQDixcfP1Nbg0ePoZo8gpD8 OmT+B+CB+hXOFfgI2TkLlEODKYLTc7vvnePUuoR4XFIaWLrc0blxw/rVeMTep+bPfxtPIp/iSfhG 4fz5xW0QUIlJ5bhsZlxse8cfVttXnAZKLyAU8TLoIhUoiSmX5t/svOwcSffwKA5jwjOz/GzRssaV v7ZaMNnP4fgEvQ28DpL/VN7QljcbBm2FtcY2X0Od7ETr7FzIyTeDtVzZyFEjJ7XnZWOj8bngh1zZ 2VwY1h5kmbspIx3nzQHvaCRaxSh5J2SrbLHyxQvaz6KJNket4sBEyjAT5cikFBorptATNHdd3LJ1 65aLgfq6RZBZfvwi6VluajE3NdQ3/rTa0OspmDf3Ib9HyKmvQxrBR7rv3T3SnZrWcqJPRb56/Ams GqPGcXkTJlWUH5cpDdV7n9VX4WrD3r3VBmqjCaQEKlgzUkneTqMyIYe5TN4EcPxZUDtsJLm0qfnA u56lD84YHyVvDkZyX9/L7dEt+nzK5PKpgGU75K0vwdIgKYRabIwyTDSWIal/AtZY0RHjJQeQCw4g O/t0lZ4K96rfG/A4Vtjb9lcvxgbj0QNHdpeWYK12XVPTsqaVKz0OHP/kLq1WlpjU3PLUNZ8fR6um 4+RcqHQ52RZbTvbXkDH+pQaKZ0zsDDxxqmoMbmr+980GmsPLwEemgKQjqKTj2D+slsnUZbix5zU8 E65G8gHpfK2HdEKM98nkQTnXd69bxvURsCb0Esok1mFFUW+WqTH7yuQlwRPLSBeXjM9zyaQreBI/ 8w4eQ27TDoFL5AyhLgGyzXd1Caof2CU882R4l6CMDp4U2wTgD7KzErGeJx6oiIUwKUGlogQgzOJo zNGwGKeWUerc9c6c7OycziNkPVeOkx59BOOSsl2V8ws0l4jt57Pz5jTJ5s9KabOlzMRkI7kTPK+4 bDb/cW/Tsllj52s2kDrs8yTPwJTyUlLL/Hw0q8tSMydyMC6sREt+r+bOitXXy2rx6vAKLfg52S/r EIqvUIiDMwcq9LGj1Lm/uUM12wgZpgRsympSDE0yOVgdkF0KnuH0fbGcPnhe3nw3eKAf3eVs4TVs +ECtUwk9HTeb9nXB39HeLvhbbg5YrzO4TdwjPy/VvdAO+eigl2sNPkPhyVXyN3JVgHbjHu4Wd12q LG7OH3yMu06uSphu3Ie6hIs7du+KhI28QPfIUE9/v2I7s2ssSqbRJaSGhATVOLFth2EWDTpq4UTB 2Cykxi5NS8U4NW3p5Zu+ufn5D/lv3sS2tcVFGO9+kvwxuJErxLk7d2Rlyfbg5Bn68gdnkDeCPpyZ YW7OTCed3IRpppbH/rx8BVZcblp20bWoQvQyxs0IFEdlEP0qMYH2AlkSPz3cejzlmX0Y73uG3CJk Pd542T2voGCeW3F53Ya/9nZtwMG78tfJMjw7x2rJzWWagf7qHOCNYZqR/AeUIzWQYCHwl+3b583F G5/rJq+Ss4eeg3Zj468qq6oqfyVb37eR/MeBZ6FOzqOnHHKZnXLG0bqsSBArcSJtSGkUQNxSLxUT LTv5PPEAeeICO9TgVrzi/Nt4ueNtPIvsJrfoEWhZ0yvsBDTpnfPYSY81GI5Bu4Ov/GIpOa2UwyHo 9voN4hkIZIGTaOQepiMxo7JMgdUFeCU0hgj74OKwi3STYvJf5B+kWHH53jl5Ab2gdXLf2027Moip JqhnrNdNDK9XVCO0axondYZioHFjabrQLW0IXNy6ZcvWi4GGpcf9c+fNm+tnMXYk+LIyip0qjh4n QdJ39HhaqizPWHvoOWMtFmKM2hfiSZEFvHPQsyFM0xycMBKYm3JfkQZ8YgE+dfkyeSq4XL4/+ITs pT4D+Su5jcdgdu7aA/3QLNB7qCNRSh2JWBMSwzuSnPCOhJ4G5efXBNpbHy0snDWz/dg3djvevYe8 98Tjux5/fNvmrq7iollp2/Z+3Nq2axcetXrTRsUJ8kbulMnQDFTOVSfEqTNtra9+3bEaT5qUg7UV iUkPPqgvmZ44VZ1ub/vX66tWjY0WIzBiTphtaFOSwNrYv2EjrsV/JU+Rk/8gJ1kve0M2FQxS3HdF lnivh+5OgoDcCXmcnp5iWLsVI4QwRCAr7LKdv6mY8gDOJBfJgTNnbNY/KaM/nzSlSN+P+rplzRjp f16/BPAcAj1xwEWikAdixE6I9WzhDUGe1Lt8IHst2D4zdWYGVu3fh48/T65sWNO1ptPtaNlhqMS4 0rCjumnZCkgdn342PFL5yPZ//Pcj22nDj9NK4xO0Re3tEPUxcSlSLeoEGYSzseCdrAHGB3F38Cqn J3qyiDbDfT/DzwZJ8Ah+j8wCfzgne0HWxk7BEdS6Cewra/vi/BeQLy9zM+lFPWgdyJag+BKqQbrY 84edCUNeESE1aSByotQpgwtwn9oysrIybLYsOGRmZOH2Zcaayp8sax5TWFHe+OnOHfhHh8g35Opz hzHu+RUusbWYuBt4QdHDmxcUFi7Y/HDRAu4i6U2Ji8FNplfTJ47HW7Z+cHvXk/jNc3g59r7/3hiV 2N9DD0OzMAg/jvkBtAH4t8SB13z6F7wG7ifJlr5vyBaugEsgL+Py4PXgr3ELOUQzYH+/cg7Lx1Oo HkKOjFkyjBX7WZaKuYJHP1+3dm1Xb/B/8NPY+PyJDnsWfOyrTp4kp8ly+Zm+lQH/x9f8PowT0jN9 1s1bTrywaavFn57J6uqo/gLZ1xBNGrSY+lt4hy+GU4RIjuaDpJzYgTc5oT6f3qcLqqa2oDkvTmzC ZQFzZdXs8sTpPRNG/aGqEnrWQHlSYufq92vrG63exqVzFsxIennauHcAKG9l+VQ19nvfMjY0kAPF 6gQ8r+DnC6bFY22J4ue3kqLHjZ+YWqwfIW+oqVsbqKxKfzBvju5Jg3H0yAe+SI6Jo0fP5JKFI4ct aajb1Kovz86anbdo1+LFeOSY4NYpiUkZxemZmtjk6TlFObR9pJ6GTwvvW6if4dOih9G10+Qr2RTw XnZWpcEXoz7NOclneEJwjzL6xt3uGxRqB/mK+1qAwmracOSoua+De/AE8hkAf3VD0XyD5lioOU0A xfqWxLBXB1TFsiHpNokSkyHh3QHLq6sH5Vodzb6fiW8NWFbl/jg427YcAVocstO3GBAfPI2PPKk/ zpOOB2AstfQaDlIBHsLWhaU11dWnmptV2vKKhv/csRMfOogjcMLh7ld7yKv2ZhPeYMnOysq2WKmj qXF0SnQcbm56LXPCROitPrz95G78xptkP9n5h/exahT3dxozhfCh8UO7eOhPvgTNK8VuCqu3y63B s2Q7lxTMUFz+4J5cfpb2JF2gubHsLWI6WiBEeXjPlyjldLG5jxADnRZy5pXjosMqAEjGveXIfwjj h/Idy/PnzMknXduLtTt3YhUevXOntnTbvspyvGcvgSbqqb368mcaMjMa6zMzMjLrGzMyuYP0NOzK f+ihfJf7ofz1M2qNG14zm7HJ/PoGY+2MB5uW7bru8Xo913cta3oQz6xPh099XUYqTk+nMfYp/Ogh Fwx6+/Epfd1AL3kz6SIn6FtADpnAbmmhN6djBJOoxgiCYDBXonzgwC97KTtnbVd2Tk521xo4SD/c fZhcIX+mWevwc3gGTjzczfXiOL/X64fy+YnPDylgAtn51nmMz78F/YHv/FtvnafvgfsLuV4xErJw AjfqWvC/riouf0NP/05ylb2xVDC+ZQnjLuG2/71swZvIu2QHDgjVSskJ3abYhbB/sj5OSdzkKAjm hNEo/CQuxSX4Ke5uUIkJ4bi73BUyFd8QqqVyZeg9qlQraLM8E/9bMEM2gTwQfIk1zNc5dbCg70uu PPhyWJ+rkHRKt7De9p5e6ISl09TAO5YovAk/hnfgTcE/kRwAPCPX350JkD+FiJcrx9LzKVaDY+VR B1KLHieTkz89o1uIF+r24+QNCzQYa+aTr+58fO3KlRvX73xx85OPrt28RekdYxmBYRmXKzqeWkrW x9ZrFizQrMfJ+xbpdAv3k6++vHXz2kef3PzizvUbV65c+/iO8Bb7luIu2D9ROMsnDH2LnRRe6mjL pLi7+8Czx+mb7GvX8MNPPbptdRfU7P9c27Vq1dWHcrKSP+fq3FCd2Zts+7vvsjfZJZBT8fqHv/xi 48ZIpQrHYw7h/l6oV9dBV5EQeqIJVNH4OPQrRnwi+Fum/14uuq87uIMDu/fvJDb2vnok0z5NJAlC bw5W2LefXNDPXTUP1u/2kL8++ih0P8WFmxDX30NK2BuxkcKbAFW08BqAvc4S3pA5HBd+Ns82PRGL LwZfvtHe8TlOS92mROQjiJCt5NkIt6IbIsQKCgur+jRScNj7D/aiOSeLveibLh6F44WiKVU3lhPj xD1Jktmll9T0y+SSzc/JbqjLzcY4O7ehPisHH3igsLjuJ8sdDseLdcWFD1xaW1qC8eQH8pc9/sQJ //IV9XsXV+dm28ybNu5Zt25d/YquPXv3nT16fP2GomJcXLR+3ckTr1z/5S/WLEpKxEePkT8ncZPW lpSWlazpLC0pKSUNpUnJuGvt7367bi2ekVyyKbhonNV8yFxfu7CzqPABPt984OArex/eZGkBRtJS Fx9pyczBhQvWrT1x9PVXThzvokevmiXdLV5/F7m992n2dx648n782Ihlo+f+D/2D1tAP2FIbCYUN 4JShSdgT4STQfQyHPrs/K3JP6C9G0qdcfgHZuLfAbwIoSgljxXW4dqPPZFHoEncX9SjOoFOy99Ak 2VfolGI9qlOcRY0w1y1/HdVxr6NTyjMAYxPGijw0VeFEdfJzaDngOBJZi15g8HloAjxvj7CgMmUG iqI4lcmwD9bkJ1Ejw9GBemQG5KZ35QR4vgr39XABT5HvoQKAPQU4GhXn0J6IOwC7BiXB8yGFAZ2S z0TnYLxekYymKo+hHjlCozgfdAcn0Wm4doh7KU/b4eqSZaFP4d7CQbyAnE7lTJSkzAKaQJfyJ+47 ptwNujjf38vd7d/Jvd7fA1qHgzv09DFwvjajg+gVdA5dghNaMq7C2/Cb+BsukyvlmrmfcK9yv5eN ljXL9squyzPlNfLn5b+Rf6KIVVQrdit+DOfXDxV/UXJKnTKgPKi8ogxGzImoi/hxxO8ieiMfjCyJ bIh8MfLtyP5ha4ZtH3Zw2E+H/S1qdlR51M+ifjMcDR81fOrwBcMbhzuHPzz8+PDfjJCNmDQid8SS EbfFvweWIxutAmF/HQz/xOJRofn8EAyG82++OOaQHOnFsQyND83Lw8YKOBUZxLESxaImcRwBVf5n 4jgSjYr0iOPhaPywbeJ45LBxyA+YsXwYPPmHPSeOMZoeNU4ccygy6iFxLEPpoXl52FiBxkcViWMl SolaKo4jUPNwLI4j0eSJ68XxcJQ++SfieOTY6VHbityeTq+9tc3PzzAn85np6Vl8SydP/9Lq91pN zhRe5zKn8hqHgzdQKB9vsPqs3narJTUEw9davSa+2uTy8YVuh8VgdVhNPiufkZqRHoKhIBRiFoX4 QTRHRt2P6MioIWTtPt7E+70mi9Vp8q7g3bZv4xkZVWX1Ou0+n93tovBtVq8V6LV6TS6/1ZLC27xW K91objN5W60pvN/Nm1ydvMfq9cEGd4vfZHfZXa1AxwyMU0h/m5W3uV3AmMlsdjs9AE4B/G2A3WE3 W10g/oz4EgoRnwzILLzJ53Ob7Sagx1vc5oDT6vKb/JQfm91h9fEzKEa2ga922/wdJq81Pplx4rV6 vG5LwGxlaCx2EM3eEvBbGQ+DNqTwdpfZEbBQTjrs/jZ3wA/MOO0iIQrvFbQJaAM+gKfipPBOK5Pa E2hx2H1tKWE0UijNNLeX91nBFABtB1ZF8YeQpswBWg9VtF9UHSPU0eZ2fnsDNYMt4HUBQSvbaHHz PncK7wu0LLea/XRG0LHD4e6gApndLoudyuHLpwY1wqKpxd1uZTIIvsRYCDmCy+0HQ/iEWWoXz4AP CGu8r80EYrVYRb0BI3YXbxokqdsFnuHlnW6v9b6C8/5Oj9VmAkKpEluD152mTkrB6bbYbXbqbCaH H9wPBoDWZLEw6QX1AXGPyQucBRwmLyNlsfrsrS7GSKuj09Pmo5uol5rMgMRHd0gc+YZSErzOIijN 5Lg/AnGPxMcANmDP5ejk7YNcHcTxWun/5mCwdOCjqqS2kULECn5nFZjvcHstPj4+FI3xlLa0wMfT 4I0XlQbWKRejpsUK8UTxBsAOVIR2tz3EmnWVH+KGN3k8EGSmFoeVLgjSA+4hhmkz+fk2kw8wWl2D tQLkBnzcwgdcFpHl+MG5JV6Q8fst64N8BtHNTEcNZeIdNItAzEiAHpN5hakVRIN4dLlDOeSHu9Yg UpC4gEmrwyawVablSyr1Rr66ssS4RGPQ8rpqvspQWasr1hbz8ZpqeI5P4ZfojGWVNUYeIAwavbGe ryzhNfp6fpFOX5zCa+uqDNrqar7SwOsqqsp1WpjT6YvKa4p1+lK+EPbpK418ua5CZwSkxkq2VUSl 01ZTZBVaQ1EZPGoKdeU6Y30KX6Iz6inOEkCq4as0BqOuqKZcY+CragxVldVawFEMaPU6fYkBqGgr tCAEICqqrKo36ErLjCmwyQiTKbzRoCnWVmgMi1Ioh5UgsoFnIKnAJeDgtbV0c3WZprycL9QZq40G raaCwlLtlOorK6iOavTFGqOuUs8XakEUTWG5VuANRCkq1+gqUvhiTYWmVFs9QISCieIMqINuKNXq tQZNeQpfXaUt0tEB6FFn0BYZGSToHjRRztgtqtRXaxfXwATASSTAIGVaRgIE0MC/IsYZE18P4lI8 xkqDMcTKEl21NoXXGHTVlIUSQyWwS+0JO6iMNaBPajy9yC+1EZ37tncAFN0tClis1ZQDwmrKxrdg mX9pV5mtHj/1bzHIhSTJEqqQRVOY5wrJANy41AXhK8yxIfg0xBerQEKWGwgxWpxTxCRM0wh4OFQl IQlb2q2QCX00pUCMuGlS6bD7WLxDOXS6xfrnMzmAGOwKQUHONDlgmy/E5uCgkgqjx2uHLR1eux9S Cm8KwKzXvlosyV6xZA2VgFIZyr/X6vNAxbK3Wx2dqQDrpXWNcWJ32dxepyg6U5/Zny/lUj/fypBb QHC3tzW1ze/35KeldXR0pLZIFFIhFaIi5EYe1Im8yI5aURs0jTyaAW13MtwzodFMR1kwagEIHhUC jB/54PLCkdKEnCgFZnXIBfCpMNIgB3x5aFolXD72ZIW7Ffa0w68FIL+Nh0e1DMIEo2r4dbGdhcCb A3ZQDA4GSfHwKANwZABn38YjYZFwzArh+H8n50gU9YMlpbDfL62d7aQjP5uxwIoT7l60AubccMz4 IfzQq4rhdDKMPvh1w7qEv42tWUX5WhklF+CjXFJcNrZqDVE0ww7KQyvMpTDe3IxLF9vvYdh8IgU3 YPXDmh2e6NUqymMWNS7h9DMuKC03oy3IbWZwToAUsEsYKLTAuwPuZtjpEq0/A8WjkhCOeGZButfC 7j7Glxn2mET5eLjoTACoWNkuuiLpxwYjB7MbxSzxOECB+iPl3486mEasjOKATuiMB37dQCXA+Bzg xsIk8DOfa4FVP1uVaHw3hRRmN2pdB+yyhHTSwfygDaADbB/VjJPNhUsk4fcO8k2B2wDTYUqYdejY yewp2doDUC0Mtw92p3yHHCkhOdMAkxeefCxKHSHcdlGrg63//VJLmhO49YQ82j/E6wYk6mD6cP4g ClI02EAGL/NWH9szQNHCfimNFHanmlgOEGaGT4AJ92Mqr5vZRbCQmdG2MI7tIqf5oQg1ijtNgNXN csSAHcLz0oAWvp0RXADvFyPCNwhWipcBrYXngfB9PJPbJFqrRdTMgL8JGrGzfabvsSnFLOQML/Mi t6jlH2pxCtPJ+LWxTEBxp35LW9+3n+qlMySDk0WhncW0lNko/34x+wkzArdUr5Yw24d7nyC5h1ER dBYALCa2T5LKwrilNnOFaaQV4KhEbeKcNyyXmpgXCT4s0RiqI98/lSk811kGeZqJ2emHczCYzlB9 3I+3FNHmDrbP/j1Z3StmICvjyzkIrzTjC3mlFDdDq4hVzHfWQZrvYFJZ2P74+9TG+JDcQ3dQeKny xg/xNCF2yofUmhYW++4wfgNiPEhWaIdV+320ZkWrmK5dYkR74CtUMhPLrtbQjnDbC3x/f8S0sWzP s7tP5NHKvOm7fUWQ7n55nK4GGNRgLd9Ps3yY9sLt+H8Tsz6xP+NFaaSokyKKdhKOUC/iFXcMxuhh nr0CfltFqwn10cX0O7QP+f+Rtb5bqhYxVvxifbQN0lYZ0jJalUgPT5RWJTwZ0RLoMA1sTQdzPPR2 BliphadimC1m9tGwFboezyJzCYwpxkpUw3AJOAzwS3HXwwzFzbNn+rQI4PWAi+7VojpGQwvYqhmk geGugNlyuGtFOLqjCGZq4JmOSxHtTgV6ethlZDFE91FeBE6NMD9AdTBXOkZR4qwCngyAv0xc1QBu HcNH+U9hmqJjfYjPEpFTDdMRxUxxFgFH5eyJztbAvQrgqpk+NUxmgVs9k6EE1gVZtIwDwRICR0Vw rwLaFKIU+DIyLiglowiZwiSk8hSz/ZTqIjYrcFYpWpmOB7CkiroU+KD6rw1Rrmbyl8OXZ/IbYcbI bKMB/BJeyXdKGYaKkB/VMPk0TA+VjEIhW6NapPosD0EawqxSxPRF7UY5L2aUNEwj1feVRMI22Dr3 8w6JQimTT8s0Vc6gq0GPWoDXhWYEf9QxWYtE3Qo4Bb8XfKI8TLtFTEZq2cVAVSv6lIbpbrAUQoRQ /gekECygEX+LwnQ2YH29aN2ikK0rmZd9WytLWCxqGZSG2bo6pIUSFr8VIuc1YR4m2bFG9M/KEGeD 9SvFkQT3Q3KHgEuiPdiCxcyfykUOq0Pa+Od4B/KXFmqcmZ1//KH8PbiSh3eSAx1qeC+aEpZzwzsD IRuXMljnELiBWSFPC/Vr4AwU3svdr4pJJ2ehxx/ohKVuRMjhwlkpvBO2sJ5d6Al9oS5FqCPuUKfS wVYH6rtwOnQyiPDzn4/RFSQLiDuG4hL6TBPrHCg13320+X2VauiJ0cNqv0Clg439YpdC5QuIsHR+ 9ZBTsnfIKeuf2UCS5Z/p38vs7RHPWHamYdpfpop4vUg6rw3ohGrAxtacQ6w+4H0UWz4a2pdSHbSG cW4RLe5m/UUqO3/5gZt8ONWmgYboNxX8YagMqWJX+H8Ah8mYPWVuZHN0cmVhbQplbmRvYmoKMzQ2 IDAgb2JqCjg1MjMKZW5kb2JqCjM0NCAwIG9iago8PCAvVHlwZSAvRm9udAovU3VidHlwZSAvQ0lE Rm9udFR5cGUyCi9CYXNlRm9udCAvQml0c3RyZWFtVmVyYVNhbnMtQm9sZAovQ0lEU3lzdGVtSW5m byA8PCAvUmVnaXN0cnkgKEFkb2JlKSAvT3JkZXJpbmcgKElkZW50aXR5KSAvU3VwcGxlbWVudCAw ID4+Ci9Gb250RGVzY3JpcHRvciAzNDIgMCBSCi9DSURUb0dJRE1hcCAvSWRlbnRpdHkKL1cgWzAg WzU5NSAzNDUgNjc3IDg0MyA3MjggNjkwIDM3NyAzNjkgNzA2IDQ3NCA0ODkgNjgyIDcxMCA3MDYg NTg4IDM0MCA4MzAgNjY5IDM0MCA2NDcgNjczIDU5MCA2OTAgMTAzNCA3MTAgNjQ3IDY5MCA5MTYg NzY4IDcwNiA3NjQgNzEwIDU3NyA4MzAgNjc4IDQxMiA2NzggNzU2IDcyNyA4MDYgODQzIDEwOTQg NzEwIDY5MCA3MTQgOTg3IDQzMiA2OTAgNjYwIDUxNyA2OTAgNjQwIDgyMyA0OTYgMzA0IDQ1MyA0 NTMgNzEwIDY5MCA2OTAgNjkwIDM5NyA2OTAgMzYyIDM3NyA3NjUgNzY5IDYzMiA3NjggNDUzIDQ1 MyA4MTQgNzE4IDM2OSAzNDAgOTkyIF0KXQo+PgplbmRvYmoKMzQ1IDAgb2JqCjw8IC9MZW5ndGgg ODg5ID4+CnN0cmVhbQovQ0lESW5pdCAvUHJvY1NldCBmaW5kcmVzb3VyY2UgYmVnaW4KMTIgZGlj dCBiZWdpbgpiZWdpbmNtYXAKL0NJRFN5c3RlbUluZm8gPDwgL1JlZ2lzdHJ5IChBZG9iZSkgL09y ZGVyaW5nIChVQ1MpIC9TdXBwbGVtZW50IDAgPj4gZGVmCi9DTWFwTmFtZSAvQWRvYmUtSWRlbnRp dHktVUNTIGRlZgovQ01hcFR5cGUgMiBkZWYKMSBiZWdpbmNvZGVzcGFjZXJhbmdlCjwwMDAwPiA8 RkZGRj4KZW5kY29kZXNwYWNlcmFuZ2UKMiBiZWdpbmJmcmFuZ2UKPDAwMDA+IDwwMDAwPiA8MDAw MD4KPDAwMDE+IDwwMDRCPiBbPDAwMjA+IDwwMDU0PiA8MDA0Rj4gPDAwNDM+IDwwMDMxPiA8MDAy RT4gPDAwNDk+IDwwMDZFPiA8MDA3ND4gPDAwNzI+IDwwMDZGPiA8MDA2ND4gPDAwNzU+IDwwMDYz PiA8MDA2OT4gPDAwNEU+IDwwMDYxPiA8MDA2Qz4gPDAwNzY+IDwwMDY1PiA8MDA3Mz4gPDAwMzI+ IDwwMDZEPiA8MDA2Nz4gPDAwNzk+IDwwMDMzPiA8MDA3Nz4gPDAwNDE+IDwwMDY4PiA8MDA1Mj4g PDAwNzE+IDwwMDdBPiA8MDA0OD4gPDAwNDY+IDwwMDJEPiA8MDA0NT4gPDAwNDI+IDwwMDUwPiA8 MDA1NT4gPDAwNTE+IDwwMDU3PiA8MDA3MD4gPDAwMzQ+IDwwMDUzPiA8MDA0RD4gPDAwNjY+IDww MDM1PiA8MDA2Qj4gPDAwMjI+IDwwMDM2PiA8MDA3OD4gPDAwNDQ+IDwwMEE3PiA8MDAyNz4gPDAw NUI+IDwwMDVEPiA8MDA2Mj4gPDAwMzk+IDwwMDM3PiA8MDAzOD4gPDAwM0E+IDwwMDMwPiA8MDAy Rj4gPDAwMkM+IDwwMDU4PiA8MDA0Qj4gPDAwNEM+IDwwMDU2PiA8MDAyOD4gPDAwMjk+IDwwMDQ3 PiA8MDA1OT4gPDAwNEE+IDwwMDZBPiA8MDA0MD4gXQplbmRiZnJhbmdlCmVuZGNtYXAKQ01hcE5h bWUgY3VycmVudGRpY3QgL0NNYXAgZGVmaW5lcmVzb3VyY2UgcG9wCmVuZAplbmQKZW5kc3RyZWFt CmVuZG9iago2IDAgb2JqCjw8IC9UeXBlIC9Gb250Ci9TdWJ0eXBlIC9UeXBlMAovQmFzZUZvbnQg L0JpdHN0cmVhbVZlcmFTYW5zLUJvbGQKL0VuY29kaW5nIC9JZGVudGl0eS1ICi9EZXNjZW5kYW50 Rm9udHMgWzM0NCAwIFJdCi9Ub1VuaWNvZGUgMzQ1IDAgUj4+CmVuZG9iagozNDcgMCBvYmoKPDwg L1R5cGUgL0ZvbnREZXNjcmlwdG9yCi9Gb250TmFtZSAvUUpOQUFBK0xpYmVyYXRpb25Nb25vCi9G bGFncyA0IAovRm9udEJCb3ggWy0yNC40MTQwNjI1IC0zMDAuMjkyOTY4IDYwOC44ODY3MTggODMy LjUxOTUzMSBdCi9JdGFsaWNBbmdsZSAwIAovQXNjZW50IDgzMi41MTk1MzEgCi9EZXNjZW50IC0z MDAuMjkyOTY4IAovQ2FwSGVpZ2h0IDgzMi41MTk1MzEgCi9TdGVtViA0MS4wMTU2MjUwIAovRm9u dEZpbGUyIDM0OCAwIFIKPj4gZW5kb2JqCjM0OCAwIG9iago8PAovTGVuZ3RoMSAxMTcyMCAKL0xl bmd0aCAzNTEgMCBSCi9GaWx0ZXIgL0ZsYXRlRGVjb2RlCj4+CnN0cmVhbQp4nKV6CXgc1Zlgvarq bqnV6kN939X3fV+6j261ZNnWLUuyfMpS67BOS+3bYOyYyxcYCATDQAIM4OAAEyCEDTZXZhISmJCw mfl2svtBhp1kB5hZJiEzgK3y/lVdLcvCMMd2+blevfrfe//77/8vYQjDsBLsJozAsM7eUPRz995K GDkJbfv49P4xZ8tj90L/YwyzLkzkhkdH3mszYZhtO4wlJ2Cg7AbcB8/fgmf7xEx+X9OT3qPw/DKG IdH03Miw5gVrNbz6Kby/bWZ43zzWit2DYY4ueKZmh2dy+z/4/RfwPA9IbMAI8m10J8bDSnhneTFY wVi4E8PYGF5RwsMFZCmO83CS/DaGP9OI7buEcb9IU28Ga8Qsl3Dy9/SNuJN/Dh8HFB9+728xjKzm ZZndMIThWDOG4aM82AkTYFhMZpE5LDJLM07RdvQteoK34Yunmsm3ATKPPU8OkA9hZYCFzCazJCwy gFbiz9xND6In70ZP4tvpPnT+LnSe7rsLQ6gDvUPciM8zVEQJixJ14GH0zre/jSFcTg/gL/HeYt/A Grj8cXpAsPuzE/CINtADxEF4Z4EHhVrFXjani71SzlSSvWJ8AXvhMqU84GvJDF/cnMn6Ako1Qmpl wJfNbL44nGnxBeRKvOLE/gOL+blde+bnpvOLNx46c+cNB/O7Zqd37Z3btZjffxAOz1CLfAsoIsB0 GGYhLIQNxRDiNnVxewkICyk8vvT27T9G9P9Af1r6F3G5RFguKCV5glKhSCQW3Yd+gW6kj/KyX/yI +G8Ot8tmNWjLRXqD1eZyOeiNcLYuONvu4tm4VW2FEyUTcW67WOHMKmK3UuXzZ7KbXt2ezfp9KiXz mM1uf3VTNsM84oozh25czE/Pze/ZNZdfPLD/xG0H9+cXd83t3TU9uyt/8AbYBHvpykekmazGUgyl OXLGotyOQHq+mq9WwGVzJuACCtu409r4BXQSMjQjEhq0fm9DQyLqtCvkLyAc4Tj+XWjQI3Rmyu2N J1o2NTZ5vXIFWb3U0xVPmi3lYrUSJtX14IuXv2ezOy02tUZAqlVGg8mgDDtcWkO5BJgVCqxtzeG/ ZHC9eOUT4nNeH2bDMHkiJmdkywIIqmIqjuvKIm5WBq+L363eh56lu5Dfs8Pl93iA3hq11ebzx2LJ R7q7ifOnkY7+3emlfJfDiXgEjxTwebcLBCWCEpKXzXwTf5ilD3BeCxzxw54xGcOTGMePVJQTPhB1 jjU2a2F/GHrpBQJ+GsrsdSdjTT3pxmBAo0IvSCsMJrcnVBNLOFwqNXqe9xZ9IBaJBYMuh0ErLUcq dSDU2ja6FMJf7ExEKZNIpFJ7/XUN3UunGDk8AtxqIzswNcsvxbWcSOEFpIgiNhw1lKvYSrZZbPUN Q5t3zQ4M1TVYbQjddMM/frp3z8tKtcMdTzQ2pSqdHqVao/K4EvGqxqqkx61W4aY7JqayrRYbslla s1OTdyD1qRPoxEn69zf0dkcjCjmSKyPRnt4DN/b0RqJyhaIiGuntYSj4B6CgEnAOwAOD11UayVZL tLpIW3aAVIZiibq+THMgpNah5/nAmtJS/lOCEn6JgEcSPD1l8ntqqnpTqaSXuFcgIJHVVlXT0TFI k/iFVE1VIuZxazVmirJZbIa6WMRuBSxBGYGOdwBOOeBqKVYOdhTECEwVNFcipsT/ER267EWP06+h P/70p6dPnyZMp3/16qvMSe6GWX7QlVKwgglkYUyWRXk3fm7pMLF+qR//xe2E88Ttl//uBMOpw8Cp 2+DUbdg22CHKCafLyp24yBtmIFE0WqnEKjkSuIr0ALYqGfV0cDxMJTgIRjtVZLtEIhHbKJsjZneq 1CIRwTdaQNCrqtse7uxCHmdTQ29338flYr3R40tF3V6DsULBe7nUqI9G2tdN/WRsVKlc+rue+jqP G0h0sTJZ5QsYjCjgm8MROQ/qgMQio97jTiY8PoNJKkP9G+7b2ZJxO2VinKzJhIImg6RcUCJXWGxR WWMy7naqlVu2PUsHu9wePmUOh2qqExtJnF+i0QRC60A+GGo+x2gWUAgk2XIdBZLFE6zJScQY8YWm XK14ShkxulqfWLsD1gcRGovZ703EMz1NjX4fyO+X9InotTrtNotGXcJTqfUmg1n+JSUEPj4CWN4P ll+N2QFPZGP8WlHxixYaEXELyA/HGuICfdc/v4L+ft/QYF212YDkCq+vsWkTuvMz+h36E6TpqU7Z LTIJ3rD0Gi+r1YWjzdmB+rp6OIFTsvQU8fZ7tFcht1kCAdj92JWPyRagURTLAMn4nB4XzZ16hblb 6f1iRQIpUdE1WThfhdJIIXc6qlPrUqGA067Tih6SmS3xxPr28fzQ5voG0G8Ql+b0xoHtRzcPVVXp tLQjFIn5/AYTga8p1eodrkgU/Vt/y5pYQm9E4jK1kjLZA4FAyOZUaez21pbpnacemNrZ1Gg0eL3r 2ienDmvQr1C5xOGsbxre2tDgdMikjH4cpwdIHbkWi2G9cLJl/Y8v+28lXGpWEJhzxVMrNUYmTSWX va/1+lYOl6VjUY+TMmkKbgjhzxQcEueedCZwS5F448+3btuxHQfzpXA4Y8nG5nDUSJVLxOVmUzic rQaNdIF+rUVCEByrPag16nWaCikplCustnA0fSmJXtSaDHqjMeZya/XlYgRWUYU0d55een9PV2co qJQjrS6e7OyZmerojif0eoU8GunfAPL/BPDWTq7DBhjOXstIV0p17WFSRUu5Ms4pEk3gLCqPkpOQ 4kXakcGcquzundi2tr2y2uGqeFik17rs0UhVdTRitzPI6X3+2vqWpvqGSNREITS1883ObDaZcNrF j5So1Babxxv8E7hhlyuZbGpsyVSnnHaUaK+t9/hVarGIMiWi7eZKs1VaQfJLBSq51RyJUCalUiJW SJXwFIt03N3bg0ACzFQkmlX4jQaZlM+/L6Q3yhUiiVSmUFltyUo2ejwL0eN3MT6GpRIIJZAyTwxd fpz44Oz9aA7NnqW3MjEm4wErQSOqwB87r7UHLCGWLQh/BQWXFYXzlEeR39faMjS0bbhjfVXKZhW/ Kmto2t1fXWu1S2QIySR2a21V/3RrS8XFUqutsqqza+T41uHqWr0eNz06PdXUqNcCV72B6tqMeFMi rjfGkus7RnMdXalKgzERnxU11zUEQ2BB/d72tRNjjLzngNtjvCFMj/m+zO+iB2DcHiEtRJQyvIA8 OQZuLZ3Zun3fTdu2NzaZKWSzNjUOb73h344de7Oz674HOzpQV+f9j65tw889ffQbg0O+QCi4afDY 0SfOHz3Sv8HvQ+efpr+LxMeOInT0GP0H+g/Hj588AZRUgmX7IXizONg1G7EykiVsREzOiZCyQGJ5 caBIc3mM+OKtO0qEZSVlpUJhqbCs9J6fv/j9LQSfFJA8UiiC4ZJbXzvKKyuFd4hH8uFH5J5Ff6u3 WSm702mjrHYzHYBo8Dsarz8UBnIFPGCQFehJekBpdVg9QVMgEA76vTp827XSIQfRQIx0fADSMYTX vI0eOUvfRZ+5H5Ie1l7fBPbaCjYzuyJGsiybbWXRbHMnRKBbNpusaFUT8qIvsi2bdPImr6+ldeu2 cdqNHty9eVNTg80ilVlskVhmQ7ox4NOo6P+7rv3e937bXVVlt8uk3VpdMNyY7ryMhG0NdaGATosO TbSuCYQUSl5WrnB66ho2VEVi4IfN5aUGozeQqsLdO0MBejvIHuNoo0tPNPh9Jr24nLaKhEZDKMh4 zHmQoU6QoTqIKL5Ggr6kC0oQpVTRkjBxDtnuCIarazLZjltGRhvTIFOUuakxN3r7SPu6ypTToXnK mW2dHWpocHmkFai/93thr9tG6dRi+jfovZs1er1KLZEk4lu2HDl89vGjhzcOBAKMIQnU1jdXztTX Wm2Z5pHcEfqPx0+iUkG5UCwqRV3fZrjjhRN8h9eObcEOYHdhGK9o71Y7sqIbcF57uqLJW81C9bI3 LLpHJthCRaNZJAOfg2S4THDbKlc5VTLsdUAqYjCqjFa7zx9NVM92dEVjGh1Sq8AGxhsk5WJhGZ8P JtHvS6c3Zmuq/T6NhrESbWs7TJTJZnE6vF7KrDij8/kj3mjIo9VqlBqDkX4Zgg8IR11+u1Orl0jA Easbq1J+j06zdqizO90fDCGZlDJHw00uu9Vs1GlEZcIKqVYFHkdXoSgTGQ3xWDbbtb6xnolsKT3s ZHc6nHWVbICOkLTCaotEG1uTSZ/farOkItEwqFVwYGTHAd/JXfktSa0O0pzSW0UkH1IAo0EhLxMi kZg18k3VNV6dTms0OKzhyw+O7prPh9rWjyYCIYutQoHKSsGcV4AE7gL+7QEJbLqaey+7qNXRSCJ+ bTSywk8VAFG1Qu7zphu3NMQiHpfRoHrY6PZU16zvGDs1NpHOmi2UOZPOjZ4YbV9fmXI5dE9KtTq7 MxSt2djQ5PbIFfi5Y6NjLa02u0bjckFO19Ta1BxLmqlYZMumo0ceevzI4Y39oYDeGAjV1jc1Bf0+ cJBKsKUgm4w23QKWYjObA6zIAPD3uej/PfRriP3JZ08zscqVf2BzQB+2rqB5jB+RSR1RNmIB4WTa NbkyJ8ZFGhWVL7EqMyO2Rru690MEgm7b19sVZcOT5wvhyXmmz1xLv5WUU6ZwqDmbjDttiooKhc0R T2SbQmEzJZU9vTMYRiePIy2eQD7/MKlS6LRqVSl69JLcZbebTEp1CVkhYxirR9O7OrviCUilNJpE vK9v32JXRzgMMSIcItbdCxTpBO5OAHdzK+ym9TrRSOKaWORabn8pKlkdn10Tn0yYqfqm7SM3f3j0 G/aXRBqN11Nf27+mttrv1WiQ2RpPpJsz0Vg8GHJ7THBau72hoX9DbrG3m/HaipfLlGqrA4xwVzJp sZZL9NqQv742m6pMJWIBn5WCXGYBItV4wmDcvOkZR6U/aLZUVIjLjYZgoKHF7zMaKqQV5ZJypRyC Ikcs0rw9mwn4YBaSq9ye2vpOS9Tj1oMRRlKZwehyBWodTo1OIpOJJTKFkkk8UpWMJIGfIW8FT6pi PCmKoZVWiblQDP/5r+nOnyGRQFhSJiwVCHjgNoVlwhKkeBM8YKPaRFltJkqppMwWC2VS469zmUcO PFnFymoQ48e45QVX/RRjvMic27OufWb+BH0apf7s4P7eHr/3VYOxsnpD/+79j7w7MY4/e+7wkYFB X4CXRQ5Xd8+hG87fun1bfa3RcOmP6Jab4RzrOd8pWK7fKfG/vEhnyTh57tIAee7BB5nTfszlzmVM PiQAuJiMKYYRd9F3HXv+efSbd+k29NfojzvoOd5bl4fxcjq0dB8zjznPDli9jK0hKi1ce4S4b8mN P7g0SiBe9kF66CwdexCgXwfoOoAuZXBhIAEfJTqCP7a0+RXiIHmOrnho6QOYgHGU2gawCqYytBxb sVNW0GqFjye3IYOptn5o8wH696+gtw5t3VJfR5lf7el99F/p7voaj1MhJ/5iw/qO2lq7fYkGehlM 8WTbuq2H0o1L/4TUCqcjFgUcF0BfNhaqlGogwQKR+P7lXyh4739BFc/rLZwXzsnSiamHElNL//rK K7jwFXxu6Qwvu/QzPPnFjxj4ewB+J8BrmOqCRVZMdxJF+8oQ7c/Qi4pQpK6xpTXd1tbSUBcJ6x5H w2eIJY/VoQXJRPeABzF5vdFL688wtdJPgDy/QT4GQ2Zv9MlHyEf/GgYLb0Bm2Zoui1fh/UcsBCEp wCFsK2A1A3AstxFkhzH2H/EY/Qp94XX0ML34E+RH3jfpRfQYepluxv24mN6E/nzp06VfMfNHYP4o xOu9/36Wz17LWT7rNq55+HKtTSnD5Xx+uVipNlu1OrmitAydA9v5TWh4eUWFTmuzhgb9XgUuUyuM Brs9VOf16rTlQvQkNyvjcOFPdybiVrOkvBCzdS9952phgC9XafUGI5hSq0Enk4TDo0GnTacRl18t 0xVn9/U9uXQKZPE5yGvTZBfEaFuuyqKLXyz7KNSsk1CuPHkxqFld3xCsIpeSf60ZJtOQtAZDa9fP VEaiPj9lU/FYl/ECnP4ZznuQWsoE4WSkYWb92lBQIX9JVG4whaNrauKFgomiwm5PxLNrohGTQSzC rYfGJ9at8/oRuHy1ymaN4RKZSmMwGeiNPMLldJgMKmUpUaHQ6kxmbdzpgBhFiNyeNWvHJw6NdnQk 42BSFaHohv5b8+1doahCadRXprq7gS6nQFcawLdUYoNfke+mimWN1QXmFXGEYHVIt8rBkg1MspTe un1PT2NTLGa3q84baqs3t9XVQJilxpV2ZyAcT6WG13ckUwYTZa6t2Tgw99GBfT8Gr+qMJ1ua4gmb Xa6okNqtQJVIIuZ1G7T4K39x662bNgdDMqnNWpXq0m/2AIFs1nR6x/DREOMSIO23WcBz9eXG+/tq ay2Wx594pi3dGAOiIpXG7a2qyaararx+CMBgDUsswmjGcdCMdWxUUbS2X4qYlKsiJrUSLHLz8/QX TCkoGunuXDB4XB633aoCNro8gHo6EjVTTA77EXH+ch9x/rR2tK0lFAAvjxMEySPOMFVpRCBhmc4Q DK0Tnmbs5zjnaYRMNbSAC4rJYpBkWYhzzy8t4Ad/8jJ9Jy1Cn6IG+jXUcJI4cPm200RmaR0zO48G yQHi44IlkTNFUWhMcmYkPiAG77mHxu65h7E4SqKd+AFrLRn/Aikm04iTp93v08pTnveJdvzw0hH8 MFDmM/wy8d95P8fEAOdQ89QCgnClHCkeEcMfRiUB+ncv7b33wb0X6P8TQGWi28jHxo+1fbEG4Vew NZ+13TKFPAxWz135iEwXYzaEc+JkUzBqxHxUiafYi/nEoWBKTQXtW1k9/4q6Emjd6NiF/Ib+EFtn xNHToG7P4zgZ6u/b/caO4ZckErMlGE5n4gm7U65QyJ2gYE0N4TBlrpDiVvp/nzqF/L4dOr1RpZbK yBK10mQC5pH/RG80QtahV02Gg+j4Sfrv57s7E1GdBoxgorf/4N7OrmBYDrjEo72MPt0L+rTmq/Rp OX+6XmVE+XUmZvVh14Drq6rp6589tGlzXb2xUHzYtnnvmgZIQlwu9XljbX332tpar1eljmwczG/r 6qhMmUwvVlTYIUptiUaibo9Wp5C7HIl4pjERs9uYAnOub6Cu0WoLBfs3HNp//7O337Z5UySIJBKL LVnZad7kcTMZ5PDIkU1ACjNVWd3ZNZWpTDFZjrTCbIEcZ01jUySqN6pVHndNFYauXLpiJ3955Rjj 5wQgfTzyb/7n9u0gSWmwxreD9wIds6ykUaJ4xtR1wjV5DH/N6fKEozW1HTaDySzXaGQdrdlwBe19 FZUIZVKJRCQkCJFQKpZJRJcv7ujoSlYZTDgquZVAeE310QgZWrpR7/I4XGaqREiZnHZIb/AjwDXG m0bY/GlFbWL5Kn7pK16JVep/zecAtnSRiCnJSIXCRDk9brAEJkquQM8gZQVldsGIy2E2KiogmHW4 kpWZ5lQVwwv+D8ucjob6jQO7pjcONtTbrEt3vEF8mI0n3B6L1WA2mKw2tzeViUGKaTGbYcBm9bqT Ka/XaJBI5AqIt+N1oo3t65IJyqTRBMOZ7KWX33wTQ8vfSNMr6kkrv45eU1e6esrlylLBkF+tLr0z wWM/9ZQIKqRyaaFXQu58590LMwIBpLA8iYwZg8afeWaGx3b5JWD7CPZTHn/iAvqGXKc1GyxmU7a9 vcVkthhMECXQN/Cyly+k6+ojVbHmZgNlMhmNejW6g96l1hsNJhNlaM6CmMei9XVJIsPYktMgRSZy HdaGTTK6tsJnLSe/CdtqFVxZi79OWRt4L/8q5eOogI9vymSZqqzoh9Lq1JbKUMBilksRrjCYgUOV rWNr1gRDCvaLdjjYvn52fkNPkOBq3U8Vat07p6yQHHsi8XhzmHEM8KNM0XA6Ho96XDoNPYgUcrs1 GqnVrnN7ZFKXo7a2/3WQW4NJWmGhmjO50duOjo+1Zp2gzMMaymTUK+RkqVJtNNmdzst/9cFCnnhn vqszGlarQP+jHV3zuzs6gyGQQsAp3LGeiUHP0gPEBbDEgmIkDx7iLG6jz6A55qP+ic+/cwJonATp OQHSo8fMAEcAHGGTM82WiEGzgEQwLQbjFjnxSAaR9D8MzvbT3+yb7Xvzt5l/QYKNs4NoanB28N2l xizamSGa6Dem6QnmLxTQt6ZR3XShR09M02+gOsBLDHhFOLwKyb8MiQGnM4DbwAn+thOfnQB7coir uZmxRubvIL5UuV2V9gpWSf1ygFKsLvIYle2EBCzdvHFobGJwqDHtcDod6fTQxqnRocF02un4AYR1 Lneqak17VY3TI1co5R5XVeXalupKj1OtpAc/wh9949gt3b1Wu93a23XLzW+8dcvN3Z2UGYGt7Oy+ +Za3Hpra2dCg0yKk1Tc0TE499MDEZGOT3oiQUd/UODnxwL7PPwd9PQ0eksmwHCvi1OKp2GLGteUd WYysA2dQXTu0eX9+YKCqxmB8BYnLKFMi3tVTlbRZJeXoIvrw9uEdtfUGI9Jra6u2bbmVmLn8vR3N zB9agCcM+tpaJ4gWoD1BfxN/oZCXIDnkFcQ5VEq/CYP3Lu1kDAkqtO//ovHYNkntn5g/tln9u3IJ tPKXwD/E1IS5H8zhn1u6H2QJstQrO8hfFuzSil+GfBtj/lolT76NOuCOkW/jcuj3F/qoC+4vQbvI 3Y9C+wO0O6DdDe0maM9BewTazdCOQ3uisB4LOwZNyT0zMLug+bj7LRx8J7Qs9349tI+5/uvcfYG7 3wP4fFJo2FZoI9zep7h1xrlzMPt9xr27j3z7yiW4p7k5WAF3dBbuSbiL4X4I2mnoA/UhZ/ZjVXC1 YkewF7B/Rs3oRvSXuBmfxI/hZwkfcSNxgfSST/FivBbeI7yP+Gl+P//HAkcJr2Sq5KaST0vvLP1R 6adCgdAmrBZ2CU8KHxA+J/xfwg+FdJmp7F6RVfSU6JNySbmtvLJ8qPxn4m7xFvGfS+SSm6RmaVQ6 Jb1R+pHMI6tiuZTB7mbkgeP+6p8B9S+Pb8Uucn2ESRhdZvs4JkBbuD6B6dADXJ8EmL/h+jxMhBfX 52Ni3Mf1BdgBIsz1SzAF8WuuX4qJyRKuX4YZyG6uL8KC5Ftcvxw7zLvE9cWYj/8u7I7IUnh6mcWE 6SPMhIxcH8fEqJ3rE1gc5bg+CTA/4Po8TIN+x/X5mAEv5/oC7FO8muuXYG7iKa5fihmID7l+GVZJ qrm+CNtMznL9cowmL3F9MdbPPwgUn8Pmsf3YAvi1cWwCy2MUdg5aFAvDlYJeD5bDRuG+BhuGt37o tWGzkNMHodeETcNFrZi9yD7l4J6D+x52LgO5HmalIeLpgTl90O/EOmB0koUfhpYH6GGAzWEzcF/A pmBsDhv72v2xzNz8/oXJ8Yk8dY6KhsMpqic3Sq0ZzvupttmRINU0PU2xrxephdxibmFPbjRIrW9L Z3ua+to6O6jJRWqYyi8Mj+ZmhhemqLmxa+djgPQktoM9CLP1JCA0C9u3s/c5eD25I7cwnJ+cm6Xa 52ZhgEF1HNsNJGGOgPXkxndPD0OnCY45Au9m2QMuwBoBliRfu3rT4khudjS3QAWoL230n0Wsn4Vd XIaMAPUY7mL9uYVFBiwSDKeuv+x1Fv06HP7/OFqQnXF2lTy7dgFykl17A0D0slBd7EyGoHl2t1kW qu86O3bCjmMwnyH/VcgRdu08PBdWnoP+BMeancDABRaDUXZe8WyLjMStoOy/Iz0gcuOTi/ncAgxO zlIbgr1Bqms4n5vNU8Ozo1Tf8sTOsbHJkRw7OJJbyA8D8Fx+Avi+c/fC5OLo5Aiz22LwelLEKO8C qO/cNUy4KjmZuYX5uQK6GFCOodgelg7tLHie1VN2Sm8+tydHtQ/n87lFBniCfT2PVWMhuPayVxAm XYvBCLd/kO3NACQ2kc/PV4dCe/fuDQ5zaIwAFsGRuZnQf33ZPFioeVYWcqwUjwNsQaKD7JozoHJf u3V+/3xuNLc4OT4LAh+cyM8A/AbWSBWFkhGAgvBeX7DH2DsjbovsjDygPswKaFHoF0FwdoD45Fih YVac49ZlYKY5IZzldh2GQzCzGWEtCvLuFbzdy+IzAv9TcPg5eMfMGWHXmGdZN7pi9f8sziBOGxZz jNDmJ0CQV4j12BxI6OLcWH7v8EKOEfLF3Tt25kbyVH4OYHPUNAjrLEwdHl/I5WYYcd7NytreicmR CWr/3G5qeGQkN58HsWfAv2rl4H9dGKavc9b/oBhML2PDyQCG/T8cekgUZW5kc3RyZWFtCmVuZG9i agozNTEgMCBvYmoKNzY5MwplbmRvYmoKMzQ5IDAgb2JqCjw8IC9UeXBlIC9Gb250Ci9TdWJ0eXBl IC9DSURGb250VHlwZTIKL0Jhc2VGb250IC9MaWJlcmF0aW9uTW9ubwovQ0lEU3lzdGVtSW5mbyA8 PCAvUmVnaXN0cnkgKEFkb2JlKSAvT3JkZXJpbmcgKElkZW50aXR5KSAvU3VwcGxlbWVudCAwID4+ Ci9Gb250RGVzY3JpcHRvciAzNDcgMCBSCi9DSURUb0dJRE1hcCAvSWRlbnRpdHkKL0RXIDU5NSA+ PgplbmRvYmoKMzUwIDAgb2JqCjw8IC9MZW5ndGggODI2ID4+CnN0cmVhbQovQ0lESW5pdCAvUHJv Y1NldCBmaW5kcmVzb3VyY2UgYmVnaW4KMTIgZGljdCBiZWdpbgpiZWdpbmNtYXAKL0NJRFN5c3Rl bUluZm8gPDwgL1JlZ2lzdHJ5IChBZG9iZSkgL09yZGVyaW5nIChVQ1MpIC9TdXBwbGVtZW50IDAg Pj4gZGVmCi9DTWFwTmFtZSAvQWRvYmUtSWRlbnRpdHktVUNTIGRlZgovQ01hcFR5cGUgMiBkZWYK MSBiZWdpbmNvZGVzcGFjZXJhbmdlCjwwMDAwPiA8RkZGRj4KZW5kY29kZXNwYWNlcmFuZ2UKMiBi ZWdpbmJmcmFuZ2UKPDAwMDA+IDwwMDAwPiA8MDAwMD4KPDAwMDE+IDwwMDQyPiBbPDAwMkI+IDww MDJEPiA8MDAyMD4gPDAwN0M+IDwwMDI4PiA8MDA0MT4gPDAwMjk+IDwwMDc1PiA8MDA3ND4gPDAw Njg+IDwwMDZGPiA8MDA3Mj4gPDAwNjk+IDwwMDdBPiA8MDA2MT4gPDAwNkU+IDwwMDUyPiA8MDA2 NT4gPDAwNzE+IDwwMDczPiA8MDAzRT4gPDAwNjM+IDwwMDRGPiA8MDA3Nz4gPDAwM0M+IDwwMDQy PiA8MDA0Nz4gPDAwMjY+IDwwMDQzPiA8MDA2Qz4gPDAwNjQ+IDwwMDUzPiA8MDA3Nj4gPDAwNDQ+ IDwwMDU0PiA8MDA2Qj4gPDAwNDU+IDwwMDQ2PiA8MDA1MD4gPDAwMkY+IDwwMDQ4PiA8MDAzMT4g PDAwMkU+IDwwMDNBPiA8MDA3OD4gPDAwNkQ+IDwwMDcwPiA8MDAzOT4gPDAwNjY+IDwwMDM0PiA8 MDAzRD4gPDAwMjI+IDwwMDJBPiA8MDA2Mj4gPDAwMzY+IDwwMDVGPiA8MDA3OT4gPDAwM0Y+IDww MDU3PiA8MDA2Nz4gPDAwNUI+IDwwMDIzPiA8MDA1RD4gPDAwMzA+IDwwMDU1PiA8MDAyQz4gXQpl bmRiZnJhbmdlCmVuZGNtYXAKQ01hcE5hbWUgY3VycmVudGRpY3QgL0NNYXAgZGVmaW5lcmVzb3Vy Y2UgcG9wCmVuZAplbmQKZW5kc3RyZWFtCmVuZG9iago3MiAwIG9iago8PCAvVHlwZSAvRm9udAov U3VidHlwZSAvVHlwZTAKL0Jhc2VGb250IC9MaWJlcmF0aW9uTW9ubwovRW5jb2RpbmcgL0lkZW50 aXR5LUgKL0Rlc2NlbmRhbnRGb250cyBbMzQ5IDAgUl0KL1RvVW5pY29kZSAzNTAgMCBSPj4KZW5k b2JqCjM1MiAwIG9iago8PCAvVHlwZSAvRm9udERlc2NyaXB0b3IKL0ZvbnROYW1lIC9RT05BQUEr Qml0c3RyZWFtVmVyYVNhbnMtUm9tYW4KL0ZsYWdzIDQgCi9Gb250QkJveCBbLTE4My4xMDU0Njgg LTIzNS44Mzk4NDMgMTI4Ny4xMDkzNyA5MjguMjIyNjU2IF0KL0l0YWxpY0FuZ2xlIDAgCi9Bc2Nl bnQgOTI4LjIyMjY1NiAKL0Rlc2NlbnQgLTIzNS44Mzk4NDMgCi9DYXBIZWlnaHQgOTI4LjIyMjY1 NiAKL1N0ZW1WIDY5LjgyNDIxODcgCi9Gb250RmlsZTIgMzUzIDAgUgo+PiBlbmRvYmoKMzUzIDAg b2JqCjw8Ci9MZW5ndGgxIDE1MzQ4IAovTGVuZ3RoIDM1NiAwIFIKL0ZpbHRlciAvRmxhdGVEZWNv ZGUKPj4Kc3RyZWFtCnictXoJXFNXvvA5994ExLogIF2mzwsRqRVBQUrVugQIEgwBk7CqQMgC0Wxm EamtuFSRamutS6tSpNRx/DHWcZy2D23tvK4u2M6rjl+HOu08ZRzbN77W1+n0s0gu73/OvQkBbevv 974v8d6ce87//PftXEQYIRSJ1iIWoSJ9Wvpr1d+ZYGYrXKV19kbr0Z1/sML4rwjdf6jeYjRbiwo2 IPQAWX+kHiZGr4oshOf34XlivcO36sXs1BJ4/hIhvMTuMhmTs1MNCD2YC+tHHcZVbrQU5cPzd/DM O40OS89bp19H6F9iYe4vCHOj8XNIhjjZAu4cQkK2+Mvo0TbGGskwI+UsG8kxDLcWod+MRXwBkj7Z Np8XzUf8LUYeK8TivREO3AvTWFpmkFXYzVllB0DKCIRiohOikxKiE6wc6veyD/RfFXZHjL75rUc+ GeGBPoS4r2QXCRybEJcQrYhOkHPfBL7uDnwtu9jZd1E2heA9AVBmeSyKhwcAmZQ8SSGPkMfBMCP6 kaxHssbHj+fMXXjO3Cd2l5QeP55dWb7yHZOJORBYwrS1FRfhqppXAs3y2ECbOWM6xitXER7fAVyN gFPkMYPgilO80wUfruZWuzz2K6DrGrjCnuJWowyAjQOqyYlAVR4/Ph7+jY+LjZAnJ8JkJjxkpGc9 kkkg4N+krEnAU3r8eHaL1mCofDpHhdOn7Zr3vl63+slPK421dquptnbdgjw8PePX83+tKcR4hftj a2UFN+/IQ7Ex+OGHDUrFJH70wxrt5tbFS/C4sRPffuS+B6ZO0RVMTp40ZuJC9YaXykrwmDFEihNC KXcAOIxFExFKokKAQjKAePTYCLlCnjwJE20RvmNFLrH3+PFZFeWrz61talp7bnV5BfMo1pVs36Ez GHQ7tpfoDgWOyKM6TenTOjqEm8LNjg6cnoavn/V7vf6z3V4fWJ5B7oErXBNQvR8piGYSQAFZgDor DqySzCdPihkrKiBCoh3BNfUfG1lv/VebxVRrrrMtE/6xrw3v2tl/5an1/8ro9Jv3La4axVRV/r7W gu+/L/PIw+PjcWsrjsLjXmnH259//4XKyrLyl4gnuAd62WtAOUGyCPUDItl4ibwCLBLNZD1CeGKv abXFRb8zwed3RcVabaFOv1TYuQu/uAtHlCwq5jIPPxwfh92ejz52e3B8bErnxHHj9u/Ho3F020t4 bAyhlwZKvgleEkfoUTXGiW6qyMzInAGaZm4eNScl4zThk+NHj5aVnZTH7nlocp1pW38a+8k27Zul JcRKj4O+pgLXowg+LBkji7CcmQWYiNbAUpngNhkJmZJUEZmSIZm3/6OkVDnftWfpYtzVNa+quvlV sxWvXXMLM1hneKFm8RK9uaZq8T9WrWIyMjJW186cjbHT/tpkTWBdp3VaOsa1NR0na2rGrVmgwuPj UzuTY2PWrCGyZQFr38raqGzRRCqiRwgC0GAmkS8aN+DVwsZJE30nT15ctKi5WdYmvLst0N6SnLy3 uOg8U7MNzyXSrQDp/CDdGDRhUDrialkkIECCGEYUMBrcgvHuKiktLdm1o7QE45LSHTdaNmO8ueXG t80tLc3sX7y+M2eIk5055fe+1NoqXBf+q7UN47ZWHINjW1uDuQCo3SEXxN11LuBqjgRTgch/JdiY xhCGlCJaJFFkmJgASwJlzhD9me3o6ppdVvFEd9PatU3dT1SUBU7T4DEYaCCxbzBVP1w/ZElLxxA+ kTiyo2NaujCeRk83jSRRDrYA5CDaJ3oKFyIDhIhnC3jFpCkv6QwQr0uXbIqJH/8g+9q4EREYm61v B46BCNZ0EIHjaB4AGQ6ADGOoDMNDflhKSI4DOuzVIWEf2DYkKcw6fpxJCwt6Rjc0I1gOATGQohQh eSZXg+4hOTSG/sMKllWUdv3tas/frnYJl3r++9serqZ/N7uMXLfa2d39y8jOVwd6uXLYGU8qREZ0 0GWC6ideeKRr7pwnd5aXgNvnllX43zVZ8AnmYMC4v6i4uuqXzOpb7Yet09NXrZK8ohVYiqK5HGdg rADvOHGcSfp74Aiz/Ebg1HF5bL8N9wa+CxxmFIHPYc8ZhGSzofaMpHsSCGW4K86cZb44ezaQeFZ2 MdDKmPumMKcCM4mOAZ57BuCjRN+jKYdoOonkmnjCM6QFvEN4plCDsabwGeFRfLpvfRPGTev7hLOy tMAfcIG6eWOB+iDknEtfuFcEDhHvgwxeSaOHWG6Yo+FhjhgPUanAaeHOxniHeOLsri4mLczTAr8Z 6oamzh++B6regSuyHtkNKWaBSgwjUo5hwD94MWaTeJEym/z52g0Yb1j7+Z/XEXHW/RnPPPkmxm+e FE4J77958uSbMg1+5YBwVbj6yoEDr+AH8AMHXvnl+T8K+4X95/+Iz5/Htdj4x/NEh2NB5/WgQ4ZY CuMETNwlgVUwbwlfM0nC6qvMzPObA9WbL8pGB+5jj/RNwU3COrDVbtB9AfBLqhykKpIb6TdYYDKl qCFFmXxxC/NOv8Zz+sMMY3ISBk/fWG1b3tC43Fbx5dNPJyoW379xU2dn58qzp2bbCwsKVmoWJiTk nJt2/33Y639niU7vfvDprUD1EvB4BAmkW8uCxHjpwgVBIFJsgmjbFtJeoqg9ks+jx4oZj0QayXgx UImYLa3aYoyLta2tUIOKW/s2PfXUpr5bT23CeNNTsuI9+4SPhHMv7sN434t4Bs7Yt6f9w9NCs9D8 4WmMT3+IG3Hj6Q+BlzlCCdTcGhQNGiReAQmaxEsW8fUMZkeRuuCJHXbNww9nJAiz38NVuOq9+tNz 5uK9EyduMnDa/p2snUTdUeFbZrV8HMGCpdIZrwAlklqWxaxunq/Mnr+p/QX1wgL1i/Jxf7t8+dq1 K71X/9575fIXvVeuE9k/YDsZ0rHRvgmLIRONXZ3MxE4ImIvMFHIBpQNAySVSismQAiRCIdnsQPvu hWqM1Qt3t2/Mno/x/Gz5uOtXer+4fKX371d7r1y7dvkyGhIbM4DWDClLSjESDzpOGNJ/BQtpWLSw HTrDzl2L9PpFu3YadF1Na4VbtSWli4qLtfrXKytnlVc88fEa+Hz8REX5rC5mzimXA2OH69Rph9Pp +E/h8tNbx4ya8LuUuLjqqt8vNk1Pp5WIw2zbS9PTazvFvBPxIHD4MPAnVZ940MeMwao04w65nZus qqne8JvqKnx85kz/czr98ZmzVj4LP8fnVpQ93lhWwrY8MXsWxo2rr5Cy1V6kFcsW09ahhdwSLGEk /8+ZS3wDooP4hpzoGpOYmiO6gLCkD3KvgT18q51Yv21gHH4P/FlG/ZlVxNy4cGCdTjgs/BueT9YH e2LaEUM3LI/94ToScyXeQa1OV86chezYR3tzM/4L08RsoCsQmWbmgcBVZsMBki8HBmRHab6kHUYG L2aXhKQEkl/AekkJeMd3OPO5ZzF+9jmhW8jG+/Fvz53F584JxYJRlnarYesWnIZTtm45+Nobwjph zetvYKADeLnrFO94NJn2LsGMOThMTkhOIB5A0kGwVwdqOLeDxGCH8BaesqMgP79gh3DxLMNde/IJ PF+5Gjxkc0tf4EvmTODz3OytW3KzGasw99Esj3tmFj5YU/PblkW6mARz3QvgHpjITrJoMuSBYDea zIupICnYDCs40RtJhZAlW72+9cJAcwvGLc0Yr/d5rcv9DU8Jr74HH6zfuGqlrPZi1bRU3Nom9Ah/ gg45LbXmQv7EifiTP+A6XAf3xCSgegisTXKonGocCl3CIfbfAlcuYCGQIbtY2rcODk0sehrq6xaa o6ah+YPRTpMGKCiJnFNmiB4bF6YlUnfp+YWVD5Yi4sDMFvBTve655/Q6rNMLv9ywoACvbfrii7VN +QVrt+sXPbXp+5sbIKfpdc8X4IL8DesL1OqC9RvyC5gPoBg2b9YUajXNzYWasgmV5euO2eowrrMd W1deOUFRa372M1KwPnvWXKvA8/zzlcr5fq+YFkgWWAvZthkk4UESlJUpHTZiwrtmcKhoUrCAeRxW PonAlzVa7cJTy21jZpdX2P9j/QbQfS9moes8eEi4WlioxXM3FxcVFW9u0UJSmNA1MSYWN2/EMaWp aWCmTdevbt1C0zEpZGPGMC8sXdrRXr10aXV7x9KlYlyAlsUegrTQ0nWGPRq4n/QNzM3+uXCQFfI6 A72dErwC4EeEwSvOsJUBN1McOHqWgOZ3BrKk7iQjCEm6UrgpzuCxzO73hRuBZe/LLt6awF3um8Jd vjWBaOkG2Pg9TiHmZVKtyHn2xoULpGZxCoGczgeymWNiDJMUwUR2Bm5Czv7BAWuzga9GyCAjSVUG lyL/IJNwZmE57uwRTggnevDvBE8PnownczWBvwTewV1CPlPAjBdW4G2E/hH2K9YB2GUUhyIzJoOV 0TteR5IM3kvu7Fev4nnCO6/S++27aE5KoneMBnfJLtIMdTiYpwZ2C1aajUbRbES6WrEaZp45a62/ Ujhv46NZkJ52CP/d+HjnwoXvgnxQTrhKmjNQVkK0LDMpg6hewAXCHmw5iwv6D3Ry3vyu/L6LncCV GaAP0C5lFO1S2AyiTFLrMlm5wGAhU7h48UygSpbU38t+1J9xSGjHNe+BPAOXhFKaQUeJdS86VuRt PO1syfuFRfrX8qbbJiVh+p5h66fVNa04fdoe+UPkfQPUVuySLCRWVbGkShmYW0Y1RbtV8LGzzKf9 1SAnsCx2pzIDrMejRAAndShGwZL2iPLNQXSTtig6eC5TsM/Mnzdn7kc9vy9QLWj481l8GqM1a/D8 nMDTwnYNqc2a7cxb8Qvy1wj1uGlX+vRAi+wiXrb8T88sXcoUBb7OzdmwPjcb+GqG6OyA6Ay+IwnG HX1HQvJv0pAaPUN6R0IPz5ChuXyfpa7qYHnlY7N+9fgV+zK8fYfw5fKVjU2PN6z0HK6uysndu7rX bNm65Z/1TofswAdZDzwwX+k3T8+YcF/Kcufrn7lW4HvvTfv3vERFbk6TY94c/t6pNTW//tDjiaHn k3I4ZV0CvxbjDZPWESesYJcFNMxr/U8yrwUsXM2h/ks7DrFJoENaH2kMEXgxhmiVvEDcEKIo0BOq lblQ+Q+Cvu8J1lwSUxA3uefwLDyzl9w+EloE4QPhXQFidRz3Nbn6psjG9t2Q7CmfIO1PAB8j9lbQ EJ+Kn8RNeOoHQlO30ARx3h/J3oR9E/oRh/ouk72/HeiVTYa9caKPib1nZjQNhQTy/uVYd1nZe++U l3U/97xwTfjrtucxoPHfsC3HeLntBrulf4lwaeeuXTsxkdor3JTOApNuPwvEYAXJ/snBQiYdDW47 EszDUd99njh23FjxQIAfE48IdbY7HA36/l34/BsGMxj/8Tw2kqMBPSvc6joOsd0Pfn4NZIsEy1Gl gmK4HtyG9/UEbnRDPOxlrP3fQmY9JWlRtkyMa3LuI4rE9AjXhrnAA+z9wveBDHKQa2EaAvn9vcwf AtNB4m3gs7ul2jjkfQxxz5AXs9KxmTYPQfnJC5kDtFa00LqBRxRqtJrTtuWjZ1WW2y9vWL+55bLQ v7nl0K/wL2CBnQ0F4+Wl1RhXL30ZSgbT2KWIjWluFr4pS0vd3PL3v23ZKnX5oIUxY4gPgl/Ey94G HyRniwQ4HLEJkEXBc+mliKFXZgK9uHjhcwNOyq3HE23tdfhR4WUdnivsq2+vEy7VvVwvfIBrDMLb 2GZlNwrH2GbBiPcLxr3CsT1CLW4j1x6s3Yv3E022gk68oJMZYvYg2SJJLkVuVvDtppRmZww7dZHe np33nH4RfuFF4cvqWotNbzE5T1pMePHSXx55Y2dx0SL9C4aqao/XYq64CuUV5+WzSbyx9rnPGx/H ODZ60nvp996PFy7c9hQcCw4+NmuFd+6ccTFJr02IHkvahCcNpZD3Vgz0RkymVuPRdPQIyhva1dDU EtbF0MaAAsgH388qkkiUJqQPvr4liUj2Sdn09PTpZSXp06enl7xUBfW99eUlS8Fm+2/dLIW2H9bK oNmenlHCNrf3V7azB/sbX6quWlrd1r54KVh1O1YXPLVBvXChesN6jXotdjjffMvudNrfetPlYIxw zlm/UV1QoN64buHCph/+IR8F6yehh3Q63jrhdIid+RXODH6cJPUFQcUCkwlBK4ReOBDVf87eF2if MnXK1L7nt+Pdu4VvqmtMdZU1NcsPW83kDdFhXdEiA2knnh8TGYE3t/znt3DgjB7Ld6fH34uXLG7d t2QxKHhoVwCxjjtpW0C6AvkOiMbrwoNcrHCYViTInVzsrT8Jh7dtg33Bkzx0oQli9mMKAh9ewD34 s/OBU5Dx4rmvxBPCnPD3LFh8NwP/1vVgL/b3CDyDeoQlQsVnTJx0gMzov8msDmxkHwyeWMuhokZQ zZCMnHAUH7pxQ4DJbT/0byMwp+hZM1Y8kSaQdySZjEso/+YbeezNL7bJuW1Sr0764STynhxiJ1o+ NKrjadhDAx89Nn58Aqiae094gxnnf+aZduHl9z/88H1cvX3jeveKJ9dsEf5r89NPb8Yxy0r0F/H2 g4Em/cMpGH98Djuw4+NzEyfmfVo1fdqePcInwvk9e3DsOMTgTFKiqZahsiTRyhLNKlic2d3dHdsR J0CJCKwQ9mELQNB3MxHLqZ9P/Pm3MyQ7KH7+FQ1+LOv4X/fc1YsavFq4CXzQN3TysdBR/AI4+dG3 dNC1KTIT4Hb76zompbtbaOzuvvNrO9mcs2fPgmV6UJXsEneQeBL0nnE4E8su3brJRfYJMoa9IWwX dryBPzmIP0FDYWMyKWyPjOkTODl74w0h7aCQ9gZ2EFX34BrZJbZD+utOQhz9UlBysR2HbnTSv1fB 9fy7fGX1mMf+Sf4wN/wDneaDEQfBFphQlD6wJ8IhgHNGrRyoHaiNOBj6y1fwU8Z9hKxc70CfbBw6 wcxE73BTkIvZAnEQi05w19EKzopWMJ+gNO4aWs0qUBZ3Fa0gsLC+gi2gvyfkW1ApzB3hOmDMoTPc BXSGrMs1yCtrRGNl8Wg34LwEv83cW2gOOwEdZY9ADzkBHSBwEd1AC+YBpo3wwCxBZ5heZJZPBjxP wrUb8MSjQ3BtgWudbDTQ2Avz/QB3DN2AC8H+2VwS8AAXs2RgN8BdhsvMzBy4xGSgDzg/wG+jfDVz Gagc9rRFfIVy5ddg7hI6RngFPfTL5sFzPNomfw21wW9rxF6QNx74IjTQwHUqz2pJhgnolDwDedlM nEllBR3Avp7gBfqNQw8hHXTpr8P3BvRLFrwZX8D/l0llypjnmePMP9lx7ExWzy5nd7OfcKO4yZyZ c3Od3Efc1zJGNlHml3XJzsn+LPtK9r2clafJffLfyN+NSI7wRzwT0RFxIqI7oieiLzIuclqkOrIm 8snI1sjOyBOR349QjVgywjPi+RFHR3wa9S9RmVHFUW1Rn42cMnLPyP8z8urIb++JuGfSPY/eU3BP yz377+kdFT9q6ijlKAP1jjK0gHTuYX8lDf+Mx6ND87NCMBjFwBOW/qYqQ9XSmA2b58LGMuglzdJY DlFbKI0joMt5VRpHotGRdmk8Et07YoM0HjUiBrkBM+YgPyHfiH3SGKNJUWOkMYOioiqkMRs2z4WN ZejeKJM0lqPUqExpHIFqov4pjSPRL+73SuORaNovXpbGo8ZNilqd43I3emx19T7+IdNkPn3atAy+ tpEnf3H2eSxGRwqvdppSeaXdzusIlJfXWbwWz0qLOTUEw5daPEZeb3R6Q1NkhkxM1bkcRqfOYrcY vRZ+eur0aXdFb1TUnQiOihpG0ubljbzPYzRbHEbPct5lvR3PqKhii8dh83ptLieBr7d4LECvzmN0 +izmFN7qsVjIRlO90VNnSeF9Lt7obOTdFo8XNrhqfUab0+asAzomYJxA+uotvNXlBMaMJpPL4QZw AuCrB+x2m8niBEEfSswjEImTAZmZN3q9LpPNCPR4s8vkd1icPqOP8GO12S1e/iGCkW7g9S6rr8Ho sSROppx4LG6Py+w3WSgasw1Es9X6fRbKw5ANKbzNabL7zYSTBpuv3uX3ATMOm0SIwHtEbQJavxfg iTgpvMNCpXb7a+02b31KGI0UQjPN5eG9FjAFQNuAVUn8YaQJc4DWTRTtk1RHCTXUuxy3byBmsPo9 TiBooRvNLt7rSuG9/tplFpOPzIg6tttdDUQgk8tpthE5vLOIQQ2waKx1rbRQGURfoiyEHMHp8oEh vOIssYt70AfENd5bbwSxai2S3oARm5M3DpHU5QTP8PAOl8dyR8F5X6PbYjUCodQgW0PXHcZGQsHh MtusNuJsRrsP3A8GgNZoNlPpRfUBcbfRA5z57UYPJWW2eG11TspInb3RXe8lm4iXGk2AxEt2BDny Dqckep1ZVJrRfmcE0p4gH4PYgD2nvZG3DXF1EMdjIf+jhcKSgZeoktgmGCIW8DuLyHyDy2P28omh aEwktIMLfCIJ3kRJaWAdjRQ1tRaIJ4LXD3YgIqx02UKsWVb5IG54o9sNQWastVvIgig94B5mmHqj j683egGjxTlUK0Bu0MfNvN9pllhOHJpbEkUZf9qyXpedRDc1HTGUkbeTLAIxEwR0G03LjXUgGsSj 0xXKIXfvWkNIQeICJi12q8hWvorPK9IaeH1RnqFMqVPxaj1frCsqVeeqcvlEpR6eE1P4MrUhv6jE wAOETqk1VPBFebxSW8EvVGtzU3hVebFOpdfzRTpeXVisUatgTq3N0ZTkqrUL+GzYpy0y8Bp1odoA SA1FdKuESq3SE2SFKl1OPjwqs9UataEihc9TG7QEZx4gVfLFSp1BnVOiUer44hJdcZFeBThyAa1W rc3TARVVoQqEAEQ5RcUVOvWCfEMKbDLAZApv0ClzVYVK3cIUwmERiKzjKUgqcAk4eFUp2azPV2o0 fLbaoDfoVMpCAku0s0BbVEh0VKLNVRrURVo+WwWiKLM1KpE3ECVHo1QXpvC5ykLlApV+kAgBk8QZ VAfZsEClVemUmhReX6zKUZMB6FGtU+UYKCToHjShoezmFGn1qkUlMAFwQRJgkHwVJQECKOFfDuWM iq8FcQkeQ5HOEGKlTK1XpfBKnVpPWMjTFQG7xJ6wg8hYAvokxtNK/BIbkbnbvQOgyG5JwFyVUgMI 9YSN22Cpf6lWmSxuH/FvKcjFJEkTqphFU6jniskA3HiBE8JXnKND8GmIL1qBxCw3GGKkOKdISZik EfBwqEpiEjavtEAm9JKUAjHiIkmlweal8Q7l0OGS6p/XaAdisCsEBTnTaIdt3hCbQ4MqWBjdHhts afDYfJBSeKMfZj22x6WS7JFK1nAJCJXh/HssXjdULNtKi70xFWA9pK5RTmxOq8vjkESn6jP5ZgVz qY+vo8jNILjLU5da7/O5Z6WlNTQ0pNYGKaRCKkQ5yAVNYiPyIBuqQ/XIB8fCh5AJTYbfdGgyp6EM GNUCBI+yAcaHvHB5kAUZkQOlwKwaOQE+FUZKZIcvD218EJeXPlng1wJ7VsLdDJC34+FRKYUwwkgP dyes3g4VhAlCTAXcLpgnT4SKncIRWuRlUipc0/4fyjcKRd21hAT2p6W00Z1k5KMzZlghknjQcphz Ietd8UOuYorTQTF64e6C9SD+erpmkeSro5ScgI9wSXBZ6aolRNEEOwgPdTCXQnlzUS6ddL+bYvNK FFyA1QdrNngiV50kj0nSeBCnj3JBaLkobVFuE4VzAKSIPYiBQIu82+HXBDudkkUfQokoL4QjkVqQ 7DXTXy/lywR7jJJ8PFxkxg9ULHQXWQnqxwojO7UbwRzkcZAC8UPCvw81UI1YKMVBnZAZN9xdQMVP +Rzkxkwl8FGfq4VVH10N0vhxCinUbsS6dthlDumkgfpBPUD76T6iGQedC5coiN8zxDdFbv1Uhylh 1iFjB7Vn0NZugKqluL2wO+VH5EgJyZkGmDzw5KWRZw/htklaHWr9n5Y6qDmRW3fIo33DvG5Qogaq D8ddUQhGgxVk8FBv9dI9gxTN9E5opNBfoollAGGi+ESYcD8m8rqoXUQLmShtM+XYJnE6KxShBmmn EbC6aI4YtEN4XhrUwu0ZwQnwPikivENgg/EyqLXwPBC+j6dyGyVr1UqaGfQ3USM2us/4EzYlmMWc 4aFe5JK0fLcWJzCNlF8rzQQEd+pt2vqp/UQvjSEZHDQKbTSmg5mN8O+Tsp84I3JL9GoOs32494mS uykVUWd+wGKk+4JSmSm3xGbOMI3UARyRqF6a84TlUiP1ItGHgzSG68j7szKF5zrzEE8zUjvdPQdD 6QzXx514S5Fsbqf7bD+R1T1SBrJQvhxD8AZnvCGvDMbN8CpikfKdZYjmG6hUZro/8Q61MTEk9/Ad BD5YeROHeZoYO5phtaaWxr4rjF+/FA9BK6yEVdsdtGZBq6iunVJEu+ErVjIjza6W0I5w24t8/3TE 1NNsz9Nfr8SjhXrTj/uKKN2d8jhZ9VOooVq+k2b5MO2F2/F/E7NemkWDtXsw6oIRRToJe6gX8Ug7 hmJ0U89eDvc6yWpifXRS/Q7vQ/5/ZK0fl6pWihWfVB+tQ7SVj1SUVhHSwhOhVQRPBlQGHaaOrqlh jofeTgcrpfCUC7O51D5KukLWE2lklsGYYCxCJRSXiEMHd4K7AmYIbp4+k6eFAK8FXGSvCpVTGirA pqeQOoq7EGY18KuS4MiOHJgpgWcyXoBIdyrS08IuA40hso/wInJqgPlBqkO5UlOKQc4K4UkH+POl VSXgVlN8hP8Uqiky1ob4zJM4VVIdEcwEZw5wpKFPZLYEfosBTk/1qaQyi9xqqQx5sC7KoqIciJYQ OcqB32KgTSAWAF8GygWhZJAgU6iERJ5cup9QXUhnRc6KJCuT8SCWVEmXIh9E/6Uhynoqvwa+PJXf ADMGahsl4A/iDfrOAoqhMORHJVQ+JdVDEaWQTdeIFok+NSFIXZhVcqi+iN0I57mUkpJqRH9HSYLY hlrnTt4RpLCAyqeimtJQaD3oUQXw6tCM6I9qKmuOpFsRp+j3ok9owrSbQ2Ukll0EVFWSTymp7oZK IUYI4X9QCtECSumeE6azQetrJevmhGxdRL3sdq2U0VhUUSgltbU+pIU8Gr+FEuclYR4WtGOJ5J9F Ic6G6jcYR0G4u8kdIq4g7aEWzKX+pJE41Ie08fN4B/OXCmqciZ5/fKH8PbSSh3eSgx1qeC+aEpZz wzsDMRsvoLCOYXCDs2KeFuvX4BkovJe7UxULnpzFHn+wEw52I2IOF89K4Z2wmfbsYk/oDXUpYh1x hTqVBro6WN/F06GDQoSf/7yUriiZX9oxHJfYZxpp50Coee+gzZ+qVMNPjG5a+0UqDXTsk7oUIp9f giXzjw87JXuGnbJ+zgZBWX5O/x5qb7d0xrJRDZP+MlXC60HB89qgTogGrHTNMczqg95HsM1Cw/tS ooO6MM7NksVdtL9IpecvH3AzC061aaAh8k0FfxguQ6rUFf4PSWBhqGVuZHN0cmVhbQplbmRvYmoK MzU2IDAgb2JqCjg1NzcKZW5kb2JqCjM1NCAwIG9iago8PCAvVHlwZSAvRm9udAovU3VidHlwZSAv Q0lERm9udFR5cGUyCi9CYXNlRm9udCAvQml0c3RyZWFtVmVyYVNhbnMtUm9tYW4KL0NJRFN5c3Rl bUluZm8gPDwgL1JlZ2lzdHJ5IChBZG9iZSkgL09yZGVyaW5nIChJZGVudGl0eSkgL1N1cHBsZW1l bnQgMCA+PgovRm9udERlc2NyaXB0b3IgMzUyIDAgUgovQ0lEVG9HSURNYXAgL0lkZW50aXR5Ci9X IFswIFs1OTUgNjA2IDYyOSAyNzYgNTE3IDMxNSA2MzAgNjEwIDU0NSAzNDkgNjA4IDM4OSA2MDcg NjI5IDYzMCA0MDggNjMwIDgxMSA2MjkgNTc0IDc0NiA1OTggNjMwIDc4MSA2NzkgNjMxIDMxNSA2 MzEgNTg3IDM4NyA0NTYgMzg3IDYzMCA5NjYgNTg3IDMxNSAyNzYgMjkzIDM1OCA3NjQgNjgxIDY5 MyA2MzEgNjMxIDYzMSA2MjcgNTcxIDc0MiAzMzQgMzM0IDU4NyA1MTQgNTE0IDI5MyA2MzEgNjMx IDI3NiAyNzMgNTUzIDY4OSA2MzAgNTIxIDMzNCA5ODEgODU2IDcyNiA3ODEgNjA2IDY1MSA2MzEg ODMxIDYzMSA5NDMgNjMxIDMzNCA0OTYgNjc5IDY4MCAzODcgMzg3IDc2OSAzOTggNzgxIDYyOSA4 MzEgODMxIDgzMSBdCl0KPj4KZW5kb2JqCjM1NSAwIG9iago8PCAvTGVuZ3RoIDk2NiA+PgpzdHJl YW0KL0NJREluaXQgL1Byb2NTZXQgZmluZHJlc291cmNlIGJlZ2luCjEyIGRpY3QgYmVnaW4KYmVn aW5jbWFwCi9DSURTeXN0ZW1JbmZvIDw8IC9SZWdpc3RyeSAoQWRvYmUpIC9PcmRlcmluZyAoVUNT KSAvU3VwcGxlbWVudCAwID4+IGRlZgovQ01hcE5hbWUgL0Fkb2JlLUlkZW50aXR5LVVDUyBkZWYK L0NNYXBUeXBlIDIgZGVmCjEgYmVnaW5jb2Rlc3BhY2VyYW5nZQo8MDAwMD4gPEZGRkY+CmVuZGNv ZGVzcGFjZXJhbmdlCjIgYmVnaW5iZnJhbmdlCjwwMDAwPiA8MDAwMD4gPDAwMDA+CjwwMDAxPiA8 MDA1Nj4gWzwwMDU0PiA8MDA2OD4gPDAwNjk+IDwwMDczPiA8MDAyMD4gPDAwNzA+IDwwMDY1PiA8 MDA2Mz4gPDAwNjY+IDwwMDYxPiA8MDA3ND4gPDAwNkY+IDwwMDZFPiA8MDA2ND4gPDAwNzI+IDww MDYyPiA8MDA3Nz4gPDAwNzU+IDwwMDZCPiA8MDA0OD4gPDAwNTA+IDwwMDcxPiA8MDA0Rj4gPDAw NDE+IDwwMDMyPiA8MDAyRT4gPDAwMzA+IDwwMDc5PiA8MDAyOD4gPDAwMjI+IDwwMDI5PiA8MDA2 Nz4gPDAwNkQ+IDwwMDc2PiA8MDAyQz4gPDAwNkM+IDwwMDQ5PiA8MDAyRD4gPDAwNDQ+IDwwMDQy PiA8MDA0Mz4gPDAwMzc+IDwwMDM4PiA8MDAzOT4gPDAwNDU+IDwwMDQ2PiA8MDA0RT4gPDAwM0E+ IDwwMDJGPiA8MDA3OD4gPDIwMUM+IDwyMDFEPiA8MDA0QT4gPDAwMzE+IDwwMDM0PiA8MDA2QT4g PDAwMjc+IDwwMDRDPiA8MDA1Mj4gPDAwNTM+IDwwMDdBPiA8MDAzQj4gPDAwNTc+IDwwMDREPiA8 MDA1NT4gPDAwNTE+IDwwMDU5PiA8MDA0Qj4gPDAwMzY+IDwwMDIzPiA8MDAzMz4gPDAwMjU+IDww MDM1PiA8MDA1Qz4gPDAwNUY+IDwwMDU2PiA8MDA1OD4gPDAwNUI+IDwwMDVEPiA8MDA0Nz4gPDAw MjE+IDwwMEQzPiA8MDBGQz4gPDAwM0M+IDwwMDNFPiA8MDAzRD4gXQplbmRiZnJhbmdlCmVuZGNt YXAKQ01hcE5hbWUgY3VycmVudGRpY3QgL0NNYXAgZGVmaW5lcmVzb3VyY2UgcG9wCmVuZAplbmQK ZW5kc3RyZWFtCmVuZG9iago5IDAgb2JqCjw8IC9UeXBlIC9Gb250Ci9TdWJ0eXBlIC9UeXBlMAov QmFzZUZvbnQgL0JpdHN0cmVhbVZlcmFTYW5zLVJvbWFuCi9FbmNvZGluZyAvSWRlbnRpdHktSAov RGVzY2VuZGFudEZvbnRzIFszNTQgMCBSXQovVG9Vbmljb2RlIDM1NSAwIFI+PgplbmRvYmoKMiAw IG9iago8PAovVHlwZSAvUGFnZXMKL0tpZHMgClsKNSAwIFIKMjkgMCBSCjcxIDAgUgo4OSAwIFIK MTAyIDAgUgoxMTYgMCBSCjEyNiAwIFIKMTQzIDAgUgoxNTMgMCBSCjE4NSAwIFIKMjYxIDAgUgoy NjkgMCBSCjI4MSAwIFIKXQovQ291bnQgMTMKL1Byb2NTZXQgWy9QREYgL1RleHQgL0ltYWdlQiAv SW1hZ2VDXQo+PgplbmRvYmoKeHJlZgowIDM1NwowMDAwMDAwMDAwIDY1NTM1IGYgCjAwMDAwMDAw MDkgMDAwMDAgbiAKMDAwMDE2MjI3NiAwMDAwMCBuIAowMDAwMDAwMjM1IDAwMDAwIG4gCjAwMDAw MDAzMzAgMDAwMDAgbiAKMDAwMDAwMjc3MiAwMDAwMCBuIAowMDAwMTQyMTA5IDAwMDAwIG4gCjAw MDAxMTk4NDcgMDAwMDAgbiAKMDAwMDEzMTU4MyAwMDAwMCBuIAowMDAwMTYyMTI1IDAwMDAwIG4g CjAwMDAwMDAzNjcgMDAwMDAgbiAKMDAwMDAwMDQxOSAwMDAwMCBuIAowMDAwMDAwNDcxIDAwMDAw IG4gCjAwMDAwMDA1MjMgMDAwMDAgbiAKMDAwMDAwMDU3NSAwMDAwMCBuIAowMDAwMDAwNjI3IDAw MDAwIG4gCjAwMDAwMDA2NzkgMDAwMDAgbiAKMDAwMDAwMDkwNiAwMDAwMCBuIAowMDAwMDAxMTM3 IDAwMDAwIG4gCjAwMDAwMDEzNjggMDAwMDAgbiAKMDAwMDAwMTU5OSAwMDAwMCBuIAowMDAwMDAx ODMwIDAwMDAwIG4gCjAwMDAwMDIwNjEgMDAwMDAgbiAKMDAwMDAwMjI5OSAwMDAwMCBuIAowMDAw MDAyNTM1IDAwMDAwIG4gCjAwMDAwMDMxNzIgMDAwMDAgbiAKMDAwMDAwNjkxOSAwMDAwMCBuIAow MDAwMDAyODkzIDAwMDAwIG4gCjAwMDAwMDMwODkgMDAwMDAgbiAKMDAwMDAxNDM3MSAwMDAwMCBu IAowMDAwMTI1MTk4IDAwMDAwIG4gCjAwMDAwMDY5NDAgMDAwMDAgbiAKMDAwMDAwNjk5MiAwMDAw MCBuIAowMDAwMDA3MDQ0IDAwMDAwIG4gCjAwMDAwMDcwOTYgMDAwMDAgbiAKMDAwMDAwNzE0OCAw MDAwMCBuIAowMDAwMDA3MjAwIDAwMDAwIG4gCjAwMDAwMDcyNTIgMDAwMDAgbiAKMDAwMDAwNzQ5 MCAwMDAwMCBuIAowMDAwMDA3NzM4IDAwMDAwIG4gCjAwMDAwMDc5NzEgMDAwMDAgbiAKMDAwMDAw ODIwMiAwMDAwMCBuIAowMDAwMDA4NDM2IDAwMDAwIG4gCjAwMDAwMDg2NjcgMDAwMDAgbiAKMDAw MDAwODg5MSAwMDAwMCBuIAowMDAwMDA5MTIyIDAwMDAwIG4gCjAwMDAwMDkzNTMgMDAwMDAgbiAK MDAwMDAwOTU4NSAwMDAwMCBuIAowMDAwMDA5ODE3IDAwMDAwIG4gCjAwMDAwMTAwNTYgMDAwMDAg biAKMDAwMDAxMDI5NSAwMDAwMCBuIAowMDAwMDEwNTM0IDAwMDAwIG4gCjAwMDAwMTA3NjYgMDAw MDAgbiAKMDAwMDAxMDk5OCAwMDAwMCBuIAowMDAwMDExMjMzIDAwMDAwIG4gCjAwMDAwMTE0NjAg MDAwMDAgbiAKMDAwMDAxMTcwNyAwMDAwMCBuIAowMDAwMDExOTY4IDAwMDAwIG4gCjAwMDAwMTIx OTkgMDAwMDAgbiAKMDAwMDAxMjQ0NiAwMDAwMCBuIAowMDAwMDEyNjczIDAwMDAwIG4gCjAwMDAw MTI5MDQgMDAwMDAgbiAKMDAwMDAxMzE2NSAwMDAwMCBuIAowMDAwMDEzMzk2IDAwMDAwIG4gCjAw MDAwMTM2NTIgMDAwMDAgbiAKMDAwMDAxMzkxMyAwMDAwMCBuIAowMDAwMDE0MTQ0IDAwMDAwIG4g CjAwMDAwMTQ5MjEgMDAwMDAgbiAKMDAwMDAxOTQ3MSAwMDAwMCBuIAowMDAwMDE0NDkzIDAwMDAw IG4gCjAwMDAwMTQ2OTEgMDAwMDAgbiAKMDAwMDAyMTAxOCAwMDAwMCBuIAowMDAwMTUxNDI0IDAw MDAwIG4gCjAwMDAwMTk0OTIgMDAwMDAgbiAKMDAwMDAxOTU0NCAwMDAwMCBuIAowMDAwMDE5NTk2 IDAwMDAwIG4gCjAwMDAwMTk2NDggMDAwMDAgbiAKMDAwMDAxOTcwMCAwMDAwMCBuIAowMDAwMDE5 NzUyIDAwMDAwIG4gCjAwMDAwMTk4MDQgMDAwMDAgbiAKMDAwMDAxOTg1NiAwMDAwMCBuIAowMDAw MDIwMTAzIDAwMDAwIG4gCjAwMDAwMjAzMzAgMDAwMDAgbiAKMDAwMDAyMDU2NCAwMDAwMCBuIAow MDAwMDIwNzkxIDAwMDAwIG4gCjAwMDAwMjE0MDUgMDAwMDAgbiAKMDAwMDAyNTEwNCAwMDAwMCBu IAowMDAwMDIxMTQwIDAwMDAwIG4gCjAwMDAwMjEzNTAgMDAwMDAgbiAKMDAwMDAyNjUyOCAwMDAw MCBuIAowMDAwMDI1MTI1IDAwMDAwIG4gCjAwMDAwMjUxNzcgMDAwMDAgbiAKMDAwMDAyNTIyOSAw MDAwMCBuIAowMDAwMDI1MjgxIDAwMDAwIG4gCjAwMDAwMjU1MzcgMDAwMDAgbiAKMDAwMDAyNTc5 MyAwMDAwMCBuIAowMDAwMDI2MDQ5IDAwMDAwIG4gCjAwMDAwMjYyNzYgMDAwMDAgbiAKMDAwMDAy NjkxOSAwMDAwMCBuIAowMDAwMDMxMDEzIDAwMDAwIG4gCjAwMDAwMjY2NTIgMDAwMDAgbiAKMDAw MDAyNjg2MyAwMDAwMCBuIAowMDAwMDMyNjI5IDAwMDAwIG4gCjAwMDAwMzEwMzQgMDAwMDAgbiAK MDAwMDAzMTA4NyAwMDAwMCBuIAowMDAwMDMxMTQwIDAwMDAwIG4gCjAwMDAwMzExOTMgMDAwMDAg biAKMDAwMDAzMTQyMSAwMDAwMCBuIAowMDAwMDMxNjUzIDAwMDAwIG4gCjAwMDAwMzE4ODcgMDAw MDAgbiAKMDAwMDAzMjExNSAwMDAwMCBuIAowMDAwMDMyMzcyIDAwMDAwIG4gCjAwMDAwMzMwMzUg MDAwMDAgbiAKMDAwMDAzNzE0MCAwMDAwMCBuIAowMDAwMDMyNzU1IDAwMDAwIG4gCjAwMDAwMzI5 NjYgMDAwMDAgbiAKMDAwMDAzNzc5OCAwMDAwMCBuIAowMDAwMDM3MTYyIDAwMDAwIG4gCjAwMDAw MzcyMTUgMDAwMDAgbiAKMDAwMDAzNzI2OCAwMDAwMCBuIAowMDAwMDM3MzIxIDAwMDAwIG4gCjAw MDAwMzc1NzAgMDAwMDAgbiAKMDAwMDAzODE2MCAwMDAwMCBuIAowMDAwMDQxOTE4IDAwMDAwIG4g CjAwMDAwMzc5MjQgMDAwMDAgbiAKMDAwMDAzODEyMyAwMDAwMCBuIAowMDAwMDQzODIyIDAwMDAw IG4gCjAwMDAwNDE5NDAgMDAwMDAgbiAKMDAwMDA0MTk5MyAwMDAwMCBuIAowMDAwMDQyMDQ2IDAw MDAwIG4gCjAwMDAwNDIwOTkgMDAwMDAgbiAKMDAwMDA0MjE1MiAwMDAwMCBuIAowMDAwMDQyMjA1 IDAwMDAwIG4gCjAwMDAwNDI0MzMgMDAwMDAgbiAKMDAwMDA0MjY2MSAwMDAwMCBuIAowMDAwMDQy ODk4IDAwMDAwIG4gCjAwMDAwNDMxMjYgMDAwMDAgbiAKMDAwMDA0MzM1OCAwMDAwMCBuIAowMDAw MDQzNTkwIDAwMDAwIG4gCjAwMDAwNDQyMjQgMDAwMDAgbiAKMDAwMDA0ODcxMCAwMDAwMCBuIAow MDAwMDQzOTQ4IDAwMDAwIG4gCjAwMDAwNDQxNDcgMDAwMDAgbiAKMDAwMDA0OTUzMCAwMDAwMCBu IAowMDAwMDQ4NzMyIDAwMDAwIG4gCjAwMDAwNDg3ODUgMDAwMDAgbiAKMDAwMDA0ODgzOCAwMDAw MCBuIAowMDAwMDQ5MDcwIDAwMDAwIG4gCjAwMDAwNDkyOTggMDAwMDAgbiAKMDAwMDA0OTg4OCAw MDAwMCBuIAowMDAwMDU0OTI4IDAwMDAwIG4gCjAwMDAwNDk2NTYgMDAwMDAgbiAKMDAwMDA0OTg0 MyAwMDAwMCBuIAowMDAwMDU4NTA2IDAwMDAwIG4gCjAwMDAwNTQ5NTAgMDAwMDAgbiAKMDAwMDA1 NTAwMyAwMDAwMCBuIAowMDAwMDU1MDU2IDAwMDAwIG4gCjAwMDAwNTUxMDkgMDAwMDAgbiAKMDAw MDA1NTE2MiAwMDAwMCBuIAowMDAwMDU1MjE1IDAwMDAwIG4gCjAwMDAwNTUyNjggMDAwMDAgbiAK MDAwMDA1NTMyMSAwMDAwMCBuIAowMDAwMDU1Mzc0IDAwMDAwIG4gCjAwMDAwNTU0MjcgMDAwMDAg biAKMDAwMDA1NTQ4MCAwMDAwMCBuIAowMDAwMDU1NTMzIDAwMDAwIG4gCjAwMDAwNTU1ODYgMDAw MDAgbiAKMDAwMDA1NTYzOSAwMDAwMCBuIAowMDAwMDU1NjkyIDAwMDAwIG4gCjAwMDAwNTU3NDUg MDAwMDAgbiAKMDAwMDA1NTk3MyAwMDAwMCBuIAowMDAwMDU2MjAxIDAwMDAwIG4gCjAwMDAwNTY0 MjkgMDAwMDAgbiAKMDAwMDA1NjY1NyAwMDAwMCBuIAowMDAwMDU2OTE0IDAwMDAwIG4gCjAwMDAw NTcxNDIgMDAwMDAgbiAKMDAwMDA1NzM3MCAwMDAwMCBuIAowMDAwMDU3NTk4IDAwMDAwIG4gCjAw MDAwNTc4MjEgMDAwMDAgbiAKMDAwMDA1ODA1NyAwMDAwMCBuIAowMDAwMDU4Mjc1IDAwMDAwIG4g CjAwMDAwNTg5NDggMDAwMDAgbiAKMDAwMDA2MjQ0MyAwMDAwMCBuIAowMDAwMDU4NjMyIDAwMDAw IG4gCjAwMDAwNTg4MzEgMDAwMDAgbiAKMDAwMDA3NDE1NSAwMDAwMCBuIAowMDAwMDYyNDY1IDAw MDAwIG4gCjAwMDAwNjI1MTggMDAwMDAgbiAKMDAwMDA2MjU3MSAwMDAwMCBuIAowMDAwMDYyNjI0 IDAwMDAwIG4gCjAwMDAwNjI2NzcgMDAwMDAgbiAKMDAwMDA2MjczMCAwMDAwMCBuIAowMDAwMDYy NzgzIDAwMDAwIG4gCjAwMDAwNjI4MzYgMDAwMDAgbiAKMDAwMDA2Mjg4OSAwMDAwMCBuIAowMDAw MDYyOTQyIDAwMDAwIG4gCjAwMDAwNjI5OTUgMDAwMDAgbiAKMDAwMDA2MzA0OCAwMDAwMCBuIAow MDAwMDYzMTAxIDAwMDAwIG4gCjAwMDAwNjMxNTQgMDAwMDAgbiAKMDAwMDA2MzIwNyAwMDAwMCBu IAowMDAwMDYzMjYwIDAwMDAwIG4gCjAwMDAwNjMzMTMgMDAwMDAgbiAKMDAwMDA2MzM2NiAwMDAw MCBuIAowMDAwMDYzNTk0IDAwMDAwIG4gCjAwMDAwNjM4MjIgMDAwMDAgbiAKMDAwMDA2NDA1MCAw MDAwMCBuIAowMDAwMDY0MjYxIDAwMDAwIG4gCjAwMDAwNjQ0ODUgMDAwMDAgbiAKMDAwMDA2NDcw OSAwMDAwMCBuIAowMDAwMDY0ODkzIDAwMDAwIG4gCjAwMDAwNjUwODkgMDAwMDAgbiAKMDAwMDA2 NTI4NSAwMDAwMCBuIAowMDAwMDY1NDk5IDAwMDAwIG4gCjAwMDAwNjU3MTEgMDAwMDAgbiAKMDAw MDA2NTkwMCAwMDAwMCBuIAowMDAwMDY2MDg4IDAwMDAwIG4gCjAwMDAwNjYyODQgMDAwMDAgbiAK MDAwMDA2NjQ4NyAwMDAwMCBuIAowMDAwMDY2NjY4IDAwMDAwIG4gCjAwMDAwNjY4NTQgMDAwMDAg biAKMDAwMDA2NzAzNCAwMDAwMCBuIAowMDAwMDY3MjIzIDAwMDAwIG4gCjAwMDAwNjc0MjYgMDAw MDAgbiAKMDAwMDA2NzY0MCAwMDAwMCBuIAowMDAwMDY3ODUyIDAwMDAwIG4gCjAwMDAwNjgwNDgg MDAwMDAgbiAKMDAwMDA2ODI1MSAwMDAwMCBuIAowMDAwMDY4NDQ3IDAwMDAwIG4gCjAwMDAwNjg2 NTAgMDAwMDAgbiAKMDAwMDA2ODg0NiAwMDAwMCBuIAowMDAwMDY5MDQ5IDAwMDAwIG4gCjAwMDAw NjkyNTcgMDAwMDAgbiAKMDAwMDA2OTQ2NSAwMDAwMCBuIAowMDAwMDY5NjkzIDAwMDAwIG4gCjAw MDAwNjk4ODIgMDAwMDAgbiAKMDAwMDA3MDA2MCAwMDAwMCBuIAowMDAwMDcwMjQ2IDAwMDAwIG4g CjAwMDAwNzA0MjkgMDAwMDAgbiAKMDAwMDA3MDYyMSAwMDAwMCBuIAowMDAwMDcwODEwIDAwMDAw IG4gCjAwMDAwNzA5OTEgMDAwMDAgbiAKMDAwMDA3MTE4NyAwMDAwMCBuIAowMDAwMDcxMzkwIDAw MDAwIG4gCjAwMDAwNzE1ODUgMDAwMDAgbiAKMDAwMDA3MTc4OCAwMDAwMCBuIAowMDAwMDcyMDAy IDAwMDAwIG4gCjAwMDAwNzIyMTQgMDAwMDAgbiAKMDAwMDA3MjQwMCAwMDAwMCBuIAowMDAwMDcy NTg4IDAwMDAwIG4gCjAwMDAwNzI3NzUgMDAwMDAgbiAKMDAwMDA3Mjk1NyAwMDAwMCBuIAowMDAw MDczMTQ2IDAwMDAwIG4gCjAwMDAwNzMzMzAgMDAwMDAgbiAKMDAwMDA3MzUyNiAwMDAwMCBuIAow MDAwMDczNzI5IDAwMDAwIG4gCjAwMDAwNzM5NDMgMDAwMDAgbiAKMDAwMDA3NDkzMyAwMDAwMCBu IAowMDAwMDgyNDY5IDAwMDAwIG4gCjAwMDAwNzQyODEgMDAwMDAgbiAKMDAwMDA3NDQ4MCAwMDAw MCBuIAowMDAwMDgzMjQyIDAwMDAwIG4gCjAwMDAwODI0OTEgMDAwMDAgbiAKMDAwMDA4Mjc0OCAw MDAwMCBuIAowMDAwMDgyOTgwIDAwMDAwIG4gCjAwMDAwODM2MTQgMDAwMDAgbiAKMDAwMDA4OTI4 NiAwMDAwMCBuIAowMDAwMDgzMzY4IDAwMDAwIG4gCjAwMDAwODM1NjkgMDAwMDAgbiAKMDAwMDA5 MTAzMiAwMDAwMCBuIAowMDAwMDg5MzA4IDAwMDAwIG4gCjAwMDAwODk1NjUgMDAwMDAgbiAKMDAw MDA4OTc5NyAwMDAwMCBuIAowMDAwMDkwMDU0IDAwMDAwIG4gCjAwMDAwOTAzMTEgMDAwMDAgbiAK MDAwMDA5MDU0MyAwMDAwMCBuIAowMDAwMDkwNzc1IDAwMDAwIG4gCjAwMDAwOTE0MzYgMDAwMDAg biAKMDAwMDA5NjY1MSAwMDAwMCBuIAowMDAwMDkxMTU4IDAwMDAwIG4gCjAwMDAwOTEzNTkgMDAw MDAgbiAKMDAwMDEwODYwNSAwMDAwMCBuIAowMDAwMDk2NjczIDAwMDAwIG4gCjAwMDAwOTY3Mjcg MDAwMDAgbiAKMDAwMDA5Njc4MSAwMDAwMCBuIAowMDAwMDk3MDA5IDAwMDAwIG4gCjAwMDAwOTcx OTUgMDAwMDAgbiAKMDAwMDA5NzM4MSAwMDAwMCBuIAowMDAwMDk3NTYzIDAwMDAwIG4gCjAwMDAw OTc3NDYgMDAwMDAgbiAKMDAwMDA5NzkyNCAwMDAwMCBuIAowMDAwMTAzMjg3IDAwMDAwIG4gCjAw MDAxMDMwMDcgMDAwMDAgbiAKMDAwMDA5ODExNSAwMDAwMCBuIAowMDAwMDk4MjMyIDAwMDAwIG4g CjAwMDAwOTgzODcgMDAwMDAgbiAKMDAwMDA5ODUzNiAwMDAwMCBuIAowMDAwMDk4Njg3IDAwMDAw IG4gCjAwMDAwOTg4MzYgMDAwMDAgbiAKMDAwMDA5OTAwOSAwMDAwMCBuIAowMDAwMDk5MTYwIDAw MDAwIG4gCjAwMDAwOTkzMDUgMDAwMDAgbiAKMDAwMDA5OTQ3NCAwMDAwMCBuIAowMDAwMDk5Njcx IDAwMDAwIG4gCjAwMDAwOTk4NTQgMDAwMDAgbiAKMDAwMDEwMDAyMSAwMDAwMCBuIAowMDAwMTAw MjMwIDAwMDAwIG4gCjAwMDAxMDAzODEgMDAwMDAgbiAKMDAwMDEwMDU1MiAwMDAwMCBuIAowMDAw MTAwNzEzIDAwMDAwIG4gCjAwMDAxMDA4NzcgMDAwMDAgbiAKMDAwMDEwMTA1OSAwMDAwMCBuIAow MDAwMTAxMjIzIDAwMDAwIG4gCjAwMDAxMDE0MjUgMDAwMDAgbiAKMDAwMDEwMTYzMSAwMDAwMCBu IAowMDAwMTAxODI5IDAwMDAwIG4gCjAwMDAxMDIwMzEgMDAwMDAgbiAKMDAwMDEwMjE3NyAwMDAw MCBuIAowMDAwMTAyMzQ1IDAwMDAwIG4gCjAwMDAxMDI1MTcgMDAwMDAgbiAKMDAwMDEwMjY5MyAw MDAwMCBuIAowMDAwMTAyODY5IDAwMDAwIG4gCjAwMDAxMDMzNTMgMDAwMDAgbiAKMDAwMDEwODk5 NSAwMDAwMCBuIAowMDAwMTEyOTEyIDAwMDAwIG4gCjAwMDAxMDg3MzEgMDAwMDAgbiAKMDAwMDEw ODkxOCAwMDAwMCBuIAowMDAwMTEyOTM0IDAwMDAwIG4gCjAwMDAxMTMyMDAgMDAwMDAgbiAKMDAw MDExODc2MCAwMDAwMCBuIAowMDAwMTE5MTQ0IDAwMDAwIG4gCjAwMDAxMTg3MzggMDAwMDAgbiAK MDAwMDExOTk4OSAwMDAwMCBuIAowMDAwMTIwMjU2IDAwMDAwIG4gCjAwMDAxMjQ1NTMgMDAwMDAg biAKMDAwMDEyNDc3OCAwMDAwMCBuIAowMDAwMTI0NTMxIDAwMDAwIG4gCjAwMDAxMjUzNDIgMDAw MDAgbiAKMDAwMDEyNTU1MyAwMDAwMCBuIAowMDAwMTMwMzMwIDAwMDAwIG4gCjAwMDAxMzA3NzUg MDAwMDAgbiAKMDAwMDEzMDMwOCAwMDAwMCBuIAowMDAwMTMxNzI2IDAwMDAwIG4gCjAwMDAxMzIw MDAgMDAwMDAgbiAKMDAwMDE0MDYzOCAwMDAwMCBuIAowMDAwMTQxMTY4IDAwMDAwIG4gCjAwMDAx NDA2MTYgMDAwMDAgbiAKMDAwMDE0MjI1OSAwMDAwMCBuIAowMDAwMTQyNTI1IDAwMDAwIG4gCjAw MDAxNTAzMzMgMDAwMDAgbiAKMDAwMDE1MDU0NiAwMDAwMCBuIAowMDAwMTUwMzExIDAwMDAwIG4g CjAwMDAxNTE1NjcgMDAwMDAgbiAKMDAwMDE1MTg0MiAwMDAwMCBuIAowMDAwMTYwNTM0IDAwMDAw IG4gCjAwMDAxNjExMDcgMDAwMDAgbiAKMDAwMDE2MDUxMiAwMDAwMCBuIAp0cmFpbGVyCjw8Ci9T aXplIDM1NwovSW5mbyAxIDAgUgovUm9vdCAzMjIgMCBSCj4+CnN0YXJ0eHJlZgoxNjI0NjgKJSVF T0YK --_007_4E1F6AAD24975D4BA5B16804296739435F763122TK5EX14MBXC283r_ Content-Type: text/xml; name="draft-ietf-oauth-v2-bearer-15 preliminary.xml" Content-Description: draft-ietf-oauth-v2-bearer-15 preliminary.xml Content-Disposition: attachment; filename="draft-ietf-oauth-v2-bearer-15 preliminary.xml"; size=48682; creation-date="Mon, 12 Dec 2011 16:33:14 GMT"; modification-date="Mon, 12 Dec 2011 16:04:21 GMT" Content-Transfer-Encoding: base64 PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnID8+CjwhRE9DVFlQRSByZmMgU1lT VEVNICdyZmMyNjI5LmR0ZCc+Cjw/eG1sLXN0eWxlc2hlZXQgdHlwZT0ndGV4dC94c2wnIGhyZWY9 J3JmYzI2MjkueHNsdCcgPz4KCjxyZmMgY2F0ZWdvcnk9J3N0ZCcgaXByPSd0cnVzdDIwMDkwMicg ZG9jTmFtZT0nZHJhZnQtaWV0Zi1vYXV0aC12Mi1iZWFyZXItMTUnPgogIDw/cmZjIHN0cmljdD0n eWVzJyA/PgogIDw/cmZjIHRvYz0neWVzJyA/PgogIDw/cmZjIHRvY2RlcHRoPSczJyA/PgogIDw/ cmZjIHN5bXJlZnM9J3llcycgPz4KICA8P3JmYyBzb3J0cmVmcz0neWVzJyA/PgogIDw/cmZjIGNv bXBhY3Q9J3llcycgPz4KICA8P3JmYyBzdWJjb21wYWN0PSdubycgPz4KCiAgPGZyb250PgogICAg PHRpdGxlIGFiYnJldj0nT0F1dGggMi4wIEJlYXJlciBUb2tlbnMnPlRoZSBPQXV0aCAyLjAgQXV0 aG9yaXphdGlvbiBQcm90b2NvbDogQmVhcmVyIFRva2VuczwvdGl0bGU+CgogICAgPGF1dGhvciBm dWxsbmFtZT0iTWljaGFlbCBCLiBKb25lcyIgc3VybmFtZT0iSm9uZXMiIGluaXRpYWxzPSJNLkIu Ij4gPCEtLSByb2xlPSJlZGl0b3IiIC0tPgogICAgICA8b3JnYW5pemF0aW9uPk1pY3Jvc29mdDwv b3JnYW5pemF0aW9uPgogICAgICA8YWRkcmVzcz4KICAgICAgICA8ZW1haWw+bWJqQG1pY3Jvc29m dC5jb208L2VtYWlsPgogICAgICAgIDx1cmk+aHR0cDovL3NlbGYtaXNzdWVkLmluZm8vPC91cmk+ CiAgICAgIDwvYWRkcmVzcz4KICAgIDwvYXV0aG9yPgogICAgPGF1dGhvciBmdWxsbmFtZT0nRGlj ayBIYXJkdCcgc3VybmFtZT0nSGFyZHQnIGluaXRpYWxzPSdEJz4KICAgICAgPG9yZ2FuaXphdGlv bj5pbmRlcGVuZGVudDwvb3JnYW5pemF0aW9uPgogICAgICA8YWRkcmVzcz4KICAgICAgICA8ZW1h aWw+ZGljay5oYXJkdEBnbWFpbC5jb208L2VtYWlsPgogICAgICAgIDx1cmk+aHR0cDovL2RpY2to YXJkdC5vcmcvPC91cmk+CiAgICAgIDwvYWRkcmVzcz4KICAgIDwvYXV0aG9yPgogICAgPGF1dGhv ciBmdWxsbmFtZT0nRGF2aWQgUmVjb3Jkb24nIHN1cm5hbWU9J1JlY29yZG9uJyBpbml0aWFscz0n RCc+CiAgICAgIDxvcmdhbml6YXRpb24+RmFjZWJvb2s8L29yZ2FuaXphdGlvbj4KICAgICAgPGFk ZHJlc3M+CiAgICAgICAgPGVtYWlsPmRyQGZiLmNvbTwvZW1haWw+CiAgICAgICAgPHVyaT5odHRw Oi8vd3d3LmRhdmlkcmVjb3Jkb24uY29tLzwvdXJpPgogICAgICA8L2FkZHJlc3M+CiAgICA8L2F1 dGhvcj4KCiAgICA8ZGF0ZSB5ZWFyPSIyMDExIiBtb250aD0iRGVjZW1iZXIiIGRheT0iMTIiIC8+ CgogICAgPGFic3RyYWN0PgogICAgICA8dD4KICAgICAgICBUaGlzIHNwZWNpZmljYXRpb24gZGVz Y3JpYmVzIGhvdyB0byB1c2UgYmVhcmVyIHRva2VucyBpbiBIVFRQCiAgICAgICAgcmVxdWVzdHMg dG8gYWNjZXNzIE9BdXRoIDIuMCBwcm90ZWN0ZWQgcmVzb3VyY2VzLiAgQW55IHBhcnR5CiAgICAg ICAgaW4gcG9zc2Vzc2lvbiBvZiBhIGJlYXJlciB0b2tlbiAoYSAiYmVhcmVyIikgY2FuIHVzZSBp dCB0byBnZXQKICAgICAgICBhY2Nlc3MgdG8gdGhlIGFzc29jaWF0ZWQgcmVzb3VyY2VzICh3aXRo b3V0IGRlbW9uc3RyYXRpbmcgcG9zc2Vzc2lvbgogICAgICAgIG9mIGEgY3J5cHRvZ3JhcGhpYyBr ZXkpLiAgVG8gcHJldmVudCBtaXN1c2UsIGJlYXJlciB0b2tlbnMKICAgICAgICBuZWVkIHRvIGJl IHByb3RlY3RlZCBmcm9tIGRpc2Nsb3N1cmUgaW4gc3RvcmFnZSBhbmQgaW4gdHJhbnNwb3J0Lgog ICAgICA8L3Q+CiAgICA8L2Fic3RyYWN0PgogIDwvZnJvbnQ+CgogIDxtaWRkbGU+CgogICAgPHNl Y3Rpb24gdGl0bGU9J0ludHJvZHVjdGlvbic+CiAgICAgIDx0PgogICAgICAgIE9BdXRoIGVuYWJs ZXMgY2xpZW50cyB0byBhY2Nlc3MgcHJvdGVjdGVkIHJlc291cmNlcyBieQogICAgICAgIG9idGFp bmluZyBhbiBhY2Nlc3MgdG9rZW4sIHdoaWNoIGlzIGRlZmluZWQgaW4KCU9BdXRoIDIuMCBBdXRo b3JpemF0aW9uIDx4cmVmIHRhcmdldD0iSS1ELmlldGYtb2F1dGgtdjIiLz4KCWFzICJhIHN0cmlu ZyByZXByZXNlbnRpbmcgYW4gYWNjZXNzCiAgICAgICAgYXV0aG9yaXphdGlvbiBpc3N1ZWQgdG8g dGhlIGNsaWVudCIsIHJhdGhlciB0aGFuIHVzaW5nIHRoZQogICAgICAgIHJlc291cmNlIG93bmVy J3MgY3JlZGVudGlhbHMgZGlyZWN0bHkuCiAgICAgIDwvdD4KICAgICAgPHQ+CiAgICAgICAgVG9r ZW5zIGFyZSBpc3N1ZWQgdG8gY2xpZW50cyBieSBhbiBhdXRob3JpemF0aW9uIHNlcnZlciB3aXRo IHRoZSBhcHByb3ZhbCBvZgogICAgICAgIHRoZSByZXNvdXJjZSBvd25lci4gVGhlIGNsaWVudCB1 c2VzIHRoZSBhY2Nlc3MgdG9rZW4gdG8gYWNjZXNzIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2VzCiAg ICAgICAgaG9zdGVkIGJ5IHRoZSByZXNvdXJjZSBzZXJ2ZXIuIFRoaXMgc3BlY2lmaWNhdGlvbiBk ZXNjcmliZXMgaG93IHRvIG1ha2UgcHJvdGVjdGVkIHJlc291cmNlCiAgICAgICAgcmVxdWVzdHMg d2hlbiB0aGUgT0F1dGggYWNjZXNzIHRva2VuIGlzIGEgYmVhcmVyIHRva2VuLgogICAgICA8L3Q+ CiAgICAgIDx0PgogICAgICAgIFRoaXMgc3BlY2lmaWNhdGlvbiBkZWZpbmVzIHRoZSB1c2Ugb2Yg YmVhcmVyIHRva2VucyBvdmVyCiAgICAgICAgSFRUUC8xLjEgPHhyZWYgdGFyZ2V0PSdJLUQuaWV0 Zi1odHRwYmlzLXAxLW1lc3NhZ2luZycgLz4KCXVzaW5nCglUTFMgPHhyZWYgdGFyZ2V0PSdSRkM1 MjQ2JyAvPiB0byBhY2Nlc3MgcHJvdGVjdGVkIHJlc291cmNlcy4KCVRMUyBpcyBtYW5kYXRvcnkg dG8gaW1wbGVtZW50CiAgICAgICAgYW5kIHVzZSB3aXRoIHRoaXMgc3BlY2lmaWNhdGlvbjsgb3Ro ZXIgc3BlY2lmaWNhdGlvbnMgbWF5CiAgICAgICAgZXh0ZW5kIHRoaXMgc3BlY2lmaWNhdGlvbiBm b3IgdXNlIHdpdGggb3RoZXIgdHJhbnNwb3J0CiAgICAgICAgcHJvdG9jb2xzLgoJV2hpbGUgZGVz aWduZWQgZm9yIHVzZSB3aXRoIGFjY2VzcyB0b2tlbnMgcmVzdWx0aW5nIGZyb20KCU9BdXRoIDIu MCBBdXRob3JpemF0aW9uIDx4cmVmIHRhcmdldD0iSS1ELmlldGYtb2F1dGgtdjIiIC8+CglmbG93 cyB0byBhY2Nlc3MgT0F1dGggcHJvdGVjdGVkIHJlc291cmNlcywgdGhpcwoJc3BlY2lmaWNhdGlv biBhY3R1YWxseSBkZWZpbmVzIGEgZ2VuZXJhbCBIVFRQIGF1dGhvcml6YXRpb24KCW1ldGhvZCB0 aGF0IGNhbiBiZSB1c2VkIHdpdGggYmVhcmVyIHRva2VucyBmcm9tIGFueSBzb3VyY2UKCXRvIGFj Y2VzcyBhbnkgcmVzb3VyY2VzIHByb3RlY3RlZCBieSB0aG9zZSBiZWFyZXIgdG9rZW5zLgogICAg ICA8L3Q+CgogICAgICA8c2VjdGlvbiB0aXRsZT0nTm90YXRpb25hbCBDb252ZW50aW9ucyc+CiAg ICAgICAgPHQ+CiAgICAgICAgICBUaGUga2V5IHdvcmRzICdNVVNUJywgJ01VU1QgTk9UJywgJ1JF UVVJUkVEJywgJ1NIQUxMJywgJ1NIQUxMIE5PVCcsICdTSE9VTEQnLCAnU0hPVUxECiAgICAgICAg ICBOT1QnLCAnUkVDT01NRU5ERUQnLCAnTUFZJywgYW5kICdPUFRJT05BTCcgaW4gdGhpcyBkb2N1 bWVudCBhcmUgdG8gYmUgaW50ZXJwcmV0ZWQgYXMKICAgICAgICAgIGRlc2NyaWJlZCBpbgoJICBL ZXkgd29yZHMgZm9yIHVzZSBpbiBSRkNzIHRvIEluZGljYXRlIFJlcXVpcmVtZW50IExldmVscyA8 eHJlZiB0YXJnZXQ9J1JGQzIxMTknIC8+LgogICAgICAgIDwvdD4KICAgICAgICA8dD4KICAgICAg ICAgIFRoaXMgZG9jdW1lbnQgdXNlcyB0aGUgQXVnbWVudGVkIEJhY2t1cy1OYXVyIEZvcm0gKEFC TkYpCiAgICAgICAgICBub3RhdGlvbiBvZgoJICBIVFRQLzEuMSwgUGFydCAxIDx4cmVmIHRhcmdl dD0nSS1ELmlldGYtaHR0cGJpcy1wMS1tZXNzYWdpbmcnIC8+LAogICAgICAgICAgd2hpY2ggaXMg YmFzZWQgdXBvbiB0aGUKCSAgQXVnbWVudGVkIEJhY2t1cy1OYXVyIEZvcm0gKEFCTkYpIDx4cmVm IHRhcmdldD0nUkZDNTIzNCcgLz4KCSAgbm90YXRpb24uICBBZGRpdGlvbmFsbHksIHRoZSBmb2xs b3dpbmcgcnVsZXMgYXJlIGluY2x1ZGVkIGZyb20KCSAgSFRUUC8xLjEsIFBhcnQgNyA8eHJlZiB0 YXJnZXQ9J0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aCcgLz46CgkgIGI2NHRva2VuLCBhdXRoLXBh cmFtLCBhbmQgcmVhbG07IGZyb20KCSAgSFRUUC8xLjEsIFBhcnQgMSA8eHJlZiB0YXJnZXQ9J0kt RC5pZXRmLWh0dHBiaXMtcDEtbWVzc2FnaW5nJyAvPjoKCSAgcXVvdGVkLXN0cmluZzsgYW5kIGZy b20KCSAgVW5pZm9ybSBSZXNvdXJjZSBJZGVudGlmaWVyIChVUkkpIDx4cmVmIHRhcmdldD0nUkZD Mzk4NicgLz46CgkgIFVSSS1SZWZlcmVuY2UuCiAgICAgICAgPC90PgogICAgICAgIDx0PgogICAg ICAgICAgVW5sZXNzIG90aGVyd2lzZSBub3RlZCwgYWxsIHRoZSBwcm90b2NvbCBwYXJhbWV0ZXIg bmFtZXMgYW5kIHZhbHVlcyBhcmUgY2FzZSBzZW5zaXRpdmUuCiAgICAgICAgPC90PgogICAgICA8 L3NlY3Rpb24+CgogICAgICA8c2VjdGlvbiB0aXRsZT0nVGVybWlub2xvZ3knPgogICAgICAgIDx0 PgogICAgICAgICAgPGxpc3Qgc3R5bGU9J2hhbmdpbmcnPgogICAgICAgICAgICA8dCBoYW5nVGV4 dD0iQmVhcmVyIFRva2VuIj4KICAgICAgICAgICAgICA8dnNwYWNlIC8+CiAgICAgICAgICAgICAg QSBzZWN1cml0eSB0b2tlbiB3aXRoIHRoZSBwcm9wZXJ0eSB0aGF0IGFueSBwYXJ0eSBpbgogICAg ICAgICAgICAgIHBvc3Nlc3Npb24gb2YgdGhlIHRva2VuIChhICJiZWFyZXIiKSBjYW4gdXNlIHRo ZSB0b2tlbgogICAgICAgICAgICAgIGluIGFueSB3YXkgdGhhdCBhbnkgb3RoZXIgcGFydHkgaW4g cG9zc2Vzc2lvbiBvZiBpdCBjYW4uCiAgICAgICAgICAgICAgVXNpbmcgYSBiZWFyZXIgdG9rZW4g ZG9lcyBub3QgcmVxdWlyZSBhIGJlYXJlciB0byBwcm92ZQogICAgICAgICAgICAgIHBvc3Nlc3Np b24gb2YgY3J5cHRvZ3JhcGhpYyBrZXkgbWF0ZXJpYWwKICAgICAgICAgICAgICAocHJvb2Ytb2Yt cG9zc2Vzc2lvbikuCiAgICAgICAgICAgIDwvdD4KICAgICAgICAgIDwvbGlzdD4KICAgICAgICA8 L3Q+CiAgICAgICAgPHQ+CiAgICAgICAgICBBbGwgb3RoZXIgdGVybXMgYXJlIGFzIGRlZmluZWQg aW4KCSAgT0F1dGggMi4wIEF1dGhvcml6YXRpb24gPHhyZWYgdGFyZ2V0PSJJLUQuaWV0Zi1vYXV0 aC12MiIgLz4uCiAgICAgICAgPC90PgogICAgICA8L3NlY3Rpb24+CgogICAgICA8c2VjdGlvbiB0 aXRsZT0nT3ZlcnZpZXcnPgogICAgICAgIDx0PgogICAgICAgICAgT0F1dGggcHJvdmlkZXMgYSBt ZXRob2QgZm9yIGNsaWVudHMgdG8gYWNjZXNzIGEgcHJvdGVjdGVkIHJlc291cmNlIG9uIGJlaGFs ZiBvZiBhCiAgICAgICAgICByZXNvdXJjZSBvd25lci4gSW4gdGhlIGdlbmVyYWwgY2FzZSwKCSAg YmVmb3JlIGEgY2xpZW50IGNhbiBhY2Nlc3MgYSBwcm90ZWN0ZWQgcmVzb3VyY2UsIGl0IG11c3Qg Zmlyc3Qgb2J0YWluCiAgICAgICAgICBhbiBhdXRob3JpemF0aW9uIGdyYW50IGZyb20gdGhlIHJl c291cmNlIG93bmVyIGFuZCB0aGVuIGV4Y2hhbmdlIHRoZSBhdXRob3JpemF0aW9uIGdyYW50IGZv cgogICAgICAgICAgYW4gYWNjZXNzIHRva2VuLgoJICBUaGUgYWNjZXNzIHRva2VuIHJlcHJlc2Vu dHMgdGhlIGdyYW50J3Mgc2NvcGUsIGR1cmF0aW9uLCBhbmQKCSAgb3RoZXIgYXR0cmlidXRlcyBn cmFudGVkIGJ5IHRoZSBhdXRob3JpemF0aW9uIGdyYW50LiBUaGUKCSAgY2xpZW50IGFjY2Vzc2Vz IHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UgYnkgcHJlc2VudGluZyB0aGUKCSAgYWNjZXNzIHRva2Vu IHRvIHRoZSByZXNvdXJjZSBzZXJ2ZXIuCgkgIEluIHNvbWUgY2FzZXMsIGEgY2xpZW50IGNhbiBk aXJlY3RseSBwcmVzZW50IGl0cyBvd24KCSAgY3JlZGVudGlhbHMgdG8gYW4gYXV0aG9yaXphdGlv biBzZXJ2ZXIgdG8gb2J0YWluIGFuIGFjY2VzcwoJICB0b2tlbiB3aXRob3V0IGhhdmluZyB0byBm aXJzdCBvYnRhaW4gYW4gYXV0aG9yaXphdGlvbiBncmFudCBmcm9tIGEKCSAgcmVzb3VyY2Ugb3du ZXIuCiAgICAgICAgPC90PgogICAgICAgIDx0PgogICAgICAgICAgVGhlIGFjY2VzcyB0b2tlbiBw cm92aWRlcyBhbiBhYnN0cmFjdGlvbiwgcmVwbGFjaW5nIGRpZmZlcmVudCBhdXRob3JpemF0aW9u CiAgICAgICAgICBjb25zdHJ1Y3RzIChlLmcuIHVzZXJuYW1lIGFuZCBwYXNzd29yZCwgYXNzZXJ0 aW9uKSBmb3IgYSBzaW5nbGUgdG9rZW4gdW5kZXJzdG9vZCBieSB0aGUKICAgICAgICAgIHJlc291 cmNlIHNlcnZlci4gVGhpcyBhYnN0cmFjdGlvbiBlbmFibGVzIGlzc3VpbmcgYWNjZXNzIHRva2Vu cyB2YWxpZCBmb3IgYSBzaG9ydCB0aW1lCiAgICAgICAgICBwZXJpb2QsIGFzIHdlbGwgYXMgcmVt b3ZpbmcgdGhlIHJlc291cmNlIHNlcnZlcidzIG5lZWQgdG8gdW5kZXJzdGFuZCBhIHdpZGUgcmFu Z2Ugb2YKICAgICAgICAgIGF1dGhlbnRpY2F0aW9uIHNjaGVtZXMuCiAgICAgICAgPC90PgogICAg ICAgIDxmaWd1cmUgdGl0bGU9J0Fic3RyYWN0IFByb3RvY29sIEZsb3cnIGFuY2hvcj0nRmlndXJl LTEnPgogICAgICAgICAgPGFydHdvcms+CjwhW0NEQVRBWystLS0tLS0tLSsgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgKy0tLS0tLS0tLS0tLS0tLSsKfCAgICAgICAgfC0tKEEpLSBBdXRo b3JpemF0aW9uIFJlcXVlc3QgLT58ICAgUmVzb3VyY2UgICAgfAp8ICAgICAgICB8ICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgIHwgICAgIE93bmVyICAgICB8CnwgICAgICAgIHw8LShCKS0t IEF1dGhvcml6YXRpb24gR3JhbnQgLS0tfCAgICAgICAgICAgICAgIHwKfCAgICAgICAgfCAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICArLS0tLS0tLS0tLS0tLS0tKwp8ICAgICAgICB8Cnwg ICAgICAgIHwgICAgICAgIEF1dGhvcml6YXRpb24gR3JhbnQgJiAgKy0tLS0tLS0tLS0tLS0tLSsK fCAgICAgICAgfC0tKEMpLS0tIENsaWVudCBDcmVkZW50aWFscyAtLT58IEF1dGhvcml6YXRpb24g fAp8IENsaWVudCB8ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwgICAgIFNlcnZlciAg ICB8CnwgICAgICAgIHw8LShEKS0tLS0tIEFjY2VzcyBUb2tlbiAtLS0tLS0tfCAgICAgICAgICAg ICAgIHwKfCAgICAgICAgfCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICArLS0tLS0tLS0t LS0tLS0tKwp8ICAgICAgICB8CnwgICAgICAgIHwgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgKy0tLS0tLS0tLS0tLS0tLSsKfCAgICAgICAgfC0tKEUpLS0tLS0gQWNjZXNzIFRva2VuIC0t LS0tLT58ICAgIFJlc291cmNlICAgfAp8ICAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIHwgICAgIFNlcnZlciAgICB8CnwgICAgICAgIHw8LShGKS0tLSBQcm90ZWN0ZWQgUmVz b3VyY2UgLS0tfCAgICAgICAgICAgICAgIHwKKy0tLS0tLS0tKyAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICArLS0tLS0tLS0tLS0tLS0tK11dPgogICAgICAgICAgPC9hcnR3b3JrPgogICAg ICAgIDwvZmlndXJlPgogICAgICAgIDx0PgogICAgICAgICAgVGhlIGFic3RyYWN0IGZsb3cgaWxs dXN0cmF0ZWQgaW4gPHhyZWYgdGFyZ2V0PSdGaWd1cmUtMScgLz4gZGVzY3JpYmVzIHRoZSBvdmVy YWxsCiAgICAgICAgICBPQXV0aCAyLjAgcHJvdG9jb2wgYXJjaGl0ZWN0dXJlLiBUaGUgZm9sbG93 aW5nIHN0ZXBzIGFyZSBzcGVjaWZpZWQgd2l0aGluIHRoaXMKICAgICAgICAgIGRvY3VtZW50OgoK ICAgICAgICAgIDxsaXN0PgogICAgICAgICAgICA8dD4KICAgICAgICAgICAgICBFKSBUaGUgY2xp ZW50IG1ha2VzIGEgcHJvdGVjdGVkIHJlc291cmNlIHJlcXVlc3QgdG8gdGhlIHJlc291cmNlIHNl cnZlciBieSBwcmVzZW50aW5nCiAgICAgICAgICAgICAgdGhlIGFjY2VzcyB0b2tlbi4KICAgICAg ICAgICAgPC90PgogICAgICAgICAgICA8dD4KICAgICAgICAgICAgICBGKSBUaGUgcmVzb3VyY2Ug c2VydmVyIHZhbGlkYXRlcyB0aGUgYWNjZXNzIHRva2VuLCBhbmQgaWYgdmFsaWQsIHNlcnZlcyB0 aGUgcmVxdWVzdC4KICAgICAgICAgICAgPC90PgogICAgICAgICAgPC9saXN0PgogICAgICAgIDwv dD4KICAgICAgPC9zZWN0aW9uPgogICAgPC9zZWN0aW9uPgoKICAgIDxzZWN0aW9uIHRpdGxlPSdB dXRoZW50aWNhdGVkIFJlcXVlc3RzJz4KICAgICAgPHQ+CglUaGlzIHNlY3Rpb24gZGVmaW5lcyB0 aHJlZQoJbWV0aG9kcyBvZiBzZW5kaW5nIGJlYXJlciBhY2Nlc3MgdG9rZW5zIGluIHJlc291cmNl IHJlcXVlc3RzCgl0byByZXNvdXJjZSBzZXJ2ZXJzLiAgQ2xpZW50cyBNVVNUIE5PVCB1c2UgbW9y ZSB0aGFuIG9uZQoJbWV0aG9kIHRvIHRyYW5zbWl0IHRoZSB0b2tlbiBpbiBlYWNoIHJlcXVlc3Qu CiAgICAgIDwvdD4KCiAgICAgIDxzZWN0aW9uIHRpdGxlPSdBdXRob3JpemF0aW9uIFJlcXVlc3Qg SGVhZGVyIEZpZWxkJyBhbmNob3I9J2F1dGh6LWhlYWRlcic+CiAgICAgICAgPHQ+CgkgIFdoZW4g c2VuZGluZyB0aGUgYWNjZXNzIHRva2VuIGluIHRoZSA8c3BhbngKCSAgc3R5bGU9J3ZlcmInPkF1 dGhvcml6YXRpb248L3NwYW54PiByZXF1ZXN0IGhlYWRlciBmaWVsZAoJICBkZWZpbmVkIGJ5Cgkg IEhUVFAvMS4xLCBQYXJ0IDcgPHhyZWYgdGFyZ2V0PSdJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgn IC8+LAoJICB0aGUKCSAgY2xpZW50IHVzZXMgdGhlIDxzcGFueCBzdHlsZT0ndmVyYic+QmVhcmVy PC9zcGFueD4KCSAgYXV0aGVudGljYXRpb24gc2NoZW1lIHRvIHRyYW5zbWl0IHRoZSBhY2Nlc3Mg dG9rZW4uCiAgICAgICAgPC90PgogICAgICAgIDxmaWd1cmU+CiAgICAgICAgICA8cHJlYW1ibGU+ CiAgICAgICAgICAgIEZvciBleGFtcGxlOgogICAgICAgICAgPC9wcmVhbWJsZT4KICAgICAgICAg IDxhcnR3b3JrPgo8IVtDREFUQVtHRVQgL3Jlc291cmNlIEhUVFAvMS4xCkhvc3Q6IHNlcnZlci5l eGFtcGxlLmNvbQpBdXRob3JpemF0aW9uOiBCZWFyZXIgdkY5ZGZ0NHFtVF1dPgogICAgICAgICAg PC9hcnR3b3JrPgogICAgICAgIDwvZmlndXJlPgogICAgICAgIDx0PgogICAgICAgICAgVGhlIDxz cGFueCBzdHlsZT0ndmVyYic+QXV0aG9yaXphdGlvbjwvc3Bhbng+IGhlYWRlciBmaWVsZCB1c2Vz IHRoZSBmcmFtZXdvcmsgZGVmaW5lZCBieQogICAgICAgICAgSFRUUC8xLjEsIFBhcnQgNyA8eHJl ZiB0YXJnZXQ9J0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aCcgLz4KCSAgYXMgZm9sbG93czoKICAg ICAgICA8L3Q+CiAgICAgICAgPGZpZ3VyZT4KICAgICAgICAgIDxhcnR3b3JrPgo8IVtDREFUQVtj cmVkZW50aWFscyA9ICJCZWFyZXIiIDEqU1AgYjY0dG9rZW5dXT4KICAgICAgICAgIDwvYXJ0d29y az4KICAgICAgICA8L2ZpZ3VyZT4KCTx0PgoJICBUaGUgYjY0dG9rZW4gc3ludGF4IHdhcyBjaG9z ZW4gb3ZlciB0aGUgYWx0ZXJuYXRpdmUKCSAgI2F1dGgtcGFyYW0gc3ludGF4IGFsc28gZGVmaW5l ZCBieQoJICBIVFRQLzEuMSwgUGFydCA3IDx4cmVmIHRhcmdldD0nSS1ELmlldGYtaHR0cGJpcy1w Ny1hdXRoJyAvPgoJICBib3RoIGZvciBzaW1wbGljaXR5CgkgIGFuZCBmb3IgY29tcGF0aWJpbGl0 eSB3aXRoIGV4aXN0aW5nIGltcGxlbWVudGF0aW9ucy4KCSAgSWYgYWRkaXRpb25hbCBwYXJhbWV0 ZXJzIGFyZSBuZWVkZWQgaW4gdGhlIGZ1dHVyZSwgYQoJICBkaWZmZXJlbnQgc2NoZW1lIHdvdWxk IG5lZWQgdG8gYmUgZGVmaW5lZC4KCTwvdD4KCTx0PgoJICBDbGllbnRzIFNIT1VMRCBtYWtlIGF1 dGhlbnRpY2F0ZWQgcmVxdWVzdHMgd2l0aCBhIGJlYXJlcgoJICB0b2tlbiB1c2luZyB0aGUgPHNw YW54IHN0eWxlPSd2ZXJiJz5BdXRob3JpemF0aW9uPC9zcGFueD4KCSAgcmVxdWVzdCBoZWFkZXIg ZmllbGQgd2l0aCB0aGUgPHNwYW54CgkgIHN0eWxlPSd2ZXJiJz5CZWFyZXI8L3NwYW54PiBIVFRQ IGF1dGhvcml6YXRpb24gc2NoZW1lLgoJICBSZXNvdXJjZSBzZXJ2ZXJzIE1VU1Qgc3VwcG9ydCB0 aGlzIG1ldGhvZC4KCTwvdD4KICAgICAgPC9zZWN0aW9uPgoKICAgICAgPHNlY3Rpb24gdGl0bGU9 J0Zvcm0tRW5jb2RlZCBCb2R5IFBhcmFtZXRlcicgYW5jaG9yPSdib2R5LXBhcmFtJz4KICAgICAg ICA8dD4KICAgICAgICAgIFdoZW4gc2VuZGluZyB0aGUgYWNjZXNzIHRva2VuIGluIHRoZSBIVFRQ IHJlcXVlc3QKICAgICAgICAgIGVudGl0eS1ib2R5LCB0aGUgY2xpZW50IGFkZHMgdGhlIGFjY2Vz cyB0b2tlbiB0byB0aGUgcmVxdWVzdAogICAgICAgICAgYm9keSB1c2luZyB0aGUgPHNwYW54IHN0 eWxlPSd2ZXJiJz5hY2Nlc3NfdG9rZW48L3NwYW54PgogICAgICAgICAgcGFyYW1ldGVyLiAgVGhl IGNsaWVudCBNVVNUIE5PVCB1c2UgdGhpcyBtZXRob2QgdW5sZXNzCgkgIGFsbCBvZiB0aGUgZm9s bG93aW5nIGNvbmRpdGlvbnMgYXJlIG1ldDoKICAgICAgICAgIDxsaXN0IHN0eWxlPSdzeW1ib2xz Jz4KICAgICAgICAgICAgPHQ+CiAgICAgICAgICAgICAgVGhlIEhUVFAgcmVxdWVzdCBlbnRpdHkt Ym9keSBpcyBzaW5nbGUtcGFydC4KICAgICAgICAgICAgPC90PgogICAgICAgICAgICA8dD4KICAg ICAgICAgICAgICBUaGUgZW50aXR5LWJvZHkgZm9sbG93cyB0aGUgZW5jb2RpbmcgcmVxdWlyZW1l bnRzIG9mIHRoZQogICAgICAgICAgICAgIDxzcGFueCBzdHlsZT0ndmVyYic+YXBwbGljYXRpb24v eC13d3ctZm9ybS11cmxlbmNvZGVkPC9zcGFueD4gY29udGVudC10eXBlIGFzCiAgICAgICAgICAg ICAgZGVmaW5lZCBieQoJICAgICAgSFRNTCA0LjAxIDx4cmVmIHRhcmdldD0nVzNDLlJFQy1odG1s NDAxLTE5OTkxMjI0JyAvPi4KICAgICAgICAgICAgPC90PgogICAgICAgICAgICA8dD4KICAgICAg ICAgICAgICBUaGUgSFRUUCByZXF1ZXN0IGVudGl0eS1oZWFkZXIgaW5jbHVkZXMgdGhlIDxzcGFu eCBzdHlsZT0ndmVyYic+Q29udGVudC1UeXBlPC9zcGFueD4KICAgICAgICAgICAgICBoZWFkZXIg ZmllbGQgc2V0IHRvIDxzcGFueCBzdHlsZT0ndmVyYic+YXBwbGljYXRpb24veC13d3ctZm9ybS11 cmxlbmNvZGVkPC9zcGFueD4uCiAgICAgICAgICAgIDwvdD4KICAgICAgICAgICAgPHQ+CiAgICAg ICAgICAgICAgVGhlIEhUVFAgcmVxdWVzdCBtZXRob2QgaXMgb25lIGZvciB3aGljaCB0aGUgcmVx dWVzdAogICAgICAgICAgICAgIGJvZHkgaGFzIGRlZmluZWQgc2VtYW50aWNzLiAgSW4gcGFydGlj dWxhciwKICAgICAgICAgICAgICB0aGlzIG1lYW5zIHRoYXQgdGhlIDxzcGFueCBzdHlsZT0ndmVy Yic+R0VUPC9zcGFueD4KICAgICAgICAgICAgICBtZXRob2QgTVVTVCBOT1QgYmUgdXNlZC4KICAg ICAgICAgICAgPC90PgoJICAgIDx0PgoJICAgICAgVGhlIGNvbnRlbnQgdG8gYmUgZW5jb2RlZCBp biB0aGUgZW50aXR5LWJvZHkgTVVTVAoJICAgICAgY29uc2lzdCBlbnRpcmVseSBvZiBBU0NJSSBj aGFyYWN0ZXJzLgoJICAgIDwvdD4KICAgICAgICAgIDwvbGlzdD4KICAgICAgICA8L3Q+CiAgICAg ICAgPHQ+CiAgICAgICAgICBUaGUgZW50aXR5LWJvZHkgTUFZIGluY2x1ZGUgb3RoZXIgcmVxdWVz dC1zcGVjaWZpYwogICAgICAgICAgcGFyYW1ldGVycywgaW4gd2hpY2ggY2FzZSwgdGhlIDxzcGFu eAogICAgICAgICAgc3R5bGU9J3ZlcmInPmFjY2Vzc190b2tlbjwvc3Bhbng+IHBhcmFtZXRlciBN VVNUIGJlIHByb3Blcmx5CiAgICAgICAgICBzZXBhcmF0ZWQgZnJvbSB0aGUgcmVxdWVzdC1zcGVj aWZpYyBwYXJhbWV0ZXJzIHVzaW5nIDxzcGFueAogICAgICAgICAgc3R5bGU9J3ZlcmInPiZhbXA7 PC9zcGFueD4gY2hhcmFjdGVyKHMpIChBU0NJSSBjb2RlIDM4KS4KICAgICAgICA8L3Q+CiAgICAg ICAgPGZpZ3VyZT4KICAgICAgICAgIDxwcmVhbWJsZT4KICAgICAgICAgICAgRm9yIGV4YW1wbGUs IHRoZSBjbGllbnQgbWFrZXMgdGhlIGZvbGxvd2luZyBIVFRQIHJlcXVlc3QgdXNpbmcgdHJhbnNw b3J0LWxheWVyCiAgICAgICAgICAgIHNlY3VyaXR5OgogICAgICAgICAgPC9wcmVhbWJsZT4KICAg ICAgICAgIDxhcnR3b3JrPgo8IVtDREFUQVtQT1NUIC9yZXNvdXJjZSBIVFRQLzEuMQpIb3N0OiBz ZXJ2ZXIuZXhhbXBsZS5jb20KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVy bGVuY29kZWQKCmFjY2Vzc190b2tlbj12RjlkZnQ0cW1UXV0+CiAgICAgICAgICA8L2FydHdvcms+ CiAgICAgICAgPC9maWd1cmU+Cgk8dD4KCSAgVGhlIDxzcGFueCBzdHlsZT0ndmVyYic+YXBwbGlj YXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkPC9zcGFueD4KCSAgbWV0aG9kIFNIT1VMRCBOT1Qg YmUgdXNlZCBleGNlcHQgaW4gYXBwbGljYXRpb24gY29udGV4dHMKCSAgd2hlcmUgcGFydGljaXBh dGluZyBicm93c2VycyBkbyBub3QgaGF2ZSBhY2Nlc3MgdG8gdGhlCgkgIDxzcGFueCBzdHlsZT0n dmVyYic+QXV0aG9yaXphdGlvbjwvc3Bhbng+IHJlcXVlc3QgaGVhZGVyCgkgIGZpZWxkLiAgUmVz b3VyY2Ugc2VydmVycyBNQVkgc3VwcG9ydCB0aGlzIG1ldGhvZC4KCTwvdD4KICAgICAgPC9zZWN0 aW9uPgoKICAgICAgPHNlY3Rpb24gdGl0bGU9J1VSSSBRdWVyeSBQYXJhbWV0ZXInIGFuY2hvcj0n cXVlcnktcGFyYW0nPgogICAgICAgIDx0PgogICAgICAgICAgV2hlbiBzZW5kaW5nIHRoZSBhY2Nl c3MgdG9rZW4gaW4gdGhlIEhUVFAgcmVxdWVzdCBVUkksIHRoZSBjbGllbnQgYWRkcyB0aGUgYWNj ZXNzCiAgICAgICAgICB0b2tlbiB0byB0aGUgcmVxdWVzdCBVUkkgcXVlcnkgY29tcG9uZW50IGFz IGRlZmluZWQgYnkKCSAgVW5pZm9ybSBSZXNvdXJjZSBJZGVudGlmaWVyIChVUkkpIDx4cmVmIHRh cmdldD0nUkZDMzk4NicgLz4KCSAgdXNpbmcKICAgICAgICAgIHRoZSA8c3Bhbnggc3R5bGU9J3Zl cmInPmFjY2Vzc190b2tlbjwvc3Bhbng+IHBhcmFtZXRlci4KICAgICAgICA8L3Q+CiAgICAgICAg PGZpZ3VyZT4KICAgICAgICAgIDxwcmVhbWJsZT4KICAgICAgICAgICAgRm9yIGV4YW1wbGUsIHRo ZSBjbGllbnQgbWFrZXMgdGhlIGZvbGxvd2luZyBIVFRQIHJlcXVlc3QgdXNpbmcgdHJhbnNwb3J0 LWxheWVyCiAgICAgICAgICAgIHNlY3VyaXR5OgogICAgICAgICAgPC9wcmVhbWJsZT4KICAgICAg ICAgIDxhcnR3b3JrPgo8IVtDREFUQVtHRVQgL3Jlc291cmNlP2FjY2Vzc190b2tlbj12RjlkZnQ0 cW1UIEhUVFAvMS4xCkhvc3Q6IHNlcnZlci5leGFtcGxlLmNvbV1dPgogICAgICAgICAgPC9hcnR3 b3JrPgogICAgICAgIDwvZmlndXJlPgogICAgICAgIDx0PgogICAgICAgICAgVGhlIEhUVFAgcmVx dWVzdCBVUkkgcXVlcnkgY2FuIGluY2x1ZGUgb3RoZXIKICAgICAgICAgIHJlcXVlc3Qtc3BlY2lm aWMgcGFyYW1ldGVycywgaW4gd2hpY2ggY2FzZSwgdGhlIDxzcGFueAogICAgICAgICAgc3R5bGU9 J3ZlcmInPmFjY2Vzc190b2tlbjwvc3Bhbng+IHBhcmFtZXRlciBNVVNUIGJlIHByb3Blcmx5CiAg ICAgICAgICBzZXBhcmF0ZWQgZnJvbSB0aGUgcmVxdWVzdC1zcGVjaWZpYyBwYXJhbWV0ZXJzIHVz aW5nIDxzcGFueAogICAgICAgICAgc3R5bGU9J3ZlcmInPiZhbXA7PC9zcGFueD4gY2hhcmFjdGVy KHMpIChBU0NJSSBjb2RlIDM4KS4KICAgICAgICA8L3Q+CiAgICAgICAgPGZpZ3VyZT4KICAgICAg ICAgIDxwcmVhbWJsZT4KICAgICAgICAgICAgRm9yIGV4YW1wbGU6CiAgICAgICAgICA8L3ByZWFt YmxlPgogICAgICAgICAgPGFydHdvcms+CjwhW0NEQVRBW2h0dHBzOi8vc2VydmVyLmV4YW1wbGUu Y29tL3Jlc291cmNlP3g9eSZhY2Nlc3NfdG9rZW49dkY5ZGZ0NHFtVCZwPXFdXT4KICAgICAgICAg IDwvYXJ0d29yaz4KICAgICAgICA8L2ZpZ3VyZT4KCTx0PgoJICBCZWNhdXNlIG9mIHRoZSBzZWN1 cml0eSB3ZWFrbmVzc2VzIGFzc29jaWF0ZWQgd2l0aCB0aGUgVVJJCgkgIG1ldGhvZCAoc2VlIDx4 cmVmIHRhcmdldD0ic2VjLWNvbiIgLz4pLCBpbmNsdWRpbmcgdGhlIGhpZ2gKCSAgbGlrZWxpaG9v ZCB0aGF0IHRoZSBVUkwgY29udGFpbmluZyB0aGUgYWNjZXNzIHRva2VuIHdpbGwgYmUKCSAgbG9n Z2VkLCBpdCBTSE9VTEQgTk9UIGJlIHVzZWQgdW5sZXNzIGl0IGlzIGltcG9zc2libGUgdG8KCSAg dHJhbnNwb3J0IHRoZSBhY2Nlc3MgdG9rZW4gaW4gdGhlIDxzcGFueAoJICBzdHlsZT0ndmVyYic+ QXV0aG9yaXphdGlvbjwvc3Bhbng+IHJlcXVlc3QgaGVhZGVyIGZpZWxkIG9yCgkgIHRoZSBIVFRQ IHJlcXVlc3QgZW50aXR5LWJvZHkuICBSZXNvdXJjZSBzZXJ2ZXJzIE1BWSBzdXBwb3J0CgkgIHRo aXMgbWV0aG9kLgoJPC90PgogICAgICA8L3NlY3Rpb24+CgogICAgPC9zZWN0aW9uPgoKICAgIDxz ZWN0aW9uIHRpdGxlPSdUaGUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBIZWFkZXIgRmllbGQn IGFuY2hvcj0nYXV0aG4taGVhZGVyJz4KICAgICAgPHQ+CglJZiB0aGUgcHJvdGVjdGVkIHJlc291 cmNlIHJlcXVlc3QgZG9lcyBub3QgaW5jbHVkZQoJYXV0aGVudGljYXRpb24gY3JlZGVudGlhbHMg b3IgZG9lcyBub3QgY29udGFpbiBhbiBhY2Nlc3MKCXRva2VuIHRoYXQgZW5hYmxlcyBhY2Nlc3Mg dG8gdGhlIHByb3RlY3RlZCByZXNvdXJjZSwKCXRoZSByZXNvdXJjZSBzZXJ2ZXIgTVVTVCBpbmNs dWRlIHRoZSBIVFRQIDxzcGFueAoJc3R5bGU9J3ZlcmInPldXVy1BdXRoZW50aWNhdGU8L3NwYW54 PiByZXNwb25zZSBoZWFkZXIgZmllbGQ7CglpdCBNQVkgaW5jbHVkZSBpdCBpbiByZXNwb25zZSB0 byBvdGhlciBjb25kaXRpb25zIGFzIHdlbGwuCglUaGUgPHNwYW54IHN0eWxlPSd2ZXJiJz5XV1ct QXV0aGVudGljYXRlPC9zcGFueD4gaGVhZGVyCglmaWVsZCB1c2VzIHRoZSBmcmFtZXdvcmsgZGVm aW5lZCBieQoJSFRUUC8xLjEsIFBhcnQgNyA8eHJlZiB0YXJnZXQ9J0ktRC5pZXRmLWh0dHBiaXMt cDctYXV0aCcgLz4KCWFzIGZvbGxvd3M6CiAgICAgIDwvdD4KICAgICAgPGZpZ3VyZT4KCTxhcnR3 b3JrPgo8IVtDREFUQVtjaGFsbGVuZ2UgICAgICAgPSAiQmVhcmVyIiBbIDEqU1AgMSNwYXJhbSBd CgpwYXJhbSAgICAgICAgICAgPSByZWFsbSAvIHNjb3BlIC8KICAgICAgICAgICAgICAgICAgZXJy b3IgLyBlcnJvci1kZXNjIC8gZXJyb3ItdXJpIC8KICAgICAgICAgICAgICAgICAgYXV0aC1wYXJh bQoKc2NvcGUgICAgICAgICAgID0gInNjb3BlIiAiPSIgcXVvdGVkLXN0cmluZwplcnJvciAgICAg ICAgICAgPSAiZXJyb3IiICI9IiBxdW90ZWQtc3RyaW5nCmVycm9yLWRlc2MgICAgICA9ICJlcnJv cl9kZXNjcmlwdGlvbiIgIj0iIHF1b3RlZC1zdHJpbmcKZXJyb3ItdXJpICAgICAgID0gImVycm9y X3VyaSIgIj0iIHF1b3RlZC1zdHJpbmddXT4KCTwvYXJ0d29yaz4KICAgICAgPC9maWd1cmU+CiAg ICAgIDx0PgoJQSA8c3Bhbnggc3R5bGU9J3ZlcmInPnJlYWxtPC9zcGFueD4gYXR0cmlidXRlIE1B WSBiZSBpbmNsdWRlZAoJdG8gaW5kaWNhdGUgdGhlIHNjb3BlIG9mIHByb3RlY3Rpb24gaW4gdGhl IG1hbm5lciBkZXNjcmliZWQgaW4KCUhUVFAvMS4xLCBQYXJ0IDcgPHhyZWYgdGFyZ2V0PSdJLUQu aWV0Zi1odHRwYmlzLXA3LWF1dGgnIC8+LgoJVGhlIDxzcGFueCBzdHlsZT0ndmVyYic+cmVhbG08 L3NwYW54PiBhdHRyaWJ1dGUgTVVTVCBOT1QgYXBwZWFyIG1vcmUgdGhhbiBvbmNlLgoJVGhlIDxz cGFueCBzdHlsZT0ndmVyYic+cmVhbG08L3NwYW54PiB2YWx1ZSBpcyBpbnRlbmRlZCBmb3IKCXBy b2dyYW1tYXRpYyB1c2UgYW5kIGlzIG5vdCBtZWFudCB0byBiZSBkaXNwbGF5ZWQgdG8KCWVuZCB1 c2Vycy4KICAgICAgPC90PgoKICAgICAgPHQ+CglUaGUgPHNwYW54IHN0eWxlPSd2ZXJiJz5zY29w ZTwvc3Bhbng+IGF0dHJpYnV0ZSBpcyBhIHNwYWNlLWRlbGltaXRlZCBsaXN0IG9mIHNjb3BlIHZh bHVlcwoJaW5kaWNhdGluZyB0aGUgcmVxdWlyZWQgc2NvcGUgb2YgdGhlIGFjY2VzcyB0b2tlbiBm b3IgYWNjZXNzaW5nIHRoZSByZXF1ZXN0ZWQgcmVzb3VyY2UuCglJbiBzb21lIGNhc2VzLCB0aGUg PHNwYW54IHN0eWxlPSd2ZXJiJz5zY29wZTwvc3Bhbng+IHZhbHVlCgl3aWxsIGJlIHVzZWQgd2hl biByZXF1ZXN0aW5nIGEgbmV3IGFjY2VzcyB0b2tlbiB3aXRoCglzdWZmaWNpZW50IHNjb3BlIG9m IGFjY2VzcyB0byB1dGlsaXplIHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UuCglUaGUgPHNwYW54IHN0 eWxlPSd2ZXJiJz5zY29wZTwvc3Bhbng+IGF0dHJpYnV0ZSBNVVNUIE5PVCBhcHBlYXIgbW9yZSB0 aGFuIG9uY2UuCglUaGUgPHNwYW54IHN0eWxlPSd2ZXJiJz5zY29wZTwvc3Bhbng+IHZhbHVlIGlz IGludGVuZGVkIGZvcgoJcHJvZ3JhbW1hdGljIHVzZSBhbmQgaXMgbm90IG1lYW50IHRvIGJlIGRp c3BsYXllZCB0bwoJZW5kIHVzZXJzLgogICAgICA8L3Q+CiAgICAgIDx0PgoJSWYgdGhlIHByb3Rl Y3RlZCByZXNvdXJjZSByZXF1ZXN0IGluY2x1ZGVkIGFuIGFjY2VzcyB0b2tlbiBhbmQgZmFpbGVk IGF1dGhlbnRpY2F0aW9uLCB0aGUKCXJlc291cmNlIHNlcnZlciBTSE9VTEQgaW5jbHVkZSB0aGUg PHNwYW54IHN0eWxlPSd2ZXJiJz5lcnJvcjwvc3Bhbng+IGF0dHJpYnV0ZSB0byBwcm92aWRlCgl0 aGUgY2xpZW50IHdpdGggdGhlIHJlYXNvbiB3aHkgdGhlIGFjY2VzcyByZXF1ZXN0IHdhcyBkZWNs aW5lZC4gVGhlIHBhcmFtZXRlciB2YWx1ZSBpcwoJZGVzY3JpYmVkIGluIDx4cmVmIHRhcmdldD0n cmVzb3VyY2UtZXJyb3ItY29kZXMnIC8+LgoJSW4gYWRkaXRpb24sIHRoZSByZXNvdXJjZSBzZXJ2 ZXIgTUFZIGluY2x1ZGUgdGhlIDxzcGFueAoJc3R5bGU9J3ZlcmInPmVycm9yX2Rlc2NyaXB0aW9u PC9zcGFueD4gYXR0cmlidXRlIHRvIHByb3ZpZGUKCWRldmVsb3BlcnMgYSBodW1hbi1yZWFkYWJs ZSBleHBsYW5hdGlvbiB0aGF0IGlzIG5vdCBtZWFudAoJdG8gYmUgZGlzcGxheWVkIHRvIGVuZCB1 c2Vycy4KCUl0IGFsc28gTUFZIGluY2x1ZGUKCXRoZSA8c3Bhbnggc3R5bGU9J3ZlcmInPmVycm9y X3VyaTwvc3Bhbng+IGF0dHJpYnV0ZSB3aXRoCglhbiBhYnNvbHV0ZSBVUkkgaWRlbnRpZnlpbmcg YSBodW1hbi1yZWFkYWJsZSB3ZWIgcGFnZSBleHBsYWluaW5nIHRoZSBlcnJvci4KCVRoZSA8c3Bh bnggc3R5bGU9J3ZlcmInPmVycm9yPC9zcGFueD4sIDxzcGFueCBzdHlsZT0ndmVyYic+ZXJyb3Jf ZGVzY3JpcHRpb248L3NwYW54PiwgYW5kCgk8c3Bhbnggc3R5bGU9J3ZlcmInPmVycm9yX3VyaTwv c3Bhbng+IGF0dHJpYnV0ZXMgTVVTVCBOT1QgYXBwZWFyIG1vcmUgdGhhbiBvbmNlLgogICAgICA8 L3Q+CiAgICAgIDx0PgoJUHJvZHVjZXJzIG9mIDxzcGFueCBzdHlsZT0ndmVyYic+c2NvcGU8L3Nw YW54PiBzdHJpbmdzIE1VU1QKCU5PVCB1c2UgY2hhcmFjdGVycyBvdXRzaWRlIHRoZSBzZXQgJXgy MSAvICV4MjMtNUIgLyAleDVELTdFCglmb3IgcmVwcmVzZW50aW5nIHRoZSBzY29wZSB2YWx1ZXMg YW5kICV4MjAgZm9yIHRoZSBkZWxpbWl0ZXIuCglQcm9kdWNlcnMgb2YgPHNwYW54IHN0eWxlPSd2 ZXJiJz5lcnJvcjwvc3Bhbng+IGFuZCA8c3BhbngKCXN0eWxlPSd2ZXJiJz5lcnJvcl9kZXNjcmlw dGlvbjwvc3Bhbng+IHN0cmluZ3MgTVVTVCBOT1QgdXNlCgljaGFyYWN0ZXJzIG91dHNpZGUgdGhl IHNldCAleDIwLTIxIC8gJXgyMy01QiAvICV4NUQtN0UgZm9yCglyZXByZXNlbnRpbmcgdGhlc2Ug dmFsdWVzLgoJUHJvZHVjZXJzIG9mIDxzcGFueCBzdHlsZT0ndmVyYic+ZXJyb3ItdXJpPC9zcGFu eD4gc3RyaW5ncwoJTVVTVCBOT1QgdXNlIGNoYXJhY3RlcnMgb3V0c2lkZSB0aGUgc2V0ICV4MjEg LyAleDIzLTVCIC8KCSV4NUQtN0UgZm9yIHJlcHJlc2VudGluZyB0aGVzZSB2YWx1ZXMuICBGdXJ0 aGVybW9yZSwKCTxzcGFueCBzdHlsZT0ndmVyYic+ZXJyb3ItdXJpPC9zcGFueD4gc3RyaW5ncyBN VVNUIGNvbmZvcm0KCXRvIHRoZSBVUkktUmVmZXJlbmNlIHN5bnRheC4KCUluIGFsbCB0aGVzZSBj YXNlcywgbm8gY2hhcmFjdGVyIHF1b3Rpbmcgd2lsbCBvY2N1ciwgYXMKCXNlbmRlcnMgYXJlIHBy b2hpYml0ZWQgZnJvbSB1c2luZyB0aGUgJTVDICgnXCcpIGNoYXJhY3Rlci4KICAgICAgPC90Pgog ICAgICA8ZmlndXJlPgoJPHByZWFtYmxlPgoJICBGb3IgZXhhbXBsZSwgaW4gcmVzcG9uc2UgdG8g YSBwcm90ZWN0ZWQgcmVzb3VyY2UgcmVxdWVzdCB3aXRob3V0IGF1dGhlbnRpY2F0aW9uOgoJPC9w cmVhbWJsZT4KCTxhcnR3b3JrPgo8IVtDREFUQVtIVFRQLzEuMSA0MDEgVW5hdXRob3JpemVkCldX Vy1BdXRoZW50aWNhdGU6IEJlYXJlciByZWFsbT0iZXhhbXBsZSJdXT4KICAgICAgICAgIDwvYXJ0 d29yaz4KICAgICAgICA8L2ZpZ3VyZT4KICAgICAgICA8ZmlndXJlPgogICAgICAgICAgPHByZWFt YmxlPgogICAgICAgICAgICBBbmQgaW4gcmVzcG9uc2UgdG8gYSBwcm90ZWN0ZWQgcmVzb3VyY2Ug cmVxdWVzdCB3aXRoIGFuIGF1dGhlbnRpY2F0aW9uIGF0dGVtcHQgdXNpbmcgYW4KICAgICAgICAg ICAgZXhwaXJlZCBhY2Nlc3MgdG9rZW46CiAgICAgICAgICA8L3ByZWFtYmxlPgogICAgICAgICAg PGFydHdvcms+CjwhW0NEQVRBW0hUVFAvMS4xIDQwMSBVbmF1dGhvcml6ZWQKV1dXLUF1dGhlbnRp Y2F0ZTogQmVhcmVyIHJlYWxtPSJleGFtcGxlIiwKICAgICAgICAgICAgICAgICAgZXJyb3I9Imlu dmFsaWRfdG9rZW4iLAogICAgICAgICAgICAgICAgICBlcnJvcl9kZXNjcmlwdGlvbj0iVGhlIGFj Y2VzcyB0b2tlbiBleHBpcmVkIl1dPgoJPC9hcnR3b3JrPgogICAgICA8L2ZpZ3VyZT4KCiAgICAg IDxzZWN0aW9uIHRpdGxlPSdFcnJvciBDb2RlcycgYW5jaG9yPSdyZXNvdXJjZS1lcnJvci1jb2Rl cyc+Cgk8dD4KCSAgV2hlbiBhIHJlcXVlc3QgZmFpbHMsIHRoZSByZXNvdXJjZSBzZXJ2ZXIgcmVz cG9uZHMgdXNpbmcgdGhlIGFwcHJvcHJpYXRlIEhUVFAgc3RhdHVzCgkgIGNvZGUgKHR5cGljYWxs eSwgNDAwLCA0MDEsIDQwMywgb3IgNDA1KSwKCSAgYW5kIGluY2x1ZGVzIG9uZSBvZiB0aGUgZm9s bG93aW5nIGVycm9yIGNvZGVzIGluCgkgIHRoZSByZXNwb25zZToKCgkgIDxsaXN0IHN0eWxlPSdo YW5naW5nJyBoYW5nSW5kZW50PSc2Jz4KCSAgICA8dCBoYW5nVGV4dD0naW52YWxpZF9yZXF1ZXN0 Jz4KCSAgICAgIDx2c3BhY2UgLz4KCSAgICAgIFRoZSByZXF1ZXN0IGlzIG1pc3NpbmcgYSByZXF1 aXJlZCBwYXJhbWV0ZXIsIGluY2x1ZGVzIGFuIHVuc3VwcG9ydGVkIHBhcmFtZXRlciBvcgoJICAg ICAgcGFyYW1ldGVyIHZhbHVlLCByZXBlYXRzIHRoZSBzYW1lIHBhcmFtZXRlciwgdXNlcyBtb3Jl IHRoYW4gb25lIG1ldGhvZCBmb3IKCSAgICAgIGluY2x1ZGluZyBhbiBhY2Nlc3MgdG9rZW4sIG9y IGlzIG90aGVyd2lzZSBtYWxmb3JtZWQuIFRoZSByZXNvdXJjZSBzZXJ2ZXIgU0hPVUxECgkgICAg ICByZXNwb25kIHdpdGggdGhlIEhUVFAgNDAwIChCYWQgUmVxdWVzdCkgc3RhdHVzIGNvZGUuCgkg ICAgPC90PgoJICAgIDx0IGhhbmdUZXh0PSdpbnZhbGlkX3Rva2VuJz4KCSAgICAgIDx2c3BhY2Ug Lz4KCSAgICAgIFRoZSBhY2Nlc3MgdG9rZW4gcHJvdmlkZWQgaXMgZXhwaXJlZCwgcmV2b2tlZCwg bWFsZm9ybWVkLCBvciBpbnZhbGlkIGZvciBvdGhlcgoJICAgICAgcmVhc29ucy4gVGhlIHJlc291 cmNlIFNIT1VMRCByZXNwb25kIHdpdGggdGhlIEhUVFAgNDAxIChVbmF1dGhvcml6ZWQpIHN0YXR1 cwoJICAgICAgY29kZS4gVGhlIGNsaWVudCBNQVkgcmVxdWVzdCBhIG5ldyBhY2Nlc3MgdG9rZW4g YW5kIHJldHJ5IHRoZSBwcm90ZWN0ZWQgcmVzb3VyY2UKCSAgICAgIHJlcXVlc3QuCgkgICAgPC90 PgoJICAgIDx0IGhhbmdUZXh0PSdpbnN1ZmZpY2llbnRfc2NvcGUnPgoJICAgICAgPHZzcGFjZSAv PgoJICAgICAgVGhlIHJlcXVlc3QgcmVxdWlyZXMgaGlnaGVyIHByaXZpbGVnZXMgdGhhbiBwcm92 aWRlZCBieSB0aGUgYWNjZXNzIHRva2VuLiBUaGUKCSAgICAgIHJlc291cmNlIHNlcnZlciBTSE9V TEQgcmVzcG9uZCB3aXRoIHRoZSBIVFRQIDQwMyAoRm9yYmlkZGVuKSBzdGF0dXMgY29kZSBhbmQg TUFZCgkgICAgICBpbmNsdWRlIHRoZSA8c3Bhbnggc3R5bGU9J3ZlcmInPnNjb3BlPC9zcGFueD4g YXR0cmlidXRlIHdpdGggdGhlIHNjb3BlIG5lY2Vzc2FyeSB0bwoJICAgICAgYWNjZXNzIHRoZSBw cm90ZWN0ZWQgcmVzb3VyY2UuCgkgICAgPC90PgoJICA8L2xpc3Q+Cgk8L3Q+Cgk8dD4KCSAgSWYg dGhlIHJlcXVlc3QgbGFja3MgYW55IGF1dGhlbnRpY2F0aW9uIGluZm9ybWF0aW9uIChpLmUuIHRo ZSBjbGllbnQgd2FzIHVuYXdhcmUKCSAgYXV0aGVudGljYXRpb24gaXMgbmVjZXNzYXJ5IG9yIGF0 dGVtcHRlZCB1c2luZyBhbiB1bnN1cHBvcnRlZCBhdXRoZW50aWNhdGlvbiBtZXRob2QpLAoJICB0 aGUgcmVzb3VyY2Ugc2VydmVyIFNIT1VMRCBOT1QgaW5jbHVkZSBhbiBlcnJvciBjb2RlIG9yIG90 aGVyIGVycm9yIGluZm9ybWF0aW9uLgoJPC90PgoJPGZpZ3VyZT4KCSAgPHByZWFtYmxlPgoJICAg IEZvciBleGFtcGxlOgoJICA8L3ByZWFtYmxlPgoJICA8YXJ0d29yaz4KPCFbQ0RBVEFbSFRUUC8x LjEgNDAxIFVuYXV0aG9yaXplZApXV1ctQXV0aGVudGljYXRlOiBCZWFyZXIgcmVhbG09ImV4YW1w bGUiXV0+CgkgIDwvYXJ0d29yaz4KCTwvZmlndXJlPgogICAgICA8L3NlY3Rpb24+CgogICAgPC9z ZWN0aW9uPgoKICAgIDxzZWN0aW9uIHRpdGxlPSdTZWN1cml0eSBDb25zaWRlcmF0aW9ucycgYW5j aG9yPSJzZWMtY29uIj4KCiAgICAgIDx0PgoJVGhpcyBzZWN0aW9uIGRlc2NyaWJlcyB0aGUgcmVs ZXZhbnQgc2VjdXJpdHkgdGhyZWF0cyByZWdhcmRpbmcKCXRva2VuIGhhbmRsaW5nIHdoZW4gdXNp bmcgYmVhcmVyIHRva2VucyBhbmQgZGVzY3JpYmVzIGhvdyB0bwoJbWl0aWdhdGUgdGhlc2UgdGhy ZWF0cy4KICAgICAgPC90PgoKICAgICAgPHNlY3Rpb24gdGl0bGU9IlNlY3VyaXR5IFRocmVhdHMi IGFuY2hvcj0idGhyZWF0cyI+CgoJPHQ+CgkgIFRoZSBmb2xsb3dpbmcgbGlzdCBwcmVzZW50cyBz ZXZlcmFsIGNvbW1vbiB0aHJlYXRzIGFnYWluc3QKCSAgcHJvdG9jb2xzIHV0aWxpemluZyBzb21l IGZvcm0gb2YgdG9rZW5zLiBUaGlzIGxpc3Qgb2YKCSAgdGhyZWF0cyBpcyBiYXNlZCBvbgoJICBO SVNUIFNwZWNpYWwgUHVibGljYXRpb24gODAwLTYzIDx4cmVmIHRhcmdldD0iTklTVDgwMC02MyIv Pi4KCSAgU2luY2UgdGhpcyBkb2N1bWVudCBidWlsZHMgb24gdGhlCgkgIE9BdXRoIDIuMCBzcGVj aWZpY2F0aW9uLCB3ZSBleGNsdWRlIGEgZGlzY3Vzc2lvbiBvZiB0aHJlYXRzCgkgIHRoYXQgYXJl IGRlc2NyaWJlZCB0aGVyZSBvciBpbiByZWxhdGVkIGRvY3VtZW50cy4KCTwvdD4KCgk8dD4KCSAg PGxpc3Qgc3R5bGU9ImhhbmdpbmciPgoJICAgIDx0IGhhbmdUZXh0PSJUb2tlbiBtYW51ZmFjdHVy ZS9tb2RpZmljYXRpb246Ij4KCSAgICAgIEFuIGF0dGFja2VyIG1heSBnZW5lcmF0ZSBhIGJvZ3Vz IHRva2VuIG9yIG1vZGlmeSB0aGUKCSAgICAgIHRva2VuIGNvbnRlbnRzIChzdWNoIGFzIHRoZSBh dXRoZW50aWNhdGlvbiBvciBhdHRyaWJ1dGUKCSAgICAgIHN0YXRlbWVudHMpIG9mIGFuIGV4aXN0 aW5nIHRva2VuLCBjYXVzaW5nIHRoZSByZXNvdXJjZQoJICAgICAgc2VydmVyIHRvIGdyYW50IGlu YXBwcm9wcmlhdGUgYWNjZXNzIHRvIHRoZSBjbGllbnQuCgkgICAgICBGb3IgZXhhbXBsZSwgYW4g YXR0YWNrZXIgbWF5IG1vZGlmeSB0aGUgdG9rZW4gdG8gZXh0ZW5kCgkgICAgICB0aGUgdmFsaWRp dHkgcGVyaW9kOyBhIG1hbGljaW91cyBjbGllbnQgbWF5IG1vZGlmeSB0aGUKCSAgICAgIGFzc2Vy dGlvbiB0byBnYWluIGFjY2VzcyB0byBpbmZvcm1hdGlvbiB0aGF0IHRoZXkKCSAgICAgIHNob3Vs ZCBub3QgYmUgYWJsZSB0byB2aWV3LgoJICAgIDwvdD4KCSAgICA8dCBoYW5nVGV4dD0iVG9rZW4g ZGlzY2xvc3VyZToiPgoJICAgICAgVG9rZW5zIG1heSBjb250YWluIGF1dGhlbnRpY2F0aW9uIGFu ZCBhdHRyaWJ1dGUKCSAgICAgIHN0YXRlbWVudHMgdGhhdCBpbmNsdWRlIHNlbnNpdGl2ZSBpbmZv cm1hdGlvbi4KCSAgICA8L3Q+CgkgICAgPHQgaGFuZ1RleHQ9IlRva2VuIHJlZGlyZWN0OiI+Cgkg ICAgICBBbiBhdHRhY2tlciB1c2VzIGEgdG9rZW4gZ2VuZXJhdGVkIGZvciBjb25zdW1wdGlvbiBi eSAKCSAgICAgIG9uZSByZXNvdXJjZSBzZXJ2ZXIgdG8gZ2FpbiBhY2Nlc3MgdG8gYSBkaWZmZXJl bnQKCSAgICAgIHJlc291cmNlIHNlcnZlciB0aGF0IG1pc3Rha2VubHkgYmVsaWV2ZXMgdGhlIHRv a2VuIHRvIGJlCgkgICAgICBmb3IgaXQuCgkgICAgPC90PgoJICAgIDx0IGhhbmdUZXh0PSJUb2tl biByZXBsYXk6Ij4KCSAgICAgIEFuIGF0dGFja2VyIGF0dGVtcHRzIHRvIHVzZSBhIHRva2VuIHRo YXQgaGFzIGFscmVhZHkKCSAgICAgIGJlZW4gdXNlZCB3aXRoIHRoYXQgcmVzb3VyY2Ugc2VydmVy IGluIHRoZSBwYXN0LgoJICAgIDwvdD4KCSAgPC9saXN0PiAKCTwvdD4KICAgICAgPC9zZWN0aW9u PiAKCiAgICAgIDxzZWN0aW9uIHRpdGxlPSJUaHJlYXQgTWl0aWdhdGlvbiIgYW5jaG9yPSJtaXRp Z2F0aW9uIj4gCgoJPHQ+CgkgIEEgbGFyZ2UgcmFuZ2Ugb2YgdGhyZWF0cyBjYW4gYmUgbWl0aWdh dGVkIGJ5IHByb3RlY3RpbmcgdGhlCgkgIGNvbnRlbnRzIG9mIHRoZSB0b2tlbiBieSB1c2luZyBh IGRpZ2l0YWwgc2lnbmF0dXJlIG9yIGEKCSAgTWVzc2FnZSBBdXRoZW50aWNhdGlvbiBDb2RlIChN QUMpLgoJICBBbHRlcm5hdGl2ZWx5LCBhIGJlYXJlciB0b2tlbiBjYW4gY29udGFpbiBhIHJlZmVy ZW5jZSB0bwoJICBhdXRob3JpemF0aW9uIGluZm9ybWF0aW9uLCByYXRoZXIgdGhhbiBlbmNvZGlu ZyB0aGUKCSAgaW5mb3JtYXRpb24gZGlyZWN0bHkuIFN1Y2ggcmVmZXJlbmNlcyBNVVNUIGJlIGlu ZmVhc2libGUgZm9yCgkgIGFuIGF0dGFja2VyIHRvIGd1ZXNzOyB1c2luZyBhIHJlZmVyZW5jZSBt YXkgcmVxdWlyZSBhbiBleHRyYQoJICBpbnRlcmFjdGlvbiBiZXR3ZWVuIGEgc2VydmVyIGFuZCB0 aGUgdG9rZW4gaXNzdWVyIHRvIHJlc29sdmUKCSAgdGhlIHJlZmVyZW5jZSB0byB0aGUgYXV0aG9y aXphdGlvbiBpbmZvcm1hdGlvbi4KCSAgVGhlIG1lY2hhbmljcyBvZiBzdWNoIGFuIGludGVyYWN0 aW9uIGFyZSBub3QgZGVmaW5lZCBieSB0aGlzCgkgIHNwZWNpZmljYXRpb24uCgk8L3Q+Cgk8dD4K CSAgVGhpcyBkb2N1bWVudCBkb2VzIG5vdCBzcGVjaWZ5IHRoZSBlbmNvZGluZyBvciB0aGUgY29u dGVudHMKCSAgb2YgdGhlIHRva2VuOyBoZW5jZSBkZXRhaWxlZCByZWNvbW1lbmRhdGlvbnMgYWJv dXQgdGhlIG1lYW5zCgkgIG9mIGd1YXJhbnRlZWluZyB0b2tlbiBpbnRlZ3JpdHkgcHJvdGVjdGlv biBhcmUgb3V0c2lkZSB0aGUKCSAgc2NvcGUgb2YgdGhpcyBkb2N1bWVudC4gIFRoZSB0b2tlbiBp bnRlZ3JpdHkgcHJvdGVjdGlvbiBNVVNUCgkgIGJlIHN1ZmZpY2llbnQgdG8gcHJldmVudCB0aGUg dG9rZW4gZnJvbSBiZWluZyBtb2RpZmllZC4KCTwvdD4KCTx0PgoJICBUbyBkZWFsIHdpdGggdG9r ZW4gcmVkaXJlY3QsIGl0IGlzIGltcG9ydGFudCBmb3IgdGhlCgkgIGF1dGhvcml6YXRpb24gc2Vy dmVyIHRvIGluY2x1ZGUgdGhlIGlkZW50aXR5IG9mIHRoZSBpbnRlbmRlZAoJICByZWNpcGllbnRz ICh0aGUgYXVkaWVuY2UpLCB0eXBpY2FsbHkgYSBzaW5nbGUgcmVzb3VyY2UKCSAgc2VydmVyIChv ciBhIGxpc3Qgb2YgcmVzb3VyY2Ugc2VydmVycyksIGluIHRoZSB0b2tlbi4KCSAgUmVzdHJpY3Rp bmcgdGhlIHVzZSBvZiB0aGUgdG9rZW4gdG8gYSBzcGVjaWZpYyBzY29wZSBpcyBhbHNvCgkgIFJF Q09NTUVOREVELgoJPC90PgoJPHQ+CgkgIFRoZSBhdXRob3JpemF0aW9uIHNlcnZlciBNVVNUIGlt cGxlbWVudCBUTFMuCgkgIFdoaWNoIHZlcnNpb24ocykgb3VnaHQgdG8gYmUgaW1wbGVtZW50ZWQg d2lsbCB2YXJ5IG92ZXIKCSAgdGltZSwgYW5kIGRlcGVuZCBvbiB0aGUgd2lkZXNwcmVhZCBkZXBs b3ltZW50IGFuZCBrbm93bgoJICBzZWN1cml0eSB2dWxuZXJhYmlsaXRpZXMgYXQgdGhlIHRpbWUg b2YgaW1wbGVtZW50YXRpb24uCgkgIEF0IHRoZSB0aW1lIG9mIHRoaXMgd3JpdGluZywKCSAgVExT IHZlcnNpb24gMS4yIDx4cmVmIHRhcmdldD0nUkZDNTI0NicgLz4KCSAgaXMgdGhlIG1vc3QgcmVj ZW50IHZlcnNpb24sIGJ1dCBoYXMgdmVyeSBsaW1pdGVkIGFjdHVhbAoJICBkZXBsb3ltZW50LCBh bmQgbWlnaHQgbm90IGJlIHJlYWRpbHkgYXZhaWxhYmxlIGluCgkgIGltcGxlbWVudGF0aW9uIHRv b2xraXRzLgoJICBUTFMgdmVyc2lvbiAxLjAgPHhyZWYgdGFyZ2V0PSdSRkMyMjQ2JyAvPgoJICBp cyB0aGUgbW9zdCB3aWRlbHkgZGVwbG95ZWQgdmVyc2lvbiwgYW5kIHdpbGwgZ2l2ZSB0aGUKCSAg YnJvYWRlc3QgaW50ZXJvcGVyYWJpbGl0eS4KCTwvdD4KCTx0PgoJICBUbyBwcm90ZWN0IGFnYWlu c3QgdG9rZW4gZGlzY2xvc3VyZSwgY29uZmlkZW50aWFsaXR5CgkgIHByb3RlY3Rpb24gTVVTVCBi ZSBhcHBsaWVkIHVzaW5nCgkgIFRMUyA8eHJlZiB0YXJnZXQ9J1JGQzUyNDYnIC8+CgkgIHdpdGgg YSBjaXBoZXJzdWl0ZSB0aGF0IHByb3ZpZGVzIGNvbmZpZGVudGlhbGl0eSBhbmQKCSAgaW50ZWdy aXR5IHByb3RlY3Rpb24uICBUaGlzCgkgIHJlcXVpcmVzIHRoYXQgdGhlIGNvbW11bmljYXRpb24g aW50ZXJhY3Rpb24gYmV0d2VlbiB0aGUKCSAgY2xpZW50IGFuZCB0aGUgYXV0aG9yaXphdGlvbiBz ZXJ2ZXIsIGFzIHdlbGwgYXMgdGhlCgkgIGludGVyYWN0aW9uIGJldHdlZW4gdGhlIGNsaWVudCBh bmQgdGhlIHJlc291cmNlIHNlcnZlciwKCSAgdXRpbGl6ZSBjb25maWRlbnRpYWxpdHkgYW5kIGlu dGVncml0eSBwcm90ZWN0aW9uLgoJICBTaW5jZSBUTFMgaXMgbWFuZGF0b3J5IHRvCgkgIGltcGxl bWVudCBhbmQgdG8gdXNlIHdpdGggdGhpcyBzcGVjaWZpY2F0aW9uLCBpdCBpcyB0aGUKCSAgcHJl ZmVycmVkIGFwcHJvYWNoIGZvciBwcmV2ZW50aW5nIHRva2VuIGRpc2Nsb3N1cmUgdmlhIHRoZQoJ ICBjb21tdW5pY2F0aW9uIGNoYW5uZWwuIEZvciB0aG9zZSBjYXNlcyB3aGVyZSB0aGUgY2xpZW50 CgkgIGlzIHByZXZlbnRlZCBmcm9tIG9ic2VydmluZyB0aGUgY29udGVudHMgb2YgdGhlIHRva2Vu LCB0b2tlbgoJICBlbmNyeXB0aW9uIE1VU1QgYmUgYXBwbGllZCBpbiBhZGRpdGlvbiB0byB0aGUg dXNhZ2Ugb2YgVExTCgkgIHByb3RlY3Rpb24uCgkgIEFzIGEgZnVydGhlciBkZWZlbnNlIGFnYWlu c3QgdG9rZW4gZGlzY2xvc3VyZSwgdGhlIGNsaWVudAoJICBNVVNUIHZhbGlkYXRlIHRoZSBUTFMg Y2VydGlmaWNhdGUgY2hhaW4gd2hlbiBtYWtpbmcgcmVxdWVzdHMKCSAgdG8gcHJvdGVjdGVkIHJl c291cmNlcy4KCTwvdD4KCTx0PgoJICBDb29raWVzIGFyZSB0eXBpY2FsbHkgdHJhbnNtaXR0ZWQg aW4gdGhlIGNsZWFyLiAgVGh1cywgYW55CgkgIGluZm9ybWF0aW9uIGNvbnRhaW5lZCBpbiB0aGVt IGlzIGF0IHJpc2sgb2YgZGlzY2xvc3VyZS4KCSAgVGhlcmVmb3JlLCBiZWFyZXIgdG9rZW5zIE1V U1QgTk9UIGJlIHN0b3JlZCBpbiBjb29raWVzIHRoYXQKCSAgY2FuIGJlIHNlbnQgaW4gdGhlIGNs ZWFyLgoJPC90PgoJPHQ+CgkgIEluIHNvbWUgZGVwbG95bWVudHMsIGluY2x1ZGluZyB0aG9zZSB1 dGlsaXppbmcgbG9hZAoJICBiYWxhbmNlcnMsIHRoZSBUTFMgY29ubmVjdGlvbiB0byB0aGUgcmVz b3VyY2Ugc2VydmVyCgkgIHRlcm1pbmF0ZXMgcHJpb3IgdG8gdGhlIGFjdHVhbCBzZXJ2ZXIgdGhh dCBwcm92aWRlcyB0aGUKCSAgcmVzb3VyY2UuICBUaGlzIGNvdWxkIGxlYXZlIHRoZSB0b2tlbiB1 bnByb3RlY3RlZCBiZXR3ZWVuCgkgIHRoZSBmcm9udCBlbmQgc2VydmVyIHdoZXJlIHRoZSBUTFMg Y29ubmVjdGlvbiB0ZXJtaW5hdGVzIGFuZAoJICB0aGUgYmFjayBlbmQgc2VydmVyIHRoYXQgcHJv dmlkZXMgdGhlIHJlc291cmNlLiAgSW4gc3VjaAoJICBkZXBsb3ltZW50cywgc3VmZmljaWVudCBt ZWFzdXJlcyBNVVNUIGJlIGVtcGxveWVkIHRvIGVuc3VyZQoJICBjb25maWRlbnRpYWxpdHkgb2Yg dGhlIHRva2VuIGJldHdlZW4gdGhlIGZyb250IGVuZCBhbmQKCSAgYmFjayBlbmQgc2VydmVyczsg ZW5jcnlwdGlvbiBvZiB0aGUgdG9rZW4gaXMgb25lIHBvc3NpYmxlCgkgIHN1Y2ggbWVhc3VyZS4K CTwvdD4KCTx0PgoJICBUbyBkZWFsIHdpdGggdG9rZW4gY2FwdHVyZSBhbmQgcmVwbGF5LAoJICB0 aGUgZm9sbG93aW5nIHJlY29tbWVuZGF0aW9ucyBhcmUKCSAgbWFkZTogRmlyc3QsIHRoZSBsaWZl dGltZSBvZiB0aGUgdG9rZW4gTVVTVCBiZSBsaW1pdGVkOwoJICBvbmUgbWVhbnMgb2YgYWNoaWV2 aW5nIHRoaXMgaXMgYnkKCSAgcHV0dGluZyBhIHZhbGlkaXR5IHRpbWUgZmllbGQgaW5zaWRlIHRo ZSBwcm90ZWN0ZWQgcGFydCBvZgoJICB0aGUgdG9rZW4uICBOb3RlIHRoYXQgdXNpbmcgc2hvcnQt bGl2ZWQgKG9uZSBob3VyIG9yIGxlc3MpCgkgIHRva2VucyByZWR1Y2VzIHRoZSBpbXBhY3Qgb2Yg dGhlbSBiZWluZwoJICBsZWFrZWQuICBTZWNvbmQsIGNvbmZpZGVudGlhbGl0eSBwcm90ZWN0aW9u IG9mIHRoZSBleGNoYW5nZXMKCSAgYmV0d2VlbiB0aGUgY2xpZW50IGFuZCB0aGUgYXV0aG9yaXph dGlvbiBzZXJ2ZXIgYW5kIGJldHdlZW4KCSAgdGhlIGNsaWVudCBhbmQgdGhlIHJlc291cmNlIHNl cnZlciBNVVNUIGJlIGFwcGxpZWQuCgkgIEFzIGEKCSAgY29uc2VxdWVuY2UsIG5vIGVhdmVzZHJv cHBlciBhbG9uZyB0aGUgY29tbXVuaWNhdGlvbiBwYXRoIGlzCgkgIGFibGUgdG8gb2JzZXJ2ZSB0 aGUgdG9rZW4gZXhjaGFuZ2UuIENvbnNlcXVlbnRseSwgc3VjaCBhbgoJICBvbi1wYXRoIGFkdmVy c2FyeSBjYW5ub3QgcmVwbGF5IHRoZSB0b2tlbi4KCSAgRnVydGhlcm1vcmUsIHdoZW4KCSAgcHJl c2VudGluZyB0aGUgdG9rZW4gdG8gYSByZXNvdXJjZSBzZXJ2ZXIsIHRoZSBjbGllbnQgTVVTVAoJ ICB2ZXJpZnkgdGhlIGlkZW50aXR5IG9mIHRoYXQgcmVzb3VyY2Ugc2VydmVyLCBhcyBwZXIKCSAg UmVwcmVzZW50YXRpb24gYW5kIFZlcmlmaWNhdGlvbiBvZiBEb21haW4tQmFzZWQgQXBwbGljYXRp b24gU2VydmljZQoJICBJZGVudGl0eSB3aXRoaW4gSW50ZXJuZXQgUHVibGljIEtleSBJbmZyYXN0 cnVjdHVyZSBVc2luZyBYLjUwOSAoUEtJWCkKCSAgQ2VydGlmaWNhdGVzIGluIHRoZSBDb250ZXh0 IG9mIFRyYW5zcG9ydCBMYXllciBTZWN1cml0eSAoVExTKQoJICA8eHJlZiB0YXJnZXQ9IlJGQzYx MjUiIC8+LgoJICBOb3RlIHRoYXQgdGhlCgkgIGNsaWVudCBNVVNUIHZhbGlkYXRlIHRoZSBUTFMg Y2VydGlmaWNhdGUgY2hhaW4gd2hlbiBtYWtpbmcKCSAgdGhlc2UgcmVxdWVzdHMgdG8gcHJvdGVj dGVkIHJlc291cmNlcy4gIFByZXNlbnRpbmcgdGhlIHRva2VuCgkgIHRvIGFuIHVuYXV0aGVudGlj YXRlZCBhbmQgdW5hdXRob3JpemVkIHJlc291cmNlIHNlcnZlciBvcgoJICBmYWlsaW5nIHRvIHZh bGlkYXRlIHRoZSBjZXJ0aWZpY2F0ZSBjaGFpbiB3aWxsIGFsbG93CgkgIGFkdmVyc2FyaWVzIHRv IHN0ZWFsIHRoZSB0b2tlbiBhbmQgZ2FpbiB1bmF1dGhvcml6ZWQgYWNjZXNzCgkgIHRvIHByb3Rl Y3RlZCByZXNvdXJjZXMuCgk8L3Q+CiAgICAgIDwvc2VjdGlvbj4gCiAKICAgICAgPHNlY3Rpb24g dGl0bGU9IlN1bW1hcnkgb2YgUmVjb21tZW5kYXRpb25zIj4KCTx0PgoJICA8bGlzdCBzdHlsZT0i aGFuZ2luZyI+CgkgICAgPHQgaGFuZ1RleHQ9IlNhZmVndWFyZCBiZWFyZXIgdG9rZW5zOiI+Cgkg ICAgICBDbGllbnQgaW1wbGVtZW50YXRpb25zIE1VU1QgZW5zdXJlIHRoYXQgYmVhcmVyIHRva2Vu cwoJICAgICAgYXJlIG5vdCBsZWFrZWQgdG8gdW5pbnRlbmRlZCBwYXJ0aWVzLCBhcyB0aGV5IHdp bGwgYmUKCSAgICAgIGFibGUgdG8gdXNlIHRoZW0gdG8gZ2FpbiBhY2Nlc3MgdG8gcHJvdGVjdGVk IHJlc291cmNlcy4KCSAgICAgIFRoaXMgaXMgdGhlIHByaW1hcnkgc2VjdXJpdHkgY29uc2lkZXJh dGlvbiB3aGVuIHVzaW5nCgkgICAgICBiZWFyZXIgdG9rZW5zIGFuZCB1bmRlcmxpZXMgYWxsIHRo ZSBtb3JlCgkgICAgICBzcGVjaWZpYyByZWNvbW1lbmRhdGlvbnMgdGhhdCBmb2xsb3cuCgkgICAg PC90PgoJICAgIDx0IGhhbmdUZXh0PSJWYWxpZGF0ZSBTU0wgY2VydGlmaWNhdGUgY2hhaW5zOiI+ CgkgICAgICBUaGUgY2xpZW50IE1VU1QgdmFsaWRhdGUgdGhlIFRMUyBjZXJ0aWZpY2F0ZSBjaGFp biB3aGVuCgkgICAgICBtYWtpbmcgcmVxdWVzdHMgdG8gcHJvdGVjdGVkIHJlc291cmNlcy4gIEZh aWxpbmcgdG8gZG8KCSAgICAgIHNvIG1heSBlbmFibGUgRE5TIGhpamFja2luZyBhdHRhY2tzIHRv IHN0ZWFsIHRoZSB0b2tlbgoJICAgICAgYW5kIGdhaW4gdW5pbnRlbmRlZCBhY2Nlc3MuCgkgICAg PC90PgoJICAgIDx0IGhhbmdUZXh0PSJBbHdheXMgdXNlIFRMUyAoaHR0cHMpOiI+CgkgICAgICBD bGllbnRzIE1VU1QgYWx3YXlzIHVzZQoJICAgICAgVExTIDx4cmVmIHRhcmdldD0nUkZDNTI0Nicg Lz4KCSAgICAgIChodHRwcykgb3IgZXF1aXZhbGVudCB0cmFuc3BvcnQgc2VjdXJpdHkgd2hlbiBt YWtpbmcgcmVxdWVzdHMKCSAgICAgIHdpdGggYmVhcmVyIHRva2Vucy4gIEZhaWxpbmcgdG8gZG8g c28gZXhwb3NlcyB0aGUgdG9rZW4KCSAgICAgIHRvIG51bWVyb3VzIGF0dGFja3MgdGhhdCBjb3Vs ZCBnaXZlIGF0dGFja2VycyB1bmludGVuZGVkCgkgICAgICBhY2Nlc3MuCgkgICAgPC90PgoJICAg IDx0IGhhbmdUZXh0PSJEb24ndCBzdG9yZSBiZWFyZXIgdG9rZW5zIGluIGNvb2tpZXM6Ij4KCSAg ICAgIEltcGxlbWVudGF0aW9ucyBNVVNUIE5PVCBzdG9yZSBiZWFyZXIgdG9rZW5zIHdpdGhpbgoJ ICAgICAgY29va2llcyB0aGF0IGNhbiBiZSBzZW50IGluIHRoZSBjbGVhciAod2hpY2ggaXMgdGhl CgkgICAgICBkZWZhdWx0IHRyYW5zbWlzc2lvbiBtb2RlIGZvciBjb29raWVzKS4KCSAgICAgIElt cGxlbWVudGF0aW9ucyB0aGF0IGRvIHN0b3JlIGJlYXJlciB0b2tlbnMgaW4gY29va2llcwoJICAg ICAgTVVTVCB0YWtlIHByZWNhdXRpb25zIGFnYWluc3QgY3Jvc3Mgc2l0ZSByZXF1ZXN0IGZvcmdl cnkuCgkgICAgPC90PgoJICAgIDx0IGhhbmdUZXh0PSJJc3N1ZSBzaG9ydC1saXZlZCBiZWFyZXIg dG9rZW5zOiI+CgkgICAgICBUb2tlbiBzZXJ2ZXJzIFNIT1VMRCBpc3N1ZSBzaG9ydC1saXZlZCAo b25lIGhvdXIgb3IKCSAgICAgIGxlc3MpIGJlYXJlciB0b2tlbnMsIHBhcnRpY3VsYXJseSB3aGVu IGlzc3VpbmcgdG9rZW5zIHRvCgkgICAgICBjbGllbnRzIHRoYXQgcnVuIHdpdGhpbiBhIHdlYiBi cm93c2VyIG9yIG90aGVyCgkgICAgICBlbnZpcm9ubWVudHMgd2hlcmUgaW5mb3JtYXRpb24gbGVh a2FnZSBtYXkgb2NjdXIuICBVc2luZwoJICAgICAgc2hvcnQtbGl2ZWQgYmVhcmVyIHRva2VucyBj YW4gcmVkdWNlIHRoZSBpbXBhY3Qgb2YgdGhlbQoJICAgICAgYmVpbmcgbGVha2VkLgoJICAgIDwv dD4KCSAgICA8dCBoYW5nVGV4dD0iSXNzdWUgc2NvcGVkIGJlYXJlciB0b2tlbnM6Ij4KCSAgICAg IFRva2VuIHNlcnZlcnMgU0hPVUxEIGlzc3VlIGJlYXJlciB0b2tlbnMgdGhhdCBjb250YWluIGFu IGF1ZGllbmNlCgkgICAgICByZXN0cmljdGlvbiwgc2NvcGluZyB0aGVpciB1c2UgdG8gdGhlIGlu dGVuZGVkIHJlbHlpbmcKCSAgICAgIHBhcnR5IG9yIHNldCBvZiByZWx5aW5nIHBhcnRpZXMuCgkg ICAgPC90PgoJICAgIDx0IGhhbmdUZXh0PSJEb24ndCBwYXNzIGJlYXJlciB0b2tlbnMgaW4gcGFn ZSBVUkxzOiI+CgkgICAgICBCZWFyZXIgdG9rZW5zIFNIT1VMRCBOT1QgYmUgcGFzc2VkIGluIHBh Z2UgVVJMcyAoZm9yCgkgICAgICBleGFtcGxlIGFzIHF1ZXJ5IHN0cmluZyBwYXJhbWV0ZXJzKS4g SW5zdGVhZCwgYmVhcmVyCgkgICAgICB0b2tlbnMgU0hPVUxEIGJlIHBhc3NlZCBpbiBIVFRQIG1l c3NhZ2UgaGVhZGVycyBvcgoJICAgICAgbWVzc2FnZSBib2RpZXMgZm9yIHdoaWNoIGNvbmZpZGVu dGlhbGl0eSBtZWFzdXJlcyBhcmUKCSAgICAgIHRha2VuLiBCcm93c2Vycywgd2ViIHNlcnZlcnMs IGFuZCBvdGhlciBzb2Z0d2FyZSBtYXkgbm90CgkgICAgICBhZGVxdWF0ZWx5IHNlY3VyZSBVUkxz IGluIHRoZSBicm93c2VyIGhpc3RvcnksIHdlYgoJICAgICAgc2VydmVyIGxvZ3MsIGFuZCBvdGhl ciBkYXRhIHN0cnVjdHVyZXMuIElmIGJlYXJlciB0b2tlbnMKCSAgICAgIGFyZSBwYXNzZWQgaW4g cGFnZSBVUkxzLCBhdHRhY2tlcnMgbWlnaHQgYmUgYWJsZSB0bwoJICAgICAgc3RlYWwgdGhlbSBm cm9tIHRoZSBoaXN0b3J5IGRhdGEsIGxvZ3MsIG9yIG90aGVyCgkgICAgICB1bnNlY3VyZWQgbG9j YXRpb25zLgoJICAgIDwvdD4KCSAgPC9saXN0PgoJPC90PgogICAgICA8L3NlY3Rpb24+CiAgICA8 L3NlY3Rpb24+CgogICAgPHNlY3Rpb24gdGl0bGU9J0lBTkEgQ29uc2lkZXJhdGlvbnMnPiAgIAoK ICAgICAgPHNlY3Rpb24gdGl0bGU9J09BdXRoIEFjY2VzcyBUb2tlbiBUeXBlIFJlZ2lzdHJhdGlv bic+CiAgICAgICAgPHQ+CiAgICAgICAgICBUaGlzIHNwZWNpZmljYXRpb24gcmVnaXN0ZXJzIHRo ZSBmb2xsb3dpbmcgYWNjZXNzIHRva2VuIHR5cGUgaW4gdGhlIE9BdXRoIEFjY2VzcyBUb2tlbgog ICAgICAgICAgVHlwZSBSZWdpc3RyeS4KICAgICAgICA8L3Q+CgogICAgICAgIDxzZWN0aW9uIHRp dGxlPSdUaGUgIkJlYXJlciIgT0F1dGggQWNjZXNzIFRva2VuIFR5cGUnPgogICAgICAgICAgPHQ+ CiAgICAgICAgICAgIDxsaXN0IHN0eWxlPSdoYW5naW5nJz4KICAgICAgICAgICAgICA8dCBoYW5n VGV4dD0nVHlwZSBuYW1lOic+CiAgICAgICAgICAgICAgICA8dnNwYWNlIC8+CiAgICAgICAgICAg ICAgICBCZWFyZXIKICAgICAgICAgICAgICA8L3Q+CiAgICAgICAgICAgICAgPHQgaGFuZ1RleHQ9 J0FkZGl0aW9uYWwgVG9rZW4gRW5kcG9pbnQgUmVzcG9uc2UgUGFyYW1ldGVyczonPgogICAgICAg ICAgICAgICAgPHZzcGFjZSAvPgogICAgICAgICAgICAgICAgKG5vbmUpCiAgICAgICAgICAgICAg PC90PgogICAgICAgICAgICAgIDx0IGhhbmdUZXh0PSdIVFRQIEF1dGhlbnRpY2F0aW9uIFNjaGVt ZShzKTonPgogICAgICAgICAgICAgICAgPHZzcGFjZSAvPgogICAgICAgICAgICAgICAgQmVhcmVy CiAgICAgICAgICAgICAgPC90PgogICAgICAgICAgICAgIDx0IGhhbmdUZXh0PSdDaGFuZ2UgY29u dHJvbGxlcjonPgogICAgICAgICAgICAgICAgPHZzcGFjZSAvPgogICAgICAgICAgICAgICAgSUVU RgogICAgICAgICAgICAgIDwvdD4KICAgICAgICAgICAgICA8dCBoYW5nVGV4dD0nU3BlY2lmaWNh dGlvbiBkb2N1bWVudChzKTonPgogICAgICAgICAgICAgICAgPHZzcGFjZSAvPgogICAgICAgICAg ICAgICAgW1sgdGhpcyBkb2N1bWVudCBdXQogICAgICAgICAgICAgIDwvdD4KICAgICAgICAgICAg PC9saXN0PgogICAgICAgICAgPC90PgogICAgICAgIDwvc2VjdGlvbj4KICAgICAgPC9zZWN0aW9u PgoKICAgICAgPHNlY3Rpb24gdGl0bGU9J0F1dGhlbnRpY2F0aW9uIFNjaGVtZSBSZWdpc3RyYXRp b24nPgogICAgICAgIDx0PgogICAgICAgICAgVGhpcyBzcGVjaWZpY2F0aW9uIHJlZ2lzdGVycyB0 aGUgZm9sbG93aW5nIGF1dGhlbnRpY2F0aW9uCiAgICAgICAgICBzY2hlbWUgaW4gdGhlIEF1dGhl bnRpY2F0aW9uIFNjaGVtZSBSZWdpc3RyeSBkZWZpbmVkIGluCiAgICAgICAgICBIVFRQLzEuMSwg UGFydCA3IDx4cmVmIHRhcmdldD0nSS1ELmlldGYtaHR0cGJpcy1wNy1hdXRoJyAvPi4KICAgICAg ICA8L3Q+CgogICAgICAgIDxzZWN0aW9uIHRpdGxlPSdUaGUgIkJlYXJlciIgQXV0aGVudGljYXRp b24gU2NoZW1lJz4KICAgICAgICAgIDx0PgogICAgICAgICAgICA8bGlzdCBzdHlsZT0naGFuZ2lu Zyc+CiAgICAgICAgICAgICAgPHQgaGFuZ1RleHQ9J0F1dGhlbnRpY2F0aW9uIFNjaGVtZSBOYW1l Oic+CiAgICAgICAgICAgICAgICA8dnNwYWNlIC8+CiAgICAgICAgICAgICAgICBCZWFyZXIKICAg ICAgICAgICAgICA8L3Q+CiAgICAgICAgICAgICAgPHQgaGFuZ1RleHQ9J1BvaW50ZXIgdG8gc3Bl Y2lmaWNhdGlvbiB0ZXh0Oic+CiAgICAgICAgICAgICAgICA8dnNwYWNlIC8+CiAgICAgICAgICAg ICAgICBbWyB0aGlzIGRvY3VtZW50IF1dCiAgICAgICAgICAgICAgPC90PgogICAgICAgICAgICAg IDx0IGhhbmdUZXh0PSdOb3RlcyAob3B0aW9uYWwpOic+CiAgICAgICAgICAgICAgICA8dnNwYWNl IC8+CiAgICAgICAgICAgICAgICAobm9uZSkKICAgICAgICAgICAgICA8L3Q+CiAgICAgICAgICAg IDwvbGlzdD4KICAgICAgICAgIDwvdD4KICAgICAgICA8L3NlY3Rpb24+CiAgICAgIDwvc2VjdGlv bj4KCiAgICA8L3NlY3Rpb24+IAoKICA8L21pZGRsZT4KCiAgPGJhY2s+CgogICAgPHJlZmVyZW5j ZXMgdGl0bGU9J05vcm1hdGl2ZSBSZWZlcmVuY2VzJz4KCiAgICAgIDw/cmZjIGluY2x1ZGU9J2h0 dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvYmlieG1sL3JlZmVyZW5jZS5SRkMuMjEx OS54bWwnID8+CiAgICAgIDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1 YmxpYy9yZmMvYmlieG1sL3JlZmVyZW5jZS5SRkMuMjI0Ni54bWwnID8+CiAgICAgIDw/cmZjIGlu Y2x1ZGU9J2h0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvYmlieG1sL3JlZmVyZW5j ZS5SRkMuMzk4Ni54bWwnID8+CiAgICAgIDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94bWwucmVzb3Vy Y2Uub3JnL3B1YmxpYy9yZmMvYmlieG1sL3JlZmVyZW5jZS5SRkMuNTIzNC54bWwnID8+CiAgICAg IDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvYmlieG1s L3JlZmVyZW5jZS5SRkMuNTI0Ni54bWwnID8+CiAgICAgIDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94 bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvYmlieG1sL3JlZmVyZW5jZS5SRkMuNjEyNS54bWwn ID8+CiAgICAgIDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9y ZmMvYmlieG1sNC9yZWZlcmVuY2UuVzNDLlJFQy1odG1sNDAxLTE5OTkxMjI0LnhtbCcgPz4KCiAg ICAgIDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9yZmMvYmli eG1sMy9yZWZlcmVuY2UuSS1ELmRyYWZ0LWlldGYtaHR0cGJpcy1wMS1tZXNzYWdpbmctMTcueG1s Jz8+CiAgICAgIDw/cmZjIGluY2x1ZGU9J2h0dHA6Ly94bWwucmVzb3VyY2Uub3JnL3B1YmxpYy9y ZmMvYmlieG1sMy9yZWZlcmVuY2UuSS1ELmRyYWZ0LWlldGYtaHR0cGJpcy1wNy1hdXRoLTE3Lnht bCc/PgogICAgICA8P3JmYyBpbmNsdWRlPSdodHRwOi8veG1sLnJlc291cmNlLm9yZy9wdWJsaWMv cmZjL2JpYnhtbDMvcmVmZXJlbmNlLkktRC5kcmFmdC1pZXRmLW9hdXRoLXYyLTIyLnhtbCcgPz4K CiAgICA8L3JlZmVyZW5jZXM+CgogICAgPHJlZmVyZW5jZXMgdGl0bGU9IkluZm9ybWF0aXZlIFJl ZmVyZW5jZXMiPgoKICAgICAgPD9yZmMgaW5jbHVkZT0naHR0cDovL3htbC5yZXNvdXJjZS5vcmcv cHVibGljL3JmYy9iaWJ4bWwvcmVmZXJlbmNlLlJGQy4yNjE2LnhtbCcgPz4KICAgICAgPD9yZmMg aW5jbHVkZT0naHR0cDovL3htbC5yZXNvdXJjZS5vcmcvcHVibGljL3JmYy9iaWJ4bWwvcmVmZXJl bmNlLlJGQy4yNjE3LnhtbCcgPz4KCiAgICAgIDxyZWZlcmVuY2UgYW5jaG9yPSJOSVNUODAwLTYz Ij4KICAgICAgICA8ZnJvbnQ+CiAgICAgICAgICA8dGl0bGU+TklTVCBTcGVjaWFsIFB1YmxpY2F0 aW9uIDgwMC02My0xLCBJTkZPUk1BVElPTiBTRUNVUklUWTwvdGl0bGU+CiAgICAgICAgICA8YXV0 aG9yIGZ1bGxuYW1lPSJXaWxsaWFtIEUuIEJ1cnIiIGluaXRpYWxzPSJXLiIgc3VybmFtZT0iQnVy ciI+CiAgICAgICAgICAgIDxvcmdhbml6YXRpb24+TklTVDwvb3JnYW5pemF0aW9uPgogICAgICAg ICAgPC9hdXRob3I+CiAgICAgICAgICA8YXV0aG9yIGZ1bGxuYW1lPSJEb25uYSBGLiBEb2Rzb24i IGluaXRpYWxzPSJELiIgc3VybmFtZT0iRG9kc29uIj4KICAgICAgICAgICAgPG9yZ2FuaXphdGlv bj5OSVNUPC9vcmdhbml6YXRpb24+CiAgICAgICAgICA8L2F1dGhvcj4KICAgICAgICAgIDxhdXRo b3IgZnVsbG5hbWU9IlJheSBBLiBQZXJsbmVyIiBpbml0aWFscz0iUi4iIHN1cm5hbWU9IlBlcmxu ZXIiPgogICAgICAgICAgICA8b3JnYW5pemF0aW9uPk5JU1Q8L29yZ2FuaXphdGlvbj4KICAgICAg ICAgIDwvYXV0aG9yPgogICAgICAgICAgPGF1dGhvciBmdWxsbmFtZT0iVy4gVGltb3RoeSBQb2xr IiBpbml0aWFscz0iVC4iIHN1cm5hbWU9IlBvbGsiPgogICAgICAgICAgICA8b3JnYW5pemF0aW9u Pk5JU1Q8L29yZ2FuaXphdGlvbj4KICAgICAgICAgIDwvYXV0aG9yPgogICAgICAgICAgPGF1dGhv ciBmdWxsbmFtZT0iU2FyYmFyaSBHdXB0YSIgaW5pdGlhbHM9IlMuIiBzdXJuYW1lPSJHdXB0YSI+ CiAgICAgICAgICAgIDxvcmdhbml6YXRpb24+TklTVDwvb3JnYW5pemF0aW9uPgogICAgICAgICAg PC9hdXRob3I+CiAgICAgICAgICA8YXV0aG9yIGZ1bGxuYW1lPSJFbWFkIEEuIE5hYmJ1cyIgaW5p dGlhbHM9IkUuIiBzdXJuYW1lPSJOYWJidXMiPgogICAgICAgICAgICA8b3JnYW5pemF0aW9uPk5J U1Q8L29yZ2FuaXphdGlvbj4KICAgICAgICAgIDwvYXV0aG9yPgogICAgICAgICAgPGRhdGUgbW9u dGg9IkRlY2VtYmVyIiB5ZWFyPSIyMDA4Ii8+CiAgICAgICAgPC9mcm9udD4KICAgICAgICA8Zm9y bWF0IHRhcmdldD0iaHR0cDovL2NzcmMubmlzdC5nb3YvcHVibGljYXRpb25zL1B1YnNEcmFmdHMu aHRtbCNTUC04MDAtNjMtUmV2LiUyMDEiIHR5cGU9IkhUTUwiLz4KICAgICAgPC9yZWZlcmVuY2U+ CgogICAgPC9yZWZlcmVuY2VzPiAKCiAgICA8c2VjdGlvbiB0aXRsZT0nQWNrbm93bGVkZ2VtZW50 cyc+CiAgICAgIDx0PgogICAgICAgIFRoZSBmb2xsb3dpbmcgcGVvcGxlIGNvbnRyaWJ1dGVkIHRv IHByZWxpbWluYXJ5IHZlcnNpb25zIG9mIHRoaXMgZG9jdW1lbnQ6CiAgICAgICAgQmxhaW5lIENv b2sgKEJUKSwgQnJpYW4gRWF0b24gKEdvb2dsZSksIFlhcm9uIFkuIEdvbGFuZCAoTWljcm9zb2Z0 KSwgQnJlbnQgR29sZG1hbiAoRmFjZWJvb2spLAogICAgICAgIFJhZmZpIEtyaWtvcmlhbiAoVHdp dHRlciksIEx1a2UgU2hlcGFyZCAoRmFjZWJvb2spLCBhbmQgQWxsZW4gVG9tIChZYWhvbyEpLiBU aGUgY29udGVudCBhbmQKICAgICAgICBjb25jZXB0cyB3aXRoaW4gYXJlIGEgcHJvZHVjdCBvZiB0 aGUgT0F1dGggY29tbXVuaXR5LCB0aGUgV1JBUCBjb21tdW5pdHksIGFuZCB0aGUgT0F1dGggV29y a2luZwogICAgICAgIEdyb3VwLgogICAgICA8L3Q+CiAgICAgIDx0PgogICAgICAgIFRoZSBPQXV0 aCBXb3JraW5nIEdyb3VwIGhhcyBkb3plbnMgb2YgdmVyeSBhY3RpdmUgY29udHJpYnV0b3JzIHdo byBwcm9wb3NlZCBpZGVhcyBhbmQKICAgICAgICB3b3JkaW5nIGZvciB0aGlzIGRvY3VtZW50LCBp bmNsdWRpbmc6CglNaWNoYWVsIEFkYW1zLCBBbWFuZGEgQW5nYW5lcywgQW5kcmV3IEFybm90dCwg RGlyayBCYWxmYW56LAoJSm9obiBCcmFkbGV5LCBCcmlhbiBDYW1wYmVsbCwgTGVhaCBDdWx2ZXIs IEJpbGwgZGUgaMOTcmEsCglCcmlhbiBFbGxpbiwgSWdvciBGYXluYmVyZywgU3RlcGhlbiBGYXJy ZWxsLCBHZW9yZ2UgRmxldGNoZXIsCglUaW0gRnJlZW1hbiwgRXZhbiBHaWxiZXJ0LCBZYXJvbiBZ LiBHb2xhbmQsIFRob21hcyBIYXJkam9ubywKCUp1c3RpbiBIYXJ0LCBQaGlsIEh1bnQsIEpvaG4g S2VtcCwgRXJhbiBIYW1tZXItTGFoYXYsCglDaGFzZW4gTGUgSGFyYSwgQmFycnkgTGVpYmEsIE1p Y2hhZWwgQi4gSm9uZXMsCglUb3JzdGVuIExvZGRlcnN0ZWR0LCBFdmUgTWFsZXIsIEphbWVzIE1h bmdlciwgTGF1cmVuY2UgTWlhbywKCVdpbGxpYW0gSi4gTWlsbHMsIENodWNrIE1vcnRpbW9yZSwg QW50aG9ueSBOYWRhbGluLAoJSnVsaWFuIFJlc2Noa2UsIEp1c3RpbiBSaWNoZXIsIFBldGVyIFNh aW50LUFuZHJlLCBOYXQgU2FraW11cmEsCglSb2IgU2F5cmUsIE1hcml1cyBTY3VydGVzY3UsIE5h aXRpayBTaGFoLCBKdXN0aW4gU21pdGgsCglKZXJlbXkgU3VyaWVsLCBDaHJpc3RpYW4gU3TDvGJu ZXIsIFBhdWwgVGFyamFuLAoJSGFubmVzIFRzY2hvZmVuaWcsIEZyYW5rbGluIFRzZSwgYW5kIFNo YW5lIFdlZWRlbi4KICAgICAgPC90PgogICAgPC9zZWN0aW9uPgoKICAgIDxzZWN0aW9uIHRpdGxl PSdEb2N1bWVudCBIaXN0b3J5Jz4KICAgICAgPHQ+CiAgICAgICAgW1sgdG8gYmUgcmVtb3ZlZCBi eSB0aGUgUkZDIGVkaXRvciBiZWZvcmUgcHVibGljYXRpb24gYXMgYW4gUkZDIF1dCiAgICAgIDwv dD4KICAgICAgPHQ+CiAgICAgICAgLTE1CiAgICAgICAgPGxpc3Qgc3R5bGU9J3N5bWJvbHMnPgoJ ICA8dD4KCSAgICBDbGFyaWZpZWQgdGhhdCBmb3JtLWVuY29kZWQgY29udGVudCBtdXN0IGNvbnNp c3QgZW50aXJlbHkKCSAgICBvZiBBU0NJSSBjaGFyYWN0ZXJzLgoJICA8L3Q+CgkgIDx0PgoJICAg IEFkZGVkIFRMUyB2ZXJzaW9uIHJlcXVpcmVtZW50cy4KCSAgPC90PgoJICA8dD4KCSAgICBBcHBs aWVkIGVkaXRvcmlhbCBpbXByb3ZlbWVudHMgc3VnZ2VzdGVkIGJ5IE1hcmsKCSAgICBOb3R0aW5n aGFtIGR1cmluZyB0aGUgQVBQUyBhcmVhIHJldmlldy4KCSAgPC90PgogICAgICAgIDwvbGlzdD4K ICAgICAgPC90PgogICAgICA8dD4KICAgICAgICAtMTQKICAgICAgICA8bGlzdCBzdHlsZT0nc3lt Ym9scyc+CgkgIDx0PgoJICAgIENoYW5nZXMgbWFkZSBpbiByZXNwb25zZSB0byByZXZpZXcgY29t bWVudHMgYnkgU2VjdXJpdHkKCSAgICBBcmVhIERpcmVjdG9yIFN0ZXBoZW4gRmFycmVsbC4gIFNw ZWNpZmljYWxseToKCSAgPC90PgoJICA8dD4KCSAgICBTdHJlbmd0aGVuZWQgd2FybmluZ3MgYWJv dXQgcGFzc2luZyBhbiBhY2Nlc3MgdG9rZW4gYXMgYQoJICAgIHF1ZXJ5IHBhcmFtZXRlciBhbmQg bW9yZSBwcmVjaXNlbHkgZGVzY3JpYmVkIHRoZQoJICAgIGxpbWl0YXRpb25zIHBsYWNlZCB1cG9u IHRoZSB1c2Ugb2YgdGhpcyBtZXRob2QuCgkgIDwvdD4KCSAgPHQ+CgkgICAgQ2xhcmlmaWVkIHRo YXQgdGhlIDxzcGFueCBzdHlsZT0ndmVyYic+cmVhbG08L3NwYW54PgoJICAgIGF0dHJpYnV0ZSBN QVkgaW5jbHVkZWQgdG8gaW5kaWNhdGUgdGhlIHNjb3BlIG9mIHByb3RlY3Rpb24KCSAgICBpbiB0 aGUgbWFubmVyIGRlc2NyaWJlZCBpbgoJICAgIEhUVFAvMS4xLCBQYXJ0IDcgPHhyZWYgdGFyZ2V0 PSdJLUQuaWV0Zi1odHRwYmlzLXA3LWF1dGgnIC8+LgoJICA8L3Q+CgkgIDx0PgoJICAgIE5vcm1h dGl2ZWx5IHN0YXRlZCB0aGF0ICJ0aGUgdG9rZW4gaW50ZWdyaXR5IHByb3RlY3Rpb24KCSAgICBN VVNUIGJlIHN1ZmZpY2llbnQgdG8gcHJldmVudCB0aGUgdG9rZW4gZnJvbSBiZWluZwoJICAgIG1v ZGlmaWVkIi4KCSAgPC90PgoJICA8dD4KCSAgICBBZGRlZCBzdGF0ZW1lbnQgdGhhdCAiVExTIGlz IG1hbmRhdG9yeSB0byBpbXBsZW1lbnQgYW5kCgkgICAgdXNlIHdpdGggdGhpcyBzcGVjaWZpY2F0 aW9uIiB0byB0aGUgaW50cm9kdWN0aW9uLgoJICA8L3Q+CgkgIDx0PgoJICAgIFN0YXRlZCB0aGF0 IFRMUyBNVVNUIGJlIHVzZWQgd2l0aCAiYSBjaXBoZXJzdWl0ZSB0aGF0CgkgICAgcHJvdmlkZXMg Y29uZmlkZW50aWFsaXR5IGFuZCBpbnRlZ3JpdHkgcHJvdGVjdGlvbiIuCgkgIDwvdD4KCSAgPHQ+ CgkgICAgQWRkZWQgIkFzIGEgZnVydGhlciBkZWZlbnNlIGFnYWluc3QgdG9rZW4gZGlzY2xvc3Vy ZSwgdGhlCgkgICAgY2xpZW50IE1VU1QgdmFsaWRhdGUgdGhlIFRMUyBjZXJ0aWZpY2F0ZSBjaGFp biB3aGVuIG1ha2luZwoJICAgIHJlcXVlc3RzIHRvIHByb3RlY3RlZCByZXNvdXJjZXMiIHRvIHRo ZSBUaHJlYXQgTWl0aWdhdGlvbgoJICAgIHNlY3Rpb24uCgkgIDwvdD4KCSAgPHQ+CgkgICAgQ2xh cmlmaWVkIHRoYXQgcHV0dGluZyBhIHZhbGlkaXR5IHRpbWUgZmllbGQgaW5zaWRlIHRoZQoJICAg IHByb3RlY3RlZCBwYXJ0IG9mIHRoZSB0b2tlbiBpcyBvbmUgbWVhbnMsIGJ1dCBub3QgdGhlIG9u bHkKCSAgICBtZWFucywgb2YgbGltaXRpbmcgdGhlIGxpZmV0aW1lIG9mIHRoZSB0b2tlbi4KCSAg PC90PgoJICA8dD4KCSAgICBEcm9wcGVkIHRoZSBjb25mdXNpbmcgcGhyYXNlICJmb3IgaW5zdGFu Y2UsIHRocm91Z2ggdGhlCgkgICAgdXNlIG9mIFRMUyIgZnJvbSB0aGUgc2VudGVuY2UgYWJvdXQg Y29uZmlkZW50aWFsaXR5CgkgICAgcHJvdGVjdGlvbiBvZiB0aGUgZXhjaGFuZ2VzLgoJICA8L3Q+ CgkgIDx0PgoJICAgIFJlZmVyZW5jZSBSRkMgNjEyNSBmb3IgaWRlbnRpdHkgdmVyaWZpY2F0aW9u LCByYXRoZXIgdGhhbgoJICAgIFJGQyAyODE4LgoJICA8L3Q+CgkgIDx0PgoJICAgIFN0YXRlZCB0 aGF0IHRoZSB0b2tlbiBNVVNUIGJlIHByb3RlY3RlZCBiZXR3ZWVuIGZyb250IGVuZAoJICAgIGFu ZCBiYWNrIGVuZCBzZXJ2ZXJzIHdoZW4gdGhlIFRMUyBjb25uZWN0aW9uIHRlcm1pbmF0ZXMgYXQK CSAgICBhIGZyb250IGVuZCBzZXJ2ZXIgdGhhdCBpcyBkaXN0aW5jdCBmcm9tIHRoZSBhY3R1YWwg c2VydmVyCgkgICAgdGhhdCBwcm92aWRlcyB0aGUgcmVzb3VyY2UuCgkgIDwvdD4KCSAgPHQ+Cgkg ICAgU3RhdGVkIHRoYXQgYmVhcmVyIHRva2VucyBNVVNUIG5vdCBiZSBzdG9yZWQgaW4gY29va2ll cwoJICAgIHRoYXQgY2FuIGJlIHNlbnQgaW4gdGhlIGNsZWFyIGluIHRoZSBUaHJlYXQgTWl0aWdh dGlvbgoJICAgIHNlY3Rpb24uCgkgIDwvdD4KCSAgPHQ+CgkgICAgUmVwbGFjZWQgc29sZSByZW1h aW5pbmcgcmVmZXJlbmNlIHRvIDx4cmVmIHRhcmdldD0nUkZDMjYxNicgLz4gd2l0aAoJICAgIEhU VFBiaXMgPHhyZWYgdGFyZ2V0PSdJLUQuaWV0Zi1odHRwYmlzLXAxLW1lc3NhZ2luZycgLz4KCSAg ICByZWZlcmVuY2UuCgkgIDwvdD4KCSAgPHQ+CgkgICAgUmVwbGFjZWQgYWxsIHJlZmVyZW5jZXMg d2hlcmUgdGhlIHJlZmVyZW5jZSBpcyB1c2VkIGFzIGlmCgkgICAgaXQgd2VyZSBwYXJ0IG9mIHRo ZSBzZW50ZW5jZSAoc3VjaCBhcyAiZGVmaW5lZCBieQoJICAgIFtJLUQud2hhdGV2ZXJdIikgd2l0 aCBvbmVzIHdoZXJlIHRoZSBzcGVjaWZpY2F0aW9uIG5hbWUgaXMKCSAgICB1c2VkLCBmb2xsb3dl ZCBieSB0aGUgcmVmZXJlbmNlIChzdWNoIGFzICJkZWZpbmVkIGJ5CgkgICAgV2hhdGV2ZXIgW0kt RC53aGF0ZXZlcl0iKS4KCSAgPC90PgoJICA8dD4KCSAgICBPdGhlciBvbi1ub3JtYXRpdmUgZWRp dG9yaWFsIGltcHJvdmVtZW50cy4KCSAgPC90PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90Pgog ICAgICA8dD4KICAgICAgICAtMTMKICAgICAgICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CgkgIDx0 PgoJICAgIEF0IHRoZSByZXF1ZXN0IG9mIEhhbm5lcyBUc2Nob2ZlbmlnLCBtYWRlIEFCTkYgY2hh bmdlcyB0bwoJICAgIG1ha2UgaXQgY2xlYXIgdGhhdCBubyBzcGVjaWFsIFdXVy1BdXRoZW50aWNh dGUgcmVzcG9uc2UKCSAgICBoZWFkZXIgZmllbGQgcGFyc2VycyBhcmUgbmVlZGVkLiAgVGhlIDxz cGFueAoJICAgIHN0eWxlPSd2ZXJiJz5zY29wZTwvc3Bhbng+LCA8c3BhbngKCSAgICBzdHlsZT0n dmVyYic+ZXJyb3ItZGVzY3JpcHRpb248L3NwYW54PiwgYW5kIDxzcGFueAoJICAgIHN0eWxlPSd2 ZXJiJz5lcnJvci11cmk8L3NwYW54PiBwYXJhbWV0ZXJzIGFyZSBhbGwgbm93CgkgICAgZGVmaW5l ZCBhcyBxdW90ZWQtc3RyaW5nIGluIHRoZSBBQk5GIChhcyA8c3BhbngKCSAgICBzdHlsZT0ndmVy Yic+ZXJyb3I8L3NwYW54PiBhbHJlYWR5IHdhcykuICBSZXN0cmljdGlvbnMgb24KCSAgICB0aGVz ZSB2YWx1ZXMgdGhhdCB3ZXJlIGZvcm1lcmx5IGRlc2NyaWJlZCBpbiB0aGUgQUJORnMgYXJlCgkg ICAgbm93IGRlc2NyaWJlZCBpbiBub3JtYXRpdmUgdGV4dCBpbnN0ZWFkLgoJICA8L3Q+CiAgICAg ICAgPC9saXN0PgogICAgICA8L3Q+CiAgICAgIDx0PgogICAgICAgIC0xMgogICAgICAgIDxsaXN0 IHN0eWxlPSdzeW1ib2xzJz4KCSAgPHQ+CgkgICAgTWFkZSBub24tbm9ybWF0aXZlIGVkaXRvcmlh bCBjaGFuZ2VzIHRoYXQgSGFubmVzCgkgICAgVHNjaG9mZW5pZyByZXF1ZXN0ZWQgYmUgYXBwbGll ZCBwcmlvciB0byBmb3J3YXJkaW5nIHRoZQoJICAgIHNwZWNpZmljYXRpb24gdG8gdGhlIElFU0cu CgkgIDwvdD4KCSAgPHQ+CgkgICAgQWRkZWQgcmF0aW9uYWxlIGZvciB0aGUgY2hvaWNlIG9mIHRo ZSBiNjR0b2tlbiBzeW50YXguCgkgIDwvdD4KCSAgPHQ+CgkgICAgQWRkZWQgcmF0aW9uYWxlIHN0 YXRpbmcgdGhhdCByZWNlaXZlcnMgYXJlIGZyZWUgdG8gcGFyc2UKCSAgICB0aGUgPHNwYW54IHN0 eWxlPSd2ZXJiJz5zY29wZTwvc3Bhbng+IGF0dHJpYnV0ZSB1c2luZyBhCgkgICAgc3RhbmRhcmQg cXVvdGVkLXN0cmluZyBwYXJzZXIsIHNpbmNlIGl0IHdpbGwgY29ycmVjdGx5CgkgICAgcHJvY2Vz cyBhbGwgbGVnYWwgPHNwYW54IHN0eWxlPSd2ZXJiJz5zY29wZTwvc3Bhbng+CgkgICAgdmFsdWVz LgoJICA8L3Q+CgkgIDx0PgoJICAgIEFkZGVkIGFkZGl0aW9uYWwgYWN0aXZlIHdvcmtpbmcgZ3Jv dXAgY29udHJpYnV0b3JzIHRvIHRoZQoJICAgIEFja25vd2xlZGdlbWVudHMgc2VjdGlvbi4KCSAg PC90PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90PgogICAgICA8dD4KICAgICAgICAtMTEKICAg ICAgICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CgkgIDx0PgoJICAgIFJlcGxhY2VkIHVzZXMgb2Yg Jmx0OyImZ3Q7IHdpdGggRFFVT1RFIHRvIHBhc3MgQUJORiBzeW50YXggY2hlY2suCgkgIDwvdD4K ICAgICAgICA8L2xpc3Q+CiAgICAgIDwvdD4KICAgICAgPHQ+CiAgICAgICAgLTEwCiAgICAgICAg PGxpc3Qgc3R5bGU9J3N5bWJvbHMnPgoJICA8dD4KCSAgICBSZW1vdmVkIHRoZSAjYXV0aC1wYXJh bSBvcHRpb24gZnJvbSBBdXRob3JpemF0aW9uIGhlYWRlcgoJICAgIHN5bnRheCAobGVhdmluZyBv bmx5IHRoZSBiNjR0b2tlbiBzeW50YXgpLgoJICA8L3Q+CgkgIDx0PgoJICAgIFJlc3RyaWN0ZWQg dGhlIDxzcGFueCBzdHlsZT0ndmVyYic+c2NvcGU8L3NwYW54PiB2YWx1ZQoJICAgIGNoYXJhY3Rl ciBzZXQgdG8gJXgyMSAvICV4MjMtNUIgLyAleDVELTdFIChwcmludGFibGUgQVNDSUkKCSAgICBj aGFyYWN0ZXJzIGV4Y2x1ZGluZyBkb3VibGUtcXVvdGUgYW5kIGJhY2tzbGFzaCkuCgkgICAgSW5k aWNhdGVkIHRoYXQgc2NvcGUgaXMgaW50ZW5kZWQgZm9yIHByb2dyYW1tYXRpYyB1c2UgYW5kCgkg ICAgaXMgbm90IG1lYW50IHRvIGJlIGRpc3BsYXllZCB0byBlbmQgdXNlcnMuCgkgIDwvdD4KCSAg PHQ+CgkgICAgUmVzdHJpY3RlZCB0aGUgY2hhcmFjdGVyIHNldCBmb3IgPHNwYW54CgkgICAgc3R5 bGU9J3ZlcmInPmVycm9yX2Rlc2NyaXB0aW9uPC9zcGFueD4gc3RyaW5ncyB0byBTUCAvCgkgICAg VkNIQVIgYW5kIGluZGljYXRlZCB0aGF0IHRoZXkgYXJlIG5vdCBtZWFudCB0byBiZQoJICAgIGRp c3BsYXllZCB0byBlbmQgdXNlcnMuCgkgIDwvdD4KCSAgPHQ+CgkgICAgSW5jbHVkZWQgbW9yZSBk ZXNjcmlwdGlvbiBpbiB0aGUgQWJzdHJhY3QsIHNpbmNlIEhhbm5lcwoJICAgIFRzY2hvZmVuaWcg aW5kaWNhdGVkIHRoYXQgdGhlIFJGQyBlZGl0b3Igd291bGQgcmVxdWlyZQoJICAgIHRoaXMuCgkg IDwvdD4KICAgICAgICAgIDx0PgogICAgICAgICAgICBDaGFuZ2VkICJBY2Nlc3MgR3JhbnQiIHRv ICJBdXRob3JpemF0aW9uIEdyYW50IiwgYXMgd2FzCiAgICAgICAgICAgIGRvbmUgaW4gdGhlIGNv cmUgc3BlYy4KCSAgPC90PgoJICA8dD4KCSAgICBTaW1wbGlmaWVkIHRoZSBpbnRyb2R1Y3Rpb24g dG8gdGhlIEF1dGhlbnRpY2F0ZWQgUmVxdWVzdHMKCSAgICBzZWN0aW9uLgoJICA8L3Q+CiAgICAg ICAgPC9saXN0PgogICAgICA8L3Q+CiAgICAgIDx0PgogICAgICAgIC0wOQogICAgICAgIDxsaXN0 IHN0eWxlPSdzeW1ib2xzJz4KICAgICAgICAgIDx0PgogICAgICAgICAgICBJbmNvcnBvcmF0ZWQg d29ya2luZyBncm91cCBsYXN0IGNhbGwgY29tbWVudHMuICBTcGVjaWZpYyBjaGFuZ2VzIHdlcmU6 CgkgIDwvdD4KCSAgPHQ+CgkgICAgVXNlIGRlZmluaXRpb25zIGZyb20gPHhyZWYKCSAgICB0YXJn ZXQ9J0ktRC5pZXRmLWh0dHBiaXMtcDctYXV0aCcgLz4gcmF0aGVyIHRoYW4gPHhyZWYKCSAgICB0 YXJnZXQ9J1JGQzI2MTcnIC8+LgoJICA8L3Q+CgkgIDx0PgoJICAgIFVwZGF0ZSBjcmVkZW50aWFs cyBkZWZpbml0aW9uIHRvIGNvbmZvcm0gdG8gPHhyZWYKCSAgICB0YXJnZXQ9J0ktRC5pZXRmLWh0 dHBiaXMtcDctYXV0aCcgLz4uCgkgIDwvdD4KCSAgPHQ+CgkgICAgRnVydGhlciBjbGFyaWZpZWQg dGhhdCBxdWVyeSBwYXJhbWV0ZXJzIG1heSBvY2N1ciBpbiBhbnkgb3JkZXIuCgkgIDwvdD4KCSAg PHQ+CgkgICAgU3BlY2lmeSB0aGF0IGVycm9yX2Rlc2NyaXB0aW9uIGlzIFVURi04IGVuY29kZWQK CSAgICAobWF0Y2hpbmcgdGhlIGNvcmUgc3BlY2lmaWNhdGlvbikuCgkgIDwvdD4KCSAgPHQ+Cgkg ICAgUmVnaXN0ZXJlZCAiQmVhcmVyIiBBdXRoZW50aWNhdGlvbiBTY2hlbWUgaW4KCSAgICBBdXRo ZW50aWNhdGlvbiBTY2hlbWUgUmVnaXN0cnkgZGVmaW5lZCBieQoJICAgIDx4cmVmIHRhcmdldD0n SS1ELmlldGYtaHR0cGJpcy1wNy1hdXRoJyAvPi4KCSAgPC90PgogICAgICAgICAgPHQ+CiAgICAg ICAgICAgIFVwZGF0ZWQgcmVmZXJlbmNlcyB0byBvYXV0aC12MiwgaHR0cGJpcy1wMS1tZXNzYWdp bmcsIGFuZAogICAgICAgICAgICBodHRwYmlzLXA3LWF1dGggZHJhZnRzLgoJICA8L3Q+CgkgIDx0 PgoJICAgIE90aGVyIHdvcmRpbmcgaW1wcm92ZW1lbnRzIG5vdCBpbnRyb2R1Y2luZyBub3JtYXRp dmUgY2hhbmdlcy4KCSAgPC90PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90PgogICAgICA8dD4K ICAgICAgICAtMDgKICAgICAgICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CiAgICAgICAgICA8dD4K ICAgICAgICAgICAgVXBkYXRlZCByZWZlcmVuY2VzIHRvIG9hdXRoLXYyIGFuZCBIVFRQYmlzIGRy YWZ0cy4KCSAgPC90PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90PgogICAgICA8dD4KICAgICAg ICAtMDcKICAgICAgICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CiAgICAgICAgICA8dD4KICAgICAg ICAgICAgQWRkZWQgbWlzc2luZyBjb21tYSBpbiBlcnJvciByZXNwb25zZSBleGFtcGxlLgoJICA8 L3Q+CiAgICAgICAgPC9saXN0PgogICAgICA8L3Q+CiAgICAgIDx0PgogICAgICAgIC0wNgogICAg ICAgIDxsaXN0IHN0eWxlPSdzeW1ib2xzJz4KICAgICAgICAgIDx0PgogICAgICAgICAgICBDaGFu Z2VkIHBhcmFtZXRlciBuYW1lIDxzcGFueAogICAgICAgICAgICBzdHlsZT0idmVyYiI+YmVhcmVy X3Rva2VuPC9zcGFueD4gdG8gPHNwYW54CiAgICAgICAgICAgIHN0eWxlPSJ2ZXJiIj5hY2Nlc3Nf dG9rZW48L3NwYW54PiwgcGVyIHdvcmtpbmcgZ3JvdXAKICAgICAgICAgICAgY29uc2Vuc3VzLgoJ ICA8L3Q+CgkgIDx0PgoJICAgIENoYW5nZWQgSFRUUCBzdGF0dXMgY29kZSBmb3IgPHNwYW54Cgkg ICAgc3R5bGU9InZlcmIiPmludmFsaWRfcmVxdWVzdDwvc3Bhbng+IGVycm9yIGNvZGUgZnJvbSBI VFRQCgkgICAgNDAxIChVbmF1dGhvcml6ZWQpIGJhY2sgdG8gSFRUUCA0MDAgKEJhZCBSZXF1ZXN0 KSwgcGVyCgkgICAgaW5wdXQgZnJvbSBIVFRQIHdvcmtpbmcgZ3JvdXAgZXhwZXJ0cy4KCSAgPC90 PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90PgogICAgICA8dD4KICAgICAgICAtMDUKICAgICAg ICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CgkgIDx0PgoJICAgIFJlbW92ZWQgT0F1dGggRXJyb3Jz IFJlZ2lzdHJ5LCBwZXIgZGVzaWduIHRlYW0gaW5wdXQuCgkgIDwvdD4KCSAgPHQ+CgkgICAgQ2hh bmdlZCBIVFRQIHN0YXR1cyBjb2RlIGZvciA8c3BhbngKCSAgICBzdHlsZT0idmVyYiI+aW52YWxp ZF9yZXF1ZXN0PC9zcGFueD4gZXJyb3IgY29kZSBmcm9tIEhUVFAKCSAgICA0MDAgKEJhZCBSZXF1 ZXN0KSB0byBIVFRQIDQwMSAoVW5hdXRob3JpemVkKSB0byBtYXRjaCBIVFRQCgkgICAgdXNhZ2Ug W1sgY2hhbmdlIHBlbmRpbmcgd29ya2luZyBncm91cCBjb25zZW5zdXMgXV0uCgkgIDwvdD4KCSAg PHQ+CgkgICAgQWRkZWQgbWlzc2luZyBxdW90YXRpb24gbWFya3MgaW4gZXJyb3ItdXJpIGRlZmlu aXRpb24uCgkgIDwvdD4KCSAgPHQ+CgkgICAgQWRkZWQgbm90ZSB0byBhZGQgbGFuZ3VhZ2UgYW5k IGVuY29kaW5nIGluZm9ybWF0aW9uIHRvCgkgICAgZXJyb3JfZGVzY3JpcHRpb24gaWYgdGhlIGNv cmUgc3BlY2lmaWNhdGlvbiBkb2VzLgoJICA8L3Q+CgkgIDx0PgoJICAgIEV4cGxpY2l0bHkgcmVm ZXJlbmNlIHRoZSBBdWdtZW50ZWQgQmFja3VzLU5hdXIgRm9ybSAoQUJORikKCSAgICBkZWZpbmVk IGluIDx4cmVmIHRhcmdldD0nUkZDNTIzNCcgLz4uCgkgIDwvdD4KCSAgPHQ+CgkgICAgVXNlIGF1 dGgtcGFyYW0gaW5zdGVhZCBvZiByZXBlYXRpbmcgaXRzIGRlZmluaXRpb24sIHdoaWNoCgkgICAg aXMgKCB0b2tlbiAiPSIgKCB0b2tlbiAvIHF1b3RlZC1zdHJpbmcgKSApLgoJICA8L3Q+CgkgIDx0 PgoJICAgIENsYXJpZnkgc2VjdXJpdHkgY29uc2lkZXJhdGlvbnMgYWJvdXQgaW5jbHVkaW5nIGFu CgkgICAgYXVkaWVuY2UgcmVzdHJpY3Rpb24gaW4gdGhlIHRva2VuIGFuZCBpbmNsdWRlIGEKCSAg ICByZWNvbW1lbmRhdGlvbiB0byBpc3N1ZSBzY29wZWQgYmVhcmVyIHRva2VucyBpbiB0aGUKCSAg ICBzdW1tYXJ5IG9mIHJlY29tbWVuZGF0aW9ucy4KCSAgPC90PgogICAgICAgIDwvbGlzdD4KICAg ICAgPC90PgogICAgICA8dD4KICAgICAgICAtMDQKICAgICAgICA8bGlzdCBzdHlsZT0nc3ltYm9s cyc+CgkgIDx0PgoJICAgIEVkaXRzIHJlc3BvbmRpbmcgdG8gd29ya2luZyBncm91cCBsYXN0IGNh bGwgZmVlZGJhY2sgb24KCSAgICAtMDMuICBTcGVjaWZpYyBlZGl0cyBlbnVtZXJhdGVkIGJlbG93 LgoJICA8L3Q+CgkgIDx0PgoJICAgIEFkZGVkIEJlYXJlciBUb2tlbiBkZWZpbml0aW9uIGluIFRl cm1pbm9sb2d5IHNlY3Rpb24uCgkgIDwvdD4KICAgICAgICAgIDx0PgogICAgICAgICAgICBDaGFu Z2VkIHBhcmFtZXRlciBuYW1lIDxzcGFueAogICAgICAgICAgICBzdHlsZT0idmVyYiI+b2F1dGhf dG9rZW48L3NwYW54PiB0byA8c3BhbngKICAgICAgICAgICAgc3R5bGU9InZlcmIiPmJlYXJlcl90 b2tlbjwvc3Bhbng+LgoJICA8L3Q+CgkgIDx0PgoJICAgIEFkZGVkIHJlYWxtIHBhcmFtZXRlciB0 byA8c3BhbngKCSAgICBzdHlsZT0ndmVyYic+V1dXLUF1dGhlbnRpY2F0ZTwvc3Bhbng+IHJlc3Bv bnNlIHRvIGNvbXBseQoJICAgIHdpdGggPHhyZWYgdGFyZ2V0PSdSRkMyNjE3JyAvPi4KCSAgPC90 PgoJICA8dD4KCSAgICBSZW1vdmVkICJbIFJXUyAxI2F1dGgtcGFyYW0gXSIgZnJvbSA8c3BhbngK CSAgICBzdHlsZT0idmVyYiI+Y3JlZGVudGlhbHM8L3NwYW54PiBkZWZpbml0aW9uIHNpbmNlIGl0 IGRpZAoJICAgIG5vdCBjb21wbHkgd2l0aCB0aGUgQUJORiBpbiA8eHJlZgoJICAgIHRhcmdldD0n SS1ELmlldGYtaHR0cGJpcy1wNy1hdXRoJyAvPi4KCSAgPC90PgoJICA8dD4KCSAgICBSZW1vdmVk IHJlc3RyaWN0aW9uIHRoYXQgdGhlIDxzcGFueAoJICAgIHN0eWxlPSJ2ZXJiIj5iZWFyZXJfdG9r ZW48L3NwYW54PiAoZm9ybWVybHkgPHNwYW54CgkgICAgc3R5bGU9InZlcmIiPm9hdXRoX3Rva2Vu PC9zcGFueD4pIHBhcmFtZXRlciBiZSB0aGUgbGFzdAoJICAgIHBhcmFtZXRlciBpbiB0aGUgZW50 aXR5LWJvZHkgYW5kIHRoZSBIVFRQIHJlcXVlc3QgVVJJCgkgICAgcXVlcnkuCgkgIDwvdD4KCSAg PHQ+CgkgICAgRG8gbm90IHJlcXVpcmUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBpbiBhIHJl cGx5IHRvIGEKCSAgICBtYWxmb3JtZWQgcmVxdWVzdCwgYXMgYW4gSFRUUCA0MDAgQmFkIFJlcXVl c3QgcmVzcG9uc2UKCSAgICB3aXRob3V0IGEgV1dXLUF1dGhlbnRpY2F0ZSBoZWFkZXIgaXMgbGlr ZWx5IHRoZSByaWdodAoJICAgIHJlc3BvbnNlIGluIHNvbWUgY2FzZXMgb2YgbWFsZm9ybWVkIHJl cXVlc3RzLgoJICA8L3Q+CgkgIDx0PgoJICAgIFJlbW92ZWQgT0F1dGggUGFyYW1ldGVycyByZWdp c3RyeSBleHRlbnNpb24uCgkgIDwvdD4KCSAgPHQ+CgkgICAgTnVtZXJvdXMgZWRpdG9yaWFsIGlt cHJvdmVtZW50cyBzdWdnZXN0ZWQgYnkgd29ya2luZyBncm91cAoJICAgIG1lbWJlcnMuCgkgIDwv dD4KICAgICAgICA8L2xpc3Q+CiAgICAgIDwvdD4KICAgICAgPHQ+CiAgICAgICAgLTAzCiAgICAg ICAgPGxpc3Qgc3R5bGU9J3N5bWJvbHMnPgoJICA8dD4KCSAgICBSZXN0b3JlZCB0aGUgV1dXLUF1 dGhlbnRpY2F0ZSByZXNwb25zZSBoZWFkZXIKCSAgICBmdW5jdGlvbmFsaXR5IGRlbGV0ZWQgZnJv bSB0aGUgZnJhbWV3b3JrIHNwZWNpZmljYXRpb24gaW4KCSAgICBkcmFmdCAxMiBiYXNlZCB1cG9u IHRoZSBzcGVjaWZpY2F0aW9uIHRleHQgZnJvbSBkcmFmdCAxMS4KCSAgPC90PgoJICA8dD4KCSAg ICBBdWdtZW50ZWQgdGhlIE9BdXRoIFBhcmFtZXRlcnMgcmVnaXN0cnkgYnkgYWRkaW5nIHR3bwoJ ICAgIGFkZGl0aW9uYWwgcGFyYW1ldGVyIHVzYWdlIGxvY2F0aW9uczogInJlc291cmNlIHJlcXVl c3QiCgkgICAgYW5kICJyZXNvdXJjZSByZXNwb25zZSIuCgkgIDwvdD4KICAgICAgICAgIDx0Pgog ICAgICAgICAgICBSZWdpc3RlcmVkIHRoZSAib2F1dGhfdG9rZW4iIE9BdXRoIHBhcmFtZXRlciB3 aXRoIHVzYWdlCiAgICAgICAgICAgIGxvY2F0aW9uICJyZXNvdXJjZSByZXF1ZXN0Ii4KICAgICAg ICAgIDwvdD4KICAgICAgICAgIDx0PgogICAgICAgICAgICBSZWdpc3RlcmVkIHRoZSAiZXJyb3Ii IE9BdXRoIHBhcmFtZXRlci4KICAgICAgICAgIDwvdD4KCSAgPHQ+CgkgICAgQ3JlYXRlZCB0aGUg T0F1dGggRXJyb3IgcmVnaXN0cnkgYW5kIHJlZ2lzdGVyZWQgZXJyb3JzLgoJICA8L3Q+CgkgIDx0 PgoJICAgIENoYW5nZWQgdGhlICJPQXV0aDIiIE9BdXRoIGFjY2VzcyB0b2tlbiB0eXBlIG5hbWUg dG8KCSAgICAiQmVhcmVyIi4KCSAgPC90PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90PgogICAg ICA8dD4KICAgICAgICAtMDIKICAgICAgICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CiAgICAgICAg ICA8dD4KICAgICAgICAgICAgSW5jb3Jwb3JhdGVkIGZlZWRiYWNrIHJlY2VpdmVkIG9uIGRyYWZ0 IDAxLiAgTW9zdCBjaGFuZ2VzCiAgICAgICAgICAgIHdlcmUgdG8gdGhlIHNlY3VyaXR5IGNvbnNp ZGVyYXRpb25zIHNlY3Rpb24uICBObyBub3JtYXRpdmUKICAgICAgICAgICAgY2hhbmdlcyB3ZXJl IG1hZGUuICBTcGVjaWZpYyBjaGFuZ2VzIGluY2x1ZGVkOgogICAgICAgICAgPC90PgoJICA8dD4K CSAgICBDaGFuZ2VkIHRlcm1pbm9sb2d5IGZyb20gInRva2VuIHJldXNlIiB0byAidG9rZW4gY2Fw dHVyZQoJICAgIGFuZCByZXBsYXkiLgoJICA8L3Q+CgkgIDx0PgoJICAgIFJlbW92ZWQgc2VudGVu Y2UgIkVuY3J5cHRpbmcgdGhlIHRva2VuIGNvbnRlbnRzIGlzIGFub3RoZXIKCSAgICBhbHRlcm5h dGl2ZSIgZnJvbSB0aGUgc2VjdXJpdHkgY29uc2lkZXJhdGlvbnMgc2luY2UgaXQgd2FzCgkgICAg cmVkdW5kYW50IGFuZCBwb3RlbnRpYWxseSBjb25mdXNpbmcuCgkgIDwvdD4KCSAgPHQ+CgkgICAg Q29ycmVjdGVkIHNvbWUgcmVmZXJlbmNlcyB0byAicmVzb3VyY2Ugc2VydmVyIiB0byBiZQoJICAg ICJhdXRob3JpemF0aW9uIHNlcnZlciIgaW4gdGhlIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25zLgoJ ICA8L3Q+CgkgIDx0PgoJICAgIEdlbmVyYWxpemVkIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25zIGxh bmd1YWdlIGFib3V0CgkgICAgb2J0YWluaW5nIGNvbnNlbnQgb2YgdGhlIHJlc291cmNlIG93bmVy LgoJICA8L3Q+CgkgIDx0PgoJICAgIEJyb2FkZW5lZCBzY29wZSBvZiBzZWN1cml0eSBjb25zaWRl cmF0aW9ucyBkZXNjcmlwdGlvbiBmb3IKCSAgICByZWNvbW1lbmRhdGlvbiAiRG9uJ3QgcGFzcyBi ZWFyZXIgdG9rZW5zIGluIHBhZ2UgVVJMcyIuCgkgIDwvdD4KCSAgPHQ+CgkgICAgUmVtb3ZlZCB1 bnVzZWQgcmVmZXJlbmNlIHRvIE9BdXRoIDEuMC4KCSAgPC90PgoJICA8dD4KCSAgICBVcGRhdGVk IHJlZmVyZW5jZSB0byBmcmFtZXdvcmsgc3BlY2lmaWNhdGlvbiBhbmQgdXBkYXRlZAoJICAgIERh dmlkIFJlY29yZG9uJ3MgZS1tYWlsIGFkZHJlc3MuCgkgIDwvdD4KCSAgPHQ+CgkgICAgUmVtb3Zl ZCBzZWN1cml0eSBjb25zaWRlcmF0aW9ucyB0ZXh0IG9uIGF1dGhlbnRpY2F0aW5nCgkgICAgY2xp ZW50cy4KCSAgPC90PgoJICA8dD4KCSAgICBSZWdpc3RlcmVkIHRoZSAiT0F1dGgyIiBPQXV0aCBh Y2Nlc3MgdG9rZW4gdHlwZSBhbmQKCSAgICAib2F1dGhfdG9rZW4iIHBhcmFtZXRlci4KCSAgPC90 PgogICAgICAgIDwvbGlzdD4KICAgICAgPC90PgogICAgICA8dD4KICAgICAgICAtMDEKICAgICAg ICA8bGlzdCBzdHlsZT0nc3ltYm9scyc+CiAgICAgICAgICA8dD4KICAgICAgICAgICAgRmlyc3Qg cHVibGljIGRyYWZ0LCB3aGljaCBpbmNvcnBvcmF0ZXMgZmVlZGJhY2sgcmVjZWl2ZWQKICAgICAg ICAgICAgb24gLTAwIGluY2x1ZGluZyBlbmhhbmNlZCBTZWN1cml0eSBDb25zaWRlcmF0aW9ucyBj b250ZW50LgogICAgICAgICAgICBUaGlzIHZlcnNpb24gaXMgaW50ZW5kZWQgdG8gYWNjb21wYW55 IE9BdXRoIDIuMCBkcmFmdCAxMS4KICAgICAgICAgIDwvdD4KICAgICAgICA8L2xpc3Q+CiAgICAg IDwvdD4KICAgICAgPHQ+CiAgICAgICAgLTAwCiAgICAgICAgPGxpc3Qgc3R5bGU9J3N5bWJvbHMn PgogICAgICAgICAgPHQ+CiAgICAgICAgICAgIEluaXRpYWwgZHJhZnQgYmFzZWQgb24gcHJlbGlt aW5hcnkgdmVyc2lvbiBvZiBPQXV0aCAyLjAgZHJhZnQgMTEuCiAgICAgICAgICA8L3Q+CiAgICAg ICAgPC9saXN0PgogICAgICA8L3Q+CiAgICA8L3NlY3Rpb24+ICAgICAKCiAgPC9iYWNrPgoKPC9y ZmM+Cg== --_007_4E1F6AAD24975D4BA5B16804296739435F763122TK5EX14MBXC283r_-- From mnot@mnot.net Wed Dec 14 18:36:50 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3BEE1F0C47 for ; Wed, 14 Dec 2011 18:36:50 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -105.154 X-Spam-Level: X-Spam-Status: No, score=-105.154 tagged_above=-999 required=5 tests=[AWL=-2.555, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oOj7TLPzL43K for ; Wed, 14 Dec 2011 18:36:49 -0800 (PST) Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) by ietfa.amsl.com (Postfix) with ESMTP id 2668F21F8A55 for ; Wed, 14 Dec 2011 18:36:49 -0800 (PST) Received: from mnot-mini.mnot.net (unknown [118.209.24.155]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 9EAFD22E1F4; Wed, 14 Dec 2011 21:36:40 -0500 (EST) Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=windows-1252 From: Mark Nottingham In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com> Date: Thu, 15 Dec 2011 13:36:37 +1100 Content-Transfer-Encoding: quoted-printable Message-Id: References: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com> To: Mike Jones X-Mailer: Apple Mail (2.1251.1) Cc: Barry Leiba , OAuth WG Subject: Re: [OAUTH-WG] OK to post OAuth Bearer draft 15? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Dec 2011 02:36:50 -0000 Hi Mike - It's not my function to object (or not) to the publication of the draft; = I merely provided the APPS review, which will be considered by the = responsible AD (like all other Last Call comments), and potentially the = IESG. If you're asking whether my concerns have been addressed, see some = specifics below. Regards, On 15/12/2011, at 1:13 PM, Mike Jones wrote: > Mark, Stephen, Hannes, and Barry, > =20 > Any objections to posting the updated Bearer draft incorporating the = results of the APPS Area review and the TLS requirements? > =20 > -- Mike > =20 > From: Mike Jones=20 > Sent: Monday, December 12, 2011 8:51 AM > To: Mark Nottingham; 'Stephen Farrell'; oauth@ietf.org > Subject: RE: [OAUTH-WG] FW: [apps-discuss] APPS Area review of = draft-ietf-oauth-v2-bearer-14 > =20 > Thanks for the detailed review, Mark. > =20 > Preliminary draft 15 of the OAuth Bearer specification is attached. = It resolves the form encoding issues raised by Julian Reschke in the = manner discussed at the working group meeting in Taipei, incorporates = the consensus text on TLS version requirements, and contains several = improvements suggested by Mark Nottingham during APPS area review. > =20 > Mark, comments on all your proposed changes follow below: > =20 >> * Section 2.3 URI Query Parameter >> =20 >> This section effectively reserves a URI query parameter for the = draft's use. This should not be done lightly, since this would be a = precedent for the IETF encroaching upon a server's URIs (done previously = in RFC5785, but in a much more limited fashion, as a tactic to prevent = further, uncontrolled encroachment). >> =20 >> Given that the draft already discourages the use of this mechanism, = I'd recommend dropping it altogether. If the Working Group wishes it to = remain, this issues should be vetted both through the APPS area and the = W3C liaison. >> =20 >> (The same criticism could be leveled at Section 2.2 Form-Encoded Body = Parameter, but that at least isn't surfaced in an identifier) >> =20 > There are some contexts, especially limited browsers and/or = development environments What does "developmental environments" mean here? > , where query parameters are usable but the other methods are not. = Thus, the query parameter method must be retained. Also, Justin = Richter=92s comments describing the value to him of the query parameter = method are pertinent: =93A URL with all parameters including = authorization is a powerful artifact which can be passed around between = systems as a unit=94. > =20 > As to using a standard parameter name, this is essential for = interoperability. I find it hard to believe that you could not find or design a mechanism = to discover a URI. > It is not =93reserved=94 in any contexts other than when the Bearer = spec is employed, which is a voluntary act by both parties. Thus, this = poses no undue burdens or namespace restrictions on implementations in = practice. > =20 > Finally, you=92ll find that OAuth 1.0 [RFC 5849] similarly defined, = not one, but two standard query parameter values: oauth_token and = oauth_verifier. As this didn=92t cause any problems in practice then, = I=92m sure that defining an access_token parameter within the Bearer = spec for interoperability purposes won=92t cause a problem either. The fact that a non-standards-track document did something that's = potentially harmful doesn't make it OK. Saying that problems won't occur = based upon such short-term implementation experience with this type of = issue is ludicrous; the nature of the issue is long-term encroachment = and setting precedent. >> * Section 3 The WWW-Authenticate Response Header Field >> =20 >> The draft references the quoted-string ABNF from HTTP, but changes = its processing in a later paragraph: >> =20 >> """In all these cases, no character quoting will occur, as senders = are prohibited from using the %5C ('\') character.""" >> =20 >> This is at best surprising (as many readers will reasonably surmise = that using the quoted-string ABNF implies that the same code can be = used). >> Please either use quoted-string as defined (i.e., with escaping). >> =20 > This parameter definition was a result of significant working group = discussion and reflects a solid consensus position. Using the quoted = string BNF makes it clear, per Julian Reschke=92s suggestions, that = generic parameter parsing code can be safely used. Whereas prohibiting = the use of backslash quoting by senders also makes it clear that custom = implementations can directly utilize the parameter values as transmitted = without performing any quote processing. > =20 > In short, the spec doesn=92t change the processing of quoted strings. = It simply restricts the set of legal input characters within the quoted = strings. See follow-up discussion with Julian. >> * Section 3 The WWW-Authenticate Response Header Field >> =20 >> The difference between a realm and a scope is not explained. Are the = functionally equivalent, just a single value vs. a list? >> =20 > Realm is as defined by HTTPbis. It says that =93The realm value is a = string, generally assigned by the origin server, which can have = additional semantics specific to the authentication scheme.=94 Yes... > The Bearer specification intentionally adds no extra semantics to the = realm definition. Whereas the scope parameter is defined as an = order-independent space-separated list of scope values. The contextual = meaning of both the realm and scope parameters is deployment-dependent. That's not a great story for interop. How are people actually supposed = to use them? Can you at least give an example? >> Do you really intend to disallow *all* extension parameters on the = challenge? > =20 > Yes. There was an explicit working group consensus decision to do so. It would be good to note this. >> Also, the scope, error, error_description and error_uri parameters = all specify only a quoted-string serialisation. HTTPbis strongly = suggests that new schemes allow both forms, because implementation = experience has shown that implementations will likely support both, no = matter how defined; this improves interoperability (see p7 2.3.1). > =20 > Once again, the current text reflects a consensus decision of the = working group. It was viewed that requiring support for multiple ways = of doing the same thing unnecessarily complicated implementations = without any compensating benefit; better to support one syntax for each = semantic operation and require all implementations to use it. And I'm sure you're aware that the goal of this text in HTTPbis is to = encourage reuse of code, rather than having multiple implementations of = slightly different things. This is doubly true when you're not actually = defining the syntax, but instead reusing syntax from elsewhere (HTTP), = which already has parsers and generators implemented.=20 >> * General >> =20 >> The draft currently doesn't mention whether Bearer is suitable for = use as a proxy authentication scheme. I suspect it *may*; it would be = worth discussing this with some proxy implementers to gauge their = interest (e.g., Squid). >> =20 > Who would you recommend review the draft from this perspective? The easiest way would be to ask on the ietf-http-wg@w3.org mailing list; = there are several intermediary implementers active there. Regards, -- Mark Nottingham http://www.mnot.net/ From barryleiba.mailing.lists@gmail.com Thu Dec 15 06:30:05 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 393D321F89B8 for ; Thu, 15 Dec 2011 06:30:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.998 X-Spam-Level: X-Spam-Status: No, score=-102.998 tagged_above=-999 required=5 tests=[AWL=-0.021, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FOrBrEFQHKws for ; Thu, 15 Dec 2011 06:30:04 -0800 (PST) Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9385621F8464 for ; Thu, 15 Dec 2011 06:30:04 -0800 (PST) Received: by yhjj72 with SMTP id j72so2648861yhj.31 for ; Thu, 15 Dec 2011 06:30:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=aiJfPOMJCVByDJYD2vSiGeOannMRZWwAdDCxXiGLvBQ=; b=pY+3kZprLzZrrrA5/412U4idC+xVHL0J0OhKR68RmxjBYAY98c6bVCt3MgnFIriYmX cnzfAxmlw9+/duNmJLY2arpDbf6KBLU3ZyixO1FH2bo5+NNcTtIwxpuNE/GC2TaZwvsk miKgZwUK/qQ8aLBL1Q+zgQYAqcI/+vWSzF3SM= MIME-Version: 1.0 Received: by 10.236.190.137 with SMTP id e9mr5387957yhn.36.1323959402161; Thu, 15 Dec 2011 06:30:02 -0800 (PST) Sender: barryleiba.mailing.lists@gmail.com Received: by 10.146.107.8 with HTTP; Thu, 15 Dec 2011 06:30:02 -0800 (PST) In-Reply-To: References: Date: Thu, 15 Dec 2011 09:30:02 -0500 X-Google-Sender-Auth: YwaYJyVViI6XoPteD_WhkZeK4Ug Message-ID: From: Barry Leiba To: oauth WG Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Dec 2011 14:30:05 -0000 > Working group last call begins today on the threat model document: > http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01 > > Please review this version and post last call comments by 9 December. Sorry, folks: I got a little behind here. Working-group last call is now over. There were no comments in response to this thread, so it looks like we're mostly done here. Mike Thomas pointed out to me that his message here: http://www.ietf.org/mail-archive/web/oauth/current/msg07780.html ...was in reference to this document -- that might not have been clear because of the change in subject line. Torsten, et al, consider that message to be your only working-group last call comment, and handle it accordingly. When that's worked out and there's another version, we should be ready to send this up to the IESG. Barry, as chair From mark.mcgloin@ie.ibm.com Thu Dec 15 09:32:49 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E9D021F8A35 for ; Thu, 15 Dec 2011 09:32:49 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q3QMRf9alNyC for ; Thu, 15 Dec 2011 09:32:48 -0800 (PST) Received: from e06smtp18.uk.ibm.com (e06smtp18.uk.ibm.com [195.75.94.114]) by ietfa.amsl.com (Postfix) with ESMTP id C767821F8A7A for ; Thu, 15 Dec 2011 09:32:47 -0800 (PST) Received: from /spool/local by e06smtp18.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 15 Dec 2011 17:32:46 -0000 Received: from d06nrmr1407.portsmouth.uk.ibm.com ([9.149.38.185]) by e06smtp18.uk.ibm.com ([192.168.101.148]) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 15 Dec 2011 17:32:09 -0000 Received: from d06av09.portsmouth.uk.ibm.com (d06av09.portsmouth.uk.ibm.com [9.149.37.250]) by d06nrmr1407.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id pBFHW97p2343120 for ; Thu, 15 Dec 2011 17:32:09 GMT Received: from d06av09.portsmouth.uk.ibm.com (loopback [127.0.0.1]) by d06av09.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id pBFHW8hS007696 for ; Thu, 15 Dec 2011 10:32:08 -0700 Received: from d06ml091.portsmouth.uk.ibm.com (d06ml091.portsmouth.uk.ibm.com [9.149.104.170]) by d06av09.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id pBFHW84E007691 for ; Thu, 15 Dec 2011 10:32:08 -0700 X-KeepSent: C81B6CF6:738D246C-80257967:005EFB87; type=4; name=$KeepSent To: OAuth WG X-Mailer: Lotus Notes Release 8.5.1FP5 SHF29 November 12, 2010 Message-ID: From: Mark Mcgloin Date: Thu, 15 Dec 2011 17:32:02 +0000 X-MIMETrack: Serialize by Router on D06ML091/06/M/IBM(Release 8.5.2FP1 ZX852FP1HF12|September 28, 2011) at 15/12/2011 17:32:03 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII x-cbid: 11121517-6892-0000-0000-0000007A2396 Subject: Re: [OAUTH-WG] client embedded browsers (was: I-D Action: draft-ietf-oauth-v2-threatmodel-01.txt) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Dec 2011 17:32:49 -0000 Hi Michael We reviewed the threat model document in light of the concerns you raised (originally in a thread called "Problem Statement") and decided that we already provided enough information on threats and countermeasures from malicious applications. In addition, the consensus from the Oauth WG on that email thread ("Problem Statement") was that the issue of users installing malware or any malicious client is not an oauth specific problem and is not something we need to educate users on, over and above what is stated already in section 4.1.4 of the threat model. Based on that consensus, I would consider this issue closed and we will not be making any changes to the threat model Regards Mark McGloin On Wed, 26 Oct 2011 13:17:58 , "Michael Thomas" wrote: First, I think that this threat should be elevated to something more than a threat because it is a fundamental assumption of the protocol that the browser is trustworthy. I have heard far too many people on this list say that that's silly because it is "obvious" but it is not obvious to the uninitiated, who are the remaining 7*10^9-100 people in this world. Second, I think it's worth explicitly pointing out that this PERTAINS TO APPS too. The world has changed significantly since OAUTH was conceived, and native phone, etc apps continue to grow explosively after a long, long decline leading up to OAUTH's birth. I would venture to say that a sizable if not majority of uses of OAUTH will be in app settings. A few inline comments: 4.1.4. Threat: End-user credentials phished using compromised or embedded browser A malicious application could attempt to phish end-user passwords by misusing an embedded browser in the end-user authorization process, or by presenting its own user-interface instead of allowing trusted system browser to render the authorization user interface. By doing so, the usual visual trust mechanisms may be bypassed (e.g. TLS confirmation, web site mechanisms). By using an embedded or internal client application user interface, the client application has access to additional information it should not have access to (e.g. uid/ password). [mat] I think it's also worth mentioning either here, or in another threat that there is a further social engineering misuse/attack where an app offers/demands to keep your credentials so that you don't have to go through the authorization rigmarole. Users are already conditioned to give their credentials up to do things -- just this morning I noticed facebook asking for my email password which they promise with sugar on top to not store. It might be worth mentioning that things like CAPTCHA could be deployed to defend against that sort of attack/misuse. Impact: If the client application or the communication is compromised, the user would not be aware and all information in the authorization exchange could be captured such as username and password. Countermeasures: o Client developers and end-user can be educated to trust an external System-Browser only. [mat] I assume that this is in here just for the amusement factor because it is not a credible countermeasure. o Client applications could be validated prior publication in a application market. [mat] How would this be done in practice? o Client developers should not collect authentication information directly from users and should instead use redirects to and back from a trusted external system-browser. [mat] How would the resource/authentication server enforce such a thing? The main problem here is that the countermeasures -- if they are practical at all -- are deep and complex problems unto themselves. To just handwave them away does no justice to the seriousness of the threat. I realize that this strays more into BCP land but there isn't any B-C-P, and I'm not terribly convinced there ever will be. In that respect, I think this threat and its potential countermeasures need to be discussed in much more detail. If there is anything about OAUTH that will cause it to be junked, it's this threat. Mike ---------------------------------------------------------------------------------------------------- Mark McGloin e-mail: mark.mcgloin@ie.ibm.com Tel: +353 1 8155263 Mobile: +353 87 9932662 Security Architect, LotusLive and Cloud Business Support Systems IBM Software Group Building 6, IBM Technology campus, Damastown Industrial Estate, Mulhuddart, Dublin 15 IBM International Holdings BV registered in Ireland with number 903924. Registered office: Oldbrook House, 24-32 Pembroke Road, Ballsbridge, Dublin 4 From mark.mcgloin@ie.ibm.com Thu Dec 15 09:33:42 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CBE821F84DF for ; Thu, 15 Dec 2011 09:33:42 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qLyN70v-MLe4 for ; Thu, 15 Dec 2011 09:33:41 -0800 (PST) Received: from e06smtp17.uk.ibm.com (e06smtp17.uk.ibm.com [195.75.94.113]) by ietfa.amsl.com (Postfix) with ESMTP id 3892B21F84DA for ; Thu, 15 Dec 2011 09:33:41 -0800 (PST) Received: from /spool/local by e06smtp17.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 15 Dec 2011 17:33:37 -0000 Received: from d06nrmr1707.portsmouth.uk.ibm.com ([9.149.39.225]) by e06smtp17.uk.ibm.com ([192.168.101.147]) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 15 Dec 2011 17:33:35 -0000 Received: from d06av06.portsmouth.uk.ibm.com (d06av06.portsmouth.uk.ibm.com [9.149.37.217]) by d06nrmr1707.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id pBFHXZSw2502878; Thu, 15 Dec 2011 17:33:35 GMT Received: from d06av06.portsmouth.uk.ibm.com (loopback [127.0.0.1]) by d06av06.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id pBFHXQcR009008; Thu, 15 Dec 2011 10:33:26 -0700 Received: from d06ml091.portsmouth.uk.ibm.com (d06ml091.portsmouth.uk.ibm.com [9.149.104.170]) by d06av06.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id pBFHXQXr008994; Thu, 15 Dec 2011 10:33:26 -0700 In-Reply-To: References: X-KeepSent: 40B0C85B:DCE28229-80257967:00605772; type=4; name=$KeepSent To: Barry Leiba X-Mailer: Lotus Notes Release 8.5.1FP5 SHF29 November 12, 2010 Message-ID: From: Mark Mcgloin Date: Thu, 15 Dec 2011 17:33:28 +0000 X-MIMETrack: Serialize by Router on D06ML091/06/M/IBM(Release 8.5.2FP1 ZX852FP1HF12|September 28, 2011) at 15/12/2011 17:33:30 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII x-cbid: 11121517-0542-0000-0000-000000646E56 Cc: oauth WG , oauth-bounces@ietf.org Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Dec 2011 17:33:42 -0000 Thanks Barry - I just responded to that thread. We will not be making any changes to the threat model based on that comment Regards Mark oauth-bounces@ietf.org wrote on 15/12/2011 14:30:02: > From: > > Barry Leiba > > To: > > oauth WG > > Date: > > 15/12/2011 14:30 > > Subject: > > Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011 > > Sent by: > > oauth-bounces@ietf.org > > > Working group last call begins today on the threat model document: > > http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01 > > > > Please review this version and post last call comments by 9 December. > > Sorry, folks: I got a little behind here. > > Working-group last call is now over. There were no comments in > response to this thread, so it looks like we're mostly done here. > Mike Thomas pointed out to me that his message here: > > http://www.ietf.org/mail-archive/web/oauth/current/msg07780.html > > ...was in reference to this document -- that might not have been clear > because of the change in subject line. Torsten, et al, consider that > message to be your only working-group last call comment, and handle it > accordingly. When that's worked out and there's another version, we > should be ready to send this up to the IESG. > > Barry, as chair > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > From andredemarre@gmail.com Thu Dec 15 09:35:33 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A71DA21F8AE9 for ; Thu, 15 Dec 2011 09:35:33 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.999 X-Spam-Level: X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pmWOCFjKHFM2 for ; Thu, 15 Dec 2011 09:35:33 -0800 (PST) Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 02C6921F84DF for ; Thu, 15 Dec 2011 09:35:32 -0800 (PST) Received: by iaek3 with SMTP id k3so3751101iae.31 for ; Thu, 15 Dec 2011 09:35:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=9820s9EwmArAaj0Om9GcIwzsq0MAUejhFrHWx7X0d3c=; b=uABKpeOdWmxwjfPJbDShYrKwPYXlsHRzdhjdaWyGXM4fu0cg3pfnduHAnd/hv397Bx f8Df2AZFZu+R8c1ZfRzLeCITlSKlkjtvOAgr5NbigsGkdc5zVMBg1F7DbgpZrjR9AYVO NE66w55ru9aSRjx68ZjixaZgrst72+LyDPes8= MIME-Version: 1.0 Received: by 10.50.169.71 with SMTP id ac7mr3728511igc.18.1323970530828; Thu, 15 Dec 2011 09:35:30 -0800 (PST) Received: by 10.42.228.9 with HTTP; Thu, 15 Dec 2011 09:35:30 -0800 (PST) In-Reply-To: References: Date: Thu, 15 Dec 2011 09:35:30 -0800 Message-ID: From: =?ISO-8859-1?Q?Andr=E9_DeMarre?= To: Barry Leiba Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: oauth WG Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Dec 2011 17:35:33 -0000 This hasn't been addressed: http://www.ietf.org/mail-archive/web/oauth/current/msg07867.html Perhaps no one thinks it is a problem? There are several grammatical nits that should be fixed. I've had all the best intentions of reporting those last week but simply have not yet had the time. Regards, Andre DeMarre On Thu, Dec 15, 2011 at 6:30 AM, Barry Leiba wrot= e: >> Working group last call begins today on the threat model document: >> http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01 >> >> Please review this version and post last call comments by 9 December. > > Sorry, folks: I got a little behind here. > > Working-group last call is now over. =A0There were no comments in > response to this thread, so it looks like we're mostly done here. > Mike Thomas pointed out to me that his message here: > > =A0 http://www.ietf.org/mail-archive/web/oauth/current/msg07780.html > > ...was in reference to this document -- that might not have been clear > because of the change in subject line. =A0Torsten, et al, consider that > message to be your only working-group last call comment, and handle it > accordingly. =A0When that's worked out and there's another version, we > should be ready to send this up to the IESG. > > Barry, as chair > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From mike@mtcc.com Thu Dec 15 09:43:24 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96ED721F84A3 for ; Thu, 15 Dec 2011 09:43:24 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HYLKzWa9Il1y for ; Thu, 15 Dec 2011 09:43:23 -0800 (PST) Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id A063521F8467 for ; Thu, 15 Dec 2011 09:43:23 -0800 (PST) Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pBFHhI2u009030 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 15 Dec 2011 09:43:18 -0800 Message-ID: <4EEA31B6.3070106@mtcc.com> Date: Thu, 15 Dec 2011 09:43:18 -0800 From: Michael Thomas User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0 MIME-Version: 1.0 To: Mark Mcgloin References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5904; t=1323971000; x=1324835000; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20 |Subject:=20Re=3A=20[OAUTH-WG]=20client=20embedded=20browse rs=20(was=3A=20I-D=20Action=3A=09draft-ietf-oauth-v2-threatm odel-01.txt) |Sender:=20 |To:=20Mark=20Mcgloin=20 |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=TdDU43iX5NbMhx2T5c2KkrzeA0mG96pdAt0FZ7J+Ovw=; b=Y33RImUxZSMppaDfn0nguPPSIrvG4cSvI7XG+dbMqdt9UZNioBULF/gysr KzpP/Sk4z1N31Qv6tRa8SEITJNxYCxFsE8eNKd8B/sZA/6vOsaSjt8Z/b2Ma iVJFyBZzp1ln+9eyWhoIMm0LZ5VGXe4ST/4hFBEP6KGCQGFWqMDNk=; Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com Cc: OAuth WG Subject: Re: [OAUTH-WG] client embedded browsers (was: I-D Action: draft-ietf-oauth-v2-threatmodel-01.txt) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Dec 2011 17:43:24 -0000 On 12/15/2011 09:32 AM, Mark Mcgloin wrote: > Hi Michael > > We reviewed the threat model document in light of the concerns you raised > (originally in a thread called "Problem Statement") and decided that we > already provided enough information on threats and countermeasures from > malicious applications. > > In addition, the consensus from the Oauth WG on that email thread ("Problem > Statement") was that the issue of users installing malware or any malicious > client is not an oauth specific problem and is not something we need to > educate users on, over and above what is stated already in section 4.1.4 of > the threat model. Based on that consensus, I would consider this issue > closed and we will not be making any changes to the threat model > > Excuse me, but I was told that my comments would be better addressed in the threats document, and now you tell me that you can't be bothered to address them in the threats document either. I find this completely dismissive of the real life problems that this protocol will face. This *is* an OAUTH specific problem because OAUTH is being deployed massively into the threat environment it claims to protect against. It doesn't protect them, and as far as I can see there is nothing but hand waving dismissal rather than advice about how to deal with the problem. The bad guys don't care about your head-in-sand dismissal, and the reemergence native apps are a fact of life now. Mike > > Regards > Mark McGloin > > On Wed, 26 Oct 2011 13:17:58 , "Michael Thomas" wrote: > > First, I think that this threat should be elevated to something more than > a threat because it is a fundamental assumption of the protocol that the > browser is trustworthy. I have heard far too many people on this list say > that that's silly because it is "obvious" but it is not obvious to the > uninitiated, who are the remaining 7*10^9-100 people in this world. > > Second, I think it's worth explicitly pointing out that this PERTAINS TO > APPS > too. The world has changed significantly since OAUTH was conceived, and > native phone, etc apps continue to grow explosively after a long, long > decline leading up to OAUTH's birth. I would venture to say that a sizable > if not majority of uses of OAUTH will be in app settings. > > A few inline comments: > > 4.1.4. Threat: End-user credentials phished using compromised or > embedded browser > > A malicious application could attempt to phish end-user passwords by > misusing an embedded browser in the end-user authorization process, > or by presenting its own user-interface instead of allowing trusted > system browser to render the authorization user interface. By doing > so, the usual visual trust mechanisms may be bypassed (e.g. TLS > confirmation, web site mechanisms). By using an embedded or internal > client application user interface, the client application has access > to additional information it should not have access to (e.g. uid/ > password). > > > [mat] I think it's also worth mentioning either here, or in another > threat that there is a further social engineering misuse/attack where an > app offers/demands to keep your credentials so that you don't have to go > through the authorization rigmarole. Users are already conditioned to > give their credentials up to do things -- just this morning I noticed > facebook > asking for my email password which they promise with sugar on top to not > store. It might be worth mentioning that things like CAPTCHA could be > deployed to defend against that sort of attack/misuse. > > Impact: If the client application or the communication is > compromised, the user would not be aware and all information in the > authorization exchange could be captured such as username and > password. > > Countermeasures: > > o Client developers and end-user can be educated to trust an > external System-Browser only. > > > [mat] I assume that this is in here just for the amusement factor because > it is not a credible countermeasure. > > o Client applications could be validated prior publication in a > application market. > > [mat] How would this be done in practice? > > o Client developers should not collect authentication information > directly from users and should instead use redirects to and back > from a trusted external system-browser. > > > [mat] How would the resource/authentication server enforce such a thing? > > The main problem here is that the countermeasures -- if they are practical > at all -- > are deep and complex problems unto themselves. To just handwave them away > does > no justice to the seriousness of the threat. I realize that this strays > more > into BCP land but there isn't any B-C-P, and I'm not terribly convinced > there ever will be. In that respect, I think this threat and its potential > countermeasures need to be discussed in much more detail. If there is > anything > about OAUTH that will cause it to be junked, it's this threat. > > Mike > > ---------------------------------------------------------------------------------------------------- > > Mark McGloin > e-mail: mark.mcgloin@ie.ibm.com > Tel: +353 1 8155263 > Mobile: +353 87 9932662 > Security Architect, LotusLive and Cloud Business Support Systems > IBM Software Group > Building 6, IBM Technology campus, Damastown Industrial Estate, Mulhuddart, > Dublin 15 > > IBM International Holdings BV registered in Ireland with number 903924. > Registered office: Oldbrook House, 24-32 Pembroke Road, Ballsbridge, Dublin > 4 > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > From phil.hunt@oracle.com Thu Dec 15 09:54:28 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6417B21F85FF for ; Thu, 15 Dec 2011 09:54:28 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aO-OSiYePsdl for ; Thu, 15 Dec 2011 09:54:27 -0800 (PST) Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id 4B19A21F85A8 for ; Thu, 15 Dec 2011 09:54:27 -0800 (PST) Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by acsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pBFHsNps027398 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 15 Dec 2011 17:54:24 GMT Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id pBFHsM9r027817 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 15 Dec 2011 17:54:22 GMT Received: from abhmt105.oracle.com (abhmt105.oracle.com [141.146.116.57]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id pBFHsM3G026077; Thu, 15 Dec 2011 11:54:22 -0600 Received: from [192.168.1.8] (/24.87.204.3) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 15 Dec 2011 09:54:21 -0800 Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=windows-1252 From: Phil Hunt In-Reply-To: Date: Thu, 15 Dec 2011 09:54:44 -0800 Content-Transfer-Encoding: quoted-printable Message-Id: <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> References: To: Barry Leiba X-Mailer: Apple Mail (2.1251.1) X-Source-IP: ucsinet22.oracle.com [156.151.31.94] X-CT-RefId: str=0001.0A090202.4EEA3450.00C3,ss=1,re=0.000,fgs=0 Cc: oauth WG Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Dec 2011 17:54:28 -0000 Note: one change recommended below... With regards to 4.1.4=85 4.1.4. Threat: End-user credentials phished using compromised or embedded browser A malicious application could attempt to phish end-user passwords by misusing an embedded browser in the end-user authorization process, or by presenting its own user-interface instead of allowing trusted system browser to render the authorization user interface. By doing so, the usual visual trust mechanisms may be bypassed (e.g. TLS confirmation, web site mechanisms). By using an embedded or internal client application user interface, the client application has access to additional information it should not have access to (e.g. uid/ password). [mat] I think it's also worth mentioning either here, or in another threat that there is a further social engineering misuse/attack where an app offers/demands to keep your credentials so that you don't have to go through the authorization rigmarole. Users are already conditioned to give their credentials up to do things -- just this morning I noticed = facebook asking for my email password which they promise with sugar on top to not store. It might be worth mentioning that things like CAPTCHA could be deployed to defend against that sort of attack/misuse. [Phil] I don't think we need to really add much here. We could write = whole essays on this topic and likely will.=20 I think the point is simply to educate the client developer that there = is no need for a client application to ever have access to a raw = uid/password (or any other user credential). =20 [/Phi] [snip] Countermeasures: o Client developers and end-user can be educated to trust an external System-Browser only. [mat] I assume that this is in here just for the amusement factor = because it is not a credible countermeasure. [Phil] I agree, Firefox recently demonstrated how poorly users recognize = the security signals in the browser by dropping the "lock" icon without = announcement. When I found out, I had already been using it for some = time and hadn't noticed. This counter measure should be changed to: o The OAuth flow is designed so that client applications never need to = know user passwords. Where possible Client applications SHOULD avoid = directly asking for user credentials during an authorization flow. [/Phil] o Client applications could be validated prior publication in a application market. [mat] How would this be done in practice? [Phil] I think this needs to change to: o Client applications could be validated for acceptable practices by the = Resource Site provider prior to issuing production Client Credentials. [/Phil] o Client developers should not collect authentication information directly from users and should instead use redirects to and back from a trusted external system-browser. [mat] How would the resource/authentication server enforce such a thing? [Phil] This is a best practice for the client developer. [Phil] [snip] Phil @independentid www.independentid.com phil.hunt@oracle.com On 2011-12-15, at 6:30 AM, Barry Leiba wrote: >> Working group last call begins today on the threat model document: >> http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01 >>=20 >> Please review this version and post last call comments by 9 December. >=20 > Sorry, folks: I got a little behind here. >=20 > Working-group last call is now over. There were no comments in > response to this thread, so it looks like we're mostly done here. > Mike Thomas pointed out to me that his message here: >=20 > http://www.ietf.org/mail-archive/web/oauth/current/msg07780.html >=20 > ...was in reference to this document -- that might not have been clear > because of the change in subject line. Torsten, et al, consider that > message to be your only working-group last call comment, and handle it > accordingly. When that's worked out and there's another version, we > should be ready to send this up to the IESG. >=20 > Barry, as chair > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From mike@mtcc.com Thu Dec 15 10:15:51 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33A7221F8ADC for ; Thu, 15 Dec 2011 10:15:51 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZRVKvPCbVF2N for ; Thu, 15 Dec 2011 10:15:50 -0800 (PST) Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 55E4A21F8A96 for ; Thu, 15 Dec 2011 10:15:50 -0800 (PST) Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pBFIFjRR020146 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 15 Dec 2011 10:15:45 -0800 Message-ID: <4EEA3951.5010904@mtcc.com> Date: Thu, 15 Dec 2011 10:15:45 -0800 From: Michael Thomas User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0 MIME-Version: 1.0 To: Phil Hunt References: <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> In-Reply-To: <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4412; t=1323972947; x=1324836947; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20 |Subject:=20Re=3A=20[OAUTH-WG]=20WGLC=20on=20draft-ietf-oau th-v2-threatmodel-01,=09ends=209=0A=20Dec=202011 |Sender:=20 |To:=20Phil=20Hunt=20 |Content-Type:=20text/plain=3B=20charset=3Dwindows-1252=3B= 20format=3Dflowed |Content-Transfer-Encoding:=208bit |MIME-Version:=201.0; bh=AUpeqZSubN64WZ6zsxu5rbwLlUsby5lJQx05D1+Y5dg=; b=o/88xUjJ0UGarSDQMcq5QwZwpFD+B9hqjYXHd7JZ+xK8qUIULt6pML/TQO GAM53TYe/h50521I00ywaNXvccUyEW/xvgiaeMBLeooVNEGzOadPy0bHyDSk NFwA65TYFuN+pRGQgS9JPgFTTUj8yM/o3/eAIPg/Wgt8IIjf+x0xs=; Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com Cc: Barry Leiba , oauth WG Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Dec 2011 18:15:51 -0000 On 12/15/2011 09:54 AM, Phil Hunt wrote: > Note: one change recommended below... > > With regards to 4.1.4… > 4.1.4. Threat: End-user credentials phished using compromised or > embedded browser > > A malicious application could attempt to phish end-user passwords by > misusing an embedded browser in the end-user authorization process, > or by presenting its own user-interface instead of allowing trusted > system browser to render the authorization user interface. By doing > so, the usual visual trust mechanisms may be bypassed (e.g. TLS > confirmation, web site mechanisms). By using an embedded or internal > client application user interface, the client application has access > to additional information it should not have access to (e.g. uid/ > password). > > > [mat] I think it's also worth mentioning either here, or in another > threat that there is a further social engineering misuse/attack where an > app offers/demands to keep your credentials so that you don't have to go > through the authorization rigmarole. Users are already conditioned to > give their credentials up to do things -- just this morning I noticed facebook > asking for my email password which they promise with sugar on top to not > store. It might be worth mentioning that things like CAPTCHA could be > deployed to defend against that sort of attack/misuse. > > [Phil] I don't think we need to really add much here. We could write whole essays on this topic and likely will. > > I think the point is simply to educate the client developer that there is no need for a client application to ever have access to a raw uid/password (or any other user credential). > > [/Phi] > Remember: I came here not understanding whether this threat was real or not. A threat document that can't be bothered to elaborate on one of the biggest existential threats to the protocol is worthless. The way it is worded now does not make it crystal clear that, yes, this means UIWebView's in iPhone apps, etc too. It should because it needs to scream: THIS THREAT APPLIES TO YOU, AUTH SERVER. > [snip] > > Countermeasures: > > o Client developers and end-user can be educated to trust an > external System-Browser only. > > > [mat] I assume that this is in here just for the amusement factor because > it is not a credible countermeasure. > > [Phil] I agree, Firefox recently demonstrated how poorly users recognize the security signals in the browser by dropping the "lock" icon without announcement. When I found out, I had already been using it for some time and hadn't noticed. This counter measure should be changed to: > > o The OAuth flow is designed so that client applications never need to know user passwords. Where possible Client applications SHOULD avoid directly asking for user credentials during an authorization flow. > [/Phil] > The basic problem here is that the client app is not trusted. So if it's a bad actor this admonition will be ignored. If it's a good actor, there wasn't a threat in first place. So the mitigation completely misses the mark. > o Client applications could be validated prior publication in a > application market. > > [mat] How would this be done in practice? > [Phil] I think this needs to change to: > > o Client applications could be validated for acceptable practices by the Resource Site provider prior to issuing production Client Credentials. > When, exactly, can we expect to see this in the field? Neither Twitter or Facebook do this. And even if they were so inclined, the draft provides exactly zero guidance as to what exactly that "validated" might mean in practice. The way I read this is: "we don't know how to mitigate this". > [/Phil] > o Client developers should not collect authentication information > directly from users and should instead use redirects to and back > from a trusted external system-browser. > > > [mat] How would the resource/authentication server enforce such a thing? > > [Phil] This is a best practice for the client developer. [Phil] > > I don't even know what that means in the context of embedded apps. Has anybody even tried this? At the very least, an example flow might be useful for the uninitiated client developer. Mike From mark.mcgloin@ie.ibm.com Fri Dec 16 03:02:46 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FC3821F8B30 for ; Fri, 16 Dec 2011 03:02:46 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.573 X-Spam-Level: X-Spam-Status: No, score=-2.573 tagged_above=-999 required=5 tests=[AWL=-0.015, BAYES_00=-2.599, MIME_BASE64_BLANKS=0.041] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pp2SNa00tbL6 for ; Fri, 16 Dec 2011 03:02:45 -0800 (PST) Received: from e06smtp12.uk.ibm.com (e06smtp12.uk.ibm.com [195.75.94.108]) by ietfa.amsl.com (Postfix) with ESMTP id C8BD121F8B2F for ; Fri, 16 Dec 2011 03:02:44 -0800 (PST) Received: from /spool/local by e06smtp12.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 16 Dec 2011 11:02:40 -0000 Received: from d06nrmr1407.portsmouth.uk.ibm.com ([9.149.38.185]) by e06smtp12.uk.ibm.com ([192.168.101.142]) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Fri, 16 Dec 2011 11:02:38 -0000 Received: from d06av09.portsmouth.uk.ibm.com (d06av09.portsmouth.uk.ibm.com [9.149.37.250]) by d06nrmr1407.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id pBGB2btT1966240; Fri, 16 Dec 2011 11:02:37 GMT Received: from d06av09.portsmouth.uk.ibm.com (loopback [127.0.0.1]) by d06av09.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id pBGB2Z7V000678; Fri, 16 Dec 2011 04:02:36 -0700 Received: from d06ml091.portsmouth.uk.ibm.com (d06ml091.portsmouth.uk.ibm.com [9.149.104.170]) by d06av09.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id pBGB2ZK9000654; Fri, 16 Dec 2011 04:02:35 -0700 In-Reply-To: <4EEA3951.5010904@mtcc.com> References: <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> <4EEA3951.5010904@mtcc.com> X-KeepSent: 6C9EBE7C:1B053FE3-80257968:003C02DF; type=4; name=$KeepSent To: Michael Thomas X-Mailer: Lotus Notes Release 8.5.1FP5 SHF29 November 12, 2010 Message-ID: From: Mark Mcgloin Date: Fri, 16 Dec 2011 11:02:31 +0000 X-MIMETrack: Serialize by Router on D06ML091/06/M/IBM(Release 8.5.2FP1 ZX852FP1HF12|September 28, 2011) at 16/12/2011 11:02:30 MIME-Version: 1.0 Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: base64 x-cbid: 11121611-8372-0000-0000-0000011F3A6C Cc: Barry Leiba , oauth WG , oauth-bounces@ietf.org Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Dec 2011 11:02:46 -0000 TWljaGFlbCwNCg0KSSB3aWxsIHJldmlldyB0aGUgY29tbWVudHMgZnJvbSBQaGlsIHdoZXJlIGhl IHN1Z2dlc3RzIHNvbWUgY2hhbmdlcyBpbg0Kc2VjdGlvbiA0LjEuNCBvZiB0aGUgdGhyZWF0IG1v ZGVsDQoNCkkgYW0gdW5jbGVhciBleGFjdGx5IHdoYXQgeW91IGFyZSBwcm9wb3NpbmcuIElmIHlv dSB3YW50IHRvIHByb3Bvc2UgYQ0KY2xlYXJseSB3b3JkZWQgcmV2YW1wIG9mIHRoYXQgc2VjdGlv biBpbiB0aGUgbmV4dCBjb3VwbGUgb2YgZGF5cywgSSBhbQ0Kd2lsbGluZyB0byByZXZpZXcgYW5k IGFjY2VwdCBsZWdpdGltYXRlIGNoYW5nZXMuIENsZWFybHkgd29yZGVkIG1lYW5zDQpjb25jaXNl LCB0ZWNobmljYWxseSBhY2N1cmF0ZSBhbmQgZGV2b2lkIG9mIGFsYXJtaXN0IHBocmFzZXMgYW5k IHdvcmRzIHVzZWQNCm91dCBvZiBjb250ZXh0LCBzdWNoIGFzIGV4aXN0ZW50aWFsLiBDYW4gSSBz dWdnZXN0IHlvdSByZXZpZXcgd2l0aCBhDQpjb2xsZWFndWUgYmVmb3JlIHBvc3RpbmcgaGVyZS4N Cg0KUmVnYXJkcw0KTWFyaw0KDQpvYXV0aC1ib3VuY2VzQGlldGYub3JnIHdyb3RlIG9uIDE1LzEy LzIwMTEgMTg6MTU6NDU6DQoNCj4gRnJvbToNCj4NCj4gTWljaGFlbCBUaG9tYXMgPG1pa2VAbXRj Yy5jb20+DQo+DQo+IFRvOg0KPg0KPiBQaGlsIEh1bnQgPHBoaWwuaHVudEBvcmFjbGUuY29tPg0K Pg0KPiBDYzoNCj4NCj4gQmFycnkgTGVpYmEgPGJhcnJ5bGVpYmFAY29tcHV0ZXIub3JnPiwgb2F1 dGggV0cgPG9hdXRoQGlldGYub3JnPg0KPg0KPiBEYXRlOg0KPg0KPiAxNS8xMi8yMDExIDE4OjE2 DQo+DQo+IFN1YmplY3Q6DQo+DQo+IFJlOiBbT0FVVEgtV0ddIFdHTEMgb24gZHJhZnQtaWV0Zi1v YXV0aC12Mi10aHJlYXRtb2RlbC0wMSwgZW5kcyA5IERlYw0KMjAxMQ0KPg0KPiBTZW50IGJ5Og0K Pg0KPiBvYXV0aC1ib3VuY2VzQGlldGYub3JnDQo+DQo+IE9uIDEyLzE1LzIwMTEgMDk6NTQgQU0s IFBoaWwgSHVudCB3cm90ZToNCj4gPiBOb3RlOiBvbmUgY2hhbmdlIHJlY29tbWVuZGVkIGJlbG93 Li4uDQo+ID4NCj4gPiBXaXRoIHJlZ2FyZHMgdG8gNC4xLjTigKYNCj4gPiA0LjEuNC4gIFRocmVh dDogRW5kLXVzZXIgY3JlZGVudGlhbHMgcGhpc2hlZCB1c2luZyBjb21wcm9taXNlZCBvcg0KPiA+ ICAgICAgICAgIGVtYmVkZGVkIGJyb3dzZXINCj4gPg0KPiA+ICAgICBBIG1hbGljaW91cyBhcHBs aWNhdGlvbiBjb3VsZCBhdHRlbXB0IHRvIHBoaXNoIGVuZC11c2VyIHBhc3N3b3Jkcw0KYnkNCj4g PiAgICAgbWlzdXNpbmcgYW4gZW1iZWRkZWQgYnJvd3NlciBpbiB0aGUgZW5kLXVzZXIgYXV0aG9y aXphdGlvbiBwcm9jZXNzLA0KPiA+ICAgICBvciBieSBwcmVzZW50aW5nIGl0cyBvd24gdXNlci1p bnRlcmZhY2UgaW5zdGVhZCBvZiBhbGxvd2luZyB0cnVzdGVkDQo+ID4gICAgIHN5c3RlbSBicm93 c2VyIHRvIHJlbmRlciB0aGUgYXV0aG9yaXphdGlvbiB1c2VyIGludGVyZmFjZS4gIEJ5DQpkb2lu Zw0KPiA+ICAgICBzbywgdGhlIHVzdWFsIHZpc3VhbCB0cnVzdCBtZWNoYW5pc21zIG1heSBiZSBi eXBhc3NlZCAoZS5nLiAgVExTDQo+ID4gICAgIGNvbmZpcm1hdGlvbiwgd2ViIHNpdGUgbWVjaGFu aXNtcykuICBCeSB1c2luZyBhbiBlbWJlZGRlZCBvcg0KaW50ZXJuYWwNCj4gPiAgICAgY2xpZW50 IGFwcGxpY2F0aW9uIHVzZXIgaW50ZXJmYWNlLCB0aGUgY2xpZW50IGFwcGxpY2F0aW9uIGhhcw0K YWNjZXNzDQo+ID4gICAgIHRvIGFkZGl0aW9uYWwgaW5mb3JtYXRpb24gaXQgc2hvdWxkIG5vdCBo YXZlIGFjY2VzcyB0byAoZS5nLiB1aWQvDQo+ID4gICAgIHBhc3N3b3JkKS4NCj4gPg0KPiA+DQo+ ID4gW21hdF0gSSB0aGluayBpdCdzIGFsc28gd29ydGggbWVudGlvbmluZyBlaXRoZXIgaGVyZSwg b3IgaW4gYW5vdGhlcg0KPiA+IHRocmVhdCB0aGF0IHRoZXJlIGlzIGEgZnVydGhlciBzb2NpYWwg ZW5naW5lZXJpbmcgbWlzdXNlL2F0dGFjayB3aGVyZQ0KYW4NCj4gPiBhcHAgb2ZmZXJzL2RlbWFu ZHMgdG8ga2VlcCB5b3VyIGNyZWRlbnRpYWxzIHNvIHRoYXQgeW91IGRvbid0IGhhdmUgdG8NCmdv DQo+ID4gdGhyb3VnaCB0aGUgYXV0aG9yaXphdGlvbiByaWdtYXJvbGUuIFVzZXJzIGFyZSBhbHJl YWR5IGNvbmRpdGlvbmVkIHRvDQo+ID4gZ2l2ZSB0aGVpciBjcmVkZW50aWFscyB1cCB0byBkbyB0 aGluZ3MgLS0ganVzdCB0aGlzIG1vcm5pbmcgSQ0KPiBub3RpY2VkIGZhY2Vib29rDQo+ID4gYXNr aW5nIGZvciBteSBlbWFpbCBwYXNzd29yZCB3aGljaCB0aGV5IHByb21pc2Ugd2l0aCBzdWdhciBv biB0b3AgdG8NCm5vdA0KPiA+IHN0b3JlLiBJdCBtaWdodCBiZSB3b3J0aCBtZW50aW9uaW5nIHRo YXQgdGhpbmdzIGxpa2UgQ0FQVENIQSBjb3VsZCBiZQ0KPiA+IGRlcGxveWVkIHRvIGRlZmVuZCBh Z2FpbnN0IHRoYXQgc29ydCBvZiBhdHRhY2svbWlzdXNlLg0KPiA+DQo+ID4gW1BoaWxdIEkgZG9u J3QgdGhpbmsgd2UgbmVlZCB0byByZWFsbHkgYWRkIG11Y2ggaGVyZS4gV2UgY291bGQNCj4gd3Jp dGUgd2hvbGUgZXNzYXlzIG9uIHRoaXMgdG9waWMgYW5kIGxpa2VseSB3aWxsLg0KPiA+DQo+ID4g SSB0aGluayB0aGUgcG9pbnQgaXMgc2ltcGx5IHRvIGVkdWNhdGUgdGhlIGNsaWVudCBkZXZlbG9w ZXIgdGhhdA0KPiB0aGVyZSBpcyBubyBuZWVkIGZvciBhIGNsaWVudCBhcHBsaWNhdGlvbiB0byBl dmVyIGhhdmUgYWNjZXNzIHRvIGENCj4gcmF3IHVpZC9wYXNzd29yZCAob3IgYW55IG90aGVyIHVz ZXIgY3JlZGVudGlhbCkuDQo+ID4NCj4gPiBbL1BoaV0NCj4gPg0KPg0KPiBSZW1lbWJlcjogSSBj YW1lIGhlcmUgbm90IHVuZGVyc3RhbmRpbmcgd2hldGhlciB0aGlzIHRocmVhdCB3YXMgcmVhbCBv cg0Kbm90Lg0KPiBBIHRocmVhdCBkb2N1bWVudCB0aGF0IGNhbid0IGJlIGJvdGhlcmVkIHRvIGVs YWJvcmF0ZSBvbiBvbmUgb2YgdGhlDQpiaWdnZXN0DQo+IGV4aXN0ZW50aWFsICB0aHJlYXRzIHRv IHRoZSBwcm90b2NvbCBpcyB3b3J0aGxlc3MuIFRoZSB3YXkgaXQgaXMgd29yZGVkDQo+IG5vdyBk b2VzDQo+IG5vdCBtYWtlIGl0IGNyeXN0YWwgY2xlYXIgdGhhdCwgeWVzLCB0aGlzIG1lYW5zIFVJ V2ViVmlldydzIGluIGlQaG9uZQ0KPiBhcHBzLCBldGMgdG9vLg0KPiBJdCBzaG91bGQgYmVjYXVz ZSBpdCBuZWVkcyB0byBzY3JlYW06IFRISVMgVEhSRUFUIEFQUExJRVMgVE8gWU9VLCBBVVRIDQo+ IFNFUlZFUi4NCj4NCj4NCj4gPiBbc25pcF0NCj4gPg0KPiA+ICAgICBDb3VudGVybWVhc3VyZXM6 DQo+ID4NCj4gPiAgICAgbyAgQ2xpZW50IGRldmVsb3BlcnMgYW5kIGVuZC11c2VyIGNhbiBiZSBl ZHVjYXRlZCB0byB0cnVzdCBhbg0KPiA+ICAgICAgICBleHRlcm5hbCBTeXN0ZW0tQnJvd3NlciBv bmx5Lg0KPiA+DQo+ID4NCj4gPiBbbWF0XSBJIGFzc3VtZSB0aGF0IHRoaXMgaXMgaW4gaGVyZSBq dXN0IGZvciB0aGUgYW11c2VtZW50IGZhY3Rvcg0KYmVjYXVzZQ0KPiA+IGl0IGlzIG5vdCBhIGNy ZWRpYmxlIGNvdW50ZXJtZWFzdXJlLg0KPiA+DQo+ID4gW1BoaWxdIEkgYWdyZWUsIEZpcmVmb3gg cmVjZW50bHkgZGVtb25zdHJhdGVkIGhvdyBwb29ybHkgdXNlcnMNCj4gcmVjb2duaXplIHRoZSBz ZWN1cml0eSBzaWduYWxzIGluIHRoZSBicm93c2VyIGJ5IGRyb3BwaW5nIHRoZSAibG9jayINCj4g aWNvbiB3aXRob3V0IGFubm91bmNlbWVudC4gV2hlbiBJIGZvdW5kIG91dCwgSSBoYWQgYWxyZWFk eSBiZWVuDQo+IHVzaW5nIGl0IGZvciBzb21lIHRpbWUgYW5kIGhhZG4ndCBub3RpY2VkLiAgVGhp cyBjb3VudGVyIG1lYXN1cmUNCj4gc2hvdWxkIGJlIGNoYW5nZWQgdG86DQo+ID4NCj4gPiBvIFRo ZSBPQXV0aCBmbG93IGlzIGRlc2lnbmVkIHNvIHRoYXQgY2xpZW50IGFwcGxpY2F0aW9ucyBuZXZl cg0KPiBuZWVkIHRvIGtub3cgdXNlciBwYXNzd29yZHMuIFdoZXJlIHBvc3NpYmxlIENsaWVudCBh cHBsaWNhdGlvbnMNCj4gU0hPVUxEIGF2b2lkIGRpcmVjdGx5IGFza2luZyBmb3IgdXNlciBjcmVk ZW50aWFscyBkdXJpbmcgYW4NCj4gYXV0aG9yaXphdGlvbiBmbG93Lg0KPiA+IFsvUGhpbF0NCj4g Pg0KPg0KPiBUaGUgYmFzaWMgcHJvYmxlbSBoZXJlIGlzIHRoYXQgdGhlIGNsaWVudCBhcHAgaXMg bm90IHRydXN0ZWQuIFNvIGlmIGl0J3MNCj4gYSBiYWQNCj4gYWN0b3IgdGhpcyBhZG1vbml0aW9u IHdpbGwgYmUgaWdub3JlZC4gSWYgaXQncyBhIGdvb2QgYWN0b3IsIHRoZXJlDQo+IHdhc24ndCBh IHRocmVhdA0KPiBpbiBmaXJzdCBwbGFjZS4gU28gdGhlIG1pdGlnYXRpb24gY29tcGxldGVseSBt aXNzZXMgdGhlIG1hcmsuDQo+DQo+ID4gICAgIG8gIENsaWVudCBhcHBsaWNhdGlvbnMgY291bGQg YmUgdmFsaWRhdGVkIHByaW9yIHB1YmxpY2F0aW9uIGluIGENCj4gPiAgICAgICAgYXBwbGljYXRp b24gbWFya2V0Lg0KPiA+DQo+ID4gW21hdF0gSG93IHdvdWxkIHRoaXMgYmUgZG9uZSBpbiBwcmFj dGljZT8NCj4gPiBbUGhpbF0gSSB0aGluayB0aGlzIG5lZWRzIHRvIGNoYW5nZSB0bzoNCj4gPg0K PiA+IG8gQ2xpZW50IGFwcGxpY2F0aW9ucyBjb3VsZCBiZSB2YWxpZGF0ZWQgZm9yIGFjY2VwdGFi bGUgcHJhY3RpY2VzDQo+IGJ5IHRoZSBSZXNvdXJjZSBTaXRlIHByb3ZpZGVyIHByaW9yIHRvIGlz c3VpbmcgcHJvZHVjdGlvbiBDbGllbnQNCkNyZWRlbnRpYWxzLg0KPiA+DQo+DQo+IFdoZW4sIGV4 YWN0bHksIGNhbiB3ZSBleHBlY3QgdG8gc2VlIHRoaXMgaW4gdGhlIGZpZWxkPyBOZWl0aGVyIFR3 aXR0ZXINCj4gb3IgRmFjZWJvb2sNCj4gZG8gdGhpcy4gQW5kIGV2ZW4gaWYgdGhleSB3ZXJlIHNv IGluY2xpbmVkLCB0aGUgZHJhZnQgcHJvdmlkZXMgZXhhY3RseQ0KPiB6ZXJvIGd1aWRhbmNlDQo+ IGFzIHRvIHdoYXQgZXhhY3RseSB0aGF0ICJ2YWxpZGF0ZWQiIG1pZ2h0IG1lYW4gaW4gcHJhY3Rp Y2UuIFRoZSB3YXkgSQ0KPiByZWFkIHRoaXMgaXM6DQo+ICJ3ZSBkb24ndCBrbm93IGhvdyB0byBt aXRpZ2F0ZSB0aGlzIi4NCj4gPiBbL1BoaWxdDQo+ID4gICAgIG8gIENsaWVudCBkZXZlbG9wZXJz IHNob3VsZCBub3QgY29sbGVjdCBhdXRoZW50aWNhdGlvbiBpbmZvcm1hdGlvbg0KPiA+ICAgICAg ICBkaXJlY3RseSBmcm9tIHVzZXJzIGFuZCBzaG91bGQgaW5zdGVhZCB1c2UgcmVkaXJlY3RzIHRv IGFuZCBiYWNrDQo+ID4gICAgICAgIGZyb20gYSB0cnVzdGVkIGV4dGVybmFsIHN5c3RlbS1icm93 c2VyLg0KPiA+DQo+ID4NCj4gPiBbbWF0XSBIb3cgd291bGQgdGhlIHJlc291cmNlL2F1dGhlbnRp Y2F0aW9uIHNlcnZlciBlbmZvcmNlIHN1Y2ggYQ0KdGhpbmc/DQo+ID4NCj4gPiBbUGhpbF0gVGhp cyBpcyBhIGJlc3QgcHJhY3RpY2UgZm9yIHRoZSBjbGllbnQgZGV2ZWxvcGVyLiBbUGhpbF0NCj4g Pg0KPiA+DQo+DQo+IEkgZG9uJ3QgZXZlbiBrbm93IHdoYXQgdGhhdCBtZWFucyBpbiB0aGUgY29u dGV4dCBvZiBlbWJlZGRlZCBhcHBzLg0KPiBIYXMgYW55Ym9keSBldmVuIHRyaWVkIHRoaXM/IEF0 IHRoZSB2ZXJ5IGxlYXN0LCBhbiBleGFtcGxlIGZsb3cgbWlnaHQNCj4gYmUgdXNlZnVsIGZvciB0 aGUgdW5pbml0aWF0ZWQgY2xpZW50IGRldmVsb3Blci4NCj4NCj4gTWlrZQ0KPiBfX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXw0KPiBPQXV0aCBtYWlsaW5nIGxp c3QNCj4gT0F1dGhAaWV0Zi5vcmcNCj4gaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0 aW5mby9vYXV0aA0KPg== From mark.mcgloin@ie.ibm.com Fri Dec 16 04:09:00 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD13C21F8B4F for ; Fri, 16 Dec 2011 04:09:00 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.291 X-Spam-Level: X-Spam-Status: No, score=-2.291 tagged_above=-999 required=5 tests=[AWL=-0.292, BAYES_00=-2.599, J_CHICKENPOX_75=0.6] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Q9mAd4zAN65 for ; Fri, 16 Dec 2011 04:08:59 -0800 (PST) Received: from e06smtp13.uk.ibm.com (e06smtp13.uk.ibm.com [195.75.94.109]) by ietfa.amsl.com (Postfix) with ESMTP id 2CBE021F8B2F for ; Fri, 16 Dec 2011 04:08:59 -0800 (PST) Received: from /spool/local by e06smtp13.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 16 Dec 2011 12:08:52 -0000 Received: from d06nrmr1707.portsmouth.uk.ibm.com ([9.149.39.225]) by e06smtp13.uk.ibm.com ([192.168.101.143]) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Fri, 16 Dec 2011 12:08:49 -0000 Received: from d06av02.portsmouth.uk.ibm.com (d06av02.portsmouth.uk.ibm.com [9.149.37.228]) by d06nrmr1707.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id pBGC8mR92686990 for ; Fri, 16 Dec 2011 12:08:49 GMT Received: from d06av02.portsmouth.uk.ibm.com (loopback [127.0.0.1]) by d06av02.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id pBGC8mTX021702 for ; Fri, 16 Dec 2011 05:08:48 -0700 Received: from d06ml091.portsmouth.uk.ibm.com (d06ml091.portsmouth.uk.ibm.com [9.149.104.170]) by d06av02.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id pBGC8mkD021697 for ; Fri, 16 Dec 2011 05:08:48 -0700 X-KeepSent: 89CAB6D0:846918A4-80257968:003F9F0B; type=4; name=$KeepSent To: OAuth WG X-Mailer: Lotus Notes Release 8.5.1FP5 SHF29 November 12, 2010 Message-ID: From: Mark Mcgloin Date: Fri, 16 Dec 2011 12:08:44 +0000 X-MIMETrack: Serialize by Router on D06ML091/06/M/IBM(Release 8.5.2FP1 ZX852FP1HF12|September 28, 2011) at 16/12/2011 12:08:43 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII x-cbid: 11121612-2966-0000-0000-000002A56721 Subject: Re: [OAUTH-WG] Phishing with Client Application Name Spoofing X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Dec 2011 12:09:00 -0000 Andre You are right that the threat model does not cover this kind of issue related to client registration. Client registration is considered to be out of scope in the oauth spec but it is worth drawing developers attention to this. I can add a threat entitled something like "Client Registration of phishing clients". It kind of reminds me of the issues android market place has seen recently with malware apps due to no vetting of those apps. It is touched upon in the oauth 2 rfc: http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-2 Regards Mark On 3 Nov 2011 17:09:39, "Andre DeMarre" wrote: You are right that they are similar, but there is a difference, and only one of the six countermeasures is relevant to the threat I described. http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01#section-4.4.1.4 seems to be about an attack where the malicious client impersonates a different (valid) client that is registered with the authorization server. In other words, the valid client is registered as client_id 123, and the malicious client does not have its own client_id but tries to pose as client 123. This corresponds to http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-10.2. In the threat I described, there is no valid client. The malicious client is properly registered with the authorization server and has its own client_id and client credentials. It can authenticate with the authorization server without trying to pose as a different client. As an attacker you might reason, "Why would I try to impersonate a valid client for which I don't know the client credentials and can't pass the redirect URI test, when I can just register my own client with my own redirect URI and be given my own credentials?" Imagine the attacker wants to impersonate Google with a popular web service called Foobar. The attacker registers his application with Foobar's auth server. It does not matter if the real Google has registered an authentic app with Foobar. The attacker has no reason to be interested in stealing or guessing client credentials when he can simply register his own app and call it "Google". The information the auth server shows to end users when asking them to grant authorization becomes very important. Regards,Andre DeMarre On Wed, Nov 2, 2011 at 2:27 PM, Torsten Lodderstedt wrote: > Hi Andre, > > how do you think differs the threat you descibed from > http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01#section-4.4.1.4 ? > > regards, > Torsten. From mike@mtcc.com Fri Dec 16 06:55:35 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3968D21F8B43; Fri, 16 Dec 2011 06:55:35 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xA4clVt0ymxM; Fri, 16 Dec 2011 06:55:34 -0800 (PST) Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 3237621F8B08; Fri, 16 Dec 2011 06:55:34 -0800 (PST) Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pBGEtP7Y023348 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Fri, 16 Dec 2011 06:55:26 -0800 Message-ID: <4EEB5BDD.7080401@mtcc.com> Date: Fri, 16 Dec 2011 06:55:25 -0800 From: Michael Thomas User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0 MIME-Version: 1.0 To: Mark Mcgloin References: <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> <4EEA3951.5010904@mtcc.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=7079; t=1324047328; x=1324911328; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20 |Subject:=20Re=3A=20[OAUTH-WG]=20WGLC=20on=20draft-ietf-oau th-v2-threatmodel-01,=20ends=209=0A=20Dec=202011 |Sender:=20 |To:=20Mark=20Mcgloin=20 |Content-Type:=20text/plain=3B=20charset=3DUTF-8=3B=20forma t=3Dflowed |Content-Transfer-Encoding:=208bit |MIME-Version:=201.0; bh=T8iX1xOqfISGafuqI5YaEMDoN2hlJxQmO0xHF1EzBW4=; b=A/ULEnkeO7g/CArzA0lA9a32mq5+iMvmqCFb7K66igEsyDaR4lngMq/OYb Icz8X3PGdEQmjtYvIVRz4UnoZoomX02UMgx8pNYXn0Avfwsnri7DXBccWY6Z gsLSFnByt8VPFfH4nryTSbhJrbqGbLo23wuSSpuUez3WYQ5zDhisI=; Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com Cc: Barry Leiba , oauth WG , oauth-bounces@ietf.org Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Dec 2011 14:55:35 -0000 On 12/16/2011 03:02 AM, Mark Mcgloin wrote: > Michael, > > I will review the comments from Phil where he suggests some changes in > section 4.1.4 of the threat model > > I am unclear exactly what you are proposing. If you want to propose a > clearly worded revamp of that section in the next couple of days, I am > willing to review and accept legitimate changes. Clearly worded means > concise, technically accurate and devoid of alarmist phrases and words used > out of context, such as existential. Can I suggest you review with a > colleague before posting here. > Barry -- I have gone through this section and made comments and was blown off seemingly without reading them at all, and now I'm being told to come up with text for which I can be blown off again: "Can I suggest you review..." The fact of the matter is that my comments say that the threats are understated and mitigations that are proposed do not work. It's not my job alone to fix this. It's the working group's. In fact if I were to propose text, it would be along the lines of "can't be mitigated" because I do not know how to fix them. If nobody else can come up with a better mitigation, then that *is* what should be there, not some hand waving nonsense that doesn't work. Mike, "instruct users..." feh > Regards > Mark > > oauth-bounces@ietf.org wrote on 15/12/2011 18:15:45: > > >> From: >> >> Michael Thomas >> >> To: >> >> Phil Hunt >> >> Cc: >> >> Barry Leiba, oauth WG >> >> Date: >> >> 15/12/2011 18:16 >> >> Subject: >> >> Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec >> > 2011 > >> Sent by: >> >> oauth-bounces@ietf.org >> >> On 12/15/2011 09:54 AM, Phil Hunt wrote: >> >>> Note: one change recommended below... >>> >>> With regards to 4.1.4… >>> 4.1.4. Threat: End-user credentials phished using compromised or >>> embedded browser >>> >>> A malicious application could attempt to phish end-user passwords >>> > by > >>> misusing an embedded browser in the end-user authorization process, >>> or by presenting its own user-interface instead of allowing trusted >>> system browser to render the authorization user interface. By >>> > doing > >>> so, the usual visual trust mechanisms may be bypassed (e.g. TLS >>> confirmation, web site mechanisms). By using an embedded or >>> > internal > >>> client application user interface, the client application has >>> > access > >>> to additional information it should not have access to (e.g. uid/ >>> password). >>> >>> >>> [mat] I think it's also worth mentioning either here, or in another >>> threat that there is a further social engineering misuse/attack where >>> > an > >>> app offers/demands to keep your credentials so that you don't have to >>> > go > >>> through the authorization rigmarole. Users are already conditioned to >>> give their credentials up to do things -- just this morning I >>> >> noticed facebook >> >>> asking for my email password which they promise with sugar on top to >>> > not > >>> store. It might be worth mentioning that things like CAPTCHA could be >>> deployed to defend against that sort of attack/misuse. >>> >>> [Phil] I don't think we need to really add much here. We could >>> >> write whole essays on this topic and likely will. >> >>> I think the point is simply to educate the client developer that >>> >> there is no need for a client application to ever have access to a >> raw uid/password (or any other user credential). >> >>> [/Phi] >>> >>> >> Remember: I came here not understanding whether this threat was real or >> > not. > >> A threat document that can't be bothered to elaborate on one of the >> > biggest > >> existential threats to the protocol is worthless. The way it is worded >> now does >> not make it crystal clear that, yes, this means UIWebView's in iPhone >> apps, etc too. >> It should because it needs to scream: THIS THREAT APPLIES TO YOU, AUTH >> SERVER. >> >> >> >>> [snip] >>> >>> Countermeasures: >>> >>> o Client developers and end-user can be educated to trust an >>> external System-Browser only. >>> >>> >>> [mat] I assume that this is in here just for the amusement factor >>> > because > >>> it is not a credible countermeasure. >>> >>> [Phil] I agree, Firefox recently demonstrated how poorly users >>> >> recognize the security signals in the browser by dropping the "lock" >> icon without announcement. When I found out, I had already been >> using it for some time and hadn't noticed. This counter measure >> should be changed to: >> >>> o The OAuth flow is designed so that client applications never >>> >> need to know user passwords. Where possible Client applications >> SHOULD avoid directly asking for user credentials during an >> authorization flow. >> >>> [/Phil] >>> >>> >> The basic problem here is that the client app is not trusted. So if it's >> a bad >> actor this admonition will be ignored. If it's a good actor, there >> wasn't a threat >> in first place. So the mitigation completely misses the mark. >> >> >>> o Client applications could be validated prior publication in a >>> application market. >>> >>> [mat] How would this be done in practice? >>> [Phil] I think this needs to change to: >>> >>> o Client applications could be validated for acceptable practices >>> >> by the Resource Site provider prior to issuing production Client >> > Credentials. > >>> >> When, exactly, can we expect to see this in the field? Neither Twitter >> or Facebook >> do this. And even if they were so inclined, the draft provides exactly >> zero guidance >> as to what exactly that "validated" might mean in practice. The way I >> read this is: >> "we don't know how to mitigate this". >> >>> [/Phil] >>> o Client developers should not collect authentication information >>> directly from users and should instead use redirects to and back >>> from a trusted external system-browser. >>> >>> >>> [mat] How would the resource/authentication server enforce such a >>> > thing? > >>> [Phil] This is a best practice for the client developer. [Phil] >>> >>> >>> >> I don't even know what that means in the context of embedded apps. >> Has anybody even tried this? At the very least, an example flow might >> be useful for the uninitiated client developer. >> >> Mike >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > From Michael.Jones@microsoft.com Fri Dec 16 09:12:07 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E7ED21F8B37 for ; Fri, 16 Dec 2011 09:12:07 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.527 X-Spam-Level: X-Spam-Status: No, score=-5.527 tagged_above=-999 required=5 tests=[AWL=1.071, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1lXa28p3oUdp for ; Fri, 16 Dec 2011 09:12:05 -0800 (PST) Received: from TX2EHSOBE002.bigfish.com (tx2ehsobe001.messaging.microsoft.com [65.55.88.11]) by ietfa.amsl.com (Postfix) with ESMTP id E943421F8AD6 for ; Fri, 16 Dec 2011 09:12:04 -0800 (PST) Received: from mail40-tx2-R.bigfish.com (10.9.14.247) by TX2EHSOBE002.bigfish.com (10.9.40.22) with Microsoft SMTP Server id 14.1.225.23; Fri, 16 Dec 2011 17:12:03 +0000 Received: from mail40-tx2 (localhost [127.0.0.1]) by mail40-tx2-R.bigfish.com (Postfix) with ESMTP id 96C43801B5; Fri, 16 Dec 2011 17:12:01 +0000 (UTC) X-SpamScore: -38 X-BigFish: VS-38(zzbb2dI9371Ic89bh1be0I1447M1b0bM542Mc857hzz1202hzz8275ch1033IL8275bh8275dhz2fh2a8h668h839h61h) X-Spam-TCS-SCL: 0:0 X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC103.redmond.corp.microsoft.com; RD:none; EFVD:NLI Received-SPF: pass (mail40-tx2: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC103.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail40-tx2 (localhost.localdomain [127.0.0.1]) by mail40-tx2 (MessageSwitch) id 132405552087472_18377; Fri, 16 Dec 2011 17:12:00 +0000 (UTC) Received: from TX2EHSMHS017.bigfish.com (unknown [10.9.14.254]) by mail40-tx2.bigfish.com (Postfix) with ESMTP id 045005E0043; Fri, 16 Dec 2011 17:12:00 +0000 (UTC) Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (131.107.125.8) by TX2EHSMHS017.bigfish.com (10.9.99.117) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 16 Dec 2011 17:11:48 +0000 Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.220]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.02.0247.005; Fri, 16 Dec 2011 09:11:29 -0800 From: Mike Jones To: Mark Nottingham , Stephen Farrell , Hannes Tschofenig , Barry Leiba Thread-Topic: OK to post OAuth Bearer draft 15? Thread-Index: Acy6zxL5vGVpwSHMTIKvMNNyq2nAEgBRnxgA Date: Fri, 16 Dec 2011 17:11:29 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435F7650C6@TK5EX14MBXC283.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.32] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435F7650C6TK5EX14MBXC283r_" MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] OK to post OAuth Bearer draft 15? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Dec 2011 17:12:07 -0000 --_000_4E1F6AAD24975D4BA5B16804296739435F7650C6TK5EX14MBXC283r_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 VW5sZXNzIEkgaGVhciBhIOKAnG5v4oCdIGZyb20gTWFyaywgdGhlIGNoYWlycywgb3IgU3RlcGhl biBJ4oCZbGwgcGxhbiB0byBwdWJsaXNoIC0xNSBvdmVyIHRoZSB3ZWVrZW5kLiAgKE9yIGlmIEkg aGVhciBhIOKAnHllc+KAnSwgSeKAmWxsIGRvIHNvIHJpZ2h0IGF3YXkuIOKYuikNCg0KICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLS0g TWlrZQ0KDQpGcm9tOiBNaWtlIEpvbmVzDQpTZW50OiBXZWRuZXNkYXksIERlY2VtYmVyIDE0LCAy MDExIDY6MTMgUE0NClRvOiBNYXJrIE5vdHRpbmdoYW07ICdTdGVwaGVuIEZhcnJlbGwnOyBIYW5u ZXMgVHNjaG9mZW5pZzsgQmFycnkgTGVpYmENCkNjOiBvYXV0aEBpZXRmLm9yZw0KU3ViamVjdDog T0sgdG8gcG9zdCBPQXV0aCBCZWFyZXIgZHJhZnQgMTU/DQoNCk1hcmssIFN0ZXBoZW4sIEhhbm5l cywgYW5kIEJhcnJ5LA0KDQpBbnkgb2JqZWN0aW9ucyB0byBwb3N0aW5nIHRoZSB1cGRhdGVkIEJl YXJlciBkcmFmdCBpbmNvcnBvcmF0aW5nIHRoZSByZXN1bHRzIG9mIHRoZSBBUFBTIEFyZWEgcmV2 aWV3IGFuZCB0aGUgVExTIHJlcXVpcmVtZW50cz8NCg0KICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLS0gTWlrZQ0KDQpGcm9tOiBNaWtl IEpvbmVzDQpTZW50OiBNb25kYXksIERlY2VtYmVyIDEyLCAyMDExIDg6NTEgQU0NClRvOiBNYXJr IE5vdHRpbmdoYW07ICdTdGVwaGVuIEZhcnJlbGwnOyBvYXV0aEBpZXRmLm9yZzxtYWlsdG86b2F1 dGhAaWV0Zi5vcmc+DQpTdWJqZWN0OiBSRTogW09BVVRILVdHXSBGVzogW2FwcHMtZGlzY3Vzc10g QVBQUyBBcmVhIHJldmlldyBvZiBkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci0xNA0KDQoNClRo YW5rcyBmb3IgdGhlIGRldGFpbGVkIHJldmlldywgTWFyay4NCg0KDQoNClByZWxpbWluYXJ5IGRy YWZ0IDE1IG9mIHRoZSBPQXV0aCBCZWFyZXIgc3BlY2lmaWNhdGlvbiBpcyBhdHRhY2hlZC4gIEl0 IHJlc29sdmVzIHRoZSBmb3JtIGVuY29kaW5nIGlzc3VlcyByYWlzZWQgYnkgSnVsaWFuIFJlc2No a2UgaW4gdGhlIG1hbm5lciBkaXNjdXNzZWQgYXQgdGhlIHdvcmtpbmcgZ3JvdXAgbWVldGluZyBp biBUYWlwZWksIGluY29ycG9yYXRlcyB0aGUgY29uc2Vuc3VzIHRleHQgb24gVExTIHZlcnNpb24g cmVxdWlyZW1lbnRzLCBhbmQgY29udGFpbnMgc2V2ZXJhbCBpbXByb3ZlbWVudHMgc3VnZ2VzdGVk IGJ5IE1hcmsgTm90dGluZ2hhbSBkdXJpbmcgQVBQUyBhcmVhIHJldmlldy4NCg0KDQoNCk1hcmss IGNvbW1lbnRzIG9uIGFsbCB5b3VyIHByb3Bvc2VkIGNoYW5nZXMgZm9sbG93IGJlbG93Og0KDQoN Cg0KKiBTZWN0aW9uIDIuMyBVUkkgUXVlcnkgUGFyYW1ldGVyDQoNCg0KDQpUaGlzIHNlY3Rpb24g ZWZmZWN0aXZlbHkgcmVzZXJ2ZXMgYSBVUkkgcXVlcnkgcGFyYW1ldGVyIGZvciB0aGUgZHJhZnQn cyB1c2UuIFRoaXMgc2hvdWxkIG5vdCBiZSBkb25lIGxpZ2h0bHksIHNpbmNlIHRoaXMgd291bGQg YmUgYSBwcmVjZWRlbnQgZm9yIHRoZSBJRVRGIGVuY3JvYWNoaW5nIHVwb24gYSBzZXJ2ZXIncyBV UklzIChkb25lIHByZXZpb3VzbHkgaW4gUkZDNTc4NSwgYnV0IGluIGEgbXVjaCBtb3JlIGxpbWl0 ZWQgZmFzaGlvbiwgYXMgYSB0YWN0aWMgdG8gcHJldmVudCBmdXJ0aGVyLCB1bmNvbnRyb2xsZWQg ZW5jcm9hY2htZW50KS4NCg0KDQoNCkdpdmVuIHRoYXQgdGhlIGRyYWZ0IGFscmVhZHkgZGlzY291 cmFnZXMgdGhlIHVzZSBvZiB0aGlzIG1lY2hhbmlzbSwgSSdkIHJlY29tbWVuZCBkcm9wcGluZyBp dCBhbHRvZ2V0aGVyLiBJZiB0aGUgV29ya2luZyBHcm91cCB3aXNoZXMgaXQgdG8gcmVtYWluLCB0 aGlzIGlzc3VlcyBzaG91bGQgYmUgdmV0dGVkIGJvdGggdGhyb3VnaCB0aGUgQVBQUyBhcmVhIGFu ZCB0aGUgVzNDIGxpYWlzb24uDQoNCg0KDQooVGhlIHNhbWUgY3JpdGljaXNtIGNvdWxkIGJlIGxl dmVsZWQgYXQgU2VjdGlvbiAyLjIgRm9ybS1FbmNvZGVkIEJvZHkgUGFyYW1ldGVyLCBidXQgdGhh dCBhdCBsZWFzdCBpc24ndCBzdXJmYWNlZCBpbiBhbiBpZGVudGlmaWVyKQ0KDQoNCg0KVGhlcmUg YXJlIHNvbWUgY29udGV4dHMsIGVzcGVjaWFsbHkgbGltaXRlZCBicm93c2VycyBhbmQvb3IgZGV2 ZWxvcG1lbnQgZW52aXJvbm1lbnRzLCB3aGVyZSBxdWVyeSBwYXJhbWV0ZXJzIGFyZSB1c2FibGUg YnV0IHRoZSBvdGhlciBtZXRob2RzIGFyZSBub3QuICBUaHVzLCB0aGUgcXVlcnkgcGFyYW1ldGVy IG1ldGhvZCBtdXN0IGJlIHJldGFpbmVkLiAgQWxzbywgSnVzdGluIFJpY2h0ZXLigJlzIGNvbW1l bnRzIGRlc2NyaWJpbmcgdGhlIHZhbHVlIHRvIGhpbSBvZiB0aGUgcXVlcnkgcGFyYW1ldGVyIG1l dGhvZCBhcmUgcGVydGluZW50OiAg4oCcQSBVUkwgd2l0aCBhbGwgcGFyYW1ldGVycyBpbmNsdWRp bmcgYXV0aG9yaXphdGlvbiBpcyBhIHBvd2VyZnVsIGFydGlmYWN0IHdoaWNoIGNhbiBiZSBwYXNz ZWQgYXJvdW5kIGJldHdlZW4gc3lzdGVtcyBhcyBhIHVuaXTigJ0uDQoNCg0KDQpBcyB0byB1c2lu ZyBhIHN0YW5kYXJkIHBhcmFtZXRlciBuYW1lLCB0aGlzIGlzIGVzc2VudGlhbCBmb3IgaW50ZXJv cGVyYWJpbGl0eS4gIEl0IGlzIG5vdCDigJxyZXNlcnZlZOKAnSBpbiBhbnkgY29udGV4dHMgb3Ro ZXIgdGhhbiB3aGVuIHRoZSBCZWFyZXIgc3BlYyBpcyBlbXBsb3llZCwgd2hpY2ggaXMgYSB2b2x1 bnRhcnkgYWN0IGJ5IGJvdGggcGFydGllcy4gIFRodXMsIHRoaXMgcG9zZXMgbm8gdW5kdWUgYnVy ZGVucyBvciBuYW1lc3BhY2UgcmVzdHJpY3Rpb25zIG9uIGltcGxlbWVudGF0aW9ucyBpbiBwcmFj dGljZS4NCg0KDQoNCkZpbmFsbHksIHlvdeKAmWxsIGZpbmQgdGhhdCBPQXV0aCAxLjAgW1JGQyA1 ODQ5PGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzU4NDk+XSBzaW1pbGFybHkgZGVmaW5l ZCwgbm90IG9uZSwgYnV0IHR3byBzdGFuZGFyZCBxdWVyeSBwYXJhbWV0ZXIgdmFsdWVzOiAgb2F1 dGhfdG9rZW4gYW5kIG9hdXRoX3ZlcmlmaWVyLiAgQXMgdGhpcyBkaWRu4oCZdCBjYXVzZSBhbnkg cHJvYmxlbXMgaW4gcHJhY3RpY2UgdGhlbiwgSeKAmW0gc3VyZSB0aGF0IGRlZmluaW5nIGFuIGFj Y2Vzc190b2tlbiBwYXJhbWV0ZXIgd2l0aGluIHRoZSBCZWFyZXIgc3BlYyBmb3IgaW50ZXJvcGVy YWJpbGl0eSBwdXJwb3NlcyB3b27igJl0IGNhdXNlIGEgcHJvYmxlbSBlaXRoZXIuDQoNCg0KDQoq IFNlY3Rpb24gMyBUaGUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBIZWFkZXIgRmllbGQNCg0K DQoNClRoZSBkcmFmdCByZWZlcmVuY2VzIHRoZSBxdW90ZWQtc3RyaW5nIEFCTkYgZnJvbSBIVFRQ LCBidXQgY2hhbmdlcyBpdHMgcHJvY2Vzc2luZyBpbiBhIGxhdGVyIHBhcmFncmFwaDoNCg0KDQoN CiIiIkluIGFsbCB0aGVzZSBjYXNlcywgbm8gY2hhcmFjdGVyIHF1b3Rpbmcgd2lsbCBvY2N1ciwg YXMgc2VuZGVycyBhcmUgcHJvaGliaXRlZCBmcm9tIHVzaW5nIHRoZSAlNUMgKCdcJykgY2hhcmFj dGVyLiIiIg0KDQoNCg0KVGhpcyBpcyBhdCBiZXN0IHN1cnByaXNpbmcgKGFzIG1hbnkgcmVhZGVy cyB3aWxsIHJlYXNvbmFibHkgc3VybWlzZSB0aGF0IHVzaW5nIHRoZSBxdW90ZWQtc3RyaW5nIEFC TkYgaW1wbGllcyB0aGF0IHRoZSBzYW1lIGNvZGUgY2FuIGJlIHVzZWQpLg0KDQpQbGVhc2UgZWl0 aGVyIHVzZSBxdW90ZWQtc3RyaW5nIGFzIGRlZmluZWQgKGkuZS4sIHdpdGggZXNjYXBpbmcpLg0K DQoNCg0KVGhpcyBwYXJhbWV0ZXIgZGVmaW5pdGlvbiB3YXMgYSByZXN1bHQgb2Ygc2lnbmlmaWNh bnQgd29ya2luZyBncm91cCBkaXNjdXNzaW9uIGFuZCByZWZsZWN0cyBhIHNvbGlkIGNvbnNlbnN1 cyBwb3NpdGlvbi4gIFVzaW5nIHRoZSBxdW90ZWQgc3RyaW5nIEJORiBtYWtlcyBpdCBjbGVhciwg cGVyIEp1bGlhbiBSZXNjaGtl4oCZcyBzdWdnZXN0aW9ucywgdGhhdCBnZW5lcmljIHBhcmFtZXRl ciBwYXJzaW5nIGNvZGUgY2FuIGJlIHNhZmVseSB1c2VkLiAgV2hlcmVhcyBwcm9oaWJpdGluZyB0 aGUgdXNlIG9mIGJhY2tzbGFzaCBxdW90aW5nIGJ5IHNlbmRlcnMgYWxzbyBtYWtlcyBpdCBjbGVh ciB0aGF0IGN1c3RvbSBpbXBsZW1lbnRhdGlvbnMgY2FuIGRpcmVjdGx5IHV0aWxpemUgdGhlIHBh cmFtZXRlciB2YWx1ZXMgYXMgdHJhbnNtaXR0ZWQgd2l0aG91dCBwZXJmb3JtaW5nIGFueSBxdW90 ZSBwcm9jZXNzaW5nLg0KDQoNCg0KSW4gc2hvcnQsIHRoZSBzcGVjIGRvZXNu4oCZdCBjaGFuZ2Ug dGhlIHByb2Nlc3Npbmcgb2YgcXVvdGVkIHN0cmluZ3MuICBJdCBzaW1wbHkgcmVzdHJpY3RzIHRo ZSBzZXQgb2YgbGVnYWwgaW5wdXQgY2hhcmFjdGVycyB3aXRoaW4gdGhlIHF1b3RlZCBzdHJpbmdz Lg0KDQoNCg0KKiBTZWN0aW9uIDE6IEludHJvZHVjdGlvbg0KDQoNCg0KVGhlIGludHJvZHVjdGlv biBleHBsYWlucyBvYXV0aCwgYnV0IGl0IGRvZXNuJ3QgZnVsbHkgZXhwbGFpbiB0aGUgcmVsYXRp b25zaGlwIG9mIHRoaXMgc3BlY2lmaWNhdGlvbiB0byBPQXV0aCAyLjAuIEUuZy4sIGNhbiBpdCBi ZSB1c2VkIGluZGVwZW5kZW50bHkgZnJvbSB0aGUgcmVzdCBvZiBPQXV0aD8gTGlrZXdpc2UsIHRo ZSBvdmVydmlldyAoc2VjdGlvbg0KDQoxLjMpIHNlZW1zIG1vcmUgc3BlY2lmaWMgdG8gdGhlIE9B dXRoIHNwZWNpZmljYXRpb24gdGhhbiB0aGlzIGRvY3VtZW50Lg0KDQpBcyBJIHJlYWQgaXQsIHRo aXMgbWVjaGFuaXNtIGNvdWxkIGJlIHVzZWQgZm9yIEFOWSBiZWFyZXIgdG9rZW4sIG5vdCBqdXN0 IG9uZSBnZW5lcmF0ZWQgdGhyb3VnaCBPQXV0aCBmbG93cy4NCg0KDQoNCklmIGl0IGlzIGluZGVl ZCBtb3JlIGdlbmVyYWwsIEknZCByZWNvbW1lbmQgbWluaW1pc2luZyB0aGUgZGlzY3Vzc2lvbiBv ZiBPQXV0aCwgcGVyaGFwcyBldmVuIHJlbW92aW5nIGl0IGZyb20gdGhlIGRvY3VtZW50IHRpdGxl Lg0KDQoNCg0KUGVyIHlvdXIgc3VnZ2VzdGlvbiwgSeKAmXZlIG1hZGUgaXQgY2xlYXIgaW4gdGhl IGludHJvZHVjdGlvbiB0aGF0IGJlYXJlciB0b2tlbnMgZnJvbSBhbnkgc291cmNlIGNhbiBiZSB1 c2VkIHRvIGFjY2VzcyBhc3NvY2lhdGVkIHByb3RlY3RlZCByZXNvdXJjZXMuICBUaGUgbmV3IGxh bmd1YWdlIGluIHRoZSBpbnRyb2R1Y3Rpb24gaXM6DQoNCg0KDQrigJxUaGlzIHNwZWNpZmljYXRp b24gZGVmaW5lcyB0aGUgdXNlIG9mIGJlYXJlciB0b2tlbnMgb3ZlciBIVFRQLzEuMSBbSeKAkUQu aWV0ZuKAkWh0dHBiaXPigJFwMeKAkW1lc3NhZ2luZ10gdXNpbmcgVExTIFtSRkM1MjQ2XSB0byBh Y2Nlc3MgcHJvdGVjdGVkIHJlc291cmNlcy4g4oCmIFdoaWxlIGRlc2lnbmVkIGZvciB1c2Ugd2l0 aCBhY2Nlc3MgdG9rZW5zIHJlc3VsdGluZyBmcm9tIE9BdXRoIDIuMCBBdXRob3JpemF0aW9uIFtJ 4oCRRC5pZXRm4oCRb2F1dGjigJF2Ml0gZmxvd3MgdG8gYWNjZXNzIE9BdXRoIHByb3RlY3RlZCBy ZXNvdXJjZXMsIHRoaXMgc3BlY2lmaWNhdGlvbiBhY3R1YWxseSBkZWZpbmVzIGEgZ2VuZXJhbCBI VFRQIGF1dGhvcml6YXRpb24gbWV0aG9kIHRoYXQgY2FuIGJlIHVzZWQgd2l0aCBiZWFyZXIgdG9r ZW5zIGZyb20gYW55IHNvdXJjZSB0byBhY2Nlc3MgYW55IHJlc291cmNlcyBwcm90ZWN0ZWQgYnkg dGhvc2UgYmVhcmVyIHRva2Vucy7igJ0NCg0KDQoNCiogU2VjdGlvbiAzIFRoZSBXV1ctQXV0aGVu dGljYXRlIFJlc3BvbnNlIEhlYWRlciBGaWVsZA0KDQoNCg0KVGhlIGRpZmZlcmVuY2UgYmV0d2Vl biBhIHJlYWxtIGFuZCBhIHNjb3BlIGlzIG5vdCBleHBsYWluZWQuIEFyZSB0aGUgZnVuY3Rpb25h bGx5IGVxdWl2YWxlbnQsIGp1c3QgYSBzaW5nbGUgdmFsdWUgdnMuIGEgbGlzdD8NCg0KDQoNClJl YWxtIGlzIGFzIGRlZmluZWQgYnkgSFRUUGJpcy4gIEl0IHNheXMgdGhhdCDigJxUaGUgcmVhbG0g dmFsdWUgaXMgYSBzdHJpbmcsIGdlbmVyYWxseSBhc3NpZ25lZCBieSB0aGUgb3JpZ2luIHNlcnZl ciwgd2hpY2ggY2FuIGhhdmUgYWRkaXRpb25hbCBzZW1hbnRpY3Mgc3BlY2lmaWMgdG8gdGhlIGF1 dGhlbnRpY2F0aW9uIHNjaGVtZS7igJ0gIFRoZSBCZWFyZXIgc3BlY2lmaWNhdGlvbiBpbnRlbnRp b25hbGx5IGFkZHMgbm8gZXh0cmEgc2VtYW50aWNzIHRvIHRoZSByZWFsbSBkZWZpbml0aW9uLiAg V2hlcmVhcyB0aGUgc2NvcGUgcGFyYW1ldGVyIGlzIGRlZmluZWQgYXMgYW4gb3JkZXItaW5kZXBl bmRlbnQgc3BhY2Utc2VwYXJhdGVkIGxpc3Qgb2Ygc2NvcGUgdmFsdWVzLiAgVGhlIGNvbnRleHR1 YWwgbWVhbmluZyBvZiBib3RoIHRoZSByZWFsbSBhbmQgc2NvcGUgcGFyYW1ldGVycyBpcyBkZXBs b3ltZW50LWRlcGVuZGVudC4NCg0KDQoNCkRvIHlvdSByZWFsbHkgaW50ZW5kIHRvIGRpc2FsbG93 ICphbGwqIGV4dGVuc2lvbiBwYXJhbWV0ZXJzIG9uIHRoZSBjaGFsbGVuZ2U/DQoNCg0KDQpZZXMu ICBUaGVyZSB3YXMgYW4gZXhwbGljaXQgd29ya2luZyBncm91cCBjb25zZW5zdXMgZGVjaXNpb24g dG8gZG8gc28uDQoNCg0KDQpBbHNvLCB0aGUgc2NvcGUsIGVycm9yLCBlcnJvcl9kZXNjcmlwdGlv biBhbmQgZXJyb3JfdXJpIHBhcmFtZXRlcnMgYWxsIHNwZWNpZnkgb25seSBhIHF1b3RlZC1zdHJp bmcgc2VyaWFsaXNhdGlvbi4gSFRUUGJpcyBzdHJvbmdseSBzdWdnZXN0cyB0aGF0IG5ldyBzY2hl bWVzIGFsbG93IGJvdGggZm9ybXMsIGJlY2F1c2UgaW1wbGVtZW50YXRpb24gZXhwZXJpZW5jZSBo YXMgc2hvd24gdGhhdCBpbXBsZW1lbnRhdGlvbnMgd2lsbCBsaWtlbHkgc3VwcG9ydCBib3RoLCBu byBtYXR0ZXIgaG93IGRlZmluZWQ7IHRoaXMgaW1wcm92ZXMgaW50ZXJvcGVyYWJpbGl0eSAoc2Vl IHA3IDIuMy4xKS4NCg0KDQoNCk9uY2UgYWdhaW4sIHRoZSBjdXJyZW50IHRleHQgcmVmbGVjdHMg YSBjb25zZW5zdXMgZGVjaXNpb24gb2YgdGhlIHdvcmtpbmcgZ3JvdXAuICBJdCB3YXMgdmlld2Vk IHRoYXQgcmVxdWlyaW5nIHN1cHBvcnQgZm9yIG11bHRpcGxlIHdheXMgb2YgZG9pbmcgdGhlIHNh bWUgdGhpbmcgdW5uZWNlc3NhcmlseSBjb21wbGljYXRlZCBpbXBsZW1lbnRhdGlvbnMgd2l0aG91 dCBhbnkgY29tcGVuc2F0aW5nIGJlbmVmaXQ7IGJldHRlciB0byBzdXBwb3J0IG9uZSBzeW50YXgg Zm9yIGVhY2ggc2VtYW50aWMgb3BlcmF0aW9uIGFuZCByZXF1aXJlIGFsbCBpbXBsZW1lbnRhdGlv bnMgdG8gdXNlIGl0Lg0KDQoNCg0KRmluYWxseSwgdGhlIGVycm9yX2Rlc2NyaXB0aW9uIHBhcmFt ZXRlciBjYW4gY2Fycnkgb25seSBBU0NJSSBjaGFyYWN0ZXJzLiBXaGlsZSBJIHVuZGVyc3RhbmQg YSB0cmFkZW9mZiBoYXMgYmVlbiBtYWRlIGhlcmUgKGFuZCwgaW4gbXkganVkZ2VtZW50LCBhbiBh cHByb3ByaWF0ZSBvbmUpLCBpdCdzIGFwcHJvcHJpYXRlIHRvIGhpZ2hsaWdodCB0aGlzIGluIHJl dmlldy4NCg0KDQoNCk5vdGVkDQoNCg0KDQoqIEdlbmVyYWwNCg0KDQoNClRoZSBkcmFmdCBjdXJy ZW50bHkgZG9lc24ndCBtZW50aW9uIHdoZXRoZXIgQmVhcmVyIGlzIHN1aXRhYmxlIGZvciB1c2Ug YXMgYSBwcm94eSBhdXRoZW50aWNhdGlvbiBzY2hlbWUuIEkgc3VzcGVjdCBpdCAqbWF5KjsgaXQg d291bGQgYmUgd29ydGggZGlzY3Vzc2luZyB0aGlzIHdpdGggc29tZSBwcm94eSBpbXBsZW1lbnRl cnMgdG8gZ2F1Z2UgdGhlaXIgaW50ZXJlc3QgKGUuZy4sIFNxdWlkKS4NCg0KDQoNCldobyB3b3Vs ZCB5b3UgcmVjb21tZW5kIHJldmlldyB0aGUgZHJhZnQgZnJvbSB0aGlzIHBlcnNwZWN0aXZlPw0K DQoNCg0KRmluYWxseSwgTWFyaywgSSBhcHBsaWVkIGFsbCB0aGUgZWRpdG9yaWFsIHN1Z2dlc3Rp b25zIHlvdSBtYWRlLiAgVGhhbmtzIGZvciB0aG9zZS4NCg0KDQoNCk1hcmssIFN0ZXBoZW4sIGFu ZCBjaGFpcnMsIHBsZWFzZSBsZXQgbWUga25vdyB3aGV0aGVyIHRvIG5vdyBwb3N0IHRoaXMgZHJh ZnQgYXMgYW4gYWN0dWFsIHN1Ym1pc3Npb24uDQoNCg0KDQogICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUaGFua3MgYWxsLA0KDQogICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAt LSBNaWtlDQoNCg0KDQotLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0KRnJvbTogb2F1dGgtYm91 bmNlc0BpZXRmLm9yZzxtYWlsdG86b2F1dGgtYm91bmNlc0BpZXRmLm9yZz4gW21haWx0bzpvYXV0 aC1ib3VuY2VzQGlldGYub3JnXTxtYWlsdG86W21haWx0bzpvYXV0aC1ib3VuY2VzQGlldGYub3Jn XT4gT24gQmVoYWxmIE9mIFRzY2hvZmVuaWcsIEhhbm5lcyAoTlNOIC0gRkkvRXNwb28pDQpTZW50 OiBXZWRuZXNkYXksIE5vdmVtYmVyIDIzLCAyMDExIDExOjUxIFBNDQpUbzogb2F1dGhAaWV0Zi5v cmc8bWFpbHRvOm9hdXRoQGlldGYub3JnPg0KU3ViamVjdDogW09BVVRILVdHXSBGVzogW2FwcHMt ZGlzY3Vzc10gQVBQUyBBcmVhIHJldmlldyBvZiBkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci0x NA0KDQoNCg0KRllJDQoNCg0KDQotLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0KDQpGcm9tOiBh cHBzLWRpc2N1c3MtYm91bmNlc0BpZXRmLm9yZzxtYWlsdG86YXBwcy1kaXNjdXNzLWJvdW5jZXNA aWV0Zi5vcmc+DQoNClttYWlsdG86YXBwcy1kaXNjdXNzLWJvdW5jZXNAaWV0Zi5vcmddPG1haWx0 bzpbbWFpbHRvOmFwcHMtZGlzY3Vzcy1ib3VuY2VzQGlldGYub3JnXT4gT24gQmVoYWxmIE9mIGV4 dCBNYXJrIE5vdHRpbmdoYW0NCg0KU2VudDogVGh1cnNkYXksIE5vdmVtYmVyIDI0LCAyMDExIDg6 MjIgQU0NCg0KVG86IElFVEYgQXBwcyBEaXNjdXNzOyBkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJl ci5hbGxAaWV0Zi5vcmc8bWFpbHRvOmRyYWZ0LWlldGYtb2F1dGgtdjItYmVhcmVyLmFsbEBpZXRm Lm9yZz4NCg0KQ2M6IFRoZSBJRVNHDQoNClN1YmplY3Q6IFthcHBzLWRpc2N1c3NdIEFQUFMgQXJl YSByZXZpZXcgb2YNCg0KZHJhZnQtaWV0Zi1vYXV0aC12Mi1iZWFyZXItMTQNCg0KDQoNCkkgaGF2 ZSBiZWVuIHNlbGVjdGVkIGFzIHRoZSBBcHBsaWNhdGlvbnMgQXJlYSBSZXZpZXcgVGVhbSByZXZp ZXdlciBmb3IgdGhpcyBkcmFmdCAoZm9yIGJhY2tncm91bmQgb24gYXBwcy1yZXZpZXcsIHBsZWFz ZSBzZWUgPGh0dHA6Ly93d3cuYXBwcy5pZXRmLm9yZy9jb250ZW50L2FwcGxpY2F0aW9ucy1hcmVh LXJldmlldy10ZWFtPikuDQoNCg0KDQpQbGVhc2UgcmVzb2x2ZSB0aGVzZSBjb21tZW50cyBhbG9u ZyB3aXRoIGFueSBvdGhlciBMYXN0IENhbGwgY29tbWVudHMgeW91IG1heSByZWNlaXZlLiBQbGVh c2Ugd2FpdCBmb3IgZGlyZWN0aW9uIGZyb20geW91ciBkb2N1bWVudCBzaGVwaGVyZCBvciBBRCBi ZWZvcmUgcG9zdGluZyBhIG5ldyB2ZXJzaW9uIG9mIHRoZSBkcmFmdC4NCg0KDQoNCkRvY3VtZW50 OiBkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci0xNA0KDQpUaXRsZTogT0F1dGggMi4wIEJlYXJl ciBUb2tlbnMNCg0KUmV2aWV3ZXI6IE1hcmsgTm90dGluZ2hhbQ0KDQpSZXZpZXcgRGF0ZTogMjQv MTEvMjAxMQ0KDQoNCg0KU3VtbWFyeTogVGhpcyBkcmFmdCBpcyBhbG1vc3QgcmVhZHkgZm9yIHB1 YmxpY2F0aW9uIGFzIGEgUHJvcG9zZWQgU3RhbmRhcmQsIGJ1dCBoYXMgYSBmZXcgaXNzdWVzIHRo YXQgc2hvdWxkIGJlIGZpeGVkLg0KDQoNCg0KTWFqb3IgSXNzdWVzDQoNCi0tLS0tLS0tLS0tLQ0K DQoNCg0KKiBTZWN0aW9uIDIuMyBVUkkgUXVlcnkgUGFyYW1ldGVyDQoNCg0KDQpUaGlzIHNlY3Rp b24gZWZmZWN0aXZlbHkgcmVzZXJ2ZXMgYSBVUkkgcXVlcnkgcGFyYW1ldGVyIGZvciB0aGUgZHJh ZnQncyB1c2UuIFRoaXMgc2hvdWxkIG5vdCBiZSBkb25lIGxpZ2h0bHksIHNpbmNlIHRoaXMgd291 bGQgYmUgYSBwcmVjZWRlbnQgZm9yIHRoZSBJRVRGIGVuY3JvYWNoaW5nIHVwb24gYSBzZXJ2ZXIn cyBVUklzIChkb25lIHByZXZpb3VzbHkgaW4gUkZDNTc4NSwgYnV0IGluIGEgbXVjaCBtb3JlIGxp bWl0ZWQgZmFzaGlvbiwgYXMgYSB0YWN0aWMgdG8gcHJldmVudCBmdXJ0aGVyLCB1bmNvbnRyb2xs ZWQgZW5jcm9hY2htZW50KS4NCg0KDQoNCkdpdmVuIHRoYXQgdGhlIGRyYWZ0IGFscmVhZHkgZGlz Y291cmFnZXMgdGhlIHVzZSBvZiB0aGlzIG1lY2hhbmlzbSwgSSdkIHJlY29tbWVuZCBkcm9wcGlu ZyBpdCBhbHRvZ2V0aGVyLiBJZiB0aGUgV29ya2luZyBHcm91cCB3aXNoZXMgaXQgdG8gcmVtYWlu LCB0aGlzIGlzc3VlcyBzaG91bGQgYmUgdmV0dGVkIGJvdGggdGhyb3VnaCB0aGUgQVBQUyBhcmVh IGFuZCB0aGUgVzNDIGxpYWlzb24uDQoNCg0KDQooVGhlIHNhbWUgY3JpdGljaXNtIGNvdWxkIGJl IGxldmVsZWQgYXQgU2VjdGlvbiAyLjIgRm9ybS1FbmNvZGVkIEJvZHkgUGFyYW1ldGVyLCBidXQg dGhhdCBhdCBsZWFzdCBpc24ndCBzdXJmYWNlZCBpbiBhbiBpZGVudGlmaWVyKQ0KDQoNCg0KKiBT ZWN0aW9uIDMgVGhlIFdXVy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVyIEZpZWxkDQoNCg0K DQpUaGUgZHJhZnQgcmVmZXJlbmNlcyB0aGUgcXVvdGVkLXN0cmluZyBBQk5GIGZyb20gSFRUUCwg YnV0IGNoYW5nZXMgaXRzIHByb2Nlc3NpbmcgaW4gYSBsYXRlciBwYXJhZ3JhcGg6DQoNCg0KDQoi IiJJbiBhbGwgdGhlc2UgY2FzZXMsIG5vIGNoYXJhY3RlciBxdW90aW5nIHdpbGwgb2NjdXIsIGFz IHNlbmRlcnMgYXJlIHByb2hpYml0ZWQgZnJvbSB1c2luZyB0aGUgJTVDICgnXCcpIGNoYXJhY3Rl ci4iIiINCg0KDQoNClRoaXMgaXMgYXQgYmVzdCBzdXJwcmlzaW5nIChhcyBtYW55IHJlYWRlcnMg d2lsbCByZWFzb25hYmx5IHN1cm1pc2UgdGhhdCB1c2luZyB0aGUgcXVvdGVkLXN0cmluZyBBQk5G IGltcGxpZXMgdGhhdCB0aGUgc2FtZSBjb2RlIGNhbiBiZSB1c2VkKS4NCg0KUGxlYXNlIGVpdGhl ciB1c2UgcXVvdGVkLXN0cmluZyBhcyBkZWZpbmVkIChpLmUuLCB3aXRoIGVzY2FwaW5nKS4NCg0K DQoNCg0KDQpNaW5vciBJc3N1ZXMNCg0KLS0tLS0tLS0tLS0tDQoNCg0KDQoqIFNlY3Rpb24gMTog SW50cm9kdWN0aW9uDQoNCg0KDQpUaGUgaW50cm9kdWN0aW9uIGV4cGxhaW5zIG9hdXRoLCBidXQg aXQgZG9lc24ndCBmdWxseSBleHBsYWluIHRoZSByZWxhdGlvbnNoaXAgb2YgdGhpcyBzcGVjaWZp Y2F0aW9uIHRvIE9BdXRoIDIuMC4gRS5nLiwgY2FuIGl0IGJlIHVzZWQgaW5kZXBlbmRlbnRseSBm cm9tIHRoZSByZXN0IG9mIE9BdXRoPyBMaWtld2lzZSwgdGhlIG92ZXJ2aWV3IChzZWN0aW9uDQoN CjEuMykgc2VlbXMgbW9yZSBzcGVjaWZpYyB0byB0aGUgT0F1dGggc3BlY2lmaWNhdGlvbiB0aGFu IHRoaXMgZG9jdW1lbnQuDQoNCkFzIEkgcmVhZCBpdCwgdGhpcyBtZWNoYW5pc20gY291bGQgYmUg dXNlZCBmb3IgQU5ZIGJlYXJlciB0b2tlbiwgbm90IGp1c3Qgb25lIGdlbmVyYXRlZCB0aHJvdWdo IE9BdXRoIGZsb3dzLg0KDQoNCg0KSWYgaXQgaXMgaW5kZWVkIG1vcmUgZ2VuZXJhbCwgSSdkIHJl Y29tbWVuZCBtaW5pbWlzaW5nIHRoZSBkaXNjdXNzaW9uIG9mIE9BdXRoLCBwZXJoYXBzIGV2ZW4g cmVtb3ZpbmcgaXQgZnJvbSB0aGUgZG9jdW1lbnQgdGl0bGUuDQoNCg0KDQoqIFNlY3Rpb24gMyBU aGUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBIZWFkZXIgRmllbGQNCg0KDQoNClRoZSBkaWZm ZXJlbmNlIGJldHdlZW4gYSByZWFsbSBhbmQgYSBzY29wZSBpcyBub3QgZXhwbGFpbmVkLiBBcmUg dGhlIGZ1bmN0aW9uYWxseSBlcXVpdmFsZW50LCBqdXN0IGEgc2luZ2xlIHZhbHVlIHZzLiBhIGxp c3Q/DQoNCg0KDQpEbyB5b3UgcmVhbGx5IGludGVuZCB0byBkaXNhbGxvdyAqYWxsKiBleHRlbnNp b24gcGFyYW1ldGVycyBvbiB0aGUgY2hhbGxlbmdlPw0KDQoNCg0KQWxzbywgdGhlIHNjb3BlLCBl cnJvciwgZXJyb3JfZGVzY3JpcHRpb24gYW5kIGVycm9yX3VyaSBwYXJhbWV0ZXJzIGFsbCBzcGVj aWZ5IG9ubHkgYSBxdW90ZWQtc3RyaW5nIHNlcmlhbGlzYXRpb24uIEhUVFBiaXMgc3Ryb25nbHkg c3VnZ2VzdHMgdGhhdCBuZXcgc2NoZW1lcyBhbGxvdyBib3RoIGZvcm1zLCBiZWNhdXNlIGltcGxl bWVudGF0aW9uIGV4cGVyaWVuY2UgaGFzIHNob3duIHRoYXQgaW1wbGVtZW50YXRpb25zIHdpbGwg bGlrZWx5IHN1cHBvcnQgYm90aCwgbm8gbWF0dGVyIGhvdyBkZWZpbmVkOyB0aGlzIGltcHJvdmVz IGludGVyb3BlcmFiaWxpdHkgKHNlZSBwNyAyLjMuMSkuDQoNCg0KDQpGaW5hbGx5LCB0aGUgZXJy b3JfZGVzY3JpcHRpb24gcGFyYW1ldGVyIGNhbiBjYXJyeSBvbmx5IEFTQ0lJIGNoYXJhY3RlcnMu IFdoaWxlIEkgdW5kZXJzdGFuZCBhIHRyYWRlb2ZmIGhhcyBiZWVuIG1hZGUgaGVyZSAoYW5kLCBp biBteSBqdWRnZW1lbnQsIGFuIGFwcHJvcHJpYXRlIG9uZSksIGl0J3MgYXBwcm9wcmlhdGUgdG8g aGlnaGxpZ2h0IHRoaXMgaW4gcmV2aWV3Lg0KDQoNCg0KKiBHZW5lcmFsDQoNCg0KDQpUaGUgZHJh ZnQgY3VycmVudGx5IGRvZXNuJ3QgbWVudGlvbiB3aGV0aGVyIEJlYXJlciBpcyBzdWl0YWJsZSBm b3IgdXNlIGFzIGEgcHJveHkgYXV0aGVudGljYXRpb24gc2NoZW1lLiBJIHN1c3BlY3QgaXQgKm1h eSo7IGl0IHdvdWxkIGJlIHdvcnRoIGRpc2N1c3NpbmcgdGhpcyB3aXRoIHNvbWUgcHJveHkgaW1w bGVtZW50ZXJzIHRvIGdhdWdlIHRoZWlyIGludGVyZXN0IChlLmcuLCBTcXVpZCkuDQoNCg0KDQoN Cg0KTml0cw0KDQotLS0tDQoNCg0KDQoqIFNlY3Rpb24gMi4xIEF1dGhvcml6YXRpb24gUmVxdWVz dCBIZWFkZXIgRmllbGQNCg0KDQoNCiJzaW1wbGljaXR5IHJlYXNvbnMiIC0tPiAic2ltcGxpY2l0 eSINCg0KDQoNCiJJZiBhZGRpdGlvbmFsIHBhcmFtZXRlcnMgYXJlIGRlc2lyZWQgaW4gdGhlIGZ1 dHVyZSwgYSBkaWZmZXJlbnQgc2NoZW1lIGNvdWxkIGJlIGRlZmluZWQuIiAtLT4gIklmIGFkZGl0 aW9uYWwgcGFyYW1ldGVycyBhcmUgbmVlZGVkIGluIHRoZSBmdXR1cmUsIGEgZGlmZmVyZW50IHNj aGVtZSB3b3VsZCBuZWVkIHRvIGJlIGRlZmluZWQuIg0KDQoNCg0KKiBTZWN0aW9uIDMgVGhlIFdX Vy1BdXRoZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVyIEZpZWxkDQoNCg0KDQpUaGUgcmVxdWlyZW1l bnQgdGhhdCBhIHJlc291cmNlIHNlcnZlciBNVVNUIGluY2x1ZGUgdGhlIEhUVFAgV1dXLUF1dGhl bnRpY2F0ZSByZXNwb25zZSBoZWFkZXIgZmllbGQgaXMgb2RkOyByZWFsbHkgdGhpcyBpcyBhdCB0 aGUgZGlzY3JldGlvbiBvZiB0aGUgc2VydmVyLiBJcyBpdCByZWFsbHkgbmVjZXNzYXJ5IHRvIHVz ZSBhIGNvbmZvcm1hbmNlIHJlcXVpcmVtZW50IGhlcmU/DQoNCg0KDQpVUkktcmVmZXJlbmNlIC0t PiBVUkktUmVmZXJlbmNlDQoNCg0KDQoqIFNlY3Rpb24gMy4xIEVycm9yIENvZGVzDQoNCg0KDQo0 MDUgYmVsb25ncyBpbiB0aGUgbGlzdCBvZiB0eXBpY2FsbHkgYXBwcm9wcmlhdGUgc3RhdHVzIGNv ZGVzIGFzIHdlbGwuDQoNCg0KDQoNCg0KS2luZCByZWdhcmRzLA0KDQoNCg0KLS0NCg0KTWFyayBO b3R0aW5naGFtICAgaHR0cDovL3d3dy5tbm90Lm5ldC8NCg0KDQoNCg0KDQoNCg0KX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCg0KYXBwcy1kaXNjdXNzIG1h aWxpbmcgbGlzdA0KDQphcHBzLWRpc2N1c3NAaWV0Zi5vcmc8bWFpbHRvOmFwcHMtZGlzY3Vzc0Bp ZXRmLm9yZz4NCg0KaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9hcHBzLWRp c2N1c3MNCg0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18N Cg0KT0F1dGggbWFpbGluZyBsaXN0DQoNCk9BdXRoQGlldGYub3JnPG1haWx0bzpPQXV0aEBpZXRm Lm9yZz4NCg0KaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aA0KDQoN Cg== --_000_4E1F6AAD24975D4BA5B16804296739435F7650C6TK5EX14MBXC283r_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 V2luZ2RpbmdzOw0KCXBhbm9zZS0xOjUgMCAwIDAgMCAwIDAgMCAwIDA7fQ0KQGZvbnQtZmFjZQ0K CXtmb250LWZhbWlseToiTVMgR290aGljIjsNCglwYW5vc2UtMToyIDExIDYgOSA3IDIgNSA4IDIg NDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OiJNUyBHb3RoaWMiOw0KCXBhbm9zZS0xOjIg MTEgNiA5IDcgMiA1IDggMiA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsN CglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFt aWx5OlRhaG9tYTsNCglwYW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQpAZm9udC1mYWNl DQoJe2ZvbnQtZmFtaWx5OiJcQE1TIEdvdGhpYyI7DQoJcGFub3NlLTE6MiAxMSA2IDkgNyAyIDUg OCAyIDQ7fQ0KLyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3Jt YWwsIGRpdi5Nc29Ob3JtYWwNCgl7bWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7 DQoJZm9udC1zaXplOjExLjBwdDsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYi O30NCmE6bGluaywgc3Bhbi5Nc29IeXBlcmxpbmsNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0K CWNvbG9yOmJsdWU7DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQphOnZpc2l0ZWQsIHNw YW4uTXNvSHlwZXJsaW5rRm9sbG93ZWQNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9y OnB1cnBsZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCnAuTXNvUGxhaW5UZXh0LCBs aS5Nc29QbGFpblRleHQsIGRpdi5Nc29QbGFpblRleHQNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5 Ow0KCW1zby1zdHlsZS1saW5rOiJQbGFpbiBUZXh0IENoYXIiOw0KCW1hcmdpbjowaW47DQoJbWFy Z2luLWJvdHRvbTouMDAwMXB0Ow0KCWZvbnQtc2l6ZToxMS4wcHQ7DQoJZm9udC1mYW1pbHk6IkNh bGlicmkiLCJzYW5zLXNlcmlmIjt9DQpwcmUNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCW1z by1zdHlsZS1saW5rOiJIVE1MIFByZWZvcm1hdHRlZCBDaGFyIjsNCgltYXJnaW46MGluOw0KCW1h cmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6MTAuMHB0Ow0KCWZvbnQtZmFtaWx5OiJD b3VyaWVyIE5ldyI7fQ0KcC5Nc29BY2V0YXRlLCBsaS5Nc29BY2V0YXRlLCBkaXYuTXNvQWNldGF0 ZQ0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6IkJhbGxvb24gVGV4 dCBDaGFyIjsNCgltYXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNp emU6OC4wcHQ7DQoJZm9udC1mYW1pbHk6IlRhaG9tYSIsInNhbnMtc2VyaWYiO30NCnNwYW4uSFRN TFByZWZvcm1hdHRlZENoYXINCgl7bXNvLXN0eWxlLW5hbWU6IkhUTUwgUHJlZm9ybWF0dGVkIENo YXIiOw0KCW1zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGluazoiSFRNTCBQcmVm b3JtYXR0ZWQiOw0KCWZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyI7fQ0Kc3Bhbi5QbGFpblRleHRD aGFyDQoJe21zby1zdHlsZS1uYW1lOiJQbGFpbiBUZXh0IENoYXIiOw0KCW1zby1zdHlsZS1wcmlv cml0eTo5OTsNCgltc28tc3R5bGUtbGluazoiUGxhaW4gVGV4dCI7DQoJZm9udC1mYW1pbHk6IkNh bGlicmkiLCJzYW5zLXNlcmlmIjt9DQpzcGFuLkJhbGxvb25UZXh0Q2hhcg0KCXttc28tc3R5bGUt bmFtZToiQmFsbG9vbiBUZXh0IENoYXIiOw0KCW1zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28t c3R5bGUtbGluazoiQmFsbG9vbiBUZXh0IjsNCglmb250LWZhbWlseToiVGFob21hIiwic2Fucy1z ZXJpZiI7fQ0Kc3Bhbi5FbWFpbFN0eWxlMjMNCgl7bXNvLXN0eWxlLXR5cGU6cGVyc29uYWw7fQ0K c3Bhbi5FbWFpbFN0eWxlMjQNCgl7bXNvLXN0eWxlLXR5cGU6cGVyc29uYWw7DQoJZm9udC1mYW1p bHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjsNCgljb2xvcjojMUY0OTdEO30NCnNwYW4uRW1haWxT dHlsZTI1DQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsLXJlcGx5Ow0KCWZvbnQtZmFtaWx5OiJD YWxpYnJpIiwic2Fucy1zZXJpZiI7DQoJY29sb3I6IzFGNDk3RDt9DQouTXNvQ2hwRGVmYXVsdA0K CXttc28tc3R5bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LXNpemU6MTAuMHB0O30NCkBwYWdl IFdvcmRTZWN0aW9uMQ0KCXtzaXplOjguNWluIDExLjBpbjsNCgltYXJnaW46MS4waW4gMS4waW4g MS4waW4gMS4waW47fQ0KZGl2LldvcmRTZWN0aW9uMQ0KCXtwYWdlOldvcmRTZWN0aW9uMTt9DQot LT48L3N0eWxlPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVkZWZhdWx0cyB2OmV4 dD0iZWRpdCIgc3BpZG1heD0iMTAyNiIgLz4NCjwveG1sPjwhW2VuZGlmXS0tPjwhLS1baWYgZ3Rl IG1zbyA5XT48eG1sPg0KPG86c2hhcGVsYXlvdXQgdjpleHQ9ImVkaXQiPg0KPG86aWRtYXAgdjpl eHQ9ImVkaXQiIGRhdGE9IjEiIC8+DQo8L286c2hhcGVsYXlvdXQ+PC94bWw+PCFbZW5kaWZdLS0+ DQo8L2hlYWQ+DQo8Ym9keSBsYW5nPSJFTi1VUyIgbGluaz0iYmx1ZSIgdmxpbms9InB1cnBsZSI+ DQo8ZGl2IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4g c3R5bGU9ImNvbG9yOiMxRjQ5N0QiPlVubGVzcyBJIGhlYXIgYSDigJxub+KAnSBmcm9tIE1hcmss IHRoZSBjaGFpcnMsIG9yIFN0ZXBoZW4gSeKAmWxsIHBsYW4gdG8gcHVibGlzaCAtMTUgb3ZlciB0 aGUgd2Vla2VuZC4mbmJzcDsgKE9yIGlmIEkgaGVhciBhIOKAnHllc+KAnSwgSeKAmWxsIGRvIHNv IHJpZ2h0IGF3YXkuDQo8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OldpbmdkaW5ncztj b2xvcjojMUY0OTdEIj5KPC9zcGFuPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4pPG86cD48 L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9y OiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgLS0gTWlrZTxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xv cjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8ZGl2Pg0KPGRpdiBzdHls ZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEuMHB0O3BhZGRpbmc6My4w cHQgMGluIDBpbiAwaW4iPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNwYW4gc3R5bGU9ImZv bnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMt c2VyaWYmcXVvdDsiPkZyb206PC9zcGFuPjwvYj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBw dDtmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+ IE1pa2UgSm9uZXMNCjxicj4NCjxiPlNlbnQ6PC9iPiBXZWRuZXNkYXksIERlY2VtYmVyIDE0LCAy MDExIDY6MTMgUE08YnI+DQo8Yj5Ubzo8L2I+IE1hcmsgTm90dGluZ2hhbTsgJ1N0ZXBoZW4gRmFy cmVsbCc7IEhhbm5lcyBUc2Nob2ZlbmlnOyBCYXJyeSBMZWliYTxicj4NCjxiPkNjOjwvYj4gb2F1 dGhAaWV0Zi5vcmc8YnI+DQo8Yj5TdWJqZWN0OjwvYj4gT0sgdG8gcG9zdCBPQXV0aCBCZWFyZXIg ZHJhZnQgMTU/PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPk1hcmssIFN0ZXBoZW4sIEhhbm5lcywgYW5kIEJh cnJ5LDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0 eWxlPSJjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+QW55IG9iamVjdGlvbnMg dG8gcG9zdGluZyB0aGUgdXBkYXRlZCBCZWFyZXIgZHJhZnQgaW5jb3Jwb3JhdGluZyB0aGUgcmVz dWx0cyBvZiB0aGUgQVBQUyBBcmVhIHJldmlldyBhbmQgdGhlIFRMUyByZXF1aXJlbWVudHM/PG86 cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNv bG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgLS0gTWlrZTxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJj b2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8ZGl2Pg0KPGRpdiBz dHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEuMHB0O3BhZGRpbmc6 My4wcHQgMGluIDBpbiAwaW4iPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3Nh bnMtc2VyaWYmcXVvdDsiPkZyb206PC9zcGFuPjwvYj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEw LjBwdDtmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90 OyI+IE1pa2UgSm9uZXMNCjxicj4NCjxiPlNlbnQ6PC9iPiBNb25kYXksIERlY2VtYmVyIDEyLCAy MDExIDg6NTEgQU08YnI+DQo8Yj5Ubzo8L2I+IE1hcmsgTm90dGluZ2hhbTsgJ1N0ZXBoZW4gRmFy cmVsbCc7IDxhIGhyZWY9Im1haWx0bzpvYXV0aEBpZXRmLm9yZyI+b2F1dGhAaWV0Zi5vcmc8L2E+ PGJyPg0KPGI+U3ViamVjdDo8L2I+IFJFOiBbT0FVVEgtV0ddIEZXOiBbYXBwcy1kaXNjdXNzXSBB UFBTIEFyZWEgcmV2aWV3IG9mIGRyYWZ0LWlldGYtb2F1dGgtdjItYmVhcmVyLTE0PG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VGhhbmtzIGZvciB0aGUg ZGV0YWlsZWQgcmV2aWV3LCBNYXJrLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu VGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5QcmVs aW1pbmFyeSBkcmFmdCAxNSBvZiB0aGUgT0F1dGggQmVhcmVyIHNwZWNpZmljYXRpb24gaXMgYXR0 YWNoZWQuJm5ic3A7IEl0IHJlc29sdmVzIHRoZSBmb3JtIGVuY29kaW5nIGlzc3VlcyByYWlzZWQg YnkgSnVsaWFuIFJlc2Noa2UgaW4gdGhlIG1hbm5lciBkaXNjdXNzZWQgYXQgdGhlIHdvcmtpbmcg Z3JvdXAgbWVldGluZyBpbiBUYWlwZWksIGluY29ycG9yYXRlcyB0aGUgY29uc2Vuc3VzIHRleHQg b24gVExTDQogdmVyc2lvbiByZXF1aXJlbWVudHMsIGFuZCBjb250YWlucyBzZXZlcmFsIGltcHJv dmVtZW50cyBzdWdnZXN0ZWQgYnkgTWFyayBOb3R0aW5naGFtIGR1cmluZyBBUFBTIGFyZWEgcmV2 aWV3LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5NYXJrLCBjb21tZW50cyBvbiBhbGwg eW91ciBwcm9wb3NlZCBjaGFuZ2VzIGZvbGxvdyBiZWxvdzo8bzpwPjwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiogU2VjdGlvbiAyLjMgVVJJIFF1ZXJ5 IFBhcmFtZXRlcjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9 Im1hcmdpbi1sZWZ0Oi41aW4iPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPlRoaXMgc2VjdGlvbiBlZmZlY3RpdmVs eSByZXNlcnZlcyBhIFVSSSBxdWVyeSBwYXJhbWV0ZXIgZm9yIHRoZSBkcmFmdCdzIHVzZS4gVGhp cyBzaG91bGQgbm90IGJlIGRvbmUgbGlnaHRseSwgc2luY2UgdGhpcyB3b3VsZCBiZSBhIHByZWNl ZGVudCBmb3IgdGhlIElFVEYgZW5jcm9hY2hpbmcgdXBvbiBhIHNlcnZlcidzIFVSSXMgKGRvbmUg cHJldmlvdXNseSBpbg0KIFJGQzU3ODUsIGJ1dCBpbiBhIG11Y2ggbW9yZSBsaW1pdGVkIGZhc2hp b24sIGFzIGEgdGFjdGljIHRvIHByZXZlbnQgZnVydGhlciwgdW5jb250cm9sbGVkIGVuY3JvYWNo bWVudCkuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFy Z2luLWxlZnQ6LjVpbiI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+R2l2ZW4gdGhhdCB0aGUgZHJhZnQgYWxyZWFk eSBkaXNjb3VyYWdlcyB0aGUgdXNlIG9mIHRoaXMgbWVjaGFuaXNtLCBJJ2QgcmVjb21tZW5kIGRy b3BwaW5nIGl0IGFsdG9nZXRoZXIuIElmIHRoZSBXb3JraW5nIEdyb3VwIHdpc2hlcyBpdCB0byBy ZW1haW4sIHRoaXMgaXNzdWVzIHNob3VsZCBiZSB2ZXR0ZWQgYm90aCB0aHJvdWdoIHRoZSBBUFBT IGFyZWEgYW5kDQogdGhlIFczQyBsaWFpc29uLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPjxvOnA+Jm5ic3A7PC9vOnA+PC9w Pg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPihUaGUg c2FtZSBjcml0aWNpc20gY291bGQgYmUgbGV2ZWxlZCBhdCBTZWN0aW9uIDIuMiBGb3JtLUVuY29k ZWQgQm9keSBQYXJhbWV0ZXIsIGJ1dCB0aGF0IGF0IGxlYXN0IGlzbid0IHN1cmZhY2VkIGluIGFu IGlkZW50aWZpZXIpPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpw PiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPlRoZXJlIGFyZSBzb21l IGNvbnRleHRzLCBlc3BlY2lhbGx5IGxpbWl0ZWQgYnJvd3NlcnMgYW5kL29yIGRldmVsb3BtZW50 IGVudmlyb25tZW50cywgd2hlcmUgcXVlcnkgcGFyYW1ldGVycyBhcmUgdXNhYmxlIGJ1dCB0aGUg b3RoZXIgbWV0aG9kcyBhcmUgbm90LiZuYnNwOyBUaHVzLCB0aGUgcXVlcnkgcGFyYW1ldGVyIG1l dGhvZCBtdXN0IGJlIHJldGFpbmVkLiZuYnNwOyBBbHNvLCBKdXN0aW4gUmljaHRlcuKAmXMgY29t bWVudHMNCiBkZXNjcmliaW5nIHRoZSB2YWx1ZSB0byBoaW0gb2YgdGhlIHF1ZXJ5IHBhcmFtZXRl ciBtZXRob2QgYXJlIHBlcnRpbmVudDogJm5ic3A74oCcQSBVUkwgd2l0aCBhbGwgcGFyYW1ldGVy cyBpbmNsdWRpbmcgYXV0aG9yaXphdGlvbiBpcyBhIHBvd2VyZnVsIGFydGlmYWN0IHdoaWNoIGNh biBiZSBwYXNzZWQgYXJvdW5kIGJldHdlZW4gc3lzdGVtcyBhcyBhIHVuaXTigJ0uDQo8bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+QXMgdG8gdXNpbmcgYSBzdGFuZGFyZCBwYXJhbWV0ZXIg bmFtZSwgdGhpcyBpcyBlc3NlbnRpYWwgZm9yIGludGVyb3BlcmFiaWxpdHkuJm5ic3A7IEl0IGlz IG5vdCDigJxyZXNlcnZlZOKAnSBpbiBhbnkgY29udGV4dHMgb3RoZXIgdGhhbiB3aGVuIHRoZSBC ZWFyZXIgc3BlYyBpcyBlbXBsb3llZCwgd2hpY2ggaXMgYSB2b2x1bnRhcnkgYWN0IGJ5IGJvdGgg cGFydGllcy4mbmJzcDsgVGh1cywgdGhpcyBwb3NlcyBubyB1bmR1ZSBidXJkZW5zDQogb3IgbmFt ZXNwYWNlIHJlc3RyaWN0aW9ucyBvbiBpbXBsZW1lbnRhdGlvbnMgaW4gcHJhY3RpY2UuPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkZpbmFsbHksIHlvdeKAmWxsIGZpbmQgdGhhdCBPQXV0 aCAxLjAgWzxhIGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzU4NDkiPlJGQyA1 ODQ5PC9hPl0gc2ltaWxhcmx5IGRlZmluZWQsIG5vdCBvbmUsIGJ1dCB0d28gc3RhbmRhcmQgcXVl cnkgcGFyYW1ldGVyIHZhbHVlczombmJzcDsgb2F1dGhfdG9rZW4gYW5kIG9hdXRoX3ZlcmlmaWVy LiZuYnNwOyBBcyB0aGlzIGRpZG7igJl0IGNhdXNlIGFueSBwcm9ibGVtcw0KIGluIHByYWN0aWNl IHRoZW4sIEnigJltIHN1cmUgdGhhdCBkZWZpbmluZyBhbiBhY2Nlc3NfdG9rZW4gcGFyYW1ldGVy IHdpdGhpbiB0aGUgQmVhcmVyIHNwZWMgZm9yIGludGVyb3BlcmFiaWxpdHkgcHVycG9zZXMgd29u 4oCZdCBjYXVzZSBhIHByb2JsZW0gZWl0aGVyLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0 IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+KiBTZWN0aW9uIDMgVGhlIFdXVy1BdXRoZW50aWNh dGUgUmVzcG9uc2UgSGVhZGVyIEZpZWxkPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8 cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+VGhlIGRyYWZ0 IHJlZmVyZW5jZXMgdGhlIHF1b3RlZC1zdHJpbmcgQUJORiBmcm9tIEhUVFAsIGJ1dCBjaGFuZ2Vz IGl0cyBwcm9jZXNzaW5nIGluIGEgbGF0ZXIgcGFyYWdyYXBoOjxvOnA+PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPjxvOnA+Jm5ic3A7 PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41 aW4iPiZxdW90OyZxdW90OyZxdW90O0luIGFsbCB0aGVzZSBjYXNlcywgbm8gY2hhcmFjdGVyIHF1 b3Rpbmcgd2lsbCBvY2N1ciwgYXMgc2VuZGVycyBhcmUgcHJvaGliaXRlZCBmcm9tIHVzaW5nIHRo ZSAlNUMgKCdcJykgY2hhcmFjdGVyLiZxdW90OyZxdW90OyZxdW90OzxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPjxvOnA+Jm5i c3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0 Oi41aW4iPlRoaXMgaXMgYXQgYmVzdCBzdXJwcmlzaW5nIChhcyBtYW55IHJlYWRlcnMgd2lsbCBy ZWFzb25hYmx5IHN1cm1pc2UgdGhhdCB1c2luZyB0aGUgcXVvdGVkLXN0cmluZyBBQk5GIGltcGxp ZXMgdGhhdCB0aGUgc2FtZSBjb2RlIGNhbiBiZSB1c2VkKS48bzpwPjwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj5QbGVhc2UgZWl0aGVy IHVzZSBxdW90ZWQtc3RyaW5nIGFzIGRlZmluZWQgKGkuZS4sIHdpdGggZXNjYXBpbmcpLjxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5UaGlzIHBhcmFtZXRlciBkZWZpbml0aW9uIHdhcyBh IHJlc3VsdCBvZiBzaWduaWZpY2FudCB3b3JraW5nIGdyb3VwIGRpc2N1c3Npb24gYW5kIHJlZmxl Y3RzIGEgc29saWQgY29uc2Vuc3VzIHBvc2l0aW9uLiZuYnNwOyBVc2luZyB0aGUgcXVvdGVkIHN0 cmluZyBCTkYgbWFrZXMgaXQgY2xlYXIsIHBlciBKdWxpYW4gUmVzY2hrZeKAmXMgc3VnZ2VzdGlv bnMsIHRoYXQgZ2VuZXJpYyBwYXJhbWV0ZXIgcGFyc2luZyBjb2RlDQogY2FuIGJlIHNhZmVseSB1 c2VkLiZuYnNwOyBXaGVyZWFzIHByb2hpYml0aW5nIHRoZSB1c2Ugb2YgYmFja3NsYXNoIHF1b3Rp bmcgYnkgc2VuZGVycyBhbHNvIG1ha2VzIGl0IGNsZWFyIHRoYXQgY3VzdG9tIGltcGxlbWVudGF0 aW9ucyBjYW4gZGlyZWN0bHkgdXRpbGl6ZSB0aGUgcGFyYW1ldGVyIHZhbHVlcyBhcyB0cmFuc21p dHRlZCB3aXRob3V0IHBlcmZvcm1pbmcgYW55IHF1b3RlIHByb2Nlc3NpbmcuPG86cD48L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPkluIHNob3J0LCB0aGUgc3BlYyBkb2VzbuKAmXQgY2hhbmdlIHRo ZSBwcm9jZXNzaW5nIG9mIHF1b3RlZCBzdHJpbmdzLiZuYnNwOyBJdCBzaW1wbHkgcmVzdHJpY3Rz IHRoZSBzZXQgb2YgbGVnYWwgaW5wdXQgY2hhcmFjdGVycyB3aXRoaW4gdGhlIHF1b3RlZCBzdHJp bmdzLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6LjVp biI+KiBTZWN0aW9uIDE6IEludHJvZHVjdGlvbjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPjxvOnA+Jm5ic3A7PC9vOnA+PC9w Pg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPlRoZSBp bnRyb2R1Y3Rpb24gZXhwbGFpbnMgb2F1dGgsIGJ1dCBpdCBkb2Vzbid0IGZ1bGx5IGV4cGxhaW4g dGhlIHJlbGF0aW9uc2hpcCBvZiB0aGlzIHNwZWNpZmljYXRpb24gdG8gT0F1dGggMi4wLiBFLmcu LCBjYW4gaXQgYmUgdXNlZCBpbmRlcGVuZGVudGx5IGZyb20gdGhlIHJlc3Qgb2YgT0F1dGg/IExp a2V3aXNlLCB0aGUgb3ZlcnZpZXcgKHNlY3Rpb248bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj4xLjMpIHNlZW1zIG1vcmUgc3Bl Y2lmaWMgdG8gdGhlIE9BdXRoIHNwZWNpZmljYXRpb24gdGhhbiB0aGlzIGRvY3VtZW50LjxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41 aW4iPkFzIEkgcmVhZCBpdCwgdGhpcyBtZWNoYW5pc20gY291bGQgYmUgdXNlZCBmb3IgQU5ZIGJl YXJlciB0b2tlbiwgbm90IGp1c3Qgb25lIGdlbmVyYXRlZCB0aHJvdWdoIE9BdXRoIGZsb3dzLg0K PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxl ZnQ6LjVpbiI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBz dHlsZT0ibWFyZ2luLWxlZnQ6LjVpbiI+SWYgaXQgaXMgaW5kZWVkIG1vcmUgZ2VuZXJhbCwgSSdk IHJlY29tbWVuZCBtaW5pbWlzaW5nIHRoZSBkaXNjdXNzaW9uIG9mIE9BdXRoLCBwZXJoYXBzIGV2 ZW4gcmVtb3ZpbmcgaXQgZnJvbSB0aGUgZG9jdW1lbnQgdGl0bGUuPG86cD48L286cD48L3A+DQo8 cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPlBlciB5b3VyIHN1Z2dlc3Rpb24sIEnigJl2ZSBtYWRlIGl0IGNsZWFyIGlu IHRoZSBpbnRyb2R1Y3Rpb24gdGhhdCBiZWFyZXIgdG9rZW5zIGZyb20gYW55IHNvdXJjZSBjYW4g YmUgdXNlZCB0byBhY2Nlc3MgYXNzb2NpYXRlZCBwcm90ZWN0ZWQgcmVzb3VyY2VzLiZuYnNwOyBU aGUgbmV3IGxhbmd1YWdlIGluIHRoZSBpbnRyb2R1Y3Rpb24gaXM6PG86cD48L286cD48L3A+DQo8 cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPuKAnFRoaXMgc3BlY2lmaWNhdGlvbiBkZWZpbmVzIHRoZSB1c2Ugb2YgYmVh cmVyIHRva2VucyBvdmVyIEhUVFAvMS4xIFtJPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90 O01TIEdvdGhpYyZxdW90OyI+4oCRPC9zcGFuPkQuaWV0ZjxzcGFuIHN0eWxlPSJmb250LWZhbWls eTomcXVvdDtNUyBHb3RoaWMmcXVvdDsiPuKAkTwvc3Bhbj5odHRwYmlzPHNwYW4gc3R5bGU9ImZv bnQtZmFtaWx5OiZxdW90O01TIEdvdGhpYyZxdW90OyI+4oCRPC9zcGFuPnAxPHNwYW4gc3R5bGU9 ImZvbnQtZmFtaWx5OiZxdW90O01TIEdvdGhpYyZxdW90OyI+4oCRPC9zcGFuPm1lc3NhZ2luZ10N CiB1c2luZyBUTFMgW1JGQzUyNDZdIHRvIGFjY2VzcyBwcm90ZWN0ZWQgcmVzb3VyY2VzLiDigKYg V2hpbGUgZGVzaWduZWQgZm9yIHVzZSB3aXRoIGFjY2VzcyB0b2tlbnMgcmVzdWx0aW5nIGZyb20g T0F1dGggMi4wIEF1dGhvcml6YXRpb24gW0k8c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7 TVMgR290aGljJnF1b3Q7Ij7igJE8L3NwYW4+RC5pZXRmPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5 OiZxdW90O01TIEdvdGhpYyZxdW90OyI+4oCRPC9zcGFuPm9hdXRoPHNwYW4gc3R5bGU9ImZvbnQt ZmFtaWx5OiZxdW90O01TIEdvdGhpYyZxdW90OyI+4oCRPC9zcGFuPnYyXQ0KIGZsb3dzIHRvIGFj Y2VzcyBPQXV0aCBwcm90ZWN0ZWQgcmVzb3VyY2VzLCB0aGlzIHNwZWNpZmljYXRpb24gYWN0dWFs bHkgZGVmaW5lcyBhIGdlbmVyYWwgSFRUUCBhdXRob3JpemF0aW9uIG1ldGhvZCB0aGF0IGNhbiBi ZSB1c2VkIHdpdGggYmVhcmVyIHRva2VucyBmcm9tIGFueSBzb3VyY2UgdG8gYWNjZXNzIGFueSBy ZXNvdXJjZXMgcHJvdGVjdGVkIGJ5IHRob3NlIGJlYXJlciB0b2tlbnMu4oCdPG86cD48L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj4qIFNlY3Rpb24gMyBU aGUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBIZWFkZXIgRmllbGQ8bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj48bzpwPiZu YnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVm dDouNWluIj5UaGUgZGlmZmVyZW5jZSBiZXR3ZWVuIGEgcmVhbG0gYW5kIGEgc2NvcGUgaXMgbm90 IGV4cGxhaW5lZC4gQXJlIHRoZSBmdW5jdGlvbmFsbHkgZXF1aXZhbGVudCwganVzdCBhIHNpbmds ZSB2YWx1ZSB2cy4gYSBsaXN0Pw0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPlJlYWxt IGlzIGFzIGRlZmluZWQgYnkgSFRUUGJpcy4mbmJzcDsgSXQgc2F5cyB0aGF0IOKAnFRoZSByZWFs bSB2YWx1ZSBpcyBhIHN0cmluZywgZ2VuZXJhbGx5IGFzc2lnbmVkIGJ5IHRoZSBvcmlnaW4gc2Vy dmVyLCB3aGljaCBjYW4gaGF2ZSBhZGRpdGlvbmFsIHNlbWFudGljcyBzcGVjaWZpYyB0byB0aGUg YXV0aGVudGljYXRpb24gc2NoZW1lLuKAnSZuYnNwOyBUaGUgQmVhcmVyIHNwZWNpZmljYXRpb24g aW50ZW50aW9uYWxseQ0KIGFkZHMgbm8gZXh0cmEgc2VtYW50aWNzIHRvIHRoZSByZWFsbSBkZWZp bml0aW9uLiZuYnNwOyBXaGVyZWFzIHRoZSBzY29wZSBwYXJhbWV0ZXIgaXMgZGVmaW5lZCBhcyBh biBvcmRlci1pbmRlcGVuZGVudCBzcGFjZS1zZXBhcmF0ZWQgbGlzdCBvZiBzY29wZSB2YWx1ZXMu Jm5ic3A7IFRoZSBjb250ZXh0dWFsIG1lYW5pbmcgb2YgYm90aCB0aGUgcmVhbG0gYW5kIHNjb3Bl IHBhcmFtZXRlcnMgaXMgZGVwbG95bWVudC1kZXBlbmRlbnQuPG86cD48L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDouNWluIj5EbyB5b3UgcmVhbGx5IGludGVuZCB0 byBkaXNhbGxvdyAqYWxsKiBleHRlbnNpb24gcGFyYW1ldGVycyBvbiB0aGUgY2hhbGxlbmdlPzxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5ZZXMuJm5ic3A7IFRoZXJlIHdhcyBhbiBleHBs aWNpdCB3b3JraW5nIGdyb3VwIGNvbnNlbnN1cyBkZWNpc2lvbiB0byBkbyBzby48bzpwPjwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPkFsc28sIHRoZSBz Y29wZSwgZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uIGFuZCBlcnJvcl91cmkgcGFyYW1ldGVycyBh bGwgc3BlY2lmeSBvbmx5IGEgcXVvdGVkLXN0cmluZyBzZXJpYWxpc2F0aW9uLiBIVFRQYmlzIHN0 cm9uZ2x5IHN1Z2dlc3RzIHRoYXQgbmV3IHNjaGVtZXMgYWxsb3cgYm90aCBmb3JtcywgYmVjYXVz ZSBpbXBsZW1lbnRhdGlvbiBleHBlcmllbmNlDQogaGFzIHNob3duIHRoYXQgaW1wbGVtZW50YXRp b25zIHdpbGwgbGlrZWx5IHN1cHBvcnQgYm90aCwgbm8gbWF0dGVyIGhvdyBkZWZpbmVkOyB0aGlz IGltcHJvdmVzIGludGVyb3BlcmFiaWxpdHkgKHNlZSBwNyAyLjMuMSkuDQo8bzpwPjwvbzpwPjwv cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+T25jZSBhZ2FpbiwgdGhlIGN1cnJlbnQgdGV4dCByZWZsZWN0cyBh IGNvbnNlbnN1cyBkZWNpc2lvbiBvZiB0aGUgd29ya2luZyBncm91cC4mbmJzcDsgSXQgd2FzIHZp ZXdlZCB0aGF0IHJlcXVpcmluZyBzdXBwb3J0IGZvciBtdWx0aXBsZSB3YXlzIG9mIGRvaW5nIHRo ZSBzYW1lIHRoaW5nIHVubmVjZXNzYXJpbHkgY29tcGxpY2F0ZWQgaW1wbGVtZW50YXRpb25zIHdp dGhvdXQgYW55IGNvbXBlbnNhdGluZyBiZW5lZml0Ow0KIGJldHRlciB0byBzdXBwb3J0IG9uZSBz eW50YXggZm9yIGVhY2ggc2VtYW50aWMgb3BlcmF0aW9uIGFuZCByZXF1aXJlIGFsbCBpbXBsZW1l bnRhdGlvbnMgdG8gdXNlIGl0LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0IiBzdHlsZT0i bWFyZ2luLWxlZnQ6LjVpbiI+RmluYWxseSwgdGhlIGVycm9yX2Rlc2NyaXB0aW9uIHBhcmFtZXRl ciBjYW4gY2Fycnkgb25seSBBU0NJSSBjaGFyYWN0ZXJzLiBXaGlsZSBJIHVuZGVyc3RhbmQgYSB0 cmFkZW9mZiBoYXMgYmVlbiBtYWRlIGhlcmUgKGFuZCwgaW4gbXkganVkZ2VtZW50LCBhbiBhcHBy b3ByaWF0ZSBvbmUpLCBpdCdzIGFwcHJvcHJpYXRlIHRvIGhpZ2hsaWdodCB0aGlzIGluIHJldmll dy48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Tm90ZWQ8bzpwPjwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPiogR2VuZXJhbDxvOnA+PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0Oi41aW4iPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdp bi1sZWZ0Oi41aW4iPlRoZSBkcmFmdCBjdXJyZW50bHkgZG9lc24ndCBtZW50aW9uIHdoZXRoZXIg QmVhcmVyIGlzIHN1aXRhYmxlIGZvciB1c2UgYXMgYSBwcm94eSBhdXRoZW50aWNhdGlvbiBzY2hl bWUuIEkgc3VzcGVjdCBpdCAqbWF5KjsgaXQgd291bGQgYmUgd29ydGggZGlzY3Vzc2luZyB0aGlz IHdpdGggc29tZSBwcm94eSBpbXBsZW1lbnRlcnMgdG8gZ2F1Z2UgdGhlaXIgaW50ZXJlc3QNCiAo ZS5nLiwgU3F1aWQpLiA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+V2hvIHdvdWxkIHlv dSByZWNvbW1lbmQgcmV2aWV3IHRoZSBkcmFmdCBmcm9tIHRoaXMgcGVyc3BlY3RpdmU/PG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkZpbmFsbHksIE1hcmssIEkgYXBwbGllZCBhbGwgdGhl IGVkaXRvcmlhbCBzdWdnZXN0aW9ucyB5b3UgbWFkZS4mbmJzcDsgVGhhbmtzIGZvciB0aG9zZS48 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+TWFyaywgU3RlcGhlbiwgYW5kIGNoYWlycywg cGxlYXNlIGxldCBtZSBrbm93IHdoZXRoZXIgdG8gbm93IHBvc3QgdGhpcyBkcmFmdCBhcyBhbiBh Y3R1YWwgc3VibWlzc2lvbi48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi PjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7IFRoYW5rcyBhbGwsPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4m bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsgLS0gTWlrZTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4tLS0tLU9y aWdpbmFsIE1lc3NhZ2UtLS0tLTxicj4NCkZyb206IDxhIGhyZWY9Im1haWx0bzpvYXV0aC1ib3Vu Y2VzQGlldGYub3JnIj5vYXV0aC1ib3VuY2VzQGlldGYub3JnPC9hPiA8YSBocmVmPSJtYWlsdG86 W21haWx0bzpvYXV0aC1ib3VuY2VzQGlldGYub3JnXSI+DQpbbWFpbHRvOm9hdXRoLWJvdW5jZXNA aWV0Zi5vcmddPC9hPiBPbiBCZWhhbGYgT2YgVHNjaG9mZW5pZywgSGFubmVzIChOU04gLSBGSS9F c3Bvbyk8YnI+DQpTZW50OiBXZWRuZXNkYXksIE5vdmVtYmVyIDIzLCAyMDExIDExOjUxIFBNPGJy Pg0KVG86IDxhIGhyZWY9Im1haWx0bzpvYXV0aEBpZXRmLm9yZyI+b2F1dGhAaWV0Zi5vcmc8L2E+ PGJyPg0KU3ViamVjdDogW09BVVRILVdHXSBGVzogW2FwcHMtZGlzY3Vzc10gQVBQUyBBcmVhIHJl dmlldyBvZiBkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci0xNDxvOnA+PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNv UGxhaW5UZXh0Ij5GWUk8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+LS0tLS1PcmlnaW5h bCBNZXNzYWdlLS0tLS08bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkZy b206IDxhIGhyZWY9Im1haWx0bzphcHBzLWRpc2N1c3MtYm91bmNlc0BpZXRmLm9yZyI+PHNwYW4g c3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPmFwcHMtZGlzY3Vz cy1ib3VuY2VzQGlldGYub3JnPC9zcGFuPjwvYT48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPjxhIGhyZWY9Im1haWx0bzpbbWFpbHRvOmFwcHMtZGlzY3Vzcy1ib3VuY2Vz QGlldGYub3JnXSI+PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9u Om5vbmUiPlttYWlsdG86YXBwcy1kaXNjdXNzLWJvdW5jZXNAaWV0Zi5vcmddPC9zcGFuPjwvYT4g T24gQmVoYWxmIE9mIGV4dCBNYXJrIE5vdHRpbmdoYW08bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPlNlbnQ6IFRodXJzZGF5LCBOb3ZlbWJlciAyNCwgMjAxMSA4OjIyIEFN PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5UbzogSUVURiBBcHBzIERp c2N1c3M7IDxhIGhyZWY9Im1haWx0bzpkcmFmdC1pZXRmLW9hdXRoLXYyLWJlYXJlci5hbGxAaWV0 Zi5vcmciPg0KPHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5v bmUiPmRyYWZ0LWlldGYtb2F1dGgtdjItYmVhcmVyLmFsbEBpZXRmLm9yZzwvc3Bhbj48L2E+PG86 cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5DYzogVGhlIElFU0c8bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPlN1YmplY3Q6IFthcHBzLWRpc2N1c3Nd IEFQUFMgQXJlYSByZXZpZXcgb2Y8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl eHQiPmRyYWZ0LWlldGYtb2F1dGgtdjItYmVhcmVyLTE0PG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPkkgaGF2ZSBiZWVuIHNlbGVjdGVkIGFzIHRoZSBBcHBsaWNhdGlvbnMgQXJlYSBSZXZp ZXcgVGVhbSByZXZpZXdlciBmb3IgdGhpcyBkcmFmdCAoZm9yIGJhY2tncm91bmQgb24gYXBwcy1y ZXZpZXcsIHBsZWFzZSBzZWUgJmx0OzxhIGhyZWY9Imh0dHA6Ly93d3cuYXBwcy5pZXRmLm9yZy9j b250ZW50L2FwcGxpY2F0aW9ucy1hcmVhLXJldmlldy10ZWFtIj48c3BhbiBzdHlsZT0iY29sb3I6 d2luZG93dGV4dDt0ZXh0LWRlY29yYXRpb246bm9uZSI+aHR0cDovL3d3dy5hcHBzLmlldGYub3Jn L2NvbnRlbnQvYXBwbGljYXRpb25zLWFyZWEtcmV2aWV3LXRlYW08L3NwYW4+PC9hPiZndDspLjxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5QbGVhc2UgcmVzb2x2ZSB0aGVzZSBjb21tZW50 cyBhbG9uZyB3aXRoIGFueSBvdGhlciBMYXN0IENhbGwgY29tbWVudHMgeW91IG1heSByZWNlaXZl LiBQbGVhc2Ugd2FpdCBmb3IgZGlyZWN0aW9uIGZyb20geW91ciBkb2N1bWVudCBzaGVwaGVyZCBv ciBBRCBiZWZvcmUgcG9zdGluZyBhIG5ldyB2ZXJzaW9uIG9mIHRoZSBkcmFmdC48bzpwPjwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCI+RG9jdW1lbnQ6IGRyYWZ0LWlldGYtb2F1dGgtdjItYmVhcmVy LTE0PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5UaXRsZTogT0F1dGgg Mi4wIEJlYXJlciBUb2tlbnM8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi PlJldmlld2VyOiBNYXJrIE5vdHRpbmdoYW08bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPlJldmlldyBEYXRlOiAyNC8xMS8yMDExPG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPlN1bW1hcnk6IFRoaXMgZHJhZnQgaXMgYWxtb3N0IHJlYWR5IGZvciBwdWJsaWNhdGlv biBhcyBhIFByb3Bvc2VkIFN0YW5kYXJkLCBidXQgaGFzIGEgZmV3IGlzc3VlcyB0aGF0IHNob3Vs ZCBiZSBmaXhlZC48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+TWFqb3IgSXNzdWVzPG86 cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4tLS0tLS0tLS0tLS08bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+KiBTZWN0aW9uIDIuMyBVUkkgUXVlcnkgUGFyYW1ldGVy PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPlRoaXMgc2VjdGlvbiBlZmZlY3RpdmVseSBy ZXNlcnZlcyBhIFVSSSBxdWVyeSBwYXJhbWV0ZXIgZm9yIHRoZSBkcmFmdCdzIHVzZS4gVGhpcyBz aG91bGQgbm90IGJlIGRvbmUgbGlnaHRseSwgc2luY2UgdGhpcyB3b3VsZCBiZSBhIHByZWNlZGVu dCBmb3IgdGhlIElFVEYgZW5jcm9hY2hpbmcgdXBvbiBhIHNlcnZlcidzIFVSSXMgKGRvbmUgcHJl dmlvdXNseSBpbiBSRkM1Nzg1LCBidXQgaW4gYSBtdWNoIG1vcmUNCiBsaW1pdGVkIGZhc2hpb24s IGFzIGEgdGFjdGljIHRvIHByZXZlbnQgZnVydGhlciwgdW5jb250cm9sbGVkIGVuY3JvYWNobWVu dCkuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkdpdmVuIHRoYXQgdGhlIGRyYWZ0IGFs cmVhZHkgZGlzY291cmFnZXMgdGhlIHVzZSBvZiB0aGlzIG1lY2hhbmlzbSwgSSdkIHJlY29tbWVu ZCBkcm9wcGluZyBpdCBhbHRvZ2V0aGVyLiBJZiB0aGUgV29ya2luZyBHcm91cCB3aXNoZXMgaXQg dG8gcmVtYWluLCB0aGlzIGlzc3VlcyBzaG91bGQgYmUgdmV0dGVkIGJvdGggdGhyb3VnaCB0aGUg QVBQUyBhcmVhIGFuZCB0aGUgVzNDIGxpYWlzb24uPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl eHQiPihUaGUgc2FtZSBjcml0aWNpc20gY291bGQgYmUgbGV2ZWxlZCBhdCBTZWN0aW9uIDIuMiBG b3JtLUVuY29kZWQgQm9keSBQYXJhbWV0ZXIsIGJ1dCB0aGF0IGF0IGxlYXN0IGlzbid0IHN1cmZh Y2VkIGluIGFuIGlkZW50aWZpZXIpPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiogU2Vj dGlvbiAzIFRoZSBXV1ctQXV0aGVudGljYXRlIFJlc3BvbnNlIEhlYWRlciBGaWVsZDxvOnA+PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8 cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5UaGUgZHJhZnQgcmVmZXJlbmNlcyB0aGUgcXVvdGVkLXN0 cmluZyBBQk5GIGZyb20gSFRUUCwgYnV0IGNoYW5nZXMgaXRzIHByb2Nlc3NpbmcgaW4gYSBsYXRl ciBwYXJhZ3JhcGg6PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpw PiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZxdW90OyZxdW90OyZx dW90O0luIGFsbCB0aGVzZSBjYXNlcywgbm8gY2hhcmFjdGVyIHF1b3Rpbmcgd2lsbCBvY2N1ciwg YXMgc2VuZGVycyBhcmUgcHJvaGliaXRlZCBmcm9tIHVzaW5nIHRoZSAlNUMgKCdcJykgY2hhcmFj dGVyLiZxdW90OyZxdW90OyZxdW90OzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu VGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5UaGlz IGlzIGF0IGJlc3Qgc3VycHJpc2luZyAoYXMgbWFueSByZWFkZXJzIHdpbGwgcmVhc29uYWJseSBz dXJtaXNlIHRoYXQgdXNpbmcgdGhlIHF1b3RlZC1zdHJpbmcgQUJORiBpbXBsaWVzIHRoYXQgdGhl IHNhbWUgY29kZSBjYW4gYmUgdXNlZCkuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij5QbGVhc2UgZWl0aGVyIHVzZSBxdW90ZWQtc3RyaW5nIGFzIGRlZmluZWQgKGkuZS4s IHdpdGggZXNjYXBpbmcpLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNw OzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPk1pbm9yIElzc3VlczxvOnA+PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+LS0tLS0tLS0tLS0tPG86cD48L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPiogU2VjdGlvbiAxOiBJbnRyb2R1Y3Rpb248bzpwPjwvbzpwPjwv cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+VGhlIGludHJvZHVjdGlvbiBleHBsYWlucyBvYXV0aCwgYnV0IGl0 IGRvZXNuJ3QgZnVsbHkgZXhwbGFpbiB0aGUgcmVsYXRpb25zaGlwIG9mIHRoaXMgc3BlY2lmaWNh dGlvbiB0byBPQXV0aCAyLjAuIEUuZy4sIGNhbiBpdCBiZSB1c2VkIGluZGVwZW5kZW50bHkgZnJv bSB0aGUgcmVzdCBvZiBPQXV0aD8gTGlrZXdpc2UsIHRoZSBvdmVydmlldyAoc2VjdGlvbjxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+MS4zKSBzZWVtcyBtb3JlIHNwZWNp ZmljIHRvIHRoZSBPQXV0aCBzcGVjaWZpY2F0aW9uIHRoYW4gdGhpcyBkb2N1bWVudC48bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkFzIEkgcmVhZCBpdCwgdGhpcyBtZWNo YW5pc20gY291bGQgYmUgdXNlZCBmb3IgQU5ZIGJlYXJlciB0b2tlbiwgbm90IGp1c3Qgb25lIGdl bmVyYXRlZCB0aHJvdWdoIE9BdXRoIGZsb3dzLg0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl eHQiPklmIGl0IGlzIGluZGVlZCBtb3JlIGdlbmVyYWwsIEknZCByZWNvbW1lbmQgbWluaW1pc2lu ZyB0aGUgZGlzY3Vzc2lvbiBvZiBPQXV0aCwgcGVyaGFwcyBldmVuIHJlbW92aW5nIGl0IGZyb20g dGhlIGRvY3VtZW50IHRpdGxlLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4qIFNlY3Rp b24gMyBUaGUgV1dXLUF1dGhlbnRpY2F0ZSBSZXNwb25zZSBIZWFkZXIgRmllbGQ8bzpwPjwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCI+VGhlIGRpZmZlcmVuY2UgYmV0d2VlbiBhIHJlYWxtIGFuZCBh IHNjb3BlIGlzIG5vdCBleHBsYWluZWQuIEFyZSB0aGUgZnVuY3Rpb25hbGx5IGVxdWl2YWxlbnQs IGp1c3QgYSBzaW5nbGUgdmFsdWUgdnMuIGEgbGlzdD8NCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij5EbyB5b3UgcmVhbGx5IGludGVuZCB0byBkaXNhbGxvdyAqYWxsKiBleHRlbnNpb24g cGFyYW1ldGVycyBvbiB0aGUgY2hhbGxlbmdlPzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0 Ij5BbHNvLCB0aGUgc2NvcGUsIGVycm9yLCBlcnJvcl9kZXNjcmlwdGlvbiBhbmQgZXJyb3JfdXJp IHBhcmFtZXRlcnMgYWxsIHNwZWNpZnkgb25seSBhIHF1b3RlZC1zdHJpbmcgc2VyaWFsaXNhdGlv bi4gSFRUUGJpcyBzdHJvbmdseSBzdWdnZXN0cyB0aGF0IG5ldyBzY2hlbWVzIGFsbG93IGJvdGgg Zm9ybXMsIGJlY2F1c2UgaW1wbGVtZW50YXRpb24gZXhwZXJpZW5jZSBoYXMgc2hvd24gdGhhdCBp bXBsZW1lbnRhdGlvbnMNCiB3aWxsIGxpa2VseSBzdXBwb3J0IGJvdGgsIG5vIG1hdHRlciBob3cg ZGVmaW5lZDsgdGhpcyBpbXByb3ZlcyBpbnRlcm9wZXJhYmlsaXR5IChzZWUgcDcgMi4zLjEpLg0K PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkZpbmFsbHksIHRoZSBlcnJvcl9kZXNjcmlw dGlvbiBwYXJhbWV0ZXIgY2FuIGNhcnJ5IG9ubHkgQVNDSUkgY2hhcmFjdGVycy4gV2hpbGUgSSB1 bmRlcnN0YW5kIGEgdHJhZGVvZmYgaGFzIGJlZW4gbWFkZSBoZXJlIChhbmQsIGluIG15IGp1ZGdl bWVudCwgYW4gYXBwcm9wcmlhdGUgb25lKSwgaXQncyBhcHByb3ByaWF0ZSB0byBoaWdobGlnaHQg dGhpcyBpbiByZXZpZXcuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48 bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiogR2VuZXJhbDxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5UaGUgZHJhZnQgY3VycmVudGx5IGRvZXNuJ3Qg bWVudGlvbiB3aGV0aGVyIEJlYXJlciBpcyBzdWl0YWJsZSBmb3IgdXNlIGFzIGEgcHJveHkgYXV0 aGVudGljYXRpb24gc2NoZW1lLiBJIHN1c3BlY3QgaXQgKm1heSo7IGl0IHdvdWxkIGJlIHdvcnRo IGRpc2N1c3NpbmcgdGhpcyB3aXRoIHNvbWUgcHJveHkgaW1wbGVtZW50ZXJzIHRvIGdhdWdlIHRo ZWlyIGludGVyZXN0IChlLmcuLCBTcXVpZCkuDQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5OaXRzPG86 cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4tLS0tPG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPiogU2VjdGlvbiAyLjEgQXV0aG9yaXphdGlvbiBSZXF1ZXN0IEhlYWRl ciBGaWVsZDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJz cDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mcXVvdDtzaW1wbGljaXR5IHJl YXNvbnMmcXVvdDsgLS0mZ3Q7ICZxdW90O3NpbXBsaWNpdHkmcXVvdDs8bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+JnF1b3Q7SWYgYWRkaXRpb25hbCBwYXJhbWV0ZXJzIGFyZSBkZXNpcmVk IGluIHRoZSBmdXR1cmUsIGEgZGlmZmVyZW50IHNjaGVtZSBjb3VsZCBiZSBkZWZpbmVkLiZxdW90 OyAtLSZndDsgJnF1b3Q7SWYgYWRkaXRpb25hbCBwYXJhbWV0ZXJzIGFyZSBuZWVkZWQgaW4gdGhl IGZ1dHVyZSwgYSBkaWZmZXJlbnQgc2NoZW1lIHdvdWxkIG5lZWQgdG8gYmUgZGVmaW5lZC4mcXVv dDs8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+KiBTZWN0aW9uIDMgVGhlIFdXVy1BdXRo ZW50aWNhdGUgUmVzcG9uc2UgSGVhZGVyIEZpZWxkPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl eHQiPlRoZSByZXF1aXJlbWVudCB0aGF0IGEgcmVzb3VyY2Ugc2VydmVyIE1VU1QgaW5jbHVkZSB0 aGUgSFRUUCBXV1ctQXV0aGVudGljYXRlIHJlc3BvbnNlIGhlYWRlciBmaWVsZCBpcyBvZGQ7IHJl YWxseSB0aGlzIGlzIGF0IHRoZSBkaXNjcmV0aW9uIG9mIHRoZSBzZXJ2ZXIuIElzIGl0IHJlYWxs eSBuZWNlc3NhcnkgdG8gdXNlIGEgY29uZm9ybWFuY2UgcmVxdWlyZW1lbnQgaGVyZT88bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VVJJLXJlZmVyZW5jZSAtLSZndDsgVVJJLVJlZmVyZW5j ZTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4qIFNlY3Rpb24gMy4xIEVycm9yIENvZGVz PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjQwNSBiZWxvbmdzIGluIHRoZSBsaXN0IG9m IHR5cGljYWxseSBhcHByb3ByaWF0ZSBzdGF0dXMgY29kZXMgYXMgd2VsbC48bzpwPjwvbzpwPjwv cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij5LaW5kIHJlZ2FyZHMsPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPi0tPG86 cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5NYXJrIE5vdHRpbmdoYW0mbmJz cDsmbmJzcDsgPGEgaHJlZj0iaHR0cDovL3d3dy5tbm90Lm5ldC8iPjxzcGFuIHN0eWxlPSJjb2xv cjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5odHRwOi8vd3d3Lm1ub3QubmV0Lzwv c3Bhbj48L2E+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZu YnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0Ij5fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fXzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+YXBwcy1k aXNjdXNzIG1haWxpbmcgbGlzdDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+PGEgaHJlZj0ibWFpbHRvOmFwcHMtZGlzY3Vzc0BpZXRmLm9yZyI+PHNwYW4gc3R5bGU9ImNv bG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPmFwcHMtZGlzY3Vzc0BpZXRmLm9y Zzwvc3Bhbj48L2E+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48YSBo cmVmPSJodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2FwcHMtZGlzY3VzcyI+ PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPmh0dHBz Oi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vYXBwcy1kaXNjdXNzPC9zcGFuPjwvYT48 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPl9fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij5PQXV0aCBtYWlsaW5nIGxpc3Q8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPjxhIGhyZWY9Im1haWx0bzpPQXV0aEBpZXRmLm9yZyI+PHNwYW4gc3R5 bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPk9BdXRoQGlldGYub3Jn PC9zcGFuPjwvYT48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxhIGhy ZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGgiPjxzcGFuIHN0 eWxlPSJjb2xvcjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5odHRwczovL3d3dy5p ZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoPC9zcGFuPjwvYT48bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8 L2JvZHk+DQo8L2h0bWw+DQo= --_000_4E1F6AAD24975D4BA5B16804296739435F7650C6TK5EX14MBXC283r_-- From bcampbell@pingidentity.com Fri Dec 16 14:59:21 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B22201F0C6E for ; Fri, 16 Dec 2011 14:59:21 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.977 X-Spam-Level: X-Spam-Status: No, score=-5.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7eUJUeTeD5Wc for ; Fri, 16 Dec 2011 14:59:20 -0800 (PST) Received: from na3sys009aog120.obsmtp.com (na3sys009aog120.obsmtp.com [74.125.149.140]) by ietfa.amsl.com (Postfix) with ESMTP id 84B3B1F0C65 for ; Fri, 16 Dec 2011 14:59:20 -0800 (PST) Received: from mail-vx0-f177.google.com ([209.85.220.177]) (using TLSv1) by na3sys009aob120.postini.com ([74.125.148.12]) with SMTP ID DSNKTuvNRx6hn8R53xRGRdEjYp93/JZ1SLPP@postini.com; Fri, 16 Dec 2011 14:59:20 PST Received: by vcbf11 with SMTP id f11so2761731vcb.22 for ; Fri, 16 Dec 2011 14:59:19 -0800 (PST) Received: by 10.52.34.194 with SMTP id b2mr1862166vdj.102.1324076359200; Fri, 16 Dec 2011 14:59:19 -0800 (PST) MIME-Version: 1.0 Received: by 10.52.169.98 with HTTP; Fri, 16 Dec 2011 14:58:48 -0800 (PST) In-Reply-To: <918554FB-F7B1-42E7-AA49-E3611F435796@oracle.com> References: <918554FB-F7B1-42E7-AA49-E3611F435796@oracle.com> From: Brian Campbell Date: Fri, 16 Dec 2011 15:58:48 -0700 Message-ID: To: Phil Hunt Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: "oauth \(oauth@ietf.org\)" Subject: Re: [OAUTH-WG] SAML Bearer Spec 09 - Refresh Clarification X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Dec 2011 22:59:21 -0000 Hey Phil, Your understanding is pretty much inline with how I understand it. That text actually originates from earlier versions of the core spec (I think -09 [1] was the last sighting). And I carried it over when the grant_type got generalized and the assertion pieces moved into the SAML/OAuth draft. The main idea was that the extension grants (or at least assertions) relied on some existing trust framework and that issuing a refresh token would effectually undermine that by giving the client a new way of getting access outside the established framework of trust. So, for example, with an RT a fired employee might still be able to access resources at a SaaS provider. That was the thinking anyway but I don't disagree that the wording in the draft could make that more clear and/or be a less restrictive. Regarding the text you've proposed, I'm not sure I know exactly what "lifetime of the authorization grant" means or how the AS would know. And I think it might be too ambiguous to have as normative language. Can you give a workable definition? Or was it intentionally left kind of vague? I'll should also note that that exact same text is in section 3.1 of the "JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0" [2] draft. Whatever we decide, I can't think of any reason it would't apply to both drafts. And that suggests that it should be moved up into the "OAuth 2.0 Assertion Profile" - perhaps into section 4.1.3 [3]? Thanks, Brian P.S. My apologies for the extremely slow response - this one just slipped though the cracks for a while - I have no other excuse. [1] http://tools.ietf.org/html/draft-ietf-oauth-v2-09#section-4.1.3 [2] http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03#section-3.1 [3] http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.3 On Fri, Nov 4, 2011 at 2:40 PM, Phil Hunt wrote: > Section 4.5 of the OAuth Core spec provides that extension spec MAY issue > refresh tokens. =A0Yet, section 3.1 of the OAuth2 SAML Bearer specificati= on > currently says SHOULD NOT (from draft 09): > > Authorization servers SHOULD issue access tokens with a limited lifetime = and > require clients to refresh them by requesting a new access token using th= e > same assertion, if it is still valid, or with a new assertion. The > authorization server SHOULD NOT issue a refresh token. > > > There has been some confusion as to why authorization servers SHOULD NOT > issue refresh tokens.=A0Apparently this wording was put in place because = a > SAML Bearer authorization might have a shorter life than typical refresh > token lifetime. Hence there was a concern that an authorization server wo= uld > inadvertently issue a long-lasting refresh token that outlives the origin= al > SAML Bearer authorization. =A0In order to make this concern clear I propo= se > the following text that makes clear the concern and makes refresh tokens > more permissive: > > Authorization servers SHOULD issue access tokens with a limited lifetime = and > require clients to refresh them by requesting a new access token using th= e > same assertion, if it is still valid, or with a new assertion. The > authorization server SHOULD NOT issue a refresh token that has an expiry > longer than the lifetime of the authorization grant. > > I'm not aware of any other concerns regarding refresh tokens being issued= in > conjunction with SAML Bearer assertions? =A0Are there any concerns that > suggest we should keep the wording as generally SHOULD NOT? > > Phil > > @independentid > www.independentid.com > phil.hunt@oracle.com > > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > From sm@elandsys.com Fri Dec 16 15:47:35 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B4B021F85EF; Fri, 16 Dec 2011 15:47:35 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.555 X-Spam-Level: X-Spam-Status: No, score=-102.555 tagged_above=-999 required=5 tests=[AWL=0.044, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9nIff8pfq2VA; Fri, 16 Dec 2011 15:47:33 -0800 (PST) Received: from mail.elandsys.com (mail.elandsys.com [208.69.177.125]) by ietfa.amsl.com (Postfix) with ESMTP id 0F7E521F88B7; Fri, 16 Dec 2011 15:47:33 -0800 (PST) Received: from SUBMAN.elandsys.com ([41.136.232.24]) (authenticated bits=0) by mail.elandsys.com (8.13.8/8.13.8) with ESMTP id pBGNlOk9010473; Fri, 16 Dec 2011 15:47:29 -0800 DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=elandsys.com; s=mail; t=1324079251; bh=lZIRqqIo+ccL0sMP1lfnCgZ5qwE=; h=Message-Id:Date:To:From:Subject:Cc:In-Reply-To:References: Mime-Version:Content-Type; b=KT0gVt+5PCsUhtGcZVvE8GPjpNjAQi722D5fRIltGZeEglC+CHagNyKBcUIo1Hq6O FniIoAOKoXN+X7vjF7RwflO+LPAFaV2AsVH5v+grBJ3it1hb5ebTi0/mjITt14uvnd vOdm3XbCL/VWQIHGQNoyeALjhSVDCM2iadTd22cs= Message-Id: <6.2.5.6.2.20111216152046.0b4cbbc0@resistor.net> X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6 Date: Fri, 16 Dec 2011 15:46:26 -0800 To: oauth@ietf.org From: S Moonesamy In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.re dmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Mailman-Approved-At: Fri, 16 Dec 2011 15:48:39 -0800 Cc: appsdir@ietf.org Subject: Re: [OAUTH-WG] OK to post OAuth Bearer draft 15? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Dec 2011 23:47:35 -0000 At 18:13 14-12-2011, Mike Jones wrote: >Any objections to posting the updated Bearer draft incorporating the >results of the APPS Area review and the TLS requirements? Mark Nottingham followed up on his review [1]. If this working group considers that the concerns raised have been addressed, I gather that it ok for me to raise them as issues during the Last Call for draft-ietf-oauth-v2-bearer. Regards, S. Moonesamy 1. http://www.ietf.org/mail-archive/web/oauth/current/msg08052.html 2. http://www.ietf.org/mail-archive/web/apps-discuss/current/msg03805.html From melvincarvalho@gmail.com Sun Dec 18 09:05:43 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C086521F8511 for ; Sun, 18 Dec 2011 09:05:43 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.999 X-Spam-Level: X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c8iCeeWvNcUw for ; Sun, 18 Dec 2011 09:05:43 -0800 (PST) Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 2A06921F850E for ; Sun, 18 Dec 2011 09:05:43 -0800 (PST) Received: by vbbfo1 with SMTP id fo1so2722268vbb.31 for ; Sun, 18 Dec 2011 09:05:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=pBkGcN7z0ksDfjGMm6foiEU+QsqVx/miZiSc0CwgO/A=; b=MGZKcngG6Xgxhny8nR4rakguWqhJAINYE/LrHrkOpUIY/ZLfkWdD8cb5OOWAgOzzII gr5g2uJbINLMb5sgdL6jl0HCEMiaNVJJth1LcSGyK2N9YsOPH3vVRBdpVvjrS10h4cLg I+lKoBzX/JnnE2sDVMpqavbVXtylMa+Rpq7Lk= MIME-Version: 1.0 Received: by 10.52.94.148 with SMTP id dc20mr9845687vdb.109.1324227942650; Sun, 18 Dec 2011 09:05:42 -0800 (PST) Received: by 10.52.34.6 with HTTP; Sun, 18 Dec 2011 09:05:42 -0800 (PST) Date: Sun, 18 Dec 2011 18:05:42 +0100 Message-ID: From: Melvin Carvalho To: oauth@ietf.org Content-Type: text/plain; charset=ISO-8859-1 Subject: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Dec 2011 17:09:18 -0000 Quick question. I was wondering if OAuth 2.0 can work with access control lists. For example there is a protected resource (e.g. a photo), and I want to set it up so that a two or more users (for example a group of friends) U1, U2 ... Un will be able to access it after authenticating. Is this kind of flow possibly with OAuth 2.0, and if so whose responsibility is it to maintain the list of agents than can access the resource? From d.tangren@gmail.com Sun Dec 18 09:22:40 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D17D21F84B8 for ; Sun, 18 Dec 2011 09:22:40 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vdRIRHzZNpzQ for ; Sun, 18 Dec 2011 09:22:39 -0800 (PST) Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 95E7921F8485 for ; Sun, 18 Dec 2011 09:22:39 -0800 (PST) Received: by ggnk5 with SMTP id k5so4086699ggn.31 for ; Sun, 18 Dec 2011 09:22:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=n3uU+ERZvZWpwRkTarhGOlQJYic0vIyco8Zc44pm2mI=; b=DLrpNKbgNlADyzDeFBr0Py+61fB7E/oBnpa0DkwOx7yeNCb4Mg3exSfmsoGVDTzJR9 d1cLP/kWLhtlXAMOkAXPUIqzHPfQQEYhKK97uCVNahkO7kb0Rz9Cycw3o5Atn7RMQEiH 3+KVX6S3stX70vAq2WrLlPt2z1Xzr6TSUZc7k= Received: by 10.101.129.39 with SMTP id g39mr7139371ann.25.1324228959187; Sun, 18 Dec 2011 09:22:39 -0800 (PST) MIME-Version: 1.0 Received: by 10.100.96.16 with HTTP; Sun, 18 Dec 2011 09:22:18 -0800 (PST) In-Reply-To: References: From: Doug Tangren Date: Sun, 18 Dec 2011 12:22:18 -0500 Message-ID: To: Melvin Carvalho Content-Type: multipart/alternative; boundary=001636c927a1b6b38b04b46114b9 Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Dec 2011 17:22:40 -0000 --001636c927a1b6b38b04b46114b9 Content-Type: text/plain; charset=UTF-8 On Sun, Dec 18, 2011 at 12:05 PM, Melvin Carvalho wrote: > Quick question. I was wondering if OAuth 2.0 can work with access > control lists. > > For example there is a protected resource (e.g. a photo), and I want > to set it up so that a two or more users (for example a group of > friends) U1, U2 ... Un will be able to access it after authenticating. > > Is this kind of flow possibly with OAuth 2.0, and if so whose > responsibility is it to maintain the list of agents than can access > the resource? > The scope parameter fulfills this role. It would be up to the service to document the scope for clients, the auth server to ask the user if they wished allow the client this extra scope of access, and the resource server to interpret the scope for the particular request. --001636c927a1b6b38b04b46114b9 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

On Sun, Dec 18, 2011 at 12:05 PM, Melvin= Carvalho <melvincarvalho@gmail.com> wrote:
Quick question. =C2=A0I was wondering if OAuth 2.0 can work with access
control lists.

For example there is a protected resource (e.g. a photo), and I want
to set it up so that a two or more users (for example a group of
friends) U1, U2 ... Un will be able to access it after authenticating.

Is this kind of flow possibly with OAuth 2.0, and if so whose
responsibility is it to maintain the list of agents than can access
the resource?

The scope parameter fulfi= lls this role. It would be up to the service to document the scope for clie= nts, the auth server to ask the user if they wished allow the client this e= xtra scope of access, and the resource server to interpret the scope for th= e particular request.
--001636c927a1b6b38b04b46114b9-- From romeda@gmail.com Sun Dec 18 09:49:48 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EF9121F853A for ; Sun, 18 Dec 2011 09:49:48 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -103.599 X-Spam-Level: X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VpDP29B0RL1r for ; Sun, 18 Dec 2011 09:49:47 -0800 (PST) Received: from mail-tul01m020-f172.google.com (mail-tul01m020-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id A0B0921F852E for ; Sun, 18 Dec 2011 09:49:47 -0800 (PST) Received: by obcuz6 with SMTP id uz6so1432770obc.31 for ; Sun, 18 Dec 2011 09:49:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=YJ5Err7fIik0BHYZUtK9RgnLyYvzOqK7boMrci9PDX0=; b=RT6qj3T2aeMucNJKi3iPsArQaQgHwpA1BAS6GU/AqIgw2o8h9bNGrwZZVY/10S8rZ/ wdLiC0uUcSB4X8HyRZtncDPdgKyN/cVeXkn9HBtT4AO36RbaHZbSTzs9PhgjakA7vcXE e7p+amkmvtUlnz7sz8JVPRJlMf5inTOT77LE4= Received: by 10.182.159.99 with SMTP id xb3mr8562303obb.8.1324230587242; Sun, 18 Dec 2011 09:49:47 -0800 (PST) MIME-Version: 1.0 Received: by 10.182.47.131 with HTTP; Sun, 18 Dec 2011 09:49:26 -0800 (PST) In-Reply-To: References: From: Blaine Cook Date: Sun, 18 Dec 2011 17:49:26 +0000 Message-ID: To: Doug Tangren Content-Type: text/plain; charset=UTF-8 Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Dec 2011 17:49:48 -0000 On 18 December 2011 17:22, Doug Tangren wrote: > > On Sun, Dec 18, 2011 at 12:05 PM, Melvin Carvalho > wrote: >> >> Is this kind of flow possibly with OAuth 2.0, and if so whose >> responsibility is it to maintain the list of agents than can access >> the resource? > > The scope parameter fulfills this role. It would be up to the service to > document the scope for clients, the auth server to ask the user if they > wished allow the client this extra scope of access, and the resource server > to interpret the scope for the particular request. It's not necessary to use the scope parameter; you'd probably want some private API that allows an authenticated client to say something like: "User x is also allowed to access this resource", and when User X's client obtains an access token, they'll be able to access the resource in question. The ACL in any event is the responsibility of the service provider, as the service provider is the only entity able to enforce access control. b. From barryleiba.mailing.lists@gmail.com Sun Dec 18 10:51:18 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A895621F85A8 for ; Sun, 18 Dec 2011 10:51:18 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -100.377 X-Spam-Level: X-Spam-Status: No, score=-100.377 tagged_above=-999 required=5 tests=[BAYES_50=0.001, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hgYoQKr980Vy for ; Sun, 18 Dec 2011 10:51:18 -0800 (PST) Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1DBA921F852E for ; Sun, 18 Dec 2011 10:51:18 -0800 (PST) Received: by yhjj72 with SMTP id j72so4360856yhj.31 for ; Sun, 18 Dec 2011 10:51:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=WYWkH81zVfQrOyEmJNv7FjOu0IMex7QYvq7NHPxM7vc=; b=pscyDZ0dbJvjA8FTbwiE0pCAOzYEhJKJFY9Hn9/OH7LTywxHInCnaNJKAlK/tTn+UY wd/TmLZHfX/eUe6rBo4pJKGTclyK/K0D0a/kxnvu5Z7C7BENpSmiHroXZAtOrizjQz6N LYZN38tjpICNHpZ/JtgmOASdAd4TJ+exfuNKU= MIME-Version: 1.0 Received: by 10.236.154.42 with SMTP id g30mr24801494yhk.3.1324234277692; Sun, 18 Dec 2011 10:51:17 -0800 (PST) Sender: barryleiba.mailing.lists@gmail.com Received: by 10.146.225.26 with HTTP; Sun, 18 Dec 2011 10:51:17 -0800 (PST) In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F7650C6@TK5EX14MBXC283.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739435F7650C6@TK5EX14MBXC283.redmond.corp.microsoft.com> Date: Sun, 18 Dec 2011 13:51:17 -0500 X-Google-Sender-Auth: ZruXfXkNTM8KL471PR-fdkXwAf4 Message-ID: From: Barry Leiba To: Mike Jones Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable Cc: Mark Nottingham , "oauth@ietf.org" Subject: Re: [OAUTH-WG] OK to post OAuth Bearer draft 15? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Dec 2011 18:51:18 -0000 > Unless I hear a =93no=94 from Mark, the chairs, or Stephen I=92ll plan to= publish > -15 over the weekend.=A0 (Or if I hear a =93yes=94, I=92ll do so right aw= ay. J) In general, I always prefer that people have the latest text to review and comment on, and when there are significant updates to distribute, a new version is a good thing. Versions are cheap, so we should publish them often. So, that's a yes. There's also something else I want to say: I consider Mark's comments to be significant and important, and I don't consider them to have been adequately addressed. He's brought up concerns that the working group had not previously thought about, and which are real problems in how communication with web services works, with respect to bearer tokens. Let me point out that "this represents working-group consensus" is not always a valid response. If the working group has actually considered the *issue*, that might be OK. But if there's consensus for the chosen solution and someone brings up a *new* issue with it, that issue needs to be addressed anew. Suppose the working group looks at a particular question and decides on solution X. Suppose there's not really even any argument, but unanimous agreement that X is the simplest approach, and everyone strongly supports X. So that goes into the document. Then someone reviews it and says, "Solution X has a very nasty failure mode in situation Q, and that makes it extremely problematic for this usage. You really need to do Y or Z in order for it to work safely." Saying that X represents working-group consensus doesn't fly here. It does, but the working group never thought about the situation-Q failure condition, and now has to address things in that light. The answer *after* that might be "Consensus is that Q will never arise in our usage, so X remains viable, and is the best solution for us," and that's OK. But the discussion and the consideration of alternatives that don't have the cited problem needs to happen. As Mark points out, he does not have the standing to block the publication of anything; he has just brought up issues that he sees with the document as it stands. But the chairs, the responsible AD, and, ultimately, the rest of the IESG can block publication if substantive issues have not been addressed, and we think that the unresolved problems could be bad for the Internet. The working group needs to make sure that it's clear how those substantive issues have been addressed, or why they don't matter. Barry, as chair From barryleiba.mailing.lists@gmail.com Sun Dec 18 10:55:32 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 690FF21F85EF for ; Sun, 18 Dec 2011 10:55:32 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -100.933 X-Spam-Level: X-Spam-Status: No, score=-100.933 tagged_above=-999 required=5 tests=[AWL=0.555, BAYES_05=-1.11, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-3v9IOzYqfp for ; Sun, 18 Dec 2011 10:55:32 -0800 (PST) Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id E12F021F85C7 for ; Sun, 18 Dec 2011 10:55:31 -0800 (PST) Received: by yenm7 with SMTP id m7so3639725yen.31 for ; Sun, 18 Dec 2011 10:55:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; bh=A1mbpNcXF/DWGjC8cCfo3Iw68HBwJtBxwxpoYXZFRpA=; b=eThGqRUz+HBiHZw1dshcleM2wTgluKz4xWGuJNORDbQTaBc8w+qqPNFhl90lgAGLOx hz4NgfLUavo6rS0zF/yLcfgQA/jrDdpUjMWL6284qWhAal6jBgfXrF4xOeoZAFhXwyvc Z/gPdowoRGfU1911U4uUV6ZLdXkFyqyr/iuDE= MIME-Version: 1.0 Received: by 10.236.115.40 with SMTP id d28mr23661957yhh.37.1324234531474; Sun, 18 Dec 2011 10:55:31 -0800 (PST) Sender: barryleiba.mailing.lists@gmail.com Received: by 10.146.225.26 with HTTP; Sun, 18 Dec 2011 10:55:31 -0800 (PST) In-Reply-To: References: Date: Sun, 18 Dec 2011 13:55:31 -0500 X-Google-Sender-Auth: cJpu6NIi_TXKt-WWLD9prJYLc4Y Message-ID: From: Barry Leiba To: oauth WG Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Dec 2011 18:55:32 -0000 To close out this issue: There's disagreement about whether this proposed text is "necessary", but no one thinks it's *bad*, and I see consensus to use it. Eran, please make the following change in two places in the base document: > OLD > The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD > support TLS 1.2 ([RFC5246]) and its future replacements, and MAY > support additional transport-layer mechanisms meeting its security > requirements. > NEW > The authorization server MUST implement TLS. =A0Which version(s) > ought to be implemented will vary over time, and depend on > the widespread deployment and known security vulnerabilities at > the time of implementation. =A0At the time of this writing, TLS version > 1.2 [RFC5246] is the most recent version, but has very limited > actual deployment, and might not be readily available in > implementation toolkits. =A0TLS version 1.0 [RFC2246] is the > most widely deployed version, and will give the broadest > interoperability. > > Servers MAY also implement additional transport-layer > mechanisms that meet their security requirements. Barry, as chair From barryleiba.mailing.lists@gmail.com Sun Dec 18 11:00:35 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9628221F861E for ; Sun, 18 Dec 2011 11:00:35 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -100.655 X-Spam-Level: X-Spam-Status: No, score=-100.655 tagged_above=-999 required=5 tests=[AWL=-0.278, BAYES_50=0.001, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ukp+B9dL91en for ; Sun, 18 Dec 2011 11:00:34 -0800 (PST) Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id AB8FA21F85EF for ; Sun, 18 Dec 2011 11:00:34 -0800 (PST) Received: by yhjj72 with SMTP id j72so4362603yhj.31 for ; Sun, 18 Dec 2011 11:00:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=gW1uGUC4T1h5LWMvF9obxbOfYn3JMKvKmvYJFlvv8e0=; b=QAuYVcGp90jJ9/3AKuY9cBjxQkJQ7s0x43FuWKaS8UMB29GV7SUrbqVItqhcmZCkCw 8m5PPrXyVs7bNZRFny2dCl9YILg/BBwgEfXIjH2aPfJFsEuFKQyv+jSDHghl+XFlNHXM QyO6I+Mn5kCv4dLtBhA8jLzyvTyRGijHvv9mU= MIME-Version: 1.0 Received: by 10.236.115.40 with SMTP id d28mr23675579yhh.37.1324234834308; Sun, 18 Dec 2011 11:00:34 -0800 (PST) Sender: barryleiba.mailing.lists@gmail.com Received: by 10.146.225.26 with HTTP; Sun, 18 Dec 2011 11:00:34 -0800 (PST) In-Reply-To: References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> Date: Sun, 18 Dec 2011 14:00:34 -0500 X-Google-Sender-Auth: Sz-yFSLhP9Nf44n1JiJtHU5qyOg Message-ID: From: Barry Leiba To: Stephen Farrell Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Dec 2011 19:00:35 -0000 Closing out this issue: > 7.2 Access Token Implementation Considerations > > Access token types have to be mutually understood among the > authorization server, the resource server, and the client -- the > access token issues the token, the resource server validates it, and > the client is required to understand the type, as noted in section > 7.1, above. =A0Because of that, interoperability of program code > developed separately depends upon the token types that are supported > in the code. > > Toolkits that are intended for general use (for building other clients > and/or servers), therefore, SHOULD implement as many token types as > practical, to ensure that programs developed with those toolkits are > able to use the token types they need. =A0In particular, all general-use > toolkits MUST implement bearer tokens [...ref...] and MAC tokens > [...ref...]. > > Purpose-built code, built without such toolkits, has somewhat more > flexibility, as its developers know the specific environment they're > developing for. =A0There's clearly little point to including code to > support a particular token type when it's known in advance that the > type in question will never be used in the intended deployment. > Developers of purpose-built code are encouraged to consider future > extensions and to plan ahead for changes in circumstances, and might > still want to include support for multiple token types. =A0That said, > the choice of token-type support for such purpose-built code is left > to the developers and their specific requirements. We do NOT have consensus to use that text, nor any other. As I see it, the STRONG consensus of the working group is not to make any change with regard to text about which tokens to use or how to authenticate the client. This issue is closed, and Stephen reluctantly accepts that he's in the rough on this issue... but leaves us with the warning that he expects other ADs, on their own, to raise this issue during IESG evaluation. That might result in DISCUSS positions that we have to address at that time. Eran, I think this gets us done with the base-doc issues, and we should be ready for you to prepare a final version that can go into IETF last call (unless you're aware of anything I've missed). Barry From stephen.farrell@cs.tcd.ie Sun Dec 18 11:04:20 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12DD121F84D6 for ; Sun, 18 Dec 2011 11:04:20 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.669 X-Spam-Level: X-Spam-Status: No, score=-101.669 tagged_above=-999 required=5 tests=[AWL=0.930, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id po9RkqT0ctxL for ; Sun, 18 Dec 2011 11:04:19 -0800 (PST) Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id D3A9221F84B7 for ; Sun, 18 Dec 2011 11:04:18 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id B65CB171CBF; Sun, 18 Dec 2011 19:04:17 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1324235057; bh=ZmLxnBwRgqxZ+W IpKTQq3oM9qMbpUisDZrAswss4+zA=; b=1sh9N8g4w5LWJvM7vaD0Bca6rzYp8y x9HmEiGOGHliYaeN0FehRoeCfMZqRW93TZnsUicbYnxpXnjgZd2ZKiACAiRrL7Ny pGRgC+ATNeCjhIXG72xdcijINf8fAoJL7Mw1Ld2oop4YkY9v8uys9sbamL2qNOtj tvsZ2xohV0oU6xJ0DTyvX3TXr1iX2XRhPrxzKMQIDnZzQqM7seEJnipWthnal0KE iBzpPfe9huMbRpeeOoXSISLj/OIXw0oRIWCpA3MvFrqFLGh/iSITHOK1AjaftNFk 9pX2sk7a+Yjf2qjJBY7gkVckzyIlO5fyLeMCU/jwfuEurGGeJZMHQOYg== X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id G5snkQLyMesv; Sun, 18 Dec 2011 19:04:17 +0000 (GMT) Received: from [10.87.48.8] (unknown [86.41.5.127]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 50DE3171C68; Sun, 18 Dec 2011 19:04:17 +0000 (GMT) Message-ID: <4EEE3931.3080704@cs.tcd.ie> Date: Sun, 18 Dec 2011 19:04:17 +0000 From: Stephen Farrell User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Barry Leiba References: <4ED82D62.3070800@cs.tcd.ie> <4ED89384.9060603@cs.tcd.ie> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: oauth WG Subject: Re: [OAUTH-WG] Mandatory-to-implement token type X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Dec 2011 19:04:20 -0000 On 12/18/2011 07:00 PM, Barry Leiba wrote: > Closing out this issue: > >> 7.2 Access Token Implementation Considerations >> >> Access token types have to be mutually understood among the >> authorization server, the resource server, and the client -- the >> access token issues the token, the resource server validates it, and >> the client is required to understand the type, as noted in section >> 7.1, above. Because of that, interoperability of program code >> developed separately depends upon the token types that are supported >> in the code. >> >> Toolkits that are intended for general use (for building other clients >> and/or servers), therefore, SHOULD implement as many token types as >> practical, to ensure that programs developed with those toolkits are >> able to use the token types they need. In particular, all general-use >> toolkits MUST implement bearer tokens [...ref...] and MAC tokens >> [...ref...]. >> >> Purpose-built code, built without such toolkits, has somewhat more >> flexibility, as its developers know the specific environment they're >> developing for. There's clearly little point to including code to >> support a particular token type when it's known in advance that the >> type in question will never be used in the intended deployment. >> Developers of purpose-built code are encouraged to consider future >> extensions and to plan ahead for changes in circumstances, and might >> still want to include support for multiple token types. That said, >> the choice of token-type support for such purpose-built code is left >> to the developers and their specific requirements. > > We do NOT have consensus to use that text, nor any other. As I see > it, the STRONG consensus of the working group is not to make any > change with regard to text about which tokens to use or how to > authenticate the client. This issue is closed, and Stephen > reluctantly accepts that he's in the rough on this issue... but leaves > us with the warning that he expects other ADs, on their own, to raise > this issue during IESG evaluation. That might result in DISCUSS > positions that we have to address at that time. Just to confirm that the above is the case. IMO I'm still right and the WG are still wrong:-) But let's see if we can make progress in any case. S > > Eran, I think this gets us done with the base-doc issues, and we > should be ready for you to prepare a final version that can go into > IETF last call (unless you're aware of anything I've missed). > > Barry > From internet-drafts@ietf.org Sun Dec 18 12:43:57 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A050221F8906; Sun, 18 Dec 2011 12:43:57 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.582 X-Spam-Level: X-Spam-Status: No, score=-102.582 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ca8uAKo4ET9c; Sun, 18 Dec 2011 12:43:57 -0800 (PST) Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3B7F21F88B7; Sun, 18 Dec 2011 12:43:56 -0800 (PST) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 3.64p1 Message-ID: <20111218204356.32122.61643.idtracker@ietfa.amsl.com> Date: Sun, 18 Dec 2011 12:43:56 -0800 Cc: oauth@ietf.org Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-15.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Dec 2011 20:43:57 -0000 A New Internet-Draft is available from the on-line Internet-Drafts director= ies. This draft is a work item of the Web Authorization Protocol Working Gr= oup of the IETF. Title : The OAuth 2.0 Authorization Protocol: Bearer Tokens Author(s) : Michael B. Jones Dick Hardt David Recordon Filename : draft-ietf-oauth-v2-bearer-15.txt Pages : 22 Date : 2011-12-18 This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-15.txt Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ This Internet-Draft can be retrieved at: ftp://ftp.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-15.txt From Michael.Jones@microsoft.com Sun Dec 18 13:15:37 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 024E421F8ACE for ; Sun, 18 Dec 2011 13:15:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7HaMp5Wz1EVU for ; Sun, 18 Dec 2011 13:15:36 -0800 (PST) Received: from DB3EHSOBE006.bigfish.com (db3ehsobe006.messaging.microsoft.com [213.199.154.144]) by ietfa.amsl.com (Postfix) with ESMTP id 97E0921F8ACC for ; Sun, 18 Dec 2011 13:15:35 -0800 (PST) Received: from mail52-db3-R.bigfish.com (10.3.81.240) by DB3EHSOBE006.bigfish.com (10.3.84.26) with Microsoft SMTP Server id 14.1.225.23; Sun, 18 Dec 2011 21:15:29 +0000 Received: from mail52-db3 (localhost [127.0.0.1]) by mail52-db3-R.bigfish.com (Postfix) with ESMTP id 692B42400DB for ; Sun, 18 Dec 2011 21:15:49 +0000 (UTC) X-SpamScore: -12 X-BigFish: VS-12(zzc85fhzz1202hzz1033IL8275eh8275bh8275dh3284oa1495iz2fh2a8h668h839h) X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC101.redmond.corp.microsoft.com; RD:none; EFVD:NLI Received-SPF: pass (mail52-db3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC101.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail52-db3 (localhost.localdomain [127.0.0.1]) by mail52-db3 (MessageSwitch) id 1324242949265669_4665; Sun, 18 Dec 2011 21:15:49 +0000 (UTC) Received: from DB3EHSMHS010.bigfish.com (unknown [10.3.81.254]) by mail52-db3.bigfish.com (Postfix) with ESMTP id 3DB95440043 for ; Sun, 18 Dec 2011 21:15:49 +0000 (UTC) Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.8) by DB3EHSMHS010.bigfish.com (10.3.87.110) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sun, 18 Dec 2011 21:15:28 +0000 Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.146]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.02.0247.005; Sun, 18 Dec 2011 13:15:31 -0800 From: Mike Jones To: "oauth@ietf.org" Thread-Topic: OAuth 2.0 Bearer Token Specification Draft -15 Thread-Index: Acy9yi1PBMCPF6ETQrSejghO6uByAg== Date: Sun, 18 Dec 2011 21:15:30 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435F76B808@TK5EX14MBXC284.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.34] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435F76B808TK5EX14MBXC284r_" MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Subject: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -15 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Dec 2011 21:15:37 -0000 --_000_4E1F6AAD24975D4BA5B16804296739435F76B808TK5EX14MBXC284r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Draft 15 of the OAuth 2.0 Bearer Token Specification has been published. It contains th= e following changes: * Clarified that form-encoded content must consist entirely of ASCII= characters. * Added TLS version requirements. * Applied editorial improvements suggested by Mark Nottingham during= the APPS area review. The draft is available at: * http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15 A HTML-formatted version is available at: * http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-15.html -- Mike --_000_4E1F6AAD24975D4BA5B16804296739435F76B808TK5EX14MBXC284r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Draft 15 of the OAuth 2.0 Bearer Token Specification has been published.  It conta= ins the following changes:

·    &= nbsp;   Clarifi= ed that form-encoded content must consist entirely of ASCII characters.

·    &= nbsp;   Added T= LS version requirements.

·    &= nbsp;   Applied= editorial improvements suggested by Mark Nottingham during the APPS area r= eview.

 

The draft is available at:

·        http://tools.ietf.org/html/draft-ietf-oauth-v2-bea= rer-15

A HTML-formatted version is available at:=

·        http://self-issued.info/docs/draft-ietf-oau= th-v2-bearer-15.html

 

        &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p; -- Mike

 

--_000_4E1F6AAD24975D4BA5B16804296739435F76B808TK5EX14MBXC284r_-- From Michael.Jones@microsoft.com Sun Dec 18 17:01:05 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39A5121F8AA9 for ; Sun, 18 Dec 2011 17:01:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.298 X-Spam-Level: X-Spam-Status: No, score=-2.298 tagged_above=-999 required=5 tests=[AWL=-1.299, BAYES_50=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lcjR82XndJrs for ; Sun, 18 Dec 2011 17:01:03 -0800 (PST) Received: from AM1EHSOBE005.bigfish.com (am1ehsobe005.messaging.microsoft.com [213.199.154.208]) by ietfa.amsl.com (Postfix) with ESMTP id 1B58B21F8A71 for ; Sun, 18 Dec 2011 17:01:02 -0800 (PST) Received: from mail76-am1-R.bigfish.com (10.3.201.254) by AM1EHSOBE005.bigfish.com (10.3.204.25) with Microsoft SMTP Server id 14.1.225.23; Mon, 19 Dec 2011 01:00:56 +0000 Received: from mail76-am1 (localhost [127.0.0.1]) by mail76-am1-R.bigfish.com (Postfix) with ESMTP id 9B64C500080; Sat, 12 May 2012 01:01:19 +0000 (UTC) X-SpamScore: -33 X-BigFish: VS-33(zzbb2dI9371I1447M542M1432N98dKzz1202hzz8275ch1033IL8275dhz2fh2a8h668h839h944h286p) X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC101.redmond.corp.microsoft.com; RD:none; EFVD:NLI X-FB-SS: 13, Received-SPF: pass (mail76-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC101.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail76-am1 (localhost.localdomain [127.0.0.1]) by mail76-am1 (MessageSwitch) id 1336784479213979_24934; Sat, 12 May 2012 01:01:19 +0000 (UTC) Received: from AM1EHSMHS019.bigfish.com (unknown [10.3.201.254]) by mail76-am1.bigfish.com (Postfix) with ESMTP id 24CF4480048; Sat, 12 May 2012 01:01:19 +0000 (UTC) Received: from TK5EX14MLTC101.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS019.bigfish.com (10.3.206.22) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 19 Dec 2011 01:00:55 +0000 Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.84]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.178]) with mapi id 14.02.0247.005; Sun, 18 Dec 2011 17:00:58 -0800 From: Mike Jones To: Mark Nottingham Thread-Topic: OK to post OAuth Bearer draft 15? Thread-Index: Acy6zxL5vGVpwSHMTIKvMNNyq2nAEgARlkuAAK9WC5A= Date: Mon, 19 Dec 2011 01:00:57 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435F772D1D@TK5EX14MBXC283.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.37] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Cc: Barry Leiba , OAuth WG Subject: Re: [OAUTH-WG] OK to post OAuth Bearer draft 15? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 01:01:05 -0000 Thanks for your comments, Mark. Here are my thoughts on the issues that yo= u see as being outstanding. I'd also welcome additional input from the wor= king group on these topics: ON THE URI QUERY PARAMETER METHOD: It seems like your objection to this is based on it using a standard query = parameter name. It therefore seems like there are four possible resolution= s to this issue: 1. Delete the query parameter method, as you suggested in your initial com= ments. Given that I know this method is in widespread use in certain conte= xts, I doubt that there would be working group consensus for this resolutio= n. 2. Use a method for discovering the query parameter name. It's my underst= anding that discovery work is presently out of scope for the OAuth working = group as currently chartered. The chairs and area directors could obviousl= y change this, but it's my sense that developing a discovery spec for this = purpose would delay the approval of this spec by a significant period of ti= me. I also question whether working group consensus could be developed for= this resolution. 3. Change the normative requirement for using the name access_token to a r= ecommendation. Specifically, we could change the text "When sending the ac= cess token in the HTTP request URI, the client adds the access token to the= request URI query component ... using the 'access_token' parameter" to "Wh= en sending the access token in the HTTP request URI, the client adds the ac= cess token to the request URI query component ... using a query parameter. = It is RECOMMENDED that the query parameter name 'access_token' be used". = (If we change this to RECOMMENDED, I suspect we'd also do the same for the = name of the form-encoded body parameter.) This would seem to resolve your = core objection, while still providing clear guidance to aid interoperabilit= y. What would people think of this? 4. Leave the specification as-is. I'd like to hear working group opinions on which of these potential resolut= ions members support. ON THE WWW-AUTHENTICATE RESPONSE HEADER FIELD: =20 See the follow-up discussion with Julian. ON THE REALM AND SCOPE DEFINITIONS: You wrote "That's not a great story for interop. How are people actually su= pposed to use them? Can you at least give an example?" I agree with you th= at that's not a great story for interop but it's also the current reality o= f OAuth usage. Indeed, I know that different deployments use them in diffe= rent ways for different things. There's a bunch of information that curren= tly needs to be exchanged in a manner not covered by the specifications to = use OAuth between parties. Among other things, this includes the endpoint = addresses, the ways that realm and scope are used, and (when not opaque) th= e format of the access token. (Profiles of OAuth such as OpenID Connect address this by providing specifi= c guidance, but that guidance, I believe, is too specific to add to the OAu= th specs themselves.) Given that both scope and realm are used in practice in different ways by d= ifferent deployments, I don't see a clear resolution to this issue other th= an to leave the spec as-is. I'd welcome specific alternative wording propo= sals, however. ON SPECIFYING ONLY A QUOTED-STRING SERIALIZATION: I understand and agree with your desire to promote code reuse. You cite HT= TPbis P7 2.3.1 to support adding a requirement for supporting token seriali= zation in addition to quoted-string serialization for all parameters. I be= lieve that the relevant text there is: When the auth-param syntax is used, all parameters ought to support both token and quoted-string syntax, and syntactical constraints ought to be defined on the field value after parsing (i.e., quoted-string processing). This is necessary so that recipients can use a generic parser that applies to all authentication schemes. Note: the fact that the value syntax for the "realm" parameter is restricted to quoted-string was a bad design choice not to be repeated for new parameters. First, it's my understanding that this text was added between -16 and -17 e= xplicitly to try to force a change the definitions used in the Bearer spec.= While this seems heavy-handed, be that as it may. Assuming the specific= ation remains as-is, I think there are two code reusability cases to consid= er: Recipient Case: Recipients are able to use code capable of parsing both to= ken and quoted-string syntax to parse fields that may only contain quoted s= tring syntax. Thus, the rationale for this requirement given in P7 is actu= ally incorrect; recipients *can* use a generic parser that applies to all a= uthentication schemes. (Perhaps P7 should be corrected?) There is no code= -reuse problem for recipients. Producer Case: I will grant that it is possible for generic parameter prod= ucer code to exist that does not give the caller control over how the param= eter is serialized. If such code is used, it would be possible for a param= eter value such as "xyz" to be erroneously serialized as xyz, thus creating= an interoperability problem. Note however, that serialization of the HTTP= -defined realm parameter MUST occur using quoted-string serialization. Thu= s, in practice, it would seem that generic frameworks still need to enable = callers to control the serialization formats of specific parameters. Hence= , I doubt that this problem-in-theory is actually a problem-in-practice. I= 'd be interested in data points from the working group about whether HTTP f= rameworks they use would have his problem in practice or not. It seems that there are two possible resolutions to this issue: 1. Change the spec to allow both quoted-string and token serialization for= these parameters. 2. Leave the specification as-is. I'd like to hear working group opinions on which of these potential resolut= ions members support. ON SUITABILITY AS A PROXY AUTHENTICATION SCHEME: Could someone who is a member of ietf-http-wg@w3.org volunteer to ask that = list whether they would like to make any review comments on http://tools.ie= tf.org/html/draft-ietf-oauth-v2-bearer-15 as to its suitability for use as = a proxy authentication scheme (and to cc: me when you ask the question)? I= 'm not a member of this list. Thanks all, -- Mike -----Original Message----- From: Mark Nottingham [mailto:mnot@mnot.net]=20 Sent: Wednesday, December 14, 2011 6:37 PM To: Mike Jones Cc: Stephen Farrell; Hannes Tschofenig; Peter Saint-Andre; Barry Leiba; OAu= th WG Subject: Re: OK to post OAuth Bearer draft 15? Hi Mike - It's not my function to object (or not) to the publication of the draft; I = merely provided the APPS review, which will be considered by the responsibl= e AD (like all other Last Call comments), and potentially the IESG. If you're asking whether my concerns have been addressed, see some specific= s below. Regards, On 15/12/2011, at 1:13 PM, Mike Jones wrote: > Mark, Stephen, Hannes, and Barry, > =20 > Any objections to posting the updated Bearer draft incorporating the resu= lts of the APPS Area review and the TLS requirements? > =20 > -- Mike > =20 > From: Mike Jones=20 > Sent: Monday, December 12, 2011 8:51 AM > To: Mark Nottingham; 'Stephen Farrell'; oauth@ietf.org > Subject: RE: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf= -oauth-v2-bearer-14 > =20 > Thanks for the detailed review, Mark. > =20 > Preliminary draft 15 of the OAuth Bearer specification is attached. It r= esolves the form encoding issues raised by Julian Reschke in the manner dis= cussed at the working group meeting in Taipei, incorporates the consensus t= ext on TLS version requirements, and contains several improvements suggeste= d by Mark Nottingham during APPS area review. > =20 > Mark, comments on all your proposed changes follow below: > =20 >> * Section 2.3 URI Query Parameter >> =20 >> This section effectively reserves a URI query parameter for the draft's = use. This should not be done lightly, since this would be a precedent for t= he IETF encroaching upon a server's URIs (done previously in RFC5785, but i= n a much more limited fashion, as a tactic to prevent further, uncontrolled= encroachment). >> =20 >> Given that the draft already discourages the use of this mechanism, I'd = recommend dropping it altogether. If the Working Group wishes it to remain,= this issues should be vetted both through the APPS area and the W3C liaiso= n. >> =20 >> (The same criticism could be leveled at Section 2.2 Form-Encoded Body Pa= rameter, but that at least isn't surfaced in an identifier) >> =20 > There are some contexts, especially limited browsers and/or development e= nvironments What does "developmental environments" mean here? > , where query parameters are usable but the other methods are not. Thus,= the query parameter method must be retained. Also, Justin Richter's comme= nts describing the value to him of the query parameter method are pertinent= : "A URL with all parameters including authorization is a powerful artifac= t which can be passed around between systems as a unit". > =20 > As to using a standard parameter name, this is essential for interoperabi= lity. I find it hard to believe that you could not find or design a mechanism to = discover a URI. > It is not "reserved" in any contexts other than when the Bearer spec is e= mployed, which is a voluntary act by both parties. Thus, this poses no und= ue burdens or namespace restrictions on implementations in practice. > =20 > Finally, you'll find that OAuth 1.0 [RFC 5849] similarly defined, not one= , but two standard query parameter values: oauth_token and oauth_verifier.= As this didn't cause any problems in practice then, I'm sure that definin= g an access_token parameter within the Bearer spec for interoperability pur= poses won't cause a problem either. The fact that a non-standards-track document did something that's potential= ly harmful doesn't make it OK. Saying that problems won't occur based upon = such short-term implementation experience with this type of issue is ludicr= ous; the nature of the issue is long-term encroachment and setting preceden= t. >> * Section 3 The WWW-Authenticate Response Header Field >> =20 >> The draft references the quoted-string ABNF from HTTP, but changes its p= rocessing in a later paragraph: >> =20 >> """In all these cases, no character quoting will occur, as senders are p= rohibited from using the %5C ('\') character.""" >> =20 >> This is at best surprising (as many readers will reasonably surmise that= using the quoted-string ABNF implies that the same code can be used). >> Please either use quoted-string as defined (i.e., with escaping). >> =20 > This parameter definition was a result of significant working group discu= ssion and reflects a solid consensus position. Using the quoted string BNF= makes it clear, per Julian Reschke's suggestions, that generic parameter p= arsing code can be safely used. Whereas prohibiting the use of backslash q= uoting by senders also makes it clear that custom implementations can direc= tly utilize the parameter values as transmitted without performing any quot= e processing. > =20 > In short, the spec doesn't change the processing of quoted strings. It s= imply restricts the set of legal input characters within the quoted strings= . See follow-up discussion with Julian. >> * Section 3 The WWW-Authenticate Response Header Field >> =20 >> The difference between a realm and a scope is not explained. Are the fun= ctionally equivalent, just a single value vs. a list? >> =20 > Realm is as defined by HTTPbis. It says that "The realm value is a strin= g, generally assigned by the origin server, which can have additional seman= tics specific to the authentication scheme." Yes... > The Bearer specification intentionally adds no extra semantics to the rea= lm definition. Whereas the scope parameter is defined as an order-independ= ent space-separated list of scope values. The contextual meaning of both t= he realm and scope parameters is deployment-dependent. That's not a great story for interop. How are people actually supposed to u= se them? Can you at least give an example? >> Do you really intend to disallow *all* extension parameters on the chal= lenge? > =20 > Yes. There was an explicit working group consensus decision to do so. It would be good to note this. >> Also, the scope, error, error_description and error_uri parameters all s= pecify only a quoted-string serialisation. HTTPbis strongly suggests that n= ew schemes allow both forms, because implementation experience has shown th= at implementations will likely support both, no matter how defined; this im= proves interoperability (see p7 2.3.1). > =20 > Once again, the current text reflects a consensus decision of the working= group. It was viewed that requiring support for multiple ways of doing th= e same thing unnecessarily complicated implementations without any compensa= ting benefit; better to support one syntax for each semantic operation and = require all implementations to use it. And I'm sure you're aware that the goal of this text in HTTPbis is to encou= rage reuse of code, rather than having multiple implementations of slightly= different things. This is doubly true when you're not actually defining th= e syntax, but instead reusing syntax from elsewhere (HTTP), which already h= as parsers and generators implemented.=20 >> * General >> =20 >> The draft currently doesn't mention whether Bearer is suitable for use a= s a proxy authentication scheme. I suspect it *may*; it would be worth disc= ussing this with some proxy implementers to gauge their interest (e.g., Squ= id). >> =20 > Who would you recommend review the draft from this perspective? The easiest way would be to ask on the ietf-http-wg@w3.org mailing list; th= ere are several intermediary implementers active there. Regards, -- Mark Nottingham http://www.mnot.net/ From Michael.Jones@microsoft.com Sun Dec 18 17:01:12 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8806821F8B28 for ; Sun, 18 Dec 2011 17:01:12 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.949 X-Spam-Level: X-Spam-Status: No, score=-2.949 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8iqWhofGAR0j for ; Sun, 18 Dec 2011 17:01:11 -0800 (PST) Received: from AM1EHSOBE002.bigfish.com (am1ehsobe002.messaging.microsoft.com [213.199.154.205]) by ietfa.amsl.com (Postfix) with ESMTP id B30EA21F8B23 for ; Sun, 18 Dec 2011 17:01:10 -0800 (PST) Received: from mail62-am1-R.bigfish.com (10.3.201.247) by AM1EHSOBE002.bigfish.com (10.3.204.22) with Microsoft SMTP Server id 14.1.225.23; Mon, 19 Dec 2011 01:01:04 +0000 Received: from mail62-am1 (localhost [127.0.0.1]) by mail62-am1-R.bigfish.com (Postfix) with ESMTP id BD9211C00D0; Mon, 19 Dec 2011 01:01:22 +0000 (UTC) X-SpamScore: -43 X-BigFish: VS-43(zz9371I936eK542M1432N1418M98dKzz1202hzz1033IL8275dhz2fh2a8h668h839h944h) X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI Received-SPF: pass (mail62-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC102.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail62-am1 (localhost.localdomain [127.0.0.1]) by mail62-am1 (MessageSwitch) id 1324256482592092_30403; Mon, 19 Dec 2011 01:01:22 +0000 (UTC) Received: from AM1EHSMHS010.bigfish.com (unknown [10.3.201.248]) by mail62-am1.bigfish.com (Postfix) with ESMTP id 8D2334C0043; Mon, 19 Dec 2011 01:01:22 +0000 (UTC) Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS010.bigfish.com (10.3.207.110) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 19 Dec 2011 01:01:04 +0000 Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.84]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.02.0247.005; Sun, 18 Dec 2011 17:01:07 -0800 From: Mike Jones To: Julian Reschke Thread-Topic: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14 Thread-Index: Acy47iNp13oTBlqgSku13D4DVT123QARXncAABBmrxD//4ZMAP/2vuaA Date: Mon, 19 Dec 2011 01:01:07 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739435F773D24@TK5EX14MBXC283.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739435F75F103@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EE634DE.4000902@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F75F275@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EE63CD8.60704@gmx.de> In-Reply-To: <4EE63CD8.60704@gmx.de> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.37] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Cc: Mark Nottingham , "oauth@ietf.org" Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 01:01:12 -0000 Hi Julian, I'm glad to hear that you're not disagreeing with the decision to disallow = '\' in certain parameter values. I think that knowing that brings us much = closer to resolution on this issue. I'm puzzled by your statement "What I'm disagreeing with is writing the ABN= F in a way that will make it likely for implementers to special-case OAuth = parameters when they should not", however. At your suggestion, we changed = the ABNF to use the standard HTTPbis quoted-string element (and to stop usi= ng a special-case ABNFs for these parameters). Indeed, in this way, the cu= rrent definition makes it clear that no special-case parameter processing i= s needed (unlike the previous definitions). Likewise, I'm puzzled by this related statement of yours: "The syntax of W= WW-Authenticate is defined by HTTP. You *can* profile what senders can put = into OAuth-specific parameters, but profiling what consumers need to parse = is dangerous. Don't. Just use the generic grammar." The reason this puzzle= s me is that I can find no text in the draft profiling what consumers need = to parse. And indeed, the spec *does* use the generic grammar. The only s= tatements restricting the contents of these fields profile what *producers*= may put in them. These statements are: "Producers of scope strings MUST NOT use characters outside the set %x21 / = %x23-5B / %x5D-7E for representing the scope values and %x20 for the delimi= ter. Producers of error and error_description strings MUST NOT use characte= rs outside the set %x20-21 / %x23-5B / %x5D-7E for representing these value= s. Producers of error-uri strings MUST NOT use characters outside the set %= x21 / %x23-5B / %x5D-7E for representing these values. Furthermore, error-u= ri strings MUST conform to the URI-Reference syntax. In all these cases, no= character quoting will occur, as senders are prohibited from using the %5C= ('\') character." I'm guessing that you're objecting to the last sentence above about no char= acter quoting occurring. As I see it, that sentence in no way profiles wha= t consumers need to parse; it is making an observation that directly follow= s from the restrictions upon producers made in the other sentences of the p= aragraph. If that is the text that you are objecting to, I can see two potential reso= lutions to this issue: 1. Remove the sentence making the observation that no character quoting wi= ll occur. This would be less clear for developers but doing so would not c= hange the meaning of the specification. 2. Leave the specification as-is. Since the specification *is* now using = the generic grammar (the quoted-string ABNF element), I'm hoping that you w= ill respond agreeing that no problem remains, thus closing this issue. If you still disagree with (2), Julian, then I'd like to hear working group= opinions on which of these potential resolutions members support. Thanks all, -- Mike -----Original Message----- From: Julian Reschke [mailto:julian.reschke@gmx.de]=20 Sent: Monday, December 12, 2011 9:42 AM To: Mike Jones Cc: Mark Nottingham; Stephen Farrell; oauth@ietf.org Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-o= auth-v2-bearer-14 On 2011-12-12 18:28, Mike Jones wrote: > Julian, you should reread the (substantial) mailing list threads on this = topic. As an example demonstrating the consensus, I've attached a pair of = messages from a thread on this topic in which several people supported the = input restriction to preclude character quoting. > > For instance, in this thread Eran Hammer-Lahav wrote: "All I agree with = is to limit the scope character-set in the v2 spec to the subset of ASCII a= llowed in HTTP header quoted-string, excluding " and \ so no escaping is ne= eded, ever." > > You'll also find that all of these people then explicitly agreed with thi= s restriction: > John Bradley > William Mills > Phil Hunt > Mike Jones > > I believe that there were others as well. Therefore, it is inaccurate to= characterize this consensus decision as "essentially, the two of us disagr= eed". Mike, I'm not disagreeing with the decision not to allow "\" in the value.=20 What I'm disagreeing with is writing the ABNF in a way that will make it li= kely for implementers to special-case OAuth parameters when they should not= . The syntax of WWW-Authenticate is defined by HTTP. You *can* profile what s= enders can put into OAuth-specific parameters, but profiling what consumers= need to parse is dangerous. Don't. Just use the generic grammar. Best regards, Julian From julian.reschke@gmx.de Mon Dec 19 01:04:20 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0330321F8AA9 for ; Mon, 19 Dec 2011 01:04:20 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -106.066 X-Spam-Level: X-Spam-Status: No, score=-106.066 tagged_above=-999 required=5 tests=[AWL=-3.467, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GmPLNVkGlyR8 for ; Mon, 19 Dec 2011 01:04:19 -0800 (PST) Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id F3F7121F8A7E for ; Mon, 19 Dec 2011 01:04:18 -0800 (PST) Received: (qmail invoked by alias); 19 Dec 2011 09:04:17 -0000 Received: from p3EE2691F.dip.t-dialin.net (EHLO [192.168.178.36]) [62.226.105.31] by mail.gmx.net (mp022) with SMTP; 19 Dec 2011 10:04:17 +0100 X-Authenticated: #1915285 X-Provags-ID: V01U2FsdGVkX1/f6hV15EXfht4WzYNC0xz+OSWjphnx5KfepdvRsF +DCZOOnDOKWKrg Message-ID: <4EEEFE0A.5020003@gmx.de> Date: Mon, 19 Dec 2011 10:04:10 +0100 From: Julian Reschke User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Mike Jones References: <4E1F6AAD24975D4BA5B16804296739435F75F103@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EE634DE.4000902@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F75F275@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EE63CD8.60704@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F773D24@TK5EX14MBXC283.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F773D24@TK5EX14MBXC283.redmond.corp.microsoft.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 Cc: Mark Nottingham , "oauth@ietf.org" Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 09:04:20 -0000 On 2011-12-19 02:01, Mike Jones wrote: > Hi Julian, > > I'm glad to hear that you're not disagreeing with the decision to disallow '\' in certain parameter values. I think that knowing that brings us much closer to resolution on this issue. I think you misunderstood me. I was referring to the value *after* parsing. > I'm puzzled by your statement "What I'm disagreeing with is writing the ABNF in a way that will make it likely for implementers to special-case OAuth parameters when they should not", however. At your suggestion, we changed the ABNF to use the standard HTTPbis quoted-string element (and to stop using a special-case ABNFs for these parameters). Indeed, in this way, the current definition makes it clear that no special-case parameter processing is needed (unlike the previous definitions). The grammar should allow both token and quoted-string. Actually, it shouldn't be there at all, as the header field, including it's ABNF, is defined in HTTPbis P7. > Likewise, I'm puzzled by this related statement of yours: "The syntax of WWW-Authenticate is defined by HTTP. You *can* profile what senders can put into OAuth-specific parameters, but profiling what consumers need to parse is dangerous. Don't. Just use the generic grammar." The reason this puzzles me is that I can find no text in the draft profiling what consumers need to parse. And indeed, the spec *does* use the generic grammar. The only statements restricting the contents of these fields profile what *producers* may put in them. These statements are: No, see above. The grammar you specified profiles what HTTPbis P7 (and RFC2616/7) allow. > "Producers of scope strings MUST NOT use characters outside the set %x21 / %x23-5B / %x5D-7E for representing the scope values and %x20 for the delimiter. Producers of error and error_description strings MUST NOT use characters outside the set %x20-21 / %x23-5B / %x5D-7E for representing these values. Producers of error-uri strings MUST NOT use characters outside the set %x21 / %x23-5B / %x5D-7E for representing these values. Furthermore, error-uri strings MUST conform to the URI-Reference syntax. In all these cases, no character quoting will occur, as senders are prohibited from using the %5C ('\') character." > > I'm guessing that you're objecting to the last sentence above about no character quoting occurring. As I see it, that sentence in no way profiles what consumers need to parse; it is making an observation that directly follows from the restrictions upon producers made in the other sentences of the paragraph. > > If that is the text that you are objecting to, I can see two potential resolutions to this issue: > > 1. Remove the sentence making the observation that no character quoting will occur. This would be less clear for developers but doing so would not change the meaning of the specification. > > 2. Leave the specification as-is. Since the specification *is* now using the generic grammar (the quoted-string ABNF element), I'm hoping that you will respond agreeing that no problem remains, thus closing this issue. > > If you still disagree with (2), Julian, then I'd like to hear working group opinions on which of these potential resolutions members support. I already disagreed with (2), and I gave my reason in the very mail you're replying to: "The syntax of WWW-Authenticate is defined by HTTP. You *can* profile what senders can put into OAuth-specific parameters, but profiling what consumers need to parse is dangerous. Don't. Just use the generic grammar." Best regards, Julian From julian.reschke@gmx.de Mon Dec 19 02:37:46 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EBAB21F8B50 for ; Mon, 19 Dec 2011 02:37:46 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -105.199 X-Spam-Level: X-Spam-Status: No, score=-105.199 tagged_above=-999 required=5 tests=[AWL=-2.600, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lf8A4bJRyGWL for ; Mon, 19 Dec 2011 02:37:45 -0800 (PST) Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id BD42421F8B46 for ; Mon, 19 Dec 2011 02:37:44 -0800 (PST) Received: (qmail invoked by alias); 19 Dec 2011 10:37:43 -0000 Received: from p3EE2691F.dip.t-dialin.net (EHLO [192.168.178.36]) [62.226.105.31] by mail.gmx.net (mp056) with SMTP; 19 Dec 2011 11:37:43 +0100 X-Authenticated: #1915285 X-Provags-ID: V01U2FsdGVkX19R7Kg+gqlRSHQUdXUr5pZmkB8yhVN4PxnzUWxXpd J5mpzp1Sf4emYc Message-ID: <4EEF13F1.7030409@gmx.de> Date: Mon, 19 Dec 2011 11:37:37 +0100 From: Julian Reschke User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Mike Jones References: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739435F772D1D@TK5EX14MBXC283.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F772D1D@TK5EX14MBXC283.redmond.corp.microsoft.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 Cc: Mark Nottingham , Barry Leiba , OAuth WG Subject: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 10:37:46 -0000 On 2011-12-19 02:00, Mike Jones wrote: > ... > ON SPECIFYING ONLY A QUOTED-STRING SERIALIZATION: > > I understand and agree with your desire to promote code reuse. You cite HTTPbis P7 2.3.1 to support adding a requirement for supporting token serialization in addition to quoted-string serialization for all parameters. I believe that the relevant text there is: > When the auth-param syntax is used, all parameters ought > to support both token and quoted-string syntax, and syntactical > constraints ought to be defined on the field value after parsing > (i.e., quoted-string processing). This is necessary so that > recipients can use a generic parser that applies to all > authentication schemes. > > Note: the fact that the value syntax for the "realm" parameter is > restricted to quoted-string was a bad design choice not to be > repeated for new parameters. > > First, it's my understanding that this text was added between -16 and -17 explicitly to try to force a change the definitions used in the Bearer spec. While this seems heavy-handed, be that as it may. Assuming the specification remains as-is, I think there are two code reusability cases to consider: > ... The text change was caused by both the early interactions with OAuth (mainly thanks to James), and the fact that we see that was defined for Realm isn't implemented in practice (). (Note: we had a working feedback loop between WG's here; that's a feature) If you disagree with what HTTPbis P7 now says than you really really ought to come over to the HTTPbis WG's mailing list (*) and argue your point. (*) Similarly to how I'm arguing my point over here. > Recipient Case: Recipients are able to use code capable of parsing both token and quoted-string syntax to parse fields that may only contain quoted string syntax. Thus, the rationale for this requirement given in P7 is actually incorrect; recipients *can* use a generic parser that applies to all authentication schemes. (Perhaps P7 should be corrected?) There is no code-reuse problem for recipients. Yes, there is. As the test case above shows, all UA recipients accept both forms; none of them rejects the token syntax. This is a problem as people frequently do not code against specs but just do "what works". I'm pretty sure that changing a UA's behavior here would cause breakage in practice. > Producer Case: I will grant that it is possible for generic parameter producer code to exist that does not give the caller control over how the parameter is serialized. If such code is used, it would be possible for a parameter value such as "xyz" to be erroneously serialized as xyz, thus creating an interoperability problem. Note however, that serialization of the HTTP-defined realm parameter MUST occur using quoted-string serialization. Thus, in practice, it would seem that generic frameworks still need to enable callers to control the serialization formats of specific parameters. Hence, I doubt that this problem-in-theory is actually a problem-in-practice. I'd be interested in data points from the working group about whether HTTP frameworks they use would have his problem in practice or not. > > It seems that there are two possible resolutions to this issue: > > 1. Change the spec to allow both quoted-string and token serialization for these parameters. > > 2. Leave the specification as-is. > ... 3. Do not specify the ABNF. The ABNF of the WWW-Authenticate is defined in HTTPbis. Just state the names of the parameters, their syntax *after* parsing and their semantics. Best regards, Julian From paul.madsen@gmail.com Mon Dec 19 04:19:20 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C84221F8B52 for ; Mon, 19 Dec 2011 04:19:20 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRlCLZeNl7o0 for ; Mon, 19 Dec 2011 04:19:19 -0800 (PST) Received: from mail-qw0-f51.google.com (mail-qw0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id 98B2621F8B46 for ; Mon, 19 Dec 2011 04:19:19 -0800 (PST) Received: by qadz3 with SMTP id z3so3378648qad.10 for ; Mon, 19 Dec 2011 04:19:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :content-type; bh=+OM/y8+ng3Sb0pYj+Emc9vZe/UKhtlTQ+YhvC+SUNOs=; b=Ly+xkaEG6N/4vqilAa45Zc7ijTUAQp0eRpxIZZp/DC87vFzyXhx+4YvL8C6R+7Yv2O BixaZobTGLnJOKgnH/4b45RcS7zaCoX88AJVbCszyBhzeIE0UlFwClFSTKXuBchQKLXV f3sMVdmEPNGX4ekw7O9TD/GG6aapMoTcn8Zig= Received: by 10.224.110.210 with SMTP id o18mr24433449qap.72.1324297159088; Mon, 19 Dec 2011 04:19:19 -0800 (PST) Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.168.159]) by mx.google.com with ESMTPS id ih18sm35793863qab.8.2011.12.19.04.19.17 (version=SSLv3 cipher=OTHER); Mon, 19 Dec 2011 04:19:17 -0800 (PST) Message-ID: <4EEF2BC4.7020409@gmail.com> Date: Mon, 19 Dec 2011 07:19:16 -0500 From: Paul Madsen User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: oauth@ietf.org Content-Type: multipart/alternative; boundary="------------000105020909020200080202" Subject: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 12:19:20 -0000 This is a multi-part message in MIME format. --------------000105020909020200080202 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case) We want to support both server & native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2. OAuth 2 distinguishes confidential & public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't. Notwithstanding the above definition, the spec gives a degree of discretion to the AS The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. Give this discretion, is itpractical for the OMAP spec to stipulate that 'All Clients (both server & native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate? Is this consistent with the OAuth definition of confidentiality? Thanks Paul --------------000105020909020200080202 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case)

We want to support both server & native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2.

OAuth 2 distinguishes confidential & public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't.

Notwithstanding the above definition, the spec gives a degree of discretion to the AS

 
   The client type designation is based on the authorization server's
   definition of secure authentication and its acceptable exposure
   levels of client credentials.
Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server & native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate?

Is this consistent with the OAuth definition of confidentiality?

Thanks

Paul









 --------------000105020909020200080202-- From alexey.skolyarov@dins.ru Mon Dec 19 04:41:30 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D984221F8B68 for ; Mon, 19 Dec 2011 04:41:29 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.472 X-Spam-Level: * X-Spam-Status: No, score=1.472 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZYHOSD+2UBbt for ; Mon, 19 Dec 2011 04:41:29 -0800 (PST) Received: from smtp01.dins.ru (smtp01.dins.ru [193.104.181.104]) by ietfa.amsl.com (Postfix) with ESMTP id 7A4FE21F8B67 for ; Mon, 19 Dec 2011 04:41:28 -0800 (PST) Received: from mail01.dins.ru (ru-led-qatas01ac.dins.ru [192.168.12.108]) by smtp01.dins.ru (Postfix) with ESMTP id 0443ADB49D9 for ; Mon, 19 Dec 2011 15:41:25 +0300 (MSK) Received: from MS2.corp.dins.ru ([fe80::f022:21e1:10a0:b75e]) by HUB1.corp.dins.ru ([fe80::58ae:e620:6b29:a68b%11]) with mapi id 14.01.0355.002; Mon, 19 Dec 2011 16:41:27 +0400 From: Alexey Skolyarov To: "oauth@ietf.org" Thread-Topic: conflict: error response invalid_request and state parameter duplication Thread-Index: Acy+S4VYvA+l6ZnUQliB5+O9EKnZ7Q== Date: Mon, 19 Dec 2011 12:41:25 +0000 Message-ID: <0433F58A304676408A8AF95199AFEB97CC1506@MS2.corp.dins.ru> Accept-Language: ru-RU, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [192.168.14.189] Content-Type: multipart/alternative; boundary="_000_0433F58A304676408A8AF95199AFEB97CC1506MS2corpdinsru_" MIME-Version: 1.0 Subject: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 12:41:30 -0000 --_000_0433F58A304676408A8AF95199AFEB97CC1506MS2corpdinsru_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 SGVsbG8gZXZlcnlib2R5LA0KDQpTaW5jZSB0aGlzIGlzIG15IGZpcnN0IHBvc3Qgb24gdGhpcyBs aXN0LCBJ4oCZbGwgc2F5IGZldyB3b3JkcyBhYm91dCB3aG9hbWk6DQpNeSBuYW1lIGlzIEFsZXhl eSBTa29seWFyb3YsIEkgd29yayBpbiBTYWludC1QZXRlcnNidXJnLCBSdXNzaWEuIEnigJltIGlu dGVyZXN0ZWQgaW4gT0F1dGgyIGJlY2F1c2UgSSBmb3VuZCBubyB2MiBwcm92aWRlcnMgZm9yIEpl cnNleTxodHRwOi8vamVyc2V5LmphdmEubmV0Lz4gZXhjZXB0IFNwcmluZyBTZWN1cml0eSB3aGlj aCBpcyBtdWNoIG1vcmUgY29tcGxleCB0aGFuIDEuMGEgaW1wbGVtZW50YXRpb24gaW4gSmVyc2V5 LWNvbnRyaWIuIEN1cnJlbnRseSBJ4oCZbSB1bmRlciBOREEsIHNvIEkgY2Fu4oCZdCBzYXkgbW9y ZSDimLkNCg0KTmV2ZXJ0aGVsZXNzIHdl4oCZdmUgZG9uZSBzcGVjaWZpY2F0aW9uIHN0dWR5IGFu ZCBmb3VuZCBhIGNvbmZsaWN0IOKAkyBpbiBsYXN0IHBhcmFncmFwaCBvZiBzZWN0aW9uIDMuMS4g IkF1dGhvcml6YXRpb24gRW5kcG9pbnQiPGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0 LWlldGYtb2F1dGgtdjItMjIjc2VjdGlvbi0zLjE+IGl0IGlzIG1lbnRpb25lZCB0aGF0IOKAnFJl cXVlc3QgYW5kIHJlc3BvbnNlIHBhcmFtZXRlcnMgTVVTVCBOT1QgYmUgaW5jbHVkZWQgbW9yZSB0 aGFuIG9uY2XigJ0uDQpUaGlzIHN0YXRlbWVudCBjb25mbGljdHMgd2l0aCBzdGF0ZSBwYXJhbWV0 ZXIgZGVmaW5pdGlvbiBpbiBzZWN0aW9uIDQuMS4yLjEgIkVycm9yIHJlc3BvbnNlIjxodHRwOi8v dG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLW9hdXRoLXYyLTIyI3NlY3Rpb24tNC4xLjIu MT4sIHdoZXJlIGl04oCZcyBzYWlkIHRoYXQgc3RhdGUgaXMg4oCcUkVRVUlSRUQgaWYgYSB2YWxp ZCAic3RhdGUiIHBhcmFtZXRlciB3YXMgcHJlc2VudCBpbiB0aGUgY2xpZW50ICBhdXRob3JpemF0 aW9uIHJlcXVlc3QuICBUaGUgZXhhY3QgdmFsdWUgcmVjZWl2ZWQgZnJvbSB0aGUgY2xpZW504oCd Lg0KDQpIb3cgcGFzc2luZyBzdGF0ZT1RV0Umc3RhdGU9QVNEIGluc2lkZSBzYW1lIHJlcXVlc3Qg c2hvdWxkIGJlIGhhbmRsZWQgdGhlbj8NCg0KRnJvbSBvbmUgaGFuZCBpdCBpcyBmb3JiaWRkZW4g dG8gcHJvY2VzcyByZXF1ZXN0cyB3aXRoIG11bHRpcGxlIHBhcmFtZXRlciBvY2N1cnJlbmNlcy4N CkJ1dCBmcm9tIGFub3RoZXIgaGFuZCBTcGVjaWZpY2F0aW9uIHJlcXVpcmVzIHRvIHBhc3MgdGhl IHN0YXRlIGlmIGl0IHdhcyBmb3VuZCBpbiBhIHJlcXVlc3QuDQpWaW9sYXRpb24gb2YgYW55IG9m IHRoZXNlIHN0YXRlbWVudHMgY2FuIGJlIHRyZWF0ZWQgYXMg4oCccGFydGlhbCBjb21wbGlhbmNl 4oCdIHRvIGRyYWZ0LTIyLCBzbyBJ4oCZbSBpbiBkb3VidCB3aGF0IHdheSBpcyBwcmVmZXJyZWQg dGhlcmUuDQoNCldoYXQgZG8geW91IGd1eXMgdGhpbms/DQoNClRoYW5rcyBpbiBhZHZhbmNlLg0K LS0NCkJlc3QgcmVnYXJkcywgQWxleGV5IFNrb2x5YXJvdg0KDQo= --_000_0433F58A304676408A8AF95199AFEB97CC1506MS2corpdinsru_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTIgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 V2luZ2RpbmdzOw0KCXBhbm9zZS0xOjUgMCAwIDAgMCAwIDAgMCAwIDA7fQ0KQGZvbnQtZmFjZQ0K CXtmb250LWZhbWlseToiQ2FtYnJpYSBNYXRoIjsNCglwYW5vc2UtMToyIDQgNSAzIDUgNCA2IDMg MiA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1 IDUgMiAyIDIgNCAzIDIgNDt9DQovKiBTdHlsZSBEZWZpbml0aW9ucyAqLw0KcC5Nc29Ob3JtYWws IGxpLk1zb05vcm1hbCwgZGl2Lk1zb05vcm1hbA0KCXttYXJnaW46MGNtOw0KCW1hcmdpbi1ib3R0 b206LjAwMDFwdDsNCglmb250LXNpemU6MTEuMHB0Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwi c2Fucy1zZXJpZiI7fQ0KYTpsaW5rLCBzcGFuLk1zb0h5cGVybGluaw0KCXttc28tc3R5bGUtcHJp b3JpdHk6OTk7DQoJY29sb3I6Ymx1ZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCmE6 dmlzaXRlZCwgc3Bhbi5Nc29IeXBlcmxpbmtGb2xsb3dlZA0KCXttc28tc3R5bGUtcHJpb3JpdHk6 OTk7DQoJY29sb3I6cHVycGxlOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0Kc3Bhbi5F bWFpbFN0eWxlMTcNCgl7bXNvLXN0eWxlLXR5cGU6cGVyc29uYWwtY29tcG9zZTsNCglmb250LWZh bWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiOw0KCWNvbG9yOndpbmRvd3RleHQ7fQ0KLk1zb0No cERlZmF1bHQNCgl7bXNvLXN0eWxlLXR5cGU6ZXhwb3J0LW9ubHk7fQ0KQHBhZ2UgV29yZFNlY3Rp b24xDQoJe3NpemU6NjEyLjBwdCA3OTIuMHB0Ow0KCW1hcmdpbjoyLjBjbSA0Mi41cHQgMi4wY20g My4wY207fQ0KZGl2LldvcmRTZWN0aW9uMQ0KCXtwYWdlOldvcmRTZWN0aW9uMTt9DQotLT48L3N0 eWxlPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVkZWZhdWx0cyB2OmV4dD0iZWRp dCIgc3BpZG1heD0iMTAyNiIgLz4NCjwveG1sPjwhW2VuZGlmXS0tPjwhLS1baWYgZ3RlIG1zbyA5 XT48eG1sPg0KPG86c2hhcGVsYXlvdXQgdjpleHQ9ImVkaXQiPg0KPG86aWRtYXAgdjpleHQ9ImVk aXQiIGRhdGE9IjEiIC8+DQo8L286c2hhcGVsYXlvdXQ+PC94bWw+PCFbZW5kaWZdLS0+DQo8L2hl YWQ+DQo8Ym9keSBsYW5nPSJSVSIgbGluaz0iYmx1ZSIgdmxpbms9InB1cnBsZSI+DQo8ZGl2IGNs YXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4t VVMiPkhlbGxvIGV2ZXJ5Ym9keSw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiPlNpbmNlIHRoaXMgaXMgbXkg Zmlyc3QgcG9zdCBvbiB0aGlzIGxpc3QsIEnigJlsbCBzYXkgZmV3IHdvcmRzIGFib3V0IHdob2Ft aTo8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5n PSJFTi1VUyI+TXkgbmFtZSBpcyBBbGV4ZXkgU2tvbHlhcm92LCBJIHdvcmsgaW4gU2FpbnQtUGV0 ZXJzYnVyZywgUnVzc2lhLiBJ4oCZbSBpbnRlcmVzdGVkIGluIE9BdXRoMiBiZWNhdXNlIEkgZm91 bmQgbm8gdjIgcHJvdmlkZXJzIGZvcg0KPGEgaHJlZj0iaHR0cDovL2plcnNleS5qYXZhLm5ldC8i PkplcnNleTwvYT4gZXhjZXB0IFNwcmluZyBTZWN1cml0eSB3aGljaCBpcyBtdWNoIG1vcmUgY29t cGxleCB0aGFuIDEuMGEgaW1wbGVtZW50YXRpb24gaW4gSmVyc2V5LWNvbnRyaWIuIEN1cnJlbnRs eSBJ4oCZbSB1bmRlciBOREEsIHNvIEkgY2Fu4oCZdCBzYXkgbW9yZQ0KPC9zcGFuPjxzcGFuIGxh bmc9IkVOLVVTIiBzdHlsZT0iZm9udC1mYW1pbHk6V2luZ2RpbmdzIj5MPC9zcGFuPjxzcGFuIGxh bmc9IkVOLVVTIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBsYW5nPSJFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiPk5ldmVydGhlbGVzcyB3ZeKAmXZlIGRvbmUg c3BlY2lmaWNhdGlvbiBzdHVkeSBhbmQgZm91bmQgYSBjb25mbGljdCDigJMgaW4gbGFzdCBwYXJh Z3JhcGggb2YNCjxhIGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYt b2F1dGgtdjItMjIjc2VjdGlvbi0zLjEiPnNlY3Rpb24gMy4xLiAmcXVvdDtBdXRob3JpemF0aW9u IEVuZHBvaW50JnF1b3Q7PC9hPiBpdCBpcyBtZW50aW9uZWQgdGhhdCDigJw8aT5SZXF1ZXN0IGFu ZCByZXNwb25zZSBwYXJhbWV0ZXJzIE1VU1QgTk9UIGJlIGluY2x1ZGVkIG1vcmUgdGhhbiBvbmNl PC9pPuKAnS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBsYW5nPSJFTi1VUyI+VGhpcyBzdGF0ZW1lbnQgY29uZmxpY3RzIHdpdGggPGk+c3RhdGU8L2k+ IHBhcmFtZXRlciBkZWZpbml0aW9uIGluDQo8YSBocmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcv aHRtbC9kcmFmdC1pZXRmLW9hdXRoLXYyLTIyI3NlY3Rpb24tNC4xLjIuMSI+c2VjdGlvbiA0LjEu Mi4xICZxdW90O0Vycm9yIHJlc3BvbnNlJnF1b3Q7PC9hPiwgd2hlcmUgaXTigJlzIHNhaWQgdGhh dCBzdGF0ZSBpcyDigJw8aT5SRVFVSVJFRCBpZiBhIHZhbGlkICZxdW90O3N0YXRlJnF1b3Q7IHBh cmFtZXRlciB3YXMgcHJlc2VudCBpbiB0aGUgY2xpZW50Jm5ic3A7IGF1dGhvcml6YXRpb24gcmVx dWVzdC4mbmJzcDsgVGhlIGV4YWN0IHZhbHVlIHJlY2VpdmVkDQogZnJvbSB0aGUgY2xpZW50PC9p PuKAnS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBs YW5nPSJFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiPkhvdyBwYXNzaW5nIDxpPnN0YXRlPVFXRSZhbXA7c3Rh dGU9QVNEPC9pPiBpbnNpZGUgc2FtZSByZXF1ZXN0IHNob3VsZCBiZSBoYW5kbGVkIHRoZW4/PG86 cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4t VVMiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIGxhbmc9IkVOLVVTIj5Gcm9tIG9uZSBoYW5kIGl0IGlzIGZvcmJpZGRlbiB0byBwcm9jZXNz IHJlcXVlc3RzIHdpdGggbXVsdGlwbGUgcGFyYW1ldGVyIG9jY3VycmVuY2VzLjwvc3Bhbj48bzpw PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIj5CdXQg ZnJvbSBhbm90aGVyIGhhbmQgU3BlY2lmaWNhdGlvbiByZXF1aXJlcyB0byBwYXNzIHRoZSBzdGF0 ZSBpZiBpdCB3YXMgZm91bmQgaW4gYSByZXF1ZXN0Lg0KPG86cD48L286cD48L3NwYW4+PC9wPg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiPlZpb2xhdGlvbiBvZiBhbnkg b2YgdGhlc2Ugc3RhdGVtZW50cyBjYW4gYmUgdHJlYXRlZCBhcyDigJxwYXJ0aWFsIGNvbXBsaWFu Y2XigJ0gdG8gZHJhZnQtMjIsIHNvIEnigJltIGluIGRvdWJ0IHdoYXQgd2F5IGlzIHByZWZlcnJl ZCB0aGVyZS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBsYW5nPSJFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiPldoYXQgZG8geW91IGd1eXMgdGhpbms/PG86cD48 L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMi PjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IGxhbmc9IkVOLVVTIj5UaGFua3MgaW4gYWR2YW5jZS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZTox Mi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3Nlcmlm JnF1b3Q7Ij4tLQ0KPGJyPg0KPC9zcGFuPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1z aXplOjEyLjBwdDtjb2xvcjojNEY4MUJEIj5CZXN0IHJlZ2FyZHMsIEFsZXhleSBTa29seWFyb3YN Cjwvc3Bhbj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQiPjxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVT Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4N Cg== --_000_0433F58A304676408A8AF95199AFEB97CC1506MS2corpdinsru_-- From alexey.skolyarov@dins.ru Mon Dec 19 05:20:11 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 275F621F8B6D for ; Mon, 19 Dec 2011 05:20:11 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.172 X-Spam-Level: X-Spam-Status: No, score=0.172 tagged_above=-999 required=5 tests=[AWL=1.300, BAYES_00=-2.599, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dNVzgmHtUdS6 for ; Mon, 19 Dec 2011 05:20:10 -0800 (PST) Received: from smtp01.dins.ru (smtp01.dins.ru [193.104.181.104]) by ietfa.amsl.com (Postfix) with ESMTP id 3B83021F8B73 for ; Mon, 19 Dec 2011 05:20:09 -0800 (PST) Received: from mail01.dins.ru (ru-led-qatas01ac.dins.ru [192.168.12.108]) by smtp01.dins.ru (Postfix) with ESMTP id 8CB90DB49D9; Mon, 19 Dec 2011 16:20:05 +0300 (MSK) Received: from MS2.corp.dins.ru ([fe80::f022:21e1:10a0:b75e]) by HUB1.corp.dins.ru ([fe80::58ae:e620:6b29:a68b%11]) with mapi id 14.01.0355.002; Mon, 19 Dec 2011 17:20:07 +0400 From: Alexey Skolyarov To: Buhake Sindi Thread-Topic: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication Thread-Index: Acy+S4VYvA+l6ZnUQliB5+O9EKnZ7f//wDsA//+4skA= Date: Mon, 19 Dec 2011 13:20:07 +0000 Message-ID: <0433F58A304676408A8AF95199AFEB97CC157D@MS2.corp.dins.ru> References: <0433F58A304676408A8AF95199AFEB97CC1506@MS2.corp.dins.ru> In-Reply-To: Accept-Language: ru-RU, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [192.168.14.189] Content-Type: multipart/alternative; boundary="_000_0433F58A304676408A8AF95199AFEB97CC157DMS2corpdinsru_" MIME-Version: 1.0 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 13:20:11 -0000 --_000_0433F58A304676408A8AF95199AFEB97CC157DMS2corpdinsru_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 SGVsbG8gQnVoYWtlLA0KDQpUaGFua3MgZm9yIHlvdXIgYW5zd2VyIQ0KSXQgc2VlbXMgSSBzaG91 bGQgZXhwbGFpbiBhIGJpdCBoZXJlIOKAkyBJ4oCZbSBub3QgYWJvdXQgaG93IHRvIHBhc3MgdGhl IHN0YXRlIHdpdGggbXVsdGlwbGUgdmFsdWVzLCBJ4oCZbSB0cnlpbmcgdG8gZmlndXJlIG91dCBo b3cgdGhlIE9BdXRoLTIuMC1kcmFmdC0yMiDigJMgY29tcGxpYW50IHNlcnZlciBzaG91bGQgcmVz cG9uZCBvbiBkdXBsaWNhdGlvbiBvZiBzdGF0ZSByZXF1ZXN0IHBhcmFtZXRlci4NCg0KRm9yIGlu c3RhbmNlIHdoYXQgc2hvdWxkIGJlIHJldHVybmVkIGluIHJlc3BvbnNlIG9uIGZvbGxvd2luZyBy ZXF1ZXN0Og0KR0VUIC9hdXRob3JpemU/cmVzcG9uc2VfdHlwZT1jb2RlJmNsaWVudF9pZD1zNkJo ZFJrcXQzJnN0YXRlPVFXRSZzdGF0ZT1BU0QmcmVkaXJlY3RfdXJpPWh0dHBzJTNBJTJGJTJGY2xp ZW50JTJFZXhhbXBsZSUyRWNvbSUyRmNiIEhUVFAvMS4xDQpIb3N0OiBzZXJ2ZXIuZXhhbXBsZS5j b20NCg0KSXTigJlzIHVuY2xlYXIgZm9yIG1lIHNob3VsZCBpdCBiZQ0KSFRUUC8xLjEgMzAyIEZv dW5kDQpMb2NhdGlvbjogaHR0cHM6Ly9jbGllbnQuZXhhbXBsZS5jb20vY2I/ZXJyb3I9aW52YWxp ZF9yZXF1ZXN0ICh3aXRob3V0IHRoZSBzdGF0ZSBjb21wbGV0ZWx5IOKAkyBzZWVtcyB0byBiZSB3 cm9uZyBiZWZvcmVoYW5kKQ0Kb3INCkhUVFAvMS4xIDMwMiBGb3VuZA0KTG9jYXRpb246IGh0dHBz Oi8vY2xpZW50LmV4YW1wbGUuY29tL2NiP2Vycm9yPWludmFsaWRfcmVxdWVzdCZzdGF0ZT1RV0Ug KCBvciBBU0QgLSBvbmUgb2YgcGFzc2VkIHN0YXRlcyB1c2VkKQ0Kb3INCkhUVFAvMS4xIDMwMiBG b3VuZA0KTG9jYXRpb246IGh0dHBzOi8vY2xpZW50LmV4YW1wbGUuY29tL2NiP2Vycm9yPWludmFs aWRfcmVxdWVzdCZzdGF0ZT1RV0UlMjBBU0QgKGJvdGggYnV0IHZpb2xhdGVzIHRoZSBpZGVhIHRo YXQgc3RhdGUgc2hvdWxkIGJlIGtlcHQgdW5jaGFuZ2VkKS4NCg0KSSBob3BlIHRoaXMgZXhhbXBs ZSBjb3VsZCBtYWtlIG15IHF1ZXN0aW9uIGNsZWFyZXIuDQoNClRoYW5rcyBpbiBhZHZhbmNlLg0K LS0NCkJlc3QgcmVnYXJkcywgQWxleGV5IFNrb2x5YXJvdg0KDQoNCkZyb206IEJ1aGFrZSBTaW5k aSBbbWFpbHRvOmJ1aGFrZUBnb29nbGVtYWlsLmNvbV0NClNlbnQ6IE1vbmRheSwgRGVjZW1iZXIg MTksIDIwMTEgNDo1MyBQTQ0KVG86IEFsZXhleSBTa29seWFyb3YNClN1YmplY3Q6IFJlOiBbT0FV VEgtV0ddIGNvbmZsaWN0OiBlcnJvciByZXNwb25zZSBpbnZhbGlkX3JlcXVlc3QgYW5kIHN0YXRl IHBhcmFtZXRlciBkdXBsaWNhdGlvbg0KDQpIaSBBbGV4ZXksDQoNCklmIEknbSBub3QgbWlzdGFr ZW4sIHRvIGRlY2xhcmUgbXVsdGlwbGUgdmFsdWVzIGluICJzdGF0ZSIsIHRoZSBkb2N1bWVudCBz dGF0ZXMgdGhhdCBpdCBzaG91bGQgYmUgc3BhY2UtZGVsaW1pdGVkICgiICIpLiBUaGlzIGlzIHVu bGlrZSBGYWNlYm9vayBzdGF0ZSB3aGljaCBpcyBjb21tYS1kZWxpbWl0ZWQuDQpPbiAxOSBEZWNl bWJlciAyMDExIDE0OjQxLCBBbGV4ZXkgU2tvbHlhcm92IDxhbGV4ZXkuc2tvbHlhcm92QGRpbnMu cnU8bWFpbHRvOmFsZXhleS5za29seWFyb3ZAZGlucy5ydT4+IHdyb3RlOg0KSGVsbG8gZXZlcnli b2R5LA0KDQpTaW5jZSB0aGlzIGlzIG15IGZpcnN0IHBvc3Qgb24gdGhpcyBsaXN0LCBJ4oCZbGwg c2F5IGZldyB3b3JkcyBhYm91dCB3aG9hbWk6DQpNeSBuYW1lIGlzIEFsZXhleSBTa29seWFyb3Ys IEkgd29yayBpbiBTYWludC1QZXRlcnNidXJnLCBSdXNzaWEuIEnigJltIGludGVyZXN0ZWQgaW4g T0F1dGgyIGJlY2F1c2UgSSBmb3VuZCBubyB2MiBwcm92aWRlcnMgZm9yIEplcnNleTxodHRwOi8v amVyc2V5LmphdmEubmV0Lz4gZXhjZXB0IFNwcmluZyBTZWN1cml0eSB3aGljaCBpcyBtdWNoIG1v cmUgY29tcGxleCB0aGFuIDEuMGEgaW1wbGVtZW50YXRpb24gaW4gSmVyc2V5LWNvbnRyaWIuIEN1 cnJlbnRseSBJ4oCZbSB1bmRlciBOREEsIHNvIEkgY2Fu4oCZdCBzYXkgbW9yZSDimLkNCg0KTmV2 ZXJ0aGVsZXNzIHdl4oCZdmUgZG9uZSBzcGVjaWZpY2F0aW9uIHN0dWR5IGFuZCBmb3VuZCBhIGNv bmZsaWN0IOKAkyBpbiBsYXN0IHBhcmFncmFwaCBvZiBzZWN0aW9uIDMuMS4gIkF1dGhvcml6YXRp b24gRW5kcG9pbnQiPGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgt djItMjIjc2VjdGlvbi0zLjE+IGl0IGlzIG1lbnRpb25lZCB0aGF0IOKAnFJlcXVlc3QgYW5kIHJl c3BvbnNlIHBhcmFtZXRlcnMgTVVTVCBOT1QgYmUgaW5jbHVkZWQgbW9yZSB0aGFuIG9uY2XigJ0u DQpUaGlzIHN0YXRlbWVudCBjb25mbGljdHMgd2l0aCBzdGF0ZSBwYXJhbWV0ZXIgZGVmaW5pdGlv biBpbiBzZWN0aW9uIDQuMS4yLjEgIkVycm9yIHJlc3BvbnNlIjxodHRwOi8vdG9vbHMuaWV0Zi5v cmcvaHRtbC9kcmFmdC1pZXRmLW9hdXRoLXYyLTIyI3NlY3Rpb24tNC4xLjIuMT4sIHdoZXJlIGl0 4oCZcyBzYWlkIHRoYXQgc3RhdGUgaXMg4oCcUkVRVUlSRUQgaWYgYSB2YWxpZCAic3RhdGUiIHBh cmFtZXRlciB3YXMgcHJlc2VudCBpbiB0aGUgY2xpZW50ICBhdXRob3JpemF0aW9uIHJlcXVlc3Qu ICBUaGUgZXhhY3QgdmFsdWUgcmVjZWl2ZWQgZnJvbSB0aGUgY2xpZW504oCdLg0KDQpIb3cgcGFz c2luZyBzdGF0ZT1RV0Umc3RhdGU9QVNEIGluc2lkZSBzYW1lIHJlcXVlc3Qgc2hvdWxkIGJlIGhh bmRsZWQgdGhlbj8NCg0KRnJvbSBvbmUgaGFuZCBpdCBpcyBmb3JiaWRkZW4gdG8gcHJvY2VzcyBy ZXF1ZXN0cyB3aXRoIG11bHRpcGxlIHBhcmFtZXRlciBvY2N1cnJlbmNlcy4NCkJ1dCBmcm9tIGFu b3RoZXIgaGFuZCBTcGVjaWZpY2F0aW9uIHJlcXVpcmVzIHRvIHBhc3MgdGhlIHN0YXRlIGlmIGl0 IHdhcyBmb3VuZCBpbiBhIHJlcXVlc3QuDQpWaW9sYXRpb24gb2YgYW55IG9mIHRoZXNlIHN0YXRl bWVudHMgY2FuIGJlIHRyZWF0ZWQgYXMg4oCccGFydGlhbCBjb21wbGlhbmNl4oCdIHRvIGRyYWZ0 LTIyLCBzbyBJ4oCZbSBpbiBkb3VidCB3aGF0IHdheSBpcyBwcmVmZXJyZWQgdGhlcmUuDQoNCldo YXQgZG8geW91IGd1eXMgdGhpbms/DQoNClRoYW5rcyBpbiBhZHZhbmNlLg0KLS0NCkJlc3QgcmVn YXJkcywgQWxleGV5IFNrb2x5YXJvdg0KDQoNCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fDQpPQXV0aCBtYWlsaW5nIGxpc3QNCk9BdXRoQGlldGYub3JnPG1h aWx0bzpPQXV0aEBpZXRmLm9yZz4NCmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGlu Zm8vb2F1dGgNCg0KDQoNCi0tDQpUaGUgRWxpdGUgR2VudGxlbWFuDQo= --_000_0433F58A304676408A8AF95199AFEB97CC157DMS2corpdinsru_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTIgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 V2luZ2RpbmdzOw0KCXBhbm9zZS0xOjUgMCAwIDAgMCAwIDAgMCAwIDA7fQ0KQGZvbnQtZmFjZQ0K CXtmb250LWZhbWlseToiQ2FtYnJpYSBNYXRoIjsNCglwYW5vc2UtMToyIDQgNSAzIDUgNCA2IDMg MiA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1 IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OlRhaG9tYTsNCglw YW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQovKiBTdHlsZSBEZWZpbml0aW9ucyAqLw0K cC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1zb05vcm1hbA0KCXttYXJnaW46MGNtOw0K CW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6MTIuMHB0Ow0KCWZvbnQtZmFtaWx5 OiJUaW1lcyBOZXcgUm9tYW4iLCJzZXJpZiI7fQ0KYTpsaW5rLCBzcGFuLk1zb0h5cGVybGluaw0K CXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6Ymx1ZTsNCgl0ZXh0LWRlY29yYXRpb246 dW5kZXJsaW5lO30NCmE6dmlzaXRlZCwgc3Bhbi5Nc29IeXBlcmxpbmtGb2xsb3dlZA0KCXttc28t c3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6cHVycGxlOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRl cmxpbmU7fQ0KcHJlDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGluazoi SFRNTCBQcmVmb3JtYXR0ZWQgQ2hhciI7DQoJbWFyZ2luOjBjbTsNCgltYXJnaW4tYm90dG9tOi4w MDAxcHQ7DQoJZm9udC1zaXplOjEwLjBwdDsNCglmb250LWZhbWlseToiQ291cmllciBOZXciO30N CnNwYW4uaG9lbnpiDQoJe21zby1zdHlsZS1uYW1lOmhvZW56Yjt9DQpzcGFuLkVtYWlsU3R5bGUx OA0KCXttc28tc3R5bGUtdHlwZTpwZXJzb25hbC1yZXBseTsNCglmb250LWZhbWlseToiQ2FsaWJy aSIsInNhbnMtc2VyaWYiOw0KCWNvbG9yOiMxRjQ5N0Q7fQ0Kc3Bhbi5IVE1MUHJlZm9ybWF0dGVk Q2hhcg0KCXttc28tc3R5bGUtbmFtZToiSFRNTCBQcmVmb3JtYXR0ZWQgQ2hhciI7DQoJbXNvLXN0 eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJIVE1MIFByZWZvcm1hdHRlZCI7DQoJ Zm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Ijt9DQouTXNvQ2hwRGVmYXVsdA0KCXttc28tc3R5bGUt dHlwZTpleHBvcnQtb25seTt9DQpAcGFnZSBXb3JkU2VjdGlvbjENCgl7c2l6ZTo2MTIuMHB0IDc5 Mi4wcHQ7DQoJbWFyZ2luOjIuMGNtIDQyLjVwdCAyLjBjbSAzLjBjbTt9DQpkaXYuV29yZFNlY3Rp b24xDQoJe3BhZ2U6V29yZFNlY3Rpb24xO30NCi0tPjwvc3R5bGU+PCEtLVtpZiBndGUgbXNvIDld Pjx4bWw+DQo8bzpzaGFwZWRlZmF1bHRzIHY6ZXh0PSJlZGl0IiBzcGlkbWF4PSIxMDI2IiAvPg0K PC94bWw+PCFbZW5kaWZdLS0+PCEtLVtpZiBndGUgbXNvIDldPjx4bWw+DQo8bzpzaGFwZWxheW91 dCB2OmV4dD0iZWRpdCI+DQo8bzppZG1hcCB2OmV4dD0iZWRpdCIgZGF0YT0iMSIgLz4NCjwvbzpz aGFwZWxheW91dD48L3htbD48IVtlbmRpZl0tLT4NCjwvaGVhZD4NCjxib2R5IGxhbmc9IlJVIiBs aW5rPSJibHVlIiB2bGluaz0icHVycGxlIj4NCjxkaXYgY2xhc3M9IldvcmRTZWN0aW9uMSI+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZTox MS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1 b3Q7O2NvbG9yOiMxRjQ5N0QiPkhlbGxvIEJ1aGFrZSw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZTox MS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1 b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtm b250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29s b3I6IzFGNDk3RCI+VGhhbmtzIGZvciB5b3VyIGFuc3dlciE8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6 ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPkl0IHNlZW1zIEkgc2hvdWxkIGV4cGxhaW4gYSBiaXQgaGVy ZSDigJMgSeKAmW0gbm90IGFib3V0IGhvdyB0byBwYXNzIHRoZSBzdGF0ZSB3aXRoIG11bHRpcGxl IHZhbHVlcywgSeKAmW0gdHJ5aW5nIHRvIGZpZ3VyZSBvdXQgaG93IHRoZSBPQXV0aC0yLjAtZHJh ZnQtMjINCiDigJMgY29tcGxpYW50IHNlcnZlciBzaG91bGQgcmVzcG9uZCBvbiBkdXBsaWNhdGlv biBvZiBzdGF0ZSByZXF1ZXN0IHBhcmFtZXRlci48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7 O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250 LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6 IzFGNDk3RCI+Rm9yIGluc3RhbmNlIHdoYXQgc2hvdWxkIGJlIHJldHVybmVkIGluIHJlc3BvbnNl IG9uIGZvbGxvd2luZyByZXF1ZXN0OjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250 LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+R0VUIC9hdXRob3JpemU/cmVzcG9uc2Vf dHlwZT1jb2RlJmFtcDtjbGllbnRfaWQ9czZCaGRSa3F0MyZhbXA7PGI+c3RhdGU9UVdFPC9iPiZh bXA7PGI+c3RhdGU9QVNEPC9iPiZhbXA7cmVkaXJlY3RfdXJpPWh0dHBzJTNBJTJGJTJGY2xpZW50 JTJFZXhhbXBsZSUyRWNvbSUyRmNiIEhUVFAvMS4xPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTAu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij5IPC9zcGFuPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7 Ij5vc3Q6IHNlcnZlci5leGFtcGxlLmNvbTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtm b250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29s b3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0 OTdEIj5JdOKAmXMgdW5jbGVhciBmb3IgbWUgc2hvdWxkIGl0IGJlDQo8bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3 YXlzIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDs7Y29sb3I6YmxhY2siPkhUVFAvMS4xIDMwMiBGb3Vu ZDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJwYWdl LWJyZWFrLWJlZm9yZTphbHdheXMiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXpl OjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90Oztjb2xvcjpibGFjayI+ TG9jYXRpb246IGh0dHBzOi8vY2xpZW50LmV4YW1wbGUuY29tL2NiP2Vycm9yPWludmFsaWRfcmVx dWVzdA0KPC9zcGFuPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtm b250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29s b3I6IzFGNDk3RCI+KHdpdGhvdXQgdGhlIHN0YXRlIGNvbXBsZXRlbHkg4oCTIHNlZW1zIHRvIGJl IHdyb25nIGJlZm9yZWhhbmQpDQo8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJFTi1V UyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90 OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPm9yDQo8L3NwYW4+PHNwYW4g bGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0Nv dXJpZXIgTmV3JnF1b3Q7O2NvbG9yOmJsYWNrIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3BhbiBs YW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291 cmllciBOZXcmcXVvdDs7Y29sb3I6YmxhY2siPkhUVFAvMS4xIDMwMiBGb3VuZDxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJwYWdlLWJyZWFrLWJlZm9y ZTphbHdheXMiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250 LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90Oztjb2xvcjpibGFjayI+TG9jYXRpb246IGh0 dHBzOi8vY2xpZW50LmV4YW1wbGUuY29tL2NiP2Vycm9yPWludmFsaWRfcmVxdWVzdCZhbXA7c3Rh dGU9UVdFPC9zcGFuPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtm b250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29s b3I6IzFGNDk3RCI+DQogKCBvciBBU0QgLSBvbmUgb2YgcGFzc2VkIHN0YXRlcyB1c2VkKSA8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVh ay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7 O2NvbG9yOiMxRjQ5N0QiPm9yDQo8L3NwYW4+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250 LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7O2NvbG9yOmJs YWNrIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0i cGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQt c2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDs7Y29sb3I6Ymxh Y2siPkhUVFAvMS4xIDMwMiBGb3VuZDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiIHN0eWxlPSJwYWdlLWJyZWFrLWJlZm9yZTphbHdheXMiPjxzcGFuIGxhbmc9IkVO LVVTIiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5l dyZxdW90Oztjb2xvcjpibGFjayI+TG9jYXRpb246IGh0dHBzOi8vY2xpZW50LmV4YW1wbGUuY29t L2NiP2Vycm9yPWludmFsaWRfcmVxdWVzdCZhbXA7c3RhdGU9UVdFJTIwQVNEDQo8L3NwYW4+PHNw YW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj4oYm90 aCBidXQgdmlvbGF0ZXMgdGhlIGlkZWEgdGhhdCBzdGF0ZSBzaG91bGQgYmUga2VwdCB1bmNoYW5n ZWQpLg0KPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9 InBhZ2UtYnJlYWstYmVmb3JlOmFsd2F5cyI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250 LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1z ZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3Bh biBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPkkgaG9w ZSB0aGlzIGV4YW1wbGUgY291bGQgbWFrZSBteSBxdWVzdGlvbiBjbGVhcmVyLg0KPG86cD48L286 cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9InBhZ2UtYnJlYWstYmVm b3JlOmFsd2F5cyI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xv cjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJFTi1VUyIg c3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90Oywm cXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPlRoYW5rcyBpbiBhZHZhbmNlLjwv c3Bhbj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDs7Y29sb3I6YmxhY2siPjxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iY29s b3I6IzFGNDk3RCI+LS0gPGJyPg0KPC9zcGFuPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9u dC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9y OiM0RjgxQkQiPkJlc3QgcmVnYXJkcywgQWxleGV5IFNrb2x5YXJvdg0KPGJyPg0KPGJyPg0KPC9z cGFuPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZx dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0i Zm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3Nh bnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9w Pg0KPGRpdiBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEuMHB0 O3BhZGRpbmc6My4wcHQgMGNtIDBjbSAwY20iPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNw YW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RhaG9tYSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5Gcm9tOjwvc3Bhbj48L2I+PHNw YW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RhaG9tYSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4gQnVoYWtlIFNpbmRpIFttYWls dG86YnVoYWtlQGdvb2dsZW1haWwuY29tXQ0KPGJyPg0KPGI+U2VudDo8L2I+IE1vbmRheSwgRGVj ZW1iZXIgMTksIDIwMTEgNDo1MyBQTTxicj4NCjxiPlRvOjwvYj4gQWxleGV5IFNrb2x5YXJvdjxi cj4NCjxiPlN1YmplY3Q6PC9iPiBSZTogW09BVVRILVdHXSBjb25mbGljdDogZXJyb3IgcmVzcG9u c2UgaW52YWxpZF9yZXF1ZXN0IGFuZCBzdGF0ZSBwYXJhbWV0ZXIgZHVwbGljYXRpb248bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1ib3R0b206MTIu MHB0Ij5IaSBBbGV4ZXksPGJyPg0KPGJyPg0KSWYgSSdtIG5vdCBtaXN0YWtlbiwgdG8gZGVjbGFy ZSBtdWx0aXBsZSB2YWx1ZXMgaW4gJnF1b3Q7c3RhdGUmcXVvdDssIHRoZSBkb2N1bWVudCBzdGF0 ZXMgdGhhdCBpdCBzaG91bGQgYmUgc3BhY2UtZGVsaW1pdGVkICgmcXVvdDsgJnF1b3Q7KS4gVGhp cyBpcyB1bmxpa2UgRmFjZWJvb2sgc3RhdGUgd2hpY2ggaXMgY29tbWEtZGVsaW1pdGVkLjxvOnA+ PC9vOnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPk9uIDE5IERlY2VtYmVyIDIw MTEgMTQ6NDEsIEFsZXhleSBTa29seWFyb3YgJmx0OzxhIGhyZWY9Im1haWx0bzphbGV4ZXkuc2tv bHlhcm92QGRpbnMucnUiPmFsZXhleS5za29seWFyb3ZAZGlucy5ydTwvYT4mZ3Q7IHdyb3RlOjxv OnA+PC9vOnA+PC9wPg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0i bXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFu IGxhbmc9IkVOLVVTIj5IZWxsbyBldmVyeWJvZHksPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJn aW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+Jm5ic3A7PC9zcGFuPjxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFs dDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+U2lu Y2UgdGhpcyBpcyBteSBmaXJzdCBwb3N0IG9uIHRoaXMgbGlzdCwgSeKAmWxsIHNheSBmZXcgd29y ZHMgYWJvdXQgd2hvYW1pOjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6 YXV0byI+PHNwYW4gbGFuZz0iRU4tVVMiPk15IG5hbWUgaXMgQWxleGV5IFNrb2x5YXJvdiwgSSB3 b3JrIGluIFNhaW50LVBldGVyc2J1cmcsIFJ1c3NpYS4gSeKAmW0gaW50ZXJlc3RlZCBpbiBPQXV0 aDIgYmVjYXVzZSBJIGZvdW5kIG5vIHYyIHByb3ZpZGVycyBmb3INCjxhIGhyZWY9Imh0dHA6Ly9q ZXJzZXkuamF2YS5uZXQvIiB0YXJnZXQ9Il9ibGFuayI+SmVyc2V5PC9hPiBleGNlcHQgU3ByaW5n IFNlY3VyaXR5IHdoaWNoIGlzIG11Y2ggbW9yZSBjb21wbGV4IHRoYW4gMS4wYSBpbXBsZW1lbnRh dGlvbiBpbiBKZXJzZXktY29udHJpYi4gQ3VycmVudGx5IEnigJltIHVuZGVyIE5EQSwgc28gSSBj YW7igJl0IHNheSBtb3JlDQo8L3NwYW4+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LWZh bWlseTpXaW5nZGluZ3MiPkw8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0 OmF1dG8iPjxzcGFuIGxhbmc9IkVOLVVTIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1h cmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIGxhbmc9IkVOLVVTIj5OZXZlcnRoZWxlc3Mgd2Xi gJl2ZSBkb25lIHNwZWNpZmljYXRpb24gc3R1ZHkgYW5kIGZvdW5kIGEgY29uZmxpY3Qg4oCTIGlu IGxhc3QgcGFyYWdyYXBoIG9mDQo8YSBocmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9k cmFmdC1pZXRmLW9hdXRoLXYyLTIyI3NlY3Rpb24tMy4xIiB0YXJnZXQ9Il9ibGFuayI+DQpzZWN0 aW9uIDMuMS4gJnF1b3Q7QXV0aG9yaXphdGlvbiBFbmRwb2ludCZxdW90OzwvYT4gaXQgaXMgbWVu dGlvbmVkIHRoYXQg4oCcPGk+UmVxdWVzdCBhbmQgcmVzcG9uc2UgcGFyYW1ldGVycyBNVVNUIE5P VCBiZSBpbmNsdWRlZCBtb3JlIHRoYW4gb25jZTwvaT7igJ0uPC9zcGFuPjxvOnA+PC9vOnA+PC9w Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21z by1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+VGhpcyBzdGF0ZW1l bnQgY29uZmxpY3RzIHdpdGgNCjxpPnN0YXRlPC9pPiBwYXJhbWV0ZXIgZGVmaW5pdGlvbiBpbiA8 YSBocmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLW9hdXRoLXYyLTIy I3NlY3Rpb24tNC4xLjIuMSIgdGFyZ2V0PSJfYmxhbmsiPg0Kc2VjdGlvbiA0LjEuMi4xICZxdW90 O0Vycm9yIHJlc3BvbnNlJnF1b3Q7PC9hPiwgd2hlcmUgaXTigJlzIHNhaWQgdGhhdCBzdGF0ZSBp cyDigJw8aT5SRVFVSVJFRCBpZiBhIHZhbGlkICZxdW90O3N0YXRlJnF1b3Q7IHBhcmFtZXRlciB3 YXMgcHJlc2VudCBpbiB0aGUgY2xpZW50Jm5ic3A7IGF1dGhvcml6YXRpb24gcmVxdWVzdC4mbmJz cDsgVGhlIGV4YWN0IHZhbHVlIHJlY2VpdmVkIGZyb20gdGhlIGNsaWVudDwvaT7igJ0uPC9zcGFu PjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4t dG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1V UyI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5 bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48 c3BhbiBsYW5nPSJFTi1VUyI+SG93IHBhc3NpbmcNCjxpPnN0YXRlPVFXRSZhbXA7c3RhdGU9QVNE PC9pPiBpbnNpZGUgc2FtZSByZXF1ZXN0IHNob3VsZCBiZSBoYW5kbGVkIHRoZW4/PC9zcGFuPjxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9w LWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+ Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9 Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3Bh biBsYW5nPSJFTi1VUyI+RnJvbSBvbmUgaGFuZCBpdCBpcyBmb3JiaWRkZW4gdG8gcHJvY2VzcyBy ZXF1ZXN0cyB3aXRoIG11bHRpcGxlIHBhcmFtZXRlciBvY2N1cnJlbmNlcy48L3NwYW4+PG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0 OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIGxhbmc9IkVOLVVTIj5CdXQg ZnJvbSBhbm90aGVyIGhhbmQgU3BlY2lmaWNhdGlvbiByZXF1aXJlcyB0byBwYXNzIHRoZSBzdGF0 ZSBpZiBpdCB3YXMgZm91bmQgaW4gYSByZXF1ZXN0Lg0KPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1t YXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+VmlvbGF0aW9uIG9mIGFu eSBvZiB0aGVzZSBzdGF0ZW1lbnRzIGNhbiBiZSB0cmVhdGVkIGFzIOKAnHBhcnRpYWwgY29tcGxp YW5jZeKAnSB0byBkcmFmdC0yMiwgc28gSeKAmW0gaW4gZG91YnQgd2hhdCB3YXkgaXMgcHJlZmVy cmVkIHRoZXJlLjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0 eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+ PHNwYW4gbGFuZz0iRU4tVVMiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJv dHRvbS1hbHQ6YXV0byI+PHNwYW4gbGFuZz0iRU4tVVMiPldoYXQgZG8geW91IGd1eXMgdGhpbms/ PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1t YXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5n PSJFTi1VUyI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h bCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDph dXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+VGhhbmtzIGluIGFkdmFuY2UuPC9zcGFuPjxvOnA+PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDph dXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9 ImNvbG9yOiM4ODg4ODgiPi0tDQo8YnI+DQo8L3NwYW4+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxl PSJjb2xvcjojNEY4MUJEIj5CZXN0IHJlZ2FyZHMsIEFsZXhleSBTa29seWFyb3YgPC9zcGFuPg0K PHNwYW4gc3R5bGU9ImNvbG9yOiM4ODg4ODgiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2lu LWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJjb2xvcjojODg4ODg4 Ij4mbmJzcDs8L3NwYW4+PHNwYW4gc3R5bGU9ImNvbG9yOiM4ODg4ODgiPjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFy Z2luLWJvdHRvbToxMi4wcHQiPjxicj4NCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fPGJyPg0KT0F1dGggbWFpbGluZyBsaXN0PGJyPg0KPGEgaHJlZj0ibWFp bHRvOk9BdXRoQGlldGYub3JnIj5PQXV0aEBpZXRmLm9yZzwvYT48YnI+DQo8YSBocmVmPSJodHRw czovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoIiB0YXJnZXQ9Il9ibGFuayI+ aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aDwvYT48bzpwPjwvbzpw PjwvcD4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGJyPg0KPGJyIGNsZWFyPSJhbGwi Pg0KPGJyPg0KLS0gPGJyPg0KVGhlIEVsaXRlIEdlbnRsZW1hbjxvOnA+PC9vOnA+PC9wPg0KPC9k aXY+DQo8L2JvZHk+DQo8L2h0bWw+DQo= --_000_0433F58A304676408A8AF95199AFEB97CC157DMS2corpdinsru_-- From jricher@mitre.org Mon Dec 19 07:01:52 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECC7421F8AC9 for ; Mon, 19 Dec 2011 07:01:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.598 X-Spam-Level: X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n4ZNjz5V7lNW for ; Mon, 19 Dec 2011 07:01:50 -0800 (PST) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 4B02621F8A7E for ; Mon, 19 Dec 2011 07:01:50 -0800 (PST) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 830C621B152D; Mon, 19 Dec 2011 10:01:49 -0500 (EST) Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 37EE121B156C; Mon, 19 Dec 2011 10:01:49 -0500 (EST) Received: from [129.83.50.8] (129.83.31.51) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.1.339.1; Mon, 19 Dec 2011 10:01:48 -0500 Message-ID: <4EEF51BE.7080202@mitre.org> Date: Mon, 19 Dec 2011 10:01:18 -0500 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0 MIME-Version: 1.0 To: Alexey Skolyarov References: <0433F58A304676408A8AF95199AFEB97CC1506@MS2.corp.dins.ru> <0433F58A304676408A8AF95199AFEB97CC157D@MS2.corp.dins.ru> In-Reply-To: <0433F58A304676408A8AF95199AFEB97CC157D@MS2.corp.dins.ru> Content-Type: multipart/alternative; boundary="------------010902070007010909090108" X-Originating-IP: [129.83.31.51] Cc: "oauth@ietf.org" , Buhake Sindi Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 15:01:53 -0000 --------------010902070007010909090108 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit The spec already says that you can't repeat request parameters on the line like that, so that's an invalid_request error, as described in section 5.2: 5.2. Error Response The authorization server responds with an HTTP 400 (Bad Request) status code and includes the following parameters with the response: error REQUIRED. A single error code from the following: invalid_request The request is missing a required parameter, includes an unsupported parameter value, repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed. -- Justin On 12/19/2011 08:20 AM, Alexey Skolyarov wrote: > > Hello Buhake, > > Thanks for your answer! > > It seems I should explain a bit here -- I'm not about how to pass the > state with multiple values, I'm trying to figure out how the > OAuth-2.0-draft-22 -- compliant server should respond on duplication > of state request parameter. > > For instance what should be returned in response on following request: > > GET > /authorize?response_type=code&client_id=s6BhdRkqt3&*state=QWE*&*state=ASD*&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb > HTTP/1.1 > > Host: server.example.com > > It's unclear for me should it be > > HTTP/1.1 302 Found > > Location: https://client.example.com/cb?error=invalid_request (without > the state completely -- seems to be wrong beforehand) > > or > > HTTP/1.1 302 Found > > Location: > https://client.example.com/cb?error=invalid_request&state=QWE( or ASD > - one of passed states used) > > or > > HTTP/1.1 302 Found > > Location: > https://client.example.com/cb?error=invalid_request&state=QWE%20ASD > (both but violates the idea that state should be kept unchanged). > > I hope this example could make my question clearer. > > Thanks in advance. > > -- > Best regards, Alexey Skolyarov > > *From:*Buhake Sindi [mailto:buhake@googlemail.com] > *Sent:* Monday, December 19, 2011 4:53 PM > *To:* Alexey Skolyarov > *Subject:* Re: [OAUTH-WG] conflict: error response invalid_request and > state parameter duplication > > Hi Alexey, > > If I'm not mistaken, to declare multiple values in "state", the > document states that it should be space-delimited (" "). This is > unlike Facebook state which is comma-delimited. > > On 19 December 2011 14:41, Alexey Skolyarov > wrote: > > Hello everybody, > > Since this is my first post on this list, I'll say few words about whoami: > > My name is Alexey Skolyarov, I work in Saint-Petersburg, Russia. I'm > interested in OAuth2 because I found no v2 providers for Jersey > except Spring Security which is much more > complex than 1.0a implementation in Jersey-contrib. Currently I'm > under NDA, so I can't say more L > > Nevertheless we've done specification study and found a conflict -- in > last paragraph of section 3.1. "Authorization Endpoint" > it is > mentioned that "/Request and response parameters MUST NOT be included > more than once/". > > This statement conflicts with /state/ parameter definition in section > 4.1.2.1 "Error response" > , > where it's said that state is "/REQUIRED if a valid "state" parameter > was present in the client authorization request. The exact value > received from the client/". > > How passing /state=QWE&state=ASD/ inside same request should be > handled then? > > From one hand it is forbidden to process requests with multiple > parameter occurrences. > > But from another hand Specification requires to pass the state if it > was found in a request. > > Violation of any of these statements can be treated as "partial > compliance" to draft-22, so I'm in doubt what way is preferred there. > > What do you guys think? > > Thanks in advance. > > -- > Best regards, Alexey Skolyarov > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > -- > The Elite Gentleman > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------010902070007010909090108 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit The spec already says that you can't repeat request parameters on the line like that, so that's an invalid_request error, as described in section 5.2:

5.2.  Error Response


   The authorization server responds with an HTTP 400 (Bad Request)
   status code and includes the following parameters with the response:

   error
         REQUIRED.  A single error code from the following:
         invalid_request
               The request is missing a required parameter, includes an
               unsupported parameter value, repeats a parameter,
               includes multiple credentials, utilizes more than one
               mechanism for authenticating the client, or is otherwise
               malformed.


 -- Justin

On 12/19/2011 08:20 AM, Alexey Skolyarov wrote:

Hello Buhake,

 

Thanks for your answer!

It seems I should explain a bit here – I’m not about how to pass the state with multiple values, I’m trying to figure out how the OAuth-2.0-draft-22 – compliant server should respond on duplication of state request parameter.

 

For instance what should be returned in response on following request:

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=QWE&state=ASD&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1

Host: server.example.com

 

It’s unclear for me should it be

HTTP/1.1 302 Found

Location: https://client.example.com/cb?error=invalid_request (without the state completely – seems to be wrong beforehand)

or

HTTP/1.1 302 Found

Location: https://client.example.com/cb?error=invalid_request&state=QWE ( or ASD - one of passed states used)

or

HTTP/1.1 302 Found

Location: https://client.example.com/cb?error=invalid_request&state=QWE%20ASD (both but violates the idea that state should be kept unchanged).

 

I hope this example could make my question clearer.

 

Thanks in advance.

--
Best regards, Alexey Skolyarov

 

From: Buhake Sindi [mailto:buhake@googlemail.com]
Sent: Monday, December 19, 2011 4:53 PM
To: Alexey Skolyarov
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication

 

Hi Alexey,

If I'm not mistaken, to declare multiple values in "state", the document states that it should be space-delimited (" "). This is unlike Facebook state which is comma-delimited.

On 19 December 2011 14:41, Alexey Skolyarov <alexey.skolyarov@dins.ru> wrote:

Hello everybody,

 

Since this is my first post on this list, I’ll say few words about whoami:

My name is Alexey Skolyarov, I work in Saint-Petersburg, Russia. I’m interested in OAuth2 because I found no v2 providers for Jersey except Spring Security which is much more complex than 1.0a implementation in Jersey-contrib. Currently I’m under NDA, so I can’t say more L

 

Nevertheless we’ve done specification study and found a conflict – in last paragraph of section 3.1. "Authorization Endpoint" it is mentioned that “Request and response parameters MUST NOT be included more than once”.

This statement conflicts with state parameter definition in section 4.1.2.1 "Error response", where it’s said that state is “REQUIRED if a valid "state" parameter was present in the client  authorization request.  The exact value received from the client”.

 

How passing state=QWE&state=ASD inside same request should be handled then?

 

From one hand it is forbidden to process requests with multiple parameter occurrences.

But from another hand Specification requires to pass the state if it was found in a request.

Violation of any of these statements can be treated as “partial compliance” to draft-22, so I’m in doubt what way is preferred there.

 

What do you guys think?

 

Thanks in advance.

--
Best regards, Alexey Skolyarov

 


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




--
The Elite Gentleman



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------010902070007010909090108-- From zachary.zeltsan@alcatel-lucent.com Mon Dec 19 08:53:50 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4DE521F8B57 for ; Mon, 19 Dec 2011 08:53:50 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6+ac4oTZpRPR for ; Mon, 19 Dec 2011 08:53:50 -0800 (PST) Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by ietfa.amsl.com (Postfix) with ESMTP id 550E121F8A58 for ; Mon, 19 Dec 2011 08:53:50 -0800 (PST) Received: from usnavsmail3.ndc.alcatel-lucent.com (usnavsmail3.ndc.alcatel-lucent.com [135.3.39.11]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id pBJGrmZg012046 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 19 Dec 2011 10:53:49 -0600 (CST) Received: from USNAVSXCHHUB03.ndc.alcatel-lucent.com (usnavsxchhub03.ndc.alcatel-lucent.com [135.3.39.112]) by usnavsmail3.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id pBJGrmks001971 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Mon, 19 Dec 2011 10:53:48 -0600 Received: from USNAVSXCHMBSA3.ndc.alcatel-lucent.com ([135.3.39.127]) by USNAVSXCHHUB03.ndc.alcatel-lucent.com ([135.3.39.112]) with mapi; Mon, 19 Dec 2011 10:53:48 -0600 From: "Zeltsan, Zachary (Zachary)" To: "'Melvin Carvalho'" , "'oauth@ietf.org'" Date: Mon, 19 Dec 2011 10:53:45 -0600 Thread-Topic: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL) Thread-Index: Acy9p8pDqKGg01MWTNu5g63yTwKVawAw6PkQ Message-ID: <5710F82C0E73B04FA559560098BF95B1250CCD8DCC@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33 X-Scanned-By: MIMEDefang 2.64 on 135.3.39.11 Subject: Re: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 16:53:50 -0000 The user authentication and access control to the resources is out of the O= Auth scope.=20 The question is how to make a resource (e.g., a photo) accessible by the au= thorized clients C1,...,Cn. If each client has obtained a user's authorizat= ion for the scopes that include the photo, then all clients' access tokens = should enable them to access the photo. If for a client Ci the authorized s= cope does not include the photo, the client would need get a new user autho= rization.=20 The resource server would be a logical place for maintaining ACL. Zachary=20 -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of M= elvin Carvalho Sent: Sunday, December 18, 2011 12:06 PM To: oauth@ietf.org Subject: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL) Quick question. I was wondering if OAuth 2.0 can work with access control lists. For example there is a protected resource (e.g. a photo), and I want to set it up so that a two or more users (for example a group of friends) U1, U2 ... Un will be able to access it after authenticating. Is this kind of flow possibly with OAuth 2.0, and if so whose responsibility is it to maintain the list of agents than can access the resource? _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From mike@mtcc.com Mon Dec 19 09:18:37 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A40D21F8A4E for ; Mon, 19 Dec 2011 09:18:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c3UTHc8aG1K4 for ; Mon, 19 Dec 2011 09:18:36 -0800 (PST) Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id D0AFB21F84C5 for ; Mon, 19 Dec 2011 09:18:36 -0800 (PST) Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pBJHIYKF016930 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 19 Dec 2011 09:18:34 -0800 Message-ID: <4EEF71EA.3080200@mtcc.com> Date: Mon, 19 Dec 2011 09:18:34 -0800 From: Michael Thomas User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0 MIME-Version: 1.0 To: Paul Madsen References: <4EEF2BC4.7020409@gmail.com> In-Reply-To: <4EEF2BC4.7020409@gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1775; t=1324315115; x=1325179115; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20 |Subject:=20Re=3A=20[OAUTH-WG]=20Native=20clients=20&=20'co nfidentiality' |Sender:=20 |To:=20Paul=20Madsen=20 |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=zLaOYHMkDQiFwc/K99M+mKqfxAsMJOvkTwqqRq35yUs=; b=uUxy8DQcEaIBn3boYq3Ue4YLqHw7tRg+986S0OFiemIMU0pTLI0eN83QXT S1OYhLHHK6ZX/GCoAWeTnfcBps0LthwwHVfrZ3sHPCFktWvnLkm/xrymFHGQ 55/ldGQx0Z8UDQKHk2u0o7JRJwESnzeuODB3V94y+ECOB1IuMMsyU=; Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 17:18:37 -0000 On 12/19/2011 04:19 AM, Paul Madsen wrote: > Hi, the Online Media Authorization Protocol (OMAP) is a (as yet > unreleased) profile of OAuth 2.0 for online delivery of video content > based on a user's subscriptions (the TV Everywhere use case) > > We want to support both server & native mobile clients. It is for the > second class of clients that I'd appreciate some clarification of > 'confidentiality' as defined in OAuth 2. > > OAuth 2 distinguishes confidential & public clients based on their > ability to secure the credentials they'd use to authenticate to an AS > - confidential clients can protect those credentials, public clients > can't. > > Notwithstanding the above definition, the spec gives a degree of > discretion to the AS > > The client type designation is based on the authorization server's > definition of secure authentication and its acceptable exposure > levels of client credentials. > > > Give this discretion, is it practical for the OMAP spec to stipulate > that 'All Clients (both server & native mobile), MUST be > confidential', ie let each individual OMAP AS specify its own > requirements of clients and their ability to securely authenticate? Hi, Can you say exactly what your security requirements are before trying to determine which (if either) is the right answer? I've got some concerns in this area that I'm trying to understand and am not sure if they're related to your concern or not. Part of this is that I really don't understand what the difference is between a "public" client and a "confidential client" and rereading the draft isn't helping me. In particular, can a iPhone app with a UIWebView *ever* be a "confidential" client, and if so how? Mike From jricher@mitre.org Mon Dec 19 09:44:41 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 529AA1F0C57 for ; Mon, 19 Dec 2011 09:44:41 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.598 X-Spam-Level: X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K48LjqSkvyQ2 for ; Mon, 19 Dec 2011 09:44:40 -0800 (PST) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 3BC2F1F0C52 for ; Mon, 19 Dec 2011 09:44:40 -0800 (PST) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id F18CF21B1475; Mon, 19 Dec 2011 12:44:38 -0500 (EST) Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 94C7C21B0022; Mon, 19 Dec 2011 12:44:38 -0500 (EST) Received: from [129.83.50.8] (129.83.31.51) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.1.339.1; Mon, 19 Dec 2011 12:44:38 -0500 Message-ID: <4EEF77E7.6030808@mitre.org> Date: Mon, 19 Dec 2011 12:44:07 -0500 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0 MIME-Version: 1.0 To: Paul Madsen References: <4EEF2BC4.7020409@gmail.com> In-Reply-To: <4EEF2BC4.7020409@gmail.com> Content-Type: multipart/alternative; boundary="------------020808050703010806000708" X-Originating-IP: [129.83.31.51] Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 17:44:41 -0000 --------------020808050703010806000708 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit Native mobile clients can't really be confidential clients. The distinction between "public" and "confidential" clients is whether or not they can keep deployment-time secrets; which is to say, a client_secret. This is not to say that they can't keep *any* secrets. In particular those generated at runtime, like an access token or refresh token, could be held perfectly safe. But at the time the app is deployed to its running environment, you have to ask "who has access to its code and configuration?" Think of it this way. In the standard world, a native app gets copied to every device with the client_id and client_secret baked in. This makes the client_secret not very secret, and not at all unique. Anybody with access to the binary -- which is to say, every user -- could decompile the client_secret out of it and bake it into their *own* client, pretending to be your app and causing all kinds of havoc. This is a very different problem from somebody breaking into the token store and stealing an access token, which lets them only get to their own account. Compare this to a server-based app where the only ones with access to the binary and configuration are the administrators of the server, not the end users. It's a much more limited list of folks that can potentially see it, and therefore the client_secret can actually mean something and add a small extra layer of security. There are a few ways to mitigate this difference for public clients, such as using some kind of dynamic registration for all clients (which doesn't buy you much in terms of overall security) or putting up scary messages about native clients to try and educate your users. You can also use a trusted callback URL for your app on a hosted website that works in conjunction with your native app. This is actually the suggested use for the Implicit Flow, which was made for public clients in the browser. Native apps also have the concern of embedded browsers vs. external native browsers, and what trust the user puts into them. For all OAuth flows, you have to trust the browser provider on the platform of choice, since the user's going to be logging in directly through that browser. It's very much outside the scope of OAuth to make that world any better though, and there have been long and detailed discussions on this list about that very topic, leading to some concrete recommendations in the draft as it stands today. To answer your original query: I don't think that mandating one kind of client vs. the other will really help. OAuth 1.0 only had "confidential" clients, and that led to inane workarounds like Google's "anonymous/anonymous" client id/secret. Hope this helps. -- Justin On 12/19/2011 07:19 AM, Paul Madsen wrote: > Hi, the Online Media Authorization Protocol (OMAP) is a (as yet > unreleased) profile of OAuth 2.0 for online delivery of video content > based on a user's subscriptions (the TV Everywhere use case) > > We want to support both server & native mobile clients. It is for the > second class of clients that I'd appreciate some clarification of > 'confidentiality' as defined in OAuth 2. > > OAuth 2 distinguishes confidential & public clients based on their > ability to secure the credentials they'd use to authenticate to an AS > - confidential clients can protect those credentials, public clients > can't. > > Notwithstanding the above definition, the spec gives a degree of > discretion to the AS > > The client type designation is based on the authorization server's > definition of secure authentication and its acceptable exposure > levels of client credentials. > > > Give this discretion, is itpractical for the OMAP spec to stipulate > that 'All Clients (both server & native mobile), MUST be > confidential', ie let each individual OMAP AS specify its own > requirements of clients and their ability to securely authenticate? > > Is this consistent with the OAuth definition of confidentiality? > > Thanks > > Paul > > > > > > > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------020808050703010806000708 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Native mobile clients can't really be confidential clients.

The distinction between "public" and "confidential" clients is whether or not they can keep deployment-time secrets; which is to say, a client_secret. This is not to say that they can't keep *any* secrets. In particular those generated at runtime, like an access token or refresh token, could be held perfectly safe. But at the time the app is deployed to its running environment, you have to ask "who has access to its code and configuration?"

Think of it this way. In the standard world, a native app gets copied to every device with the client_id and client_secret baked in. This makes the client_secret not very secret, and not at all unique. Anybody with access to the binary -- which is to say, every user -- could decompile the client_secret out of it and bake it into their *own* client, pretending to be your app and causing all kinds of havoc. This is a very different problem from somebody breaking into the token store and stealing an access token, which lets them only get to their own account.

Compare this to a server-based app where the only ones with access to the binary and configuration are the administrators of the server, not the end users. It's a much more limited list of folks that can potentially see it, and therefore the client_secret can actually mean something and add a small extra layer of security.

There are a few ways to mitigate this difference for public clients, such as using some kind of dynamic registration for all clients (which doesn't buy you much in terms of overall security) or putting up scary messages about native clients to try and educate your users. You can also use a trusted callback URL for your app on a hosted website that works in conjunction with your native app. This is actually the suggested use for the Implicit Flow, which was made for public clients in the browser.

Native apps also have the concern of embedded browsers vs. external native browsers, and what trust the user puts into them. For all OAuth flows, you have to trust the browser provider on the platform of choice, since the user's going to be logging in directly through that browser. It's very much outside the scope of OAuth to make that world any better though, and there have been long and detailed discussions on this list about that very topic, leading to some concrete recommendations in the draft as it stands today.

To answer your original query: I don't think that mandating one kind of client vs. the other will really help. OAuth 1.0 only had "confidential" clients, and that led to inane workarounds like Google's "anonymous/anonymous" client id/secret.

Hope this helps.

 -- Justin

On 12/19/2011 07:19 AM, Paul Madsen wrote:
Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case)

We want to support both server & native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2.

OAuth 2 distinguishes confidential & public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't.

Notwithstanding the above definition, the spec gives a degree of discretion to the AS

 
   The client type designation is based on the authorization server's
   definition of secure authentication and its acceptable exposure
   levels of client credentials.
Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server & native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate?

Is this consistent with the OAuth definition of confidentiality?

Thanks

Paul









 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------020808050703010806000708-- From paul.madsen@gmail.com Mon Dec 19 09:51:00 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C377A21F8BA8 for ; Mon, 19 Dec 2011 09:51:00 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5+ApJBWuq0gF for ; Mon, 19 Dec 2011 09:51:00 -0800 (PST) Received: from mail-lpp01m010-f44.google.com (mail-lpp01m010-f44.google.com [209.85.215.44]) by ietfa.amsl.com (Postfix) with ESMTP id 64F3221F8BA6 for ; Mon, 19 Dec 2011 09:50:59 -0800 (PST) Received: by laah2 with SMTP id h2so2529462laa.31 for ; Mon, 19 Dec 2011 09:50:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=m5UJPAd1qDPGS1q95WU8fIBfC93JCxoSvGZ9hFznlFw=; b=K99bwA4C22Qulj72p+r1Pd68nJwIsqpHPD3ujDVo9hAE/hBg5gAWVU6RHrgQwpotqW YfjXlvooF8+Sf8RL7AvTfFw0MjjlnS+4Kx2LUwTg1QxRn5/qpv/ix35mn7/sFj1dHL2G JzU0Gur7j0CraqWY35sjCu2HdGM+svDSI4o7I= Received: by 10.152.134.50 with SMTP id ph18mr17387511lab.1.1324317058062; Mon, 19 Dec 2011 09:50:58 -0800 (PST) Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.168.159]) by mx.google.com with ESMTPS id lr3sm17459040lab.17.2011.12.19.09.50.54 (version=SSLv3 cipher=OTHER); Mon, 19 Dec 2011 09:50:56 -0800 (PST) Message-ID: <4EEF797D.4020608@gmail.com> Date: Mon, 19 Dec 2011 12:50:53 -0500 From: Paul Madsen User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Michael Thomas References: <4EEF2BC4.7020409@gmail.com> <4EEF71EA.3080200@mtcc.com> In-Reply-To: <4EEF71EA.3080200@mtcc.com> Content-Type: multipart/alternative; boundary="------------020800070702030909070700" Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 17:51:00 -0000 This is a multi-part message in MIME format. --------------020800070702030909070700 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Hi Mike, to some extent I think my question is not about specific security characteristics, but rather whether its realistic for our group to mandate that both server & native clients have the *same* security characteristics - particularly the ability to 'securely' authenticate to the AS on the token endpoint. thanks paul On 12/19/11 12:18 PM, Michael Thomas wrote: > On 12/19/2011 04:19 AM, Paul Madsen wrote: >> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet >> unreleased) profile of OAuth 2.0 for online delivery of video content >> based on a user's subscriptions (the TV Everywhere use case) >> >> We want to support both server & native mobile clients. It is for the >> second class of clients that I'd appreciate some clarification of >> 'confidentiality' as defined in OAuth 2. >> >> OAuth 2 distinguishes confidential & public clients based on their >> ability to secure the credentials they'd use to authenticate to an AS >> - confidential clients can protect those credentials, public clients >> can't. >> >> Notwithstanding the above definition, the spec gives a degree of >> discretion to the AS >> >> The client type designation is based on the authorization server's >> definition of secure authentication and its acceptable exposure >> levels of client credentials. >> >> >> Give this discretion, is it practical for the OMAP spec to stipulate >> that 'All Clients (both server & native mobile), MUST be >> confidential', ie let each individual OMAP AS specify its own >> requirements of clients and their ability to securely authenticate? > > Hi, > > Can you say exactly what your security requirements are before trying > to determine which > (if either) is the right answer? I've got some concerns in this area > that I'm trying to understand > and am not sure if they're related to your concern or not. Part of > this is that I really don't > understand what the difference is between a "public" client and a > "confidential client" and > rereading the draft isn't helping me. In particular, can a iPhone app > with a UIWebView *ever* > be a "confidential" client, and if so how? > > Mike --------------020800070702030909070700 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Hi Mike, to some extent I think my question is not about specific security characteristics, but rather whether its realistic for our group to mandate that both server & native clients have the *same* security characteristics - particularly the ability to 'securely' authenticate to the AS on the token endpoint.

thanks

paul

On 12/19/11 12:18 PM, Michael Thomas wrote:
On 12/19/2011 04:19 AM, Paul Madsen wrote:
Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case)

We want to support both server & native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2.

OAuth 2 distinguishes confidential & public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't.

Notwithstanding the above definition, the spec gives a degree of discretion to the AS

    The client type designation is based on the authorization server's
    definition of secure authentication and its acceptable exposure
    levels of client credentials.


Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server & native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate?

Hi,

Can you say exactly what your security requirements are before trying to determine which
(if either) is the right answer? I've got some concerns in this area that I'm trying to understand
and am not sure if they're related to your concern or not. Part of this is that I really don't
understand what the difference is between a "public" client and a "confidential client" and
rereading the draft isn't helping me. In particular, can a iPhone app with a UIWebView *ever*
be a "confidential" client, and if so how?

Mike
--------------020800070702030909070700-- From mike@mtcc.com Mon Dec 19 09:55:23 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C8A221F8BA6 for ; Mon, 19 Dec 2011 09:55:23 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mTqTfvyjMyhu for ; Mon, 19 Dec 2011 09:55:22 -0800 (PST) Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 3971D21F8BA8 for ; Mon, 19 Dec 2011 09:55:22 -0800 (PST) Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pBJHtJTA018423 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 19 Dec 2011 09:55:20 -0800 Message-ID: <4EEF7A87.5090100@mtcc.com> Date: Mon, 19 Dec 2011 09:55:19 -0800 From: Michael Thomas User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0 MIME-Version: 1.0 To: Justin Richer References: <4EEF2BC4.7020409@gmail.com> <4EEF77E7.6030808@mitre.org> In-Reply-To: <4EEF77E7.6030808@mitre.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1379; t=1324317320; x=1325181320; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20 |Subject:=20Re=3A=20[OAUTH-WG]=20Native=20clients=20&=20'co nfidentiality' |Sender:=20 |To:=20Justin=20Richer=20 |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=U1FTfLCZZ1z/Om2JPul9SNvU9bgK/ZRzefFVnwvy/xM=; b=myp9UdQuYJv3VfLhPJb7fooEJBGE+g6rkMMCFAfXiad+I/arQVPlsWAMOO SZPFcdRse/NwEKRcSs3RahWLyl0lL8ToqMQwNOt30upqN/friiMKDAw2VYLe 3tww1Ln7yUpB6DnB4dCfdoU7tTOsIxgKrCyqpmEbYbRG140SwPLjI=; Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 17:55:23 -0000 On 12/19/2011 09:44 AM, Justin Richer wrote: > Native mobile clients can't really be confidential clients. > > The distinction between "public" and "confidential" clients is whether > or not they can keep deployment-time secrets; which is to say, a > client_secret. This is not to say that they can't keep *any* secrets. > In particular those generated at runtime, like an access token or > refresh token, could be held perfectly safe. But at the time the app > is deployed to its running environment, you have to ask "who has > access to its code and configuration?" Ah, thank you. The draft could be a *lot* more explicit about that in its definitions. After reading it several times, I couldn't figure out who "public" was to whom. > Native apps also have the concern of embedded browsers vs. external > native browsers, and what trust the user puts into them. For all OAuth > flows, you have to trust the browser provider on the platform of > choice, since the user's going to be logging in directly through that > browser. It's very much outside the scope of OAuth to make that world > any better though, and there have been long and detailed discussions > on this list about that very topic, leading to some concrete > recommendations in the draft as it stands today. As far as I can tell, the recommendations don't work. Mike From wmills@yahoo-inc.com Mon Dec 19 09:58:05 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A25D21F8BB0 for ; Mon, 19 Dec 2011 09:58:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -15.091 X-Spam-Level: X-Spam-Status: No, score=-15.091 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_40=-0.185, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oUApRR0dYssD for ; Mon, 19 Dec 2011 09:58:04 -0800 (PST) Received: from nm8-vm0.bullet.mail.bf1.yahoo.com (nm8-vm0.bullet.mail.bf1.yahoo.com [98.139.213.95]) by ietfa.amsl.com (Postfix) with SMTP id 33E6721F8BAE for ; Mon, 19 Dec 2011 09:58:04 -0800 (PST) Received: from [98.139.212.153] by nm8.bullet.mail.bf1.yahoo.com with NNFMP; 19 Dec 2011 17:58:03 -0000 Received: from [98.139.212.248] by tm10.bullet.mail.bf1.yahoo.com with NNFMP; 19 Dec 2011 17:58:03 -0000 Received: from [127.0.0.1] by omp1057.mail.bf1.yahoo.com with NNFMP; 19 Dec 2011 17:58:03 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 609200.2758.bm@omp1057.mail.bf1.yahoo.com Received: (qmail 51172 invoked by uid 60001); 19 Dec 2011 17:58:03 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1324317482; bh=FYx2W/AVidEoGRcVlogq8Ljo5Djxp+f8NnKfY59ZAjQ=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=Wv+LnNGcS65LM4FMIq5YkskrHq2Dzi+AGbJHFxuk8mdIAcm2DNbww1G+7IBdxtXBBOLZ/IMksR/B3dgIbqx5eobQGUdS5Uz8B9ehKX4Xzvipgtn1CWshCd+9J4wAb+TiRO9rzdkgvrryti4vF1fbsrHVMU1XL1PvGZfLaq8vbd4= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=LdezZ1u5UdPz1a0IPiCn0h1SxVbboNWAcIXN9yuDtYAh6TpbSS7c73g4KGRwM+sYoDACuBL1OcALhnuuLW07CUbmEhZlm4iSQrM5g1uCgTjQnbWAteuK0BSceMg1ntv1Zv6cIGE50ISJYx8IaUBvQhHFV7voHyL4JteeABNlvpA=; X-YMail-OSG: aPvT568VM1k_eAE9ZAizWEJFe6ksjlkU2xN28tR7_77rAoZ OtBZ6hEWswJ.WGwIkfRSoZUmY9pnn4u.xjNxGtkbQzyTPzqbaKFuPjHJCp3S N9sTsBefIiEgQ9ezgoa0EJWpVgjKcr2V.q_zw79j2eMEmK4W.YXBWg0iib2l _0FojznAkf6mTgwsQW01TAu5386yOU3QPZVHpNeZJCVT0xuy8J3W.2VWaXL_ 0COE8sV4AxeVEZ0pzoupFSAGU0muhAX4QOUKcHhwlteplBRY4MzT89bqRT5i n3s.wNBQm3MA66U2Hf2q5Fbmb1V08L.lFRFtnwCq69R8ZUN11WaVULoSFWBw 8etyRPFL8N2lOmdwqGk1k8wDZNqJyvSMKZfdrXfTy6_wwc0xu9wzKmZNAXcM 7xNwFLNxGOt9_coANXga_JyrktRsrvC3kf8RfKw-- Received: from [209.131.62.115] by web31802.mail.mud.yahoo.com via HTTP; Mon, 19 Dec 2011 09:58:02 PST X-RocketYMMF: william_john_mills X-Mailer: YahooMailWebService/0.8.116.331537 References: Message-ID: <1324317482.46636.YahooMailNeo@web31802.mail.mud.yahoo.com> Date: Mon, 19 Dec 2011 09:58:02 -0800 (PST) From: William Mills To: Melvin Carvalho , "oauth@ietf.org" In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="-1036955950-2011670418-1324317482=:46636" Subject: Re: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: William Mills List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 17:58:05 -0000 ---1036955950-2011670418-1324317482=:46636 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Why do you need OAuth for that?=A0 You can apply the ACL after authenticati= on, OR you can also specifically issue credentials for access to the specif= ic resource, but this is a limited credential rather than applying a per us= er ACL.=0A=0A=0A=0A________________________________=0A From: Melvin Carvalh= o =0ATo: oauth@ietf.org =0ASent: Sunday, December= 18, 2011 9:05 AM=0ASubject: [OAUTH-WG] OAuth 2.0 and Access Control Lists = (ACL)=0A =0AQuick question.=A0 I was wondering if OAuth 2.0 can work with a= ccess=0Acontrol lists.=0A=0AFor example there is a protected resource (e.g.= a photo), and I want=0Ato set it up so that a two or more users (for examp= le a group of=0Afriends) U1, U2 ... Un will be able to access it after auth= enticating.=0A=0AIs this kind of flow possibly with OAuth 2.0, and if so wh= ose=0Aresponsibility is it to maintain the list of agents than can access= =0Athe resource?=0A_______________________________________________=0AOAuth = mailing list=0AOAuth@ietf.org=0Ahttps://www.ietf.org/mailman/listinfo/oauth ---1036955950-2011670418-1324317482=:46636 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
Why do you need OAuth for that?  You can apply the ACL after authent= ication, OR you can also specifically issue credentials for access to the s= pecific resource, but this is a limited credential rather than applying a p= er user ACL.

From: Melvin Carvalho <melvincarvalho@gmai= l.com>
To: oauth@ie= tf.org
Sent: Sunday, = December 18, 2011 9:05 AM
Subject= : [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL)
=0AQui= ck question.  I was wondering if OAuth 2.0 can work with access
con= trol lists.

For example there is a protected resource (e.g. a photo)= , and I want
to set it up so that a two or more users (for example a gro= up of
friends) U1, U2 ... Un will be able to access it after authenticat= ing.

Is this kind of flow possibly with OAuth 2.0, and if so whoseresponsibility is it to maintain the list of agents than can access
th= e resource?
_______________________________________________
OAuth mai= ling list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth<= br>

---1036955950-2011670418-1324317482=:46636-- From mike@mtcc.com Mon Dec 19 10:00:08 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3839A21F8BAE for ; Mon, 19 Dec 2011 10:00:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mKCCbWK9deE for ; Mon, 19 Dec 2011 10:00:07 -0800 (PST) Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 7A8CD21F8BAA for ; Mon, 19 Dec 2011 10:00:07 -0800 (PST) Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pBJI05Ou018620 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 19 Dec 2011 10:00:05 -0800 Message-ID: <4EEF7BA4.80907@mtcc.com> Date: Mon, 19 Dec 2011 10:00:04 -0800 From: Michael Thomas User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0 MIME-Version: 1.0 To: Paul Madsen References: <4EEF2BC4.7020409@gmail.com> <4EEF71EA.3080200@mtcc.com> <4EEF797D.4020608@gmail.com> In-Reply-To: <4EEF797D.4020608@gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2699; t=1324317606; x=1325181606; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20 |Subject:=20Re=3A=20[OAUTH-WG]=20Native=20clients=20&=20'co nfidentiality' |Sender:=20 |To:=20Paul=20Madsen=20 |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=Prv82I7B1KHpu5KBOH71CCm3WhjFXT7PbZAdXZfjfb8=; b=EDLW9WcGo7wW21tm8Tllm+36JS2/D17Mj/QkRrMB2TETH0b52sRs3mNhMw y6NLp6ENRkRC7mpGtDqNjJtM+q6ceHRdtGvdffu9UxrMuUrXXmeuYHlA+P19 gutX42VwNf4Ew/OE8sMNjjvkoy/i/KyR4qRsd86Up93O2lsS63hhs=; Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 18:00:08 -0000 On 12/19/2011 09:50 AM, Paul Madsen wrote: > Hi Mike, to some extent I think my question is not about specific > security characteristics, but rather whether its realistic for our > group to mandate that both server & native clients have the *same* > security characteristics - particularly the ability to 'securely' > authenticate to the AS on the token endpoint. Well given the explanation Justin just gave, they do not. As I understand your initial query, redefining a native/embedded app as "confidential" doesn't alter that reality. But my first question about requirements still is relevant: what are you trying to protect from whom, and what is the level of risk that your profile of oauth is willing to tolerate? Mike > > thanks > > paul > > On 12/19/11 12:18 PM, Michael Thomas wrote: >> On 12/19/2011 04:19 AM, Paul Madsen wrote: >>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet >>> unreleased) profile of OAuth 2.0 for online delivery of video >>> content based on a user's subscriptions (the TV Everywhere use case) >>> >>> We want to support both server & native mobile clients. It is for >>> the second class of clients that I'd appreciate some clarification >>> of 'confidentiality' as defined in OAuth 2. >>> >>> OAuth 2 distinguishes confidential & public clients based on their >>> ability to secure the credentials they'd use to authenticate to an >>> AS - confidential clients can protect those credentials, public >>> clients can't. >>> >>> Notwithstanding the above definition, the spec gives a degree of >>> discretion to the AS >>> >>> The client type designation is based on the authorization server's >>> definition of secure authentication and its acceptable exposure >>> levels of client credentials. >>> >>> >>> Give this discretion, is it practical for the OMAP spec to stipulate >>> that 'All Clients (both server & native mobile), MUST be >>> confidential', ie let each individual OMAP AS specify its own >>> requirements of clients and their ability to securely authenticate? >> >> Hi, >> >> Can you say exactly what your security requirements are before trying >> to determine which >> (if either) is the right answer? I've got some concerns in this area >> that I'm trying to understand >> and am not sure if they're related to your concern or not. Part of >> this is that I really don't >> understand what the difference is between a "public" client and a >> "confidential client" and >> rereading the draft isn't helping me. In particular, can a iPhone app >> with a UIWebView *ever* >> be a "confidential" client, and if so how? >> >> Mike From gffletch@aol.com Mon Dec 19 10:03:03 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6DAC21F85A7 for ; Mon, 19 Dec 2011 10:03:03 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.001 X-Spam-Level: X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CmUHJUBxRgJL for ; Mon, 19 Dec 2011 10:03:03 -0800 (PST) Received: from imr-db02.mx.aol.com (imr-db02.mx.aol.com [205.188.91.96]) by ietfa.amsl.com (Postfix) with ESMTP id 2B59421F858C for ; Mon, 19 Dec 2011 10:03:02 -0800 (PST) Received: from mtaout-db01.r1000.mx.aol.com (mtaout-db01.r1000.mx.aol.com [172.29.51.193]) by imr-db02.mx.aol.com (8.14.1/8.14.1) with ESMTP id pBJI2o3u000536; Mon, 19 Dec 2011 13:02:50 -0500 Received: from palantir.office.aol.com (palantir.office.aol.com [10.181.186.254]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-db01.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 46CC6E000606; Mon, 19 Dec 2011 13:02:50 -0500 (EST) Message-ID: <4EEF7C4B.2070405@aol.com> Date: Mon, 19 Dec 2011 13:02:51 -0500 From: George Fletcher Organization: AOL LLC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Melvin Carvalho References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit x-aol-global-disposition: G DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20110426; t=1324317770; bh=oMRTaEo9dYKe0n50uT/k9M3DZEePDb74OH6Wh6Btgaw=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=LElCrjYFbr1AhZmkxPwFt+MWU7iVQ9DW1/sg1ytznpKa+yKGxSCNjvcMF/tdjI/Y8 S3AI27Ww/Li5L88pvn9ei8E8gHzLP7HD671DVuK0L5Rfk471PNEXSLaSO3w36sqhQx q2y+hV919zkglxEs0QVwIpLjGdHbe66EVLStDyBQ= X-AOL-SCOLL-SCORE: 0:2:483121952:93952408 X-AOL-SCOLL-URL_COUNT: 0 x-aol-sid: 3039ac1d33c14eef7c4a4b0e X-AOL-IP: 10.181.186.254 Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 18:03:03 -0000 I would also recommend looking at User-Managed-Access which provides this kind of layer on top of OAuth2. http://kantarainitiative.org/confluence/display/uma/UMA+Explained Thanks, George On 12/18/11 12:05 PM, Melvin Carvalho wrote: > Quick question. I was wondering if OAuth 2.0 can work with access > control lists. > > For example there is a protected resource (e.g. a photo), and I want > to set it up so that a two or more users (for example a group of > friends) U1, U2 ... Un will be able to access it after authenticating. > > Is this kind of flow possibly with OAuth 2.0, and if so whose > responsibility is it to maintain the list of agents than can access > the resource? > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > From paul.madsen@gmail.com Mon Dec 19 10:09:58 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E39C121F8B47 for ; Mon, 19 Dec 2011 10:09:58 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 50i1qFAHQtH6 for ; Mon, 19 Dec 2011 10:09:58 -0800 (PST) Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id 8076C21F8B38 for ; Mon, 19 Dec 2011 10:09:57 -0800 (PST) Received: by faas1 with SMTP id s1so3884924faa.31 for ; Mon, 19 Dec 2011 10:09:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=o+skX1xydGT05xJ7D8Uk4eD8zQqfiw1Iqcl0BbcPhKU=; b=LS2EHMLbZYPgqgTwtXlGID6OYxlfcymtzOQpwRr8sa1VJsQEEyI91SF6pKCQIBXenj QNJdg2MId0Wijck1iOjOyta27TceNDMhLaQ/XF8PVKxanEu7jGnnBZ0ks3jgllG0Q+ti Mf6wFGzlI4G6wcjbHA/brW7BZXpY2QdY7LmoA= Received: by 10.180.83.69 with SMTP id o5mr1031381wiy.1.1324318194883; Mon, 19 Dec 2011 10:09:54 -0800 (PST) Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.168.159]) by mx.google.com with ESMTPS id ei9sm26854319wid.0.2011.12.19.10.09.52 (version=SSLv3 cipher=OTHER); Mon, 19 Dec 2011 10:09:53 -0800 (PST) Message-ID: <4EEF7DEF.6090009@gmail.com> Date: Mon, 19 Dec 2011 13:09:51 -0500 From: Paul Madsen User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Justin Richer References: <4EEF2BC4.7020409@gmail.com> <4EEF77E7.6030808@mitre.org> In-Reply-To: <4EEF77E7.6030808@mitre.org> Content-Type: multipart/alternative; boundary="------------090506070806000007020306" Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 18:09:59 -0000 This is a multi-part message in MIME format. --------------090506070806000007020306 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Thanks Justin, FWIW, I agree with your analysis Seems to me we have the following breakdown of clients - confidential server clients - confidential native clients (somewhat theoretical at the moment, assumes either 1) a client registration mechanism to deliver credentials post installation, such as OpenID Connects Client Registration spec, or 2) a distribution channel in which uniquely credentials can be packaged into the binary before delivery) - public clients (no option of client authn, but still possible to have some protection against token leakage via other mitigating mechanisms) thanks again paul On 12/19/11 12:44 PM, Justin Richer wrote: > Native mobile clients can't really be confidential clients. > > The distinction between "public" and "confidential" clients is whether > or not they can keep deployment-time secrets; which is to say, a > client_secret. This is not to say that they can't keep *any* secrets. > In particular those generated at runtime, like an access token or > refresh token, could be held perfectly safe. But at the time the app > is deployed to its running environment, you have to ask "who has > access to its code and configuration?" > > Think of it this way. In the standard world, a native app gets copied > to every device with the client_id and client_secret baked in. This > makes the client_secret not very secret, and not at all unique. > Anybody with access to the binary -- which is to say, every user -- > could decompile the client_secret out of it and bake it into their > *own* client, pretending to be your app and causing all kinds of > havoc. This is a very different problem from somebody breaking into > the token store and stealing an access token, which lets them only get > to their own account. > > Compare this to a server-based app where the only ones with access to > the binary and configuration are the administrators of the server, not > the end users. It's a much more limited list of folks that can > potentially see it, and therefore the client_secret can actually mean > something and add a small extra layer of security. > > There are a few ways to mitigate this difference for public clients, > such as using some kind of dynamic registration for all clients (which > doesn't buy you much in terms of overall security) or putting up scary > messages about native clients to try and educate your users. You can > also use a trusted callback URL for your app on a hosted website that > works in conjunction with your native app. This is actually the > suggested use for the Implicit Flow, which was made for public clients > in the browser. > > Native apps also have the concern of embedded browsers vs. external > native browsers, and what trust the user puts into them. For all OAuth > flows, you have to trust the browser provider on the platform of > choice, since the user's going to be logging in directly through that > browser. It's very much outside the scope of OAuth to make that world > any better though, and there have been long and detailed discussions > on this list about that very topic, leading to some concrete > recommendations in the draft as it stands today. > > To answer your original query: I don't think that mandating one kind > of client vs. the other will really help. OAuth 1.0 only had > "confidential" clients, and that led to inane workarounds like > Google's "anonymous/anonymous" client id/secret. > > Hope this helps. > > -- Justin > > On 12/19/2011 07:19 AM, Paul Madsen wrote: >> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet >> unreleased) profile of OAuth 2.0 for online delivery of video content >> based on a user's subscriptions (the TV Everywhere use case) >> >> We want to support both server & native mobile clients. It is for the >> second class of clients that I'd appreciate some clarification of >> 'confidentiality' as defined in OAuth 2. >> >> OAuth 2 distinguishes confidential & public clients based on their >> ability to secure the credentials they'd use to authenticate to an AS >> - confidential clients can protect those credentials, public clients >> can't. >> >> Notwithstanding the above definition, the spec gives a degree of >> discretion to the AS >> >> The client type designation is based on the authorization server's >> definition of secure authentication and its acceptable exposure >> levels of client credentials. >> >> >> Give this discretion, is itpractical for the OMAP spec to stipulate >> that 'All Clients (both server & native mobile), MUST be >> confidential', ie let each individual OMAP AS specify its own >> requirements of clients and their ability to securely authenticate? >> >> Is this consistent with the OAuth definition of confidentiality? >> >> Thanks >> >> Paul >> >> >> >> >> >> >> >> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > --------------090506070806000007020306 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Thanks Justin, FWIW, I agree with your analysis

Seems to me we have the following breakdown of clients

- confidential server clients

- confidential native clients (somewhat theoretical at the moment, assumes either 1) a client registration mechanism to deliver credentials post installation, such as OpenID Connects Client Registration spec, or 2) a distribution channel in which uniquely credentials can be packaged into the binary before delivery)

- public clients (no option of client authn, but still possible to have some protection against token leakage via other mitigating mechanisms)

thanks again

paul

On 12/19/11 12:44 PM, Justin Richer wrote:
Native mobile clients can't really be confidential clients.

The distinction between "public" and "confidential" clients is whether or not they can keep deployment-time secrets; which is to say, a client_secret. This is not to say that they can't keep *any* secrets. In particular those generated at runtime, like an access token or refresh token, could be held perfectly safe. But at the time the app is deployed to its running environment, you have to ask "who has access to its code and configuration?"

Think of it this way. In the standard world, a native app gets copied to every device with the client_id and client_secret baked in. This makes the client_secret not very secret, and not at all unique. Anybody with access to the binary -- which is to say, every user -- could decompile the client_secret out of it and bake it into their *own* client, pretending to be your app and causing all kinds of havoc. This is a very different problem from somebody breaking into the token store and stealing an access token, which lets them only get to their own account.

Compare this to a server-based app where the only ones with access to the binary and configuration are the administrators of the server, not the end users. It's a much more limited list of folks that can potentially see it, and therefore the client_secret can actually mean something and add a small extra layer of security.

There are a few ways to mitigate this difference for public clients, such as using some kind of dynamic registration for all clients (which doesn't buy you much in terms of overall security) or putting up scary messages about native clients to try and educate your users. You can also use a trusted callback URL for your app on a hosted website that works in conjunction with your native app. This is actually the suggested use for the Implicit Flow, which was made for public clients in the browser.

Native apps also have the concern of embedded browsers vs. external native browsers, and what trust the user puts into them. For all OAuth flows, you have to trust the browser provider on the platform of choice, since the user's going to be logging in directly through that browser. It's very much outside the scope of OAuth to make that world any better though, and there have been long and detailed discussions on this list about that very topic, leading to some concrete recommendations in the draft as it stands today.

To answer your original query: I don't think that mandating one kind of client vs. the other will really help. OAuth 1.0 only had "confidential" clients, and that led to inane workarounds like Google's "anonymous/anonymous" client id/secret.

Hope this helps.

 -- Justin

On 12/19/2011 07:19 AM, Paul Madsen wrote:
Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case)

We want to support both server & native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2.

OAuth 2 distinguishes confidential & public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't.

Notwithstanding the above definition, the spec gives a degree of discretion to the AS

 
   The client type designation is based on the authorization server's
   definition of secure authentication and its acceptable exposure
   levels of client credentials.
Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server & native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate?

Is this consistent with the OAuth definition of confidentiality?

Thanks

Paul









 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------090506070806000007020306-- From paul.madsen@gmail.com Mon Dec 19 10:20:52 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B26721F8B81 for ; Mon, 19 Dec 2011 10:20:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bhcB7+8lGZ+g for ; Mon, 19 Dec 2011 10:20:51 -0800 (PST) Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 72AAE21F8B82 for ; Mon, 19 Dec 2011 10:20:51 -0800 (PST) Received: by wgbdr13 with SMTP id dr13so8502833wgb.13 for ; Mon, 19 Dec 2011 10:20:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=hkS1GFEXj1IvYBigtMTJsG6HPAv6fWnVCA3HWvlRmUQ=; b=enOqzPi+jst5j8nU7T9OhwivjDt+RWcVgEWQn2RQOE5GhZh3znVW0ufpuDIa2sQBGK FmXXIRFjsJi0Z7XtgW3cXJ8BGVO7rJR54HfjnduH3BJzWQl7joHm8WplwshCOgXdf1Qe +A/u1R0Ve3ZlA4d+JSEbXIp+E7YOnYWIjVJvE= Received: by 10.227.209.66 with SMTP id gf2mr12935522wbb.20.1324318850621; Mon, 19 Dec 2011 10:20:50 -0800 (PST) Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.168.159]) by mx.google.com with ESMTPS id en20sm26869008wid.10.2011.12.19.10.20.48 (version=SSLv3 cipher=OTHER); Mon, 19 Dec 2011 10:20:49 -0800 (PST) Message-ID: <4EEF807E.30806@gmail.com> Date: Mon, 19 Dec 2011 13:20:46 -0500 From: Paul Madsen User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Michael Thomas References: <4EEF2BC4.7020409@gmail.com> <4EEF71EA.3080200@mtcc.com> <4EEF797D.4020608@gmail.com> <4EEF7BA4.80907@mtcc.com> In-Reply-To: <4EEF7BA4.80907@mtcc.com> Content-Type: multipart/alternative; boundary="------------050206080509020205020406" Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 18:20:52 -0000 This is a multi-part message in MIME format. --------------050206080509020205020406 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit our bearer access tokens (JWT formatted) encapsulate a set of content permissions, and serve to authorize the entity presenting them to the corresponding video content. We dont want those tokens falling into the wrong hands, and so want to prevent an attacker being able to impersonate a valid client and trade an authz code for the token. *Ideally*, all our clients would be confidential, and so capable of authenticating to the AS to prevent/mitigate the above risk thanks paul On 12/19/11 1:00 PM, Michael Thomas wrote: > On 12/19/2011 09:50 AM, Paul Madsen wrote: >> Hi Mike, to some extent I think my question is not about specific >> security characteristics, but rather whether its realistic for our >> group to mandate that both server & native clients have the *same* >> security characteristics - particularly the ability to 'securely' >> authenticate to the AS on the token endpoint. > > Well given the explanation Justin just gave, they do not. As I understand > your initial query, redefining a native/embedded app as "confidential" > doesn't > alter that reality. But my first question about requirements still is > relevant: > what are you trying to protect from whom, and what is the level of > risk that > your profile of oauth is willing to tolerate? > > Mike > >> >> thanks >> >> paul >> >> On 12/19/11 12:18 PM, Michael Thomas wrote: >>> On 12/19/2011 04:19 AM, Paul Madsen wrote: >>>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet >>>> unreleased) profile of OAuth 2.0 for online delivery of video >>>> content based on a user's subscriptions (the TV Everywhere use case) >>>> >>>> We want to support both server & native mobile clients. It is for >>>> the second class of clients that I'd appreciate some clarification >>>> of 'confidentiality' as defined in OAuth 2. >>>> >>>> OAuth 2 distinguishes confidential & public clients based on their >>>> ability to secure the credentials they'd use to authenticate to an >>>> AS - confidential clients can protect those credentials, public >>>> clients can't. >>>> >>>> Notwithstanding the above definition, the spec gives a degree of >>>> discretion to the AS >>>> >>>> The client type designation is based on the authorization server's >>>> definition of secure authentication and its acceptable exposure >>>> levels of client credentials. >>>> >>>> >>>> Give this discretion, is it practical for the OMAP spec to >>>> stipulate that 'All Clients (both server & native mobile), MUST be >>>> confidential', ie let each individual OMAP AS specify its own >>>> requirements of clients and their ability to securely authenticate? >>> >>> Hi, >>> >>> Can you say exactly what your security requirements are before >>> trying to determine which >>> (if either) is the right answer? I've got some concerns in this area >>> that I'm trying to understand >>> and am not sure if they're related to your concern or not. Part of >>> this is that I really don't >>> understand what the difference is between a "public" client and a >>> "confidential client" and >>> rereading the draft isn't helping me. In particular, can a iPhone >>> app with a UIWebView *ever* >>> be a "confidential" client, and if so how? >>> >>> Mike > --------------050206080509020205020406 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit our bearer access tokens (JWT formatted) encapsulate a set of content permissions, and serve to authorize the entity presenting them to the corresponding video content.

We dont want those tokens falling into the wrong hands, and so want to prevent an attacker being able to impersonate a valid client and trade an authz code for the token.

*Ideally*, all our clients would be confidential, and so capable of authenticating to the AS to prevent/mitigate the above risk

thanks

paul

On 12/19/11 1:00 PM, Michael Thomas wrote:
On 12/19/2011 09:50 AM, Paul Madsen wrote:
Hi Mike, to some extent I think my question is not about specific security characteristics, but rather whether its realistic for our group to mandate that both server & native clients have the *same* security characteristics - particularly the ability to 'securely' authenticate to the AS on the token endpoint.

Well given the explanation Justin just gave, they do not. As I understand
your initial query, redefining a native/embedded app as "confidential" doesn't
alter that reality. But my first question about requirements still is relevant:
what are you trying to protect from whom, and what is the level of risk that
your profile of oauth is willing to tolerate?

Mike


thanks

paul

On 12/19/11 12:18 PM, Michael Thomas wrote:
On 12/19/2011 04:19 AM, Paul Madsen wrote:
Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case)

We want to support both server & native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2.

OAuth 2 distinguishes confidential & public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't.

Notwithstanding the above definition, the spec gives a degree of discretion to the AS

    The client type designation is based on the authorization server's
    definition of secure authentication and its acceptable exposure
    levels of client credentials.


Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server & native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate?

Hi,

Can you say exactly what your security requirements are before trying to determine which
(if either) is the right answer? I've got some concerns in this area that I'm trying to understand
and am not sure if they're related to your concern or not. Part of this is that I really don't
understand what the difference is between a "public" client and a "confidential client" and
rereading the draft isn't helping me. In particular, can a iPhone app with a UIWebView *ever*
be a "confidential" client, and if so how?

Mike

--------------050206080509020205020406-- From mike@mtcc.com Mon Dec 19 10:38:47 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6F721F0C51 for ; Mon, 19 Dec 2011 10:38:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yPGXPEHxI585 for ; Mon, 19 Dec 2011 10:38:46 -0800 (PST) Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 85B161F0C40 for ; Mon, 19 Dec 2011 10:38:46 -0800 (PST) Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pBJIch74020483 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 19 Dec 2011 10:38:44 -0800 Message-ID: <4EEF84B3.5060800@mtcc.com> Date: Mon, 19 Dec 2011 10:38:43 -0800 From: Michael Thomas User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0 MIME-Version: 1.0 To: Paul Madsen References: <4EEF2BC4.7020409@gmail.com> <4EEF71EA.3080200@mtcc.com> <4EEF797D.4020608@gmail.com> <4EEF7BA4.80907@mtcc.com> <4EEF807E.30806@gmail.com> In-Reply-To: <4EEF807E.30806@gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4243; t=1324319924; x=1325183924; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20 |Subject:=20Re=3A=20[OAUTH-WG]=20Native=20clients=20&=20'co nfidentiality' |Sender:=20 |To:=20Paul=20Madsen=20 |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=6UiivQF0MO9m6e4Ygs1VFMt4B5nO10+3H54XLRS7204=; b=LkuK2mCEFhY79ryl14pWZnNmtmV4vQGcnloaPSZ4fPzdAqM9ApRUUt/E6f E10QJ6/SqfA2G2S69fACE0EPnCsfS7VaFrovD5CORsWQXM2faID5NxsWNHDx kx4P6Sm4OpqX4s9MYxdlXtwmFhIsJL03o/Lq+tdKniaENVA2QKf7Q=; Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 18:38:48 -0000 On 12/19/2011 10:20 AM, Paul Madsen wrote: > our bearer access tokens (JWT formatted) encapsulate a set of content > permissions, and serve to authorize the entity presenting them to the > corresponding video content. > > We dont want those tokens falling into the wrong hands, and so want to > prevent an attacker being able to impersonate a valid client and trade > an authz code for the token. > > *Ideally*, all our clients would be confidential, and so capable of > authenticating to the AS to prevent/mitigate the above risk If there's any incentive at all to decompile an .apk (for example) and steal the client secret, you can be guaranteed that somebody will do that. Consider also that most developers area going to use whatever sample code there is and do just about nothing to hide the key as best they can regardless of how many warnings you put in your sample code. So the attack is not likely to even be particularly difficult. Is it really too much to ask app developers to spend $7/month for a shared hosting service to keep their client secret a lot more secure? Another thing to consider: in your client enrollment process how would you insure/police that they are actually in compliance that it actually is actually coming from confidential client? Mike > > thanks > > paul > > On 12/19/11 1:00 PM, Michael Thomas wrote: >> On 12/19/2011 09:50 AM, Paul Madsen wrote: >>> Hi Mike, to some extent I think my question is not about specific >>> security characteristics, but rather whether its realistic for our >>> group to mandate that both server & native clients have the *same* >>> security characteristics - particularly the ability to 'securely' >>> authenticate to the AS on the token endpoint. >> >> Well given the explanation Justin just gave, they do not. As I >> understand >> your initial query, redefining a native/embedded app as >> "confidential" doesn't >> alter that reality. But my first question about requirements still is >> relevant: >> what are you trying to protect from whom, and what is the level of >> risk that >> your profile of oauth is willing to tolerate? >> >> Mike >> >>> >>> thanks >>> >>> paul >>> >>> On 12/19/11 12:18 PM, Michael Thomas wrote: >>>> On 12/19/2011 04:19 AM, Paul Madsen wrote: >>>>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet >>>>> unreleased) profile of OAuth 2.0 for online delivery of video >>>>> content based on a user's subscriptions (the TV Everywhere use case) >>>>> >>>>> We want to support both server & native mobile clients. It is for >>>>> the second class of clients that I'd appreciate some clarification >>>>> of 'confidentiality' as defined in OAuth 2. >>>>> >>>>> OAuth 2 distinguishes confidential & public clients based on their >>>>> ability to secure the credentials they'd use to authenticate to an >>>>> AS - confidential clients can protect those credentials, public >>>>> clients can't. >>>>> >>>>> Notwithstanding the above definition, the spec gives a degree of >>>>> discretion to the AS >>>>> >>>>> The client type designation is based on the authorization >>>>> server's >>>>> definition of secure authentication and its acceptable exposure >>>>> levels of client credentials. >>>>> >>>>> >>>>> Give this discretion, is it practical for the OMAP spec to >>>>> stipulate that 'All Clients (both server & native mobile), MUST be >>>>> confidential', ie let each individual OMAP AS specify its own >>>>> requirements of clients and their ability to securely authenticate? >>>> >>>> Hi, >>>> >>>> Can you say exactly what your security requirements are before >>>> trying to determine which >>>> (if either) is the right answer? I've got some concerns in this >>>> area that I'm trying to understand >>>> and am not sure if they're related to your concern or not. Part of >>>> this is that I really don't >>>> understand what the difference is between a "public" client and a >>>> "confidential client" and >>>> rereading the draft isn't helping me. In particular, can a iPhone >>>> app with a UIWebView *ever* >>>> be a "confidential" client, and if so how? >>>> >>>> Mike >> From tonynad@microsoft.com Mon Dec 19 10:48:47 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4995E11E80A0 for ; Mon, 19 Dec 2011 10:48:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.466 X-Spam-Level: X-Spam-Status: No, score=-0.466 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eSzt7eW3JdH7 for ; Mon, 19 Dec 2011 10:48:44 -0800 (PST) Received: from DB3EHSOBE006.bigfish.com (db3ehsobe006.messaging.microsoft.com [213.199.154.144]) by ietfa.amsl.com (Postfix) with ESMTP id BD96611E809D for ; Mon, 19 Dec 2011 10:48:43 -0800 (PST) Received: from mail59-db3-R.bigfish.com (10.3.81.243) by DB3EHSOBE006.bigfish.com (10.3.84.26) with Microsoft SMTP Server id 14.1.225.23; Mon, 19 Dec 2011 18:48:36 +0000 Received: from mail59-db3 (localhost [127.0.0.1]) by mail59-db3-R.bigfish.com (Postfix) with ESMTP id 0B940C03AF for ; Mon, 19 Dec 2011 18:49:00 +0000 (UTC) X-SpamScore: -27 X-BigFish: VS-27(zzbb2dI9371Ic85fh328cM98dKzz1202h1082kzz1033IL8275bh8275dhz2fh2a8h683h839h) X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC103.redmond.corp.microsoft.com; RD:none; EFVD:NLI X-FB-SS: 13, Received-SPF: pass (mail59-db3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=tonynad@microsoft.com; helo=TK5EX14MLTC103.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail59-db3 (localhost.localdomain [127.0.0.1]) by mail59-db3 (MessageSwitch) id 1324320539599753_3679; Mon, 19 Dec 2011 18:48:59 +0000 (UTC) Received: from DB3EHSMHS007.bigfish.com (unknown [10.3.81.243]) by mail59-db3.bigfish.com (Postfix) with ESMTP id 7F757660077 for ; Mon, 19 Dec 2011 18:48:59 +0000 (UTC) Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (131.107.125.8) by DB3EHSMHS007.bigfish.com (10.3.87.107) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 19 Dec 2011 18:48:34 +0000 Received: from TX2EHSOBE001.bigfish.com (157.54.51.80) by mail.microsoft.com (157.54.79.174) with Microsoft SMTP Server (TLS) id 14.2.247.5; Mon, 19 Dec 2011 10:48:33 -0800 Received: from mail110-tx2-R.bigfish.com (10.9.14.235) by TX2EHSOBE001.bigfish.com (10.9.40.21) with Microsoft SMTP Server id 14.1.225.23; Mon, 19 Dec 2011 18:47:55 +0000 Received: from mail110-tx2 (localhost [127.0.0.1]) by mail110-tx2-R.bigfish.com (Postfix) with ESMTP id 518644C01A5 for ; Mon, 19 Dec 2011 18:48:20 +0000 (UTC) X-Spam-TCS-SCL: 0:0 Received: from mail110-tx2 (localhost.localdomain [127.0.0.1]) by mail110-tx2 (MessageSwitch) id 1324320499759961_5915; Mon, 19 Dec 2011 18:48:19 +0000 (UTC) Received: from TX2EHSMHS035.bigfish.com (unknown [10.9.14.240]) by mail110-tx2.bigfish.com (Postfix) with ESMTP id B29EE440056; Mon, 19 Dec 2011 18:48:19 +0000 (UTC) Received: from BL2PRD0310HT004.namprd03.prod.outlook.com (157.56.240.21) by TX2EHSMHS035.bigfish.com (10.9.99.135) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 19 Dec 2011 18:47:53 +0000 Received: from BL2PRD0310MB362.namprd03.prod.outlook.com ([169.254.10.172]) by BL2PRD0310HT004.namprd03.prod.outlook.com ([10.255.97.39]) with mapi id 14.16.0094.000; Mon, 19 Dec 2011 18:47:59 +0000 From: Anthony Nadalin To: Justin Richer , Paul Madsen Thread-Topic: [OAUTH-WG] Native clients & 'confidentiality' Thread-Index: AQHMvkh3Hw6jtbvAKECl8r4+p6HRs5XjbwuAgAAO/CA= Date: Mon, 19 Dec 2011 18:47:57 +0000 Message-ID: References: <4EEF2BC4.7020409@gmail.com> <4EEF77E7.6030808@mitre.org> In-Reply-To: <4EEF77E7.6030808@mitre.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [50.46.126.7] Content-Type: multipart/alternative; boundary="_000_B26C1EF377CB694EAB6BDDC8E624B6E73BFD93AEBL2PRD0310MB362_" MIME-Version: 1.0 X-OrganizationHeadersPreserved: BL2PRD0310HT004.namprd03.prod.outlook.com X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn% X-FOPE-CONNECTOR: Id%59$Dn%MITRE.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn% X-FOPE-CONNECTOR: Id%59$Dn%GMAIL.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn% X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn% X-CrossPremisesHeadersPromoted: TK5EX14MLTC103.redmond.corp.microsoft.com X-CrossPremisesHeadersFiltered: TK5EX14MLTC103.redmond.corp.microsoft.com X-OriginatorOrg: microsoft.com Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 18:48:47 -0000 --_000_B26C1EF377CB694EAB6BDDC8E624B6E73BFD93AEBL2PRD0310MB362_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Not really sure how you came to the conclusion that native mobile clients c= an't be confidential? As pointed out in section 3.7 of the http://www.ietf.= org/id/draft-ietf-oauth-v2-threatmodel-01.txt there are guidelines that con= fidential clients should follow, but does not distinguish between native cl= ients or native mobile clients. From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of J= ustin Richer Sent: Monday, December 19, 2011 9:44 AM To: Paul Madsen Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' Native mobile clients can't really be confidential clients. The distinction between "public" and "confidential" clients is whether or n= ot they can keep deployment-time secrets; which is to say, a client_secret.= This is not to say that they can't keep *any* secrets. In particular those= generated at runtime, like an access token or refresh token, could be held= perfectly safe. But at the time the app is deployed to its running environ= ment, you have to ask "who has access to its code and configuration?" Think of it this way. In the standard world, a native app gets copied to ev= ery device with the client_id and client_secret baked in. This makes the cl= ient_secret not very secret, and not at all unique. Anybody with access to = the binary -- which is to say, every user -- could decompile the client_sec= ret out of it and bake it into their *own* client, pretending to be your ap= p and causing all kinds of havoc. This is a very different problem from som= ebody breaking into the token store and stealing an access token, which let= s them only get to their own account. Compare this to a server-based app where the only ones with access to the b= inary and configuration are the administrators of the server, not the end u= sers. It's a much more limited list of folks that can potentially see it, a= nd therefore the client_secret can actually mean something and add a small = extra layer of security. There are a few ways to mitigate this difference for public clients, such a= s using some kind of dynamic registration for all clients (which doesn't bu= y you much in terms of overall security) or putting up scary messages about= native clients to try and educate your users. You can also use a trusted c= allback URL for your app on a hosted website that works in conjunction with= your native app. This is actually the suggested use for the Implicit Flow,= which was made for public clients in the browser. Native apps also have the concern of embedded browsers vs. external native = browsers, and what trust the user puts into them. For all OAuth flows, you = have to trust the browser provider on the platform of choice, since the use= r's going to be logging in directly through that browser. It's very much ou= tside the scope of OAuth to make that world any better though, and there ha= ve been long and detailed discussions on this list about that very topic, l= eading to some concrete recommendations in the draft as it stands today. To answer your original query: I don't think that mandating one kind of cli= ent vs. the other will really help. OAuth 1.0 only had "confidential" clien= ts, and that led to inane workarounds like Google's "anonymous/anonymous" c= lient id/secret. Hope this helps. -- Justin On 12/19/2011 07:19 AM, Paul Madsen wrote: Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased)= profile of OAuth 2.0 for online delivery of video content based on a user'= s subscriptions (the TV Everywhere use case) We want to support both server & native mobile clients. It is for the secon= d class of clients that I'd appreciate some clarification of 'confidentiali= ty' as defined in OAuth 2. OAuth 2 distinguishes confidential & public clients based on their ability = to secure the credentials they'd use to authenticate to an AS - confidentia= l clients can protect those credentials, public clients can't. Notwithstanding the above definition, the spec gives a degree of discretion= to the AS The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. Give this discretion, is it practical for the OMAP spec to stipulate that '= All Clients (both server & native mobile), MUST be confidential', ie let ea= ch individual OMAP AS specify its own requirements of clients and their abi= lity to securely authenticate? Is this consistent with the OAuth definition of confidentiality? Thanks Paul _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_B26C1EF377CB694EAB6BDDC8E624B6E73BFD93AEBL2PRD0310MB362_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Not really sure how you c= ame to the conclusion that native mobile clients can’t be confidentia= l? As pointed out in section 3.7 of the h= ttp://www.ietf.org/id/draft-ietf-oauth-v2-threatmodel-01.txt there are = guidelines that confidential clients should follow, but does not distinguis= h between native clients or native mobile clients.

 <= /p>

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf= .org] On Behalf Of Justin Richer
Sent: Monday, December 19, 2011 9:44 AM
To: Paul Madsen
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Native clients & 'confidentiality'<= /o:p>

 

Native mobile clients can't really be confidential c= lients.

The distinction between "public" and "confidential" cli= ents is whether or not they can keep deployment-time secrets; which is to s= ay, a client_secret. This is not to say that they can't keep *any* secrets.= In particular those generated at runtime, like an access token or refresh token, could be held perfectly safe. But at the time the = app is deployed to its running environment, you have to ask "who has a= ccess to its code and configuration?"

Think of it this way. In the standard world, a native app gets copied to ev= ery device with the client_id and client_secret baked in. This makes the cl= ient_secret not very secret, and not at all unique. Anybody with access to = the binary -- which is to say, every user -- could decompile the client_secret out of it and bake it into their= *own* client, pretending to be your app and causing all kinds of havoc. Th= is is a very different problem from somebody breaking into the token store = and stealing an access token, which lets them only get to their own account.

Compare this to a server-based app where the only ones with access to the b= inary and configuration are the administrators of the server, not the end u= sers. It's a much more limited list of folks that can potentially see it, a= nd therefore the client_secret can actually mean something and add a small extra layer of security.

There are a few ways to mitigate this difference for public clients, such a= s using some kind of dynamic registration for all clients (which doesn't bu= y you much in terms of overall security) or putting up scary messages about= native clients to try and educate your users. You can also use a trusted callback URL for your app on a host= ed website that works in conjunction with your native app. This is actually= the suggested use for the Implicit Flow, which was made for public clients= in the browser.

Native apps also have the concern of embedded browsers vs. external native = browsers, and what trust the user puts into them. For all OAuth flows, you = have to trust the browser provider on the platform of choice, since the use= r's going to be logging in directly through that browser. It's very much outside the scope of OAuth to make th= at world any better though, and there have been long and detailed discussio= ns on this list about that very topic, leading to some concrete recommendat= ions in the draft as it stands today.

To answer your original query: I don't think that mandating one kind of cli= ent vs. the other will really help. OAuth 1.0 only had "confidential&q= uot; clients, and that led to inane workarounds like Google's "anonymo= us/anonymous" client id/secret.

Hope this helps.

 -- Justin

On 12/19/2011 07:19 AM, Paul Madsen wrote:

Hi, the Online Media Authorization Protocol (OMAP) is a (a= s yet unreleased) profile of OAuth 2.0 for online delivery of video content= based on a user's subscriptions (the TV Everywhere use case)

We want to support both server & native mobile clients. It is for the s= econd class of clients that I'd appreciate some clarification of 'confident= iality' as defined in OAuth 2.

OAuth 2 distinguishes confidential & public clients based on their abil= ity to secure the credentials they'd use to authenticate to an AS - confide= ntial clients can protect those credentials, public clients can't.

Notwithstanding the above definition, the spec gives a degree of discretion= to the AS


&n=
bsp;  The client type designation is based on the authorization server=
's
&n=
bsp;  definition of secure authentication and its acceptable exposure<=
o:p>
&n=
bsp;  levels of client credentials.
 
 =

Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server &a= mp; native mobile), MUST be confidential', ie let each individual OMAP AS s= pecify its own requirements of clients and their ability to securely authenticate?

Is this consistent with the OAuth definition of confidentiality?

Thanks

Paul












_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ie=
tf.org/mailman/listinfo/oauth

 

--_000_B26C1EF377CB694EAB6BDDC8E624B6E73BFD93AEBL2PRD0310MB362_-- From gffletch@aol.com Mon Dec 19 11:11:03 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EE1911E8098 for ; Mon, 19 Dec 2011 11:11:03 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TM1F949E7ftA for ; Mon, 19 Dec 2011 11:11:02 -0800 (PST) Received: from imr-ma05.mx.aol.com (imr-ma05.mx.aol.com [64.12.100.31]) by ietfa.amsl.com (Postfix) with ESMTP id B6DA111E8097 for ; Mon, 19 Dec 2011 11:11:01 -0800 (PST) Received: from mtaout-ma04.r1000.mx.aol.com (mtaout-ma04.r1000.mx.aol.com [172.29.41.4]) by imr-ma05.mx.aol.com (8.14.1/8.14.1) with ESMTP id pBJJAZxg023524; Mon, 19 Dec 2011 14:10:35 -0500 Received: from palantir.office.aol.com (palantir.office.aol.com [10.181.186.254]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-ma04.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 1A00EE0000BC; Mon, 19 Dec 2011 14:10:35 -0500 (EST) Message-ID: <4EEF8C2A.8030205@aol.com> Date: Mon, 19 Dec 2011 14:10:34 -0500 From: George Fletcher Organization: AOL LLC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Paul Madsen References: <4EEF2BC4.7020409@gmail.com> <4EEF77E7.6030808@mitre.org> <4EEF7DEF.6090009@gmail.com> In-Reply-To: <4EEF7DEF.6090009@gmail.com> Content-Type: multipart/alternative; boundary="------------050103020805040908030501" x-aol-global-disposition: G DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20110426; t=1324321835; bh=at68fPV0jSEZoHqvJBG9PjJOsRLTO+5Xkk1KQ6YPciU=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=fVMOcS37Spo67amDU/RsDp6urdNlheeMSBIbbUzftiEom/U7ZsqPL9KTLFn9t97PG N1rJLnjsJGfMRQfKdzEs65p3T5Futx94sgJzZ/kZxC0QDv5Ko5etKZFJN6dSWINkxa DQwl7/5ljDzb/J2tpHgEkLFq5rOrb0T4eALDeWU0= X-AOL-SCOLL-SCORE: 0:2:458373632:93952408 X-AOL-SCOLL-URL_COUNT: 0 x-aol-sid: 3039ac1d29044eef8c2b2ecc X-AOL-IP: 10.181.186.254 Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 19:11:03 -0000 This is a multi-part message in MIME format. --------------050103020805040908030501 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Hi Paul, Is the need to authenticate the client a need to ensure that the content is only displayed on certain devices/clients? Or prevent phishing/stealing of authz bearer tokens? As you point out, it's possible to protect the bearer tokens and associated refresh tokens "via other mitigating mechanisms". I'm not sure it's possible to authenticate the device/client with out the device/client having some special "hardware" that can be leveraged in the authentication step. Even dynamic registration doesn't solve the security issues (the device/client can still be disassembled and associated values discovered) of the device/client, just mitigates the exposure risk. However, this does cause increased work for the AS as it will now be tracking each and every device as a unique client. It's also likely for the device registration steps to be discovered, in which case restricting to a particular device again fails. It seems like trying to bind the bearer token to a device/client instance might be a better approach. That way you know that the customer correctly authorized that device/client instance and it is "allowed" to present the bearer token. Of course enforcing/proving the "allowed" part sort of breaks the "bearer" part:) Thanks, George On 12/19/11 1:09 PM, Paul Madsen wrote: > Thanks Justin, FWIW, I agree with your analysis > > Seems to me we have the following breakdown of clients > > - confidential server clients > > - confidential native clients (somewhat theoretical at the moment, > assumes either 1) a client registration mechanism to deliver > credentials post installation, such as OpenID Connects Client > Registration spec, or 2) a distribution channel in which uniquely > credentials can be packaged into the binary before delivery) > > - public clients (no option of client authn, but still possible to > have some protection against token leakage via other mitigating > mechanisms) > > thanks again > > paul > > On 12/19/11 12:44 PM, Justin Richer wrote: >> Native mobile clients can't really be confidential clients. >> >> The distinction between "public" and "confidential" clients is >> whether or not they can keep deployment-time secrets; which is to >> say, a client_secret. This is not to say that they can't keep *any* >> secrets. In particular those generated at runtime, like an access >> token or refresh token, could be held perfectly safe. But at the time >> the app is deployed to its running environment, you have to ask "who >> has access to its code and configuration?" >> >> Think of it this way. In the standard world, a native app gets copied >> to every device with the client_id and client_secret baked in. This >> makes the client_secret not very secret, and not at all unique. >> Anybody with access to the binary -- which is to say, every user -- >> could decompile the client_secret out of it and bake it into their >> *own* client, pretending to be your app and causing all kinds of >> havoc. This is a very different problem from somebody breaking into >> the token store and stealing an access token, which lets them only >> get to their own account. >> >> Compare this to a server-based app where the only ones with access to >> the binary and configuration are the administrators of the server, >> not the end users. It's a much more limited list of folks that can >> potentially see it, and therefore the client_secret can actually mean >> something and add a small extra layer of security. >> >> There are a few ways to mitigate this difference for public clients, >> such as using some kind of dynamic registration for all clients >> (which doesn't buy you much in terms of overall security) or putting >> up scary messages about native clients to try and educate your users. >> You can also use a trusted callback URL for your app on a hosted >> website that works in conjunction with your native app. This is >> actually the suggested use for the Implicit Flow, which was made for >> public clients in the browser. >> >> Native apps also have the concern of embedded browsers vs. external >> native browsers, and what trust the user puts into them. For all >> OAuth flows, you have to trust the browser provider on the platform >> of choice, since the user's going to be logging in directly through >> that browser. It's very much outside the scope of OAuth to make that >> world any better though, and there have been long and detailed >> discussions on this list about that very topic, leading to some >> concrete recommendations in the draft as it stands today. >> >> To answer your original query: I don't think that mandating one kind >> of client vs. the other will really help. OAuth 1.0 only had >> "confidential" clients, and that led to inane workarounds like >> Google's "anonymous/anonymous" client id/secret. >> >> Hope this helps. >> >> -- Justin >> >> On 12/19/2011 07:19 AM, Paul Madsen wrote: >>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet >>> unreleased) profile of OAuth 2.0 for online delivery of video >>> content based on a user's subscriptions (the TV Everywhere use case) >>> >>> We want to support both server & native mobile clients. It is for >>> the second class of clients that I'd appreciate some clarification >>> of 'confidentiality' as defined in OAuth 2. >>> >>> OAuth 2 distinguishes confidential & public clients based on their >>> ability to secure the credentials they'd use to authenticate to an >>> AS - confidential clients can protect those credentials, public >>> clients can't. >>> >>> Notwithstanding the above definition, the spec gives a degree of >>> discretion to the AS >>> >>> The client type designation is based on the authorization server's >>> definition of secure authentication and its acceptable exposure >>> levels of client credentials. >>> >>> >>> Give this discretion, is itpractical for the OMAP spec to stipulate >>> that 'All Clients (both server & native mobile), MUST be >>> confidential', ie let each individual OMAP AS specify its own >>> requirements of clients and their ability to securely authenticate? >>> >>> Is this consistent with the OAuth definition of confidentiality? >>> >>> Thanks >>> >>> Paul >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------050103020805040908030501 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Hi Paul,

Is the need to authenticate the client a need to ensure that the content is only displayed on certain devices/clients? Or prevent phishing/stealing of authz bearer tokens?

As you point out, it's possible to protect the bearer tokens and associated refresh tokens "via other mitigating mechanisms". I'm not sure it's possible to authenticate the device/client with out the device/client having some special "hardware" that can be leveraged in the authentication step.

Even dynamic registration doesn't solve the security issues (the device/client can still be disassembled and associated values discovered) of the device/client, just mitigates the exposure risk. However, this does cause increased work for the AS as it will now be tracking each and every device as a unique client. It's also likely for the device registration steps to be discovered, in which case restricting to a particular device again fails.

It seems like trying to bind the bearer token to a device/client instance might be a better approach. That way you know that the customer correctly authorized that device/client instance and it is "allowed" to present the bearer token. Of course enforcing/proving the "allowed" part sort of breaks the "bearer" part:)

Thanks,
George

On 12/19/11 1:09 PM, Paul Madsen wrote:
Thanks Justin, FWIW, I agree with your analysis

Seems to me we have the following breakdown of clients

- confidential server clients

- confidential native clients (somewhat theoretical at the moment, assumes either 1) a client registration mechanism to deliver credentials post installation, such as OpenID Connects Client Registration spec, or 2) a distribution channel in which uniquely credentials can be packaged into the binary before delivery)

- public clients (no option of client authn, but still possible to have some protection against token leakage via other mitigating mechanisms)

thanks again

paul

On 12/19/11 12:44 PM, Justin Richer wrote:
Native mobile clients can't really be confidential clients.

The distinction between "public" and "confidential" clients is whether or not they can keep deployment-time secrets; which is to say, a client_secret. This is not to say that they can't keep *any* secrets. In particular those generated at runtime, like an access token or refresh token, could be held perfectly safe. But at the time the app is deployed to its running environment, you have to ask "who has access to its code and configuration?"

Think of it this way. In the standard world, a native app gets copied to every device with the client_id and client_secret baked in. This makes the client_secret not very secret, and not at all unique. Anybody with access to the binary -- which is to say, every user -- could decompile the client_secret out of it and bake it into their *own* client, pretending to be your app and causing all kinds of havoc. This is a very different problem from somebody breaking into the token store and stealing an access token, which lets them only get to their own account.

Compare this to a server-based app where the only ones with access to the binary and configuration are the administrators of the server, not the end users. It's a much more limited list of folks that can potentially see it, and therefore the client_secret can actually mean something and add a small extra layer of security.

There are a few ways to mitigate this difference for public clients, such as using some kind of dynamic registration for all clients (which doesn't buy you much in terms of overall security) or putting up scary messages about native clients to try and educate your users. You can also use a trusted callback URL for your app on a hosted website that works in conjunction with your native app. This is actually the suggested use for the Implicit Flow, which was made for public clients in the browser.

Native apps also have the concern of embedded browsers vs. external native browsers, and what trust the user puts into them. For all OAuth flows, you have to trust the browser provider on the platform of choice, since the user's going to be logging in directly through that browser. It's very much outside the scope of OAuth to make that world any better though, and there have been long and detailed discussions on this list about that very topic, leading to some concrete recommendations in the draft as it stands today.

To answer your original query: I don't think that mandating one kind of client vs. the other will really help. OAuth 1.0 only had "confidential" clients, and that led to inane workarounds like Google's "anonymous/anonymous" client id/secret.

Hope this helps.

 -- Justin

On 12/19/2011 07:19 AM, Paul Madsen wrote:
Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case)

We want to support both server & native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2.

OAuth 2 distinguishes confidential & public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't.

Notwithstanding the above definition, the spec gives a degree of discretion to the AS

 
   The client type designation is based on the authorization server's
   definition of secure authentication and its acceptable exposure
   levels of client credentials.
Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server & native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate?

Is this consistent with the OAuth definition of confidentiality?

Thanks

Paul









 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------050103020805040908030501-- From jricher@mitre.org Mon Dec 19 11:32:10 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED9AE21F84BC for ; Mon, 19 Dec 2011 11:32:10 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.598 X-Spam-Level: X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5osaNhVKJ7gA for ; Mon, 19 Dec 2011 11:32:09 -0800 (PST) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 5B9D721F8319 for ; Mon, 19 Dec 2011 11:32:09 -0800 (PST) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id D2AC821B01F7; Mon, 19 Dec 2011 14:32:08 -0500 (EST) Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id BA24221B01AF; Mon, 19 Dec 2011 14:32:08 -0500 (EST) Received: from [129.83.50.8] (129.83.31.51) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.1.339.1; Mon, 19 Dec 2011 14:32:08 -0500 Message-ID: <4EEF9119.6020403@mitre.org> Date: Mon, 19 Dec 2011 14:31:37 -0500 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0 MIME-Version: 1.0 To: George Fletcher References: <4EEF2BC4.7020409@gmail.com> <4EEF77E7.6030808@mitre.org> <4EEF7DEF.6090009@gmail.com> <4EEF8C2A.8030205@aol.com> In-Reply-To: <4EEF8C2A.8030205@aol.com> Content-Type: multipart/alternative; boundary="------------060607080001070809030007" X-Originating-IP: [129.83.31.51] Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 19:32:11 -0000 --------------060607080001070809030007 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit A part of what George has outlined below is captured in the OpenID Connect Dynamic Registration flow. In that, the Dynamic Registration endpoint MAY be an OAuth2 protected resource. If you could mint your distributed clients with unique identifiers of some type, they could use those as bearer tokens to the registration endpoint, thereby getting a client id and secret. The AS still has to keep track of all of these registered clients, and you've still got to find some way mint and manage all of those bearer tokens in the first place. But this approach does at least give you an OAuth-friendly way to bootstrap the whole process. -- Justin On 12/19/2011 02:10 PM, George Fletcher wrote: > Hi Paul, > > Is the need to authenticate the client a need to ensure that the > content is only displayed on certain devices/clients? Or prevent > phishing/stealing of authz bearer tokens? > > As you point out, it's possible to protect the bearer tokens and > associated refresh tokens "via other mitigating mechanisms". I'm not > sure it's possible to authenticate the device/client with out the > device/client having some special "hardware" that can be leveraged in > the authentication step. > > Even dynamic registration doesn't solve the security issues (the > device/client can still be disassembled and associated values > discovered) of the device/client, just mitigates the exposure risk. > However, this does cause increased work for the AS as it will now be > tracking each and every device as a unique client. It's also likely > for the device registration steps to be discovered, in which case > restricting to a particular device again fails. > > It seems like trying to bind the bearer token to a device/client > instance might be a better approach. That way you know that the > customer correctly authorized that device/client instance and it is > "allowed" to present the bearer token. Of course enforcing/proving the > "allowed" part sort of breaks the "bearer" part:) > > Thanks, > George > > On 12/19/11 1:09 PM, Paul Madsen wrote: >> Thanks Justin, FWIW, I agree with your analysis >> >> Seems to me we have the following breakdown of clients >> >> - confidential server clients >> >> - confidential native clients (somewhat theoretical at the moment, >> assumes either 1) a client registration mechanism to deliver >> credentials post installation, such as OpenID Connects Client >> Registration spec, or 2) a distribution channel in which uniquely >> credentials can be packaged into the binary before delivery) >> >> - public clients (no option of client authn, but still possible to >> have some protection against token leakage via other mitigating >> mechanisms) >> >> thanks again >> >> paul >> >> On 12/19/11 12:44 PM, Justin Richer wrote: >>> Native mobile clients can't really be confidential clients. >>> >>> The distinction between "public" and "confidential" clients is >>> whether or not they can keep deployment-time secrets; which is to >>> say, a client_secret. This is not to say that they can't keep *any* >>> secrets. In particular those generated at runtime, like an access >>> token or refresh token, could be held perfectly safe. But at the >>> time the app is deployed to its running environment, you have to ask >>> "who has access to its code and configuration?" >>> >>> Think of it this way. In the standard world, a native app gets >>> copied to every device with the client_id and client_secret baked >>> in. This makes the client_secret not very secret, and not at all >>> unique. Anybody with access to the binary -- which is to say, every >>> user -- could decompile the client_secret out of it and bake it into >>> their *own* client, pretending to be your app and causing all kinds >>> of havoc. This is a very different problem from somebody breaking >>> into the token store and stealing an access token, which lets them >>> only get to their own account. >>> >>> Compare this to a server-based app where the only ones with access >>> to the binary and configuration are the administrators of the >>> server, not the end users. It's a much more limited list of folks >>> that can potentially see it, and therefore the client_secret can >>> actually mean something and add a small extra layer of security. >>> >>> There are a few ways to mitigate this difference for public clients, >>> such as using some kind of dynamic registration for all clients >>> (which doesn't buy you much in terms of overall security) or putting >>> up scary messages about native clients to try and educate your >>> users. You can also use a trusted callback URL for your app on a >>> hosted website that works in conjunction with your native app. This >>> is actually the suggested use for the Implicit Flow, which was made >>> for public clients in the browser. >>> >>> Native apps also have the concern of embedded browsers vs. external >>> native browsers, and what trust the user puts into them. For all >>> OAuth flows, you have to trust the browser provider on the platform >>> of choice, since the user's going to be logging in directly through >>> that browser. It's very much outside the scope of OAuth to make that >>> world any better though, and there have been long and detailed >>> discussions on this list about that very topic, leading to some >>> concrete recommendations in the draft as it stands today. >>> >>> To answer your original query: I don't think that mandating one kind >>> of client vs. the other will really help. OAuth 1.0 only had >>> "confidential" clients, and that led to inane workarounds like >>> Google's "anonymous/anonymous" client id/secret. >>> >>> Hope this helps. >>> >>> -- Justin >>> >>> On 12/19/2011 07:19 AM, Paul Madsen wrote: >>>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet >>>> unreleased) profile of OAuth 2.0 for online delivery of video >>>> content based on a user's subscriptions (the TV Everywhere use case) >>>> >>>> We want to support both server & native mobile clients. It is for >>>> the second class of clients that I'd appreciate some clarification >>>> of 'confidentiality' as defined in OAuth 2. >>>> >>>> OAuth 2 distinguishes confidential & public clients based on their >>>> ability to secure the credentials they'd use to authenticate to an >>>> AS - confidential clients can protect those credentials, public >>>> clients can't. >>>> >>>> Notwithstanding the above definition, the spec gives a degree of >>>> discretion to the AS >>>> >>>> The client type designation is based on the authorization server's >>>> definition of secure authentication and its acceptable exposure >>>> levels of client credentials. >>>> >>>> >>>> Give this discretion, is itpractical for the OMAP spec to stipulate >>>> that 'All Clients (both server & native mobile), MUST be >>>> confidential', ie let each individual OMAP AS specify its own >>>> requirements of clients and their ability to securely authenticate? >>>> >>>> Is this consistent with the OAuth definition of confidentiality? >>>> >>>> Thanks >>>> >>>> Paul >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------060607080001070809030007 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit A part of what George has outlined below is captured in the OpenID Connect Dynamic Registration flow. In that, the Dynamic Registration endpoint MAY be an OAuth2 protected resource. If you could mint your distributed clients with unique identifiers of some type, they could use those as bearer tokens to the registration endpoint, thereby getting a client id and secret.

The AS still has to keep track of all of these registered clients, and you've still got to find some way mint and manage all of those bearer tokens in the first place. But this approach does at least give you an OAuth-friendly way to bootstrap the whole process.

 -- Justin

On 12/19/2011 02:10 PM, George Fletcher wrote:
Hi Paul,

Is the need to authenticate the client a need to ensure that the content is only displayed on certain devices/clients? Or prevent phishing/stealing of authz bearer tokens?

As you point out, it's possible to protect the bearer tokens and associated refresh tokens "via other mitigating mechanisms". I'm not sure it's possible to authenticate the device/client with out the device/client having some special "hardware" that can be leveraged in the authentication step.

Even dynamic registration doesn't solve the security issues (the device/client can still be disassembled and associated values discovered) of the device/client, just mitigates the exposure risk. However, this does cause increased work for the AS as it will now be tracking each and every device as a unique client. It's also likely for the device registration steps to be discovered, in which case restricting to a particular device again fails.

It seems like trying to bind the bearer token to a device/client instance might be a better approach. That way you know that the customer correctly authorized that device/client instance and it is "allowed" to present the bearer token. Of course enforcing/proving the "allowed" part sort of breaks the "bearer" part:)

Thanks,
George

On 12/19/11 1:09 PM, Paul Madsen wrote:
Thanks Justin, FWIW, I agree with your analysis

Seems to me we have the following breakdown of clients

- confidential server clients

- confidential native clients (somewhat theoretical at the moment, assumes either 1) a client registration mechanism to deliver credentials post installation, such as OpenID Connects Client Registration spec, or 2) a distribution channel in which uniquely credentials can be packaged into the binary before delivery)

- public clients (no option of client authn, but still possible to have some protection against token leakage via other mitigating mechanisms)

thanks again

paul

On 12/19/11 12:44 PM, Justin Richer wrote:
Native mobile clients can't really be confidential clients.

The distinction between "public" and "confidential" clients is whether or not they can keep deployment-time secrets; which is to say, a client_secret. This is not to say that they can't keep *any* secrets. In particular those generated at runtime, like an access token or refresh token, could be held perfectly safe. But at the time the app is deployed to its running environment, you have to ask "who has access to its code and configuration?"

Think of it this way. In the standard world, a native app gets copied to every device with the client_id and client_secret baked in. This makes the client_secret not very secret, and not at all unique. Anybody with access to the binary -- which is to say, every user -- could decompile the client_secret out of it and bake it into their *own* client, pretending to be your app and causing all kinds of havoc. This is a very different problem from somebody breaking into the token store and stealing an access token, which lets them only get to their own account.

Compare this to a server-based app where the only ones with access to the binary and configuration are the administrators of the server, not the end users. It's a much more limited list of folks that can potentially see it, and therefore the client_secret can actually mean something and add a small extra layer of security.

There are a few ways to mitigate this difference for public clients, such as using some kind of dynamic registration for all clients (which doesn't buy you much in terms of overall security) or putting up scary messages about native clients to try and educate your users. You can also use a trusted callback URL for your app on a hosted website that works in conjunction with your native app. This is actually the suggested use for the Implicit Flow, which was made for public clients in the browser.

Native apps also have the concern of embedded browsers vs. external native browsers, and what trust the user puts into them. For all OAuth flows, you have to trust the browser provider on the platform of choice, since the user's going to be logging in directly through that browser. It's very much outside the scope of OAuth to make that world any better though, and there have been long and detailed discussions on this list about that very topic, leading to some concrete recommendations in the draft as it stands today.

To answer your original query: I don't think that mandating one kind of client vs. the other will really help. OAuth 1.0 only had "confidential" clients, and that led to inane workarounds like Google's "anonymous/anonymous" client id/secret.

Hope this helps.

 -- Justin

On 12/19/2011 07:19 AM, Paul Madsen wrote:
Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case)

We want to support both server & native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2.

OAuth 2 distinguishes confidential & public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't.

Notwithstanding the above definition, the spec gives a degree of discretion to the AS

 
   The client type designation is based on the authorization server's
   definition of secure authentication and its acceptable exposure
   levels of client credentials.
Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server & native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate?

Is this consistent with the OAuth definition of confidentiality?

Thanks

Paul









 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------060607080001070809030007-- From john@jkemp.net Mon Dec 19 11:35:02 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B33F11E80A0 for ; Mon, 19 Dec 2011 11:35:02 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.265 X-Spam-Level: X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GT91h5bGlTfE for ; Mon, 19 Dec 2011 11:35:01 -0800 (PST) Received: from oproxy6-pub.bluehost.com (oproxy6-pub.bluehost.com [67.222.54.6]) by ietfa.amsl.com (Postfix) with SMTP id 7C98311E8098 for ; Mon, 19 Dec 2011 11:35:01 -0800 (PST) Received: (qmail 18931 invoked by uid 0); 19 Dec 2011 19:34:40 -0000 Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by cpoproxy3.bluehost.com with SMTP; 19 Dec 2011 19:34:39 -0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=jkemp.net; s=default; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Content-Type:Mime-Version:Subject; bh=Nz1tMWMf5zpf/sUbNQGDGVIFowHR8hSjOt1EiA4Y4wU=; b=oOiTKsjYrx9yrOOpfvzj0FjyClRo5G/LNka7xCNJyTB7mKnTKgwsmXCA2yKyBHJD1xuUeLWrbmv0GEIuhtgbVIHZBVYCEwBtoKBJivF491kSpvihX0ACrAJvEhObs7MR; Received: from cpe-74-67-30-101.nycap.res.rr.com ([74.67.30.101] helo=[192.168.1.104]) by box320.bluehost.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from ) id 1Rciyt-00026R-IY; Mon, 19 Dec 2011 12:34:39 -0700 Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=windows-1252 From: John Kemp In-Reply-To: <4EEF797D.4020608@gmail.com> Date: Mon, 19 Dec 2011 13:08:41 -0500 Content-Transfer-Encoding: quoted-printable Message-Id: References: <4EEF2BC4.7020409@gmail.com> <4EEF71EA.3080200@mtcc.com> <4EEF797D.4020608@gmail.com> To: Paul Madsen X-Mailer: Apple Mail (2.1251.1) X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 74.67.30.101 authed with john+jkemp.net} Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 19:35:02 -0000 Hi Paul, On Dec 19, 2011, at 12:50 PM, Paul Madsen wrote: > Hi Mike, to some extent I think my question is not about specific = security characteristics, but rather whether its realistic for our group = to mandate that both server & native clients have the *same* security = characteristics - particularly the ability to 'securely' authenticate to = the AS on the token endpoint. Well=85 from your description of your case (e.g. "based on a user's = subscriptions"), I'm not sure whether the client (software) designation = makes much difference. Am I correct in thinking that the credentials = which really need to be protected are those assigned to a user, rather = than those assigned to a client? In which case, wouldn't it be possible = for even a 'public' OAuth client to acquire them from the user = dynamically (rather than storing them on the device) and pass them = encrypted or hashed to the server? Cheers, - John >=20 > thanks >=20 > paul >=20 > On 12/19/11 12:18 PM, Michael Thomas wrote: >> On 12/19/2011 04:19 AM, Paul Madsen wrote:=20 >>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet = unreleased) profile of OAuth 2.0 for online delivery of video content = based on a user's subscriptions (the TV Everywhere use case)=20 >>>=20 >>> We want to support both server & native mobile clients. It is for = the second class of clients that I'd appreciate some clarification of = 'confidentiality' as defined in OAuth 2.=20 >>>=20 >>> OAuth 2 distinguishes confidential & public clients based on their = ability to secure the credentials they'd use to authenticate to an AS - = confidential clients can protect those credentials, public clients = can't.=20 >>>=20 >>> Notwithstanding the above definition, the spec gives a degree of = discretion to the AS=20 >>>=20 >>> The client type designation is based on the authorization = server's=20 >>> definition of secure authentication and its acceptable exposure=20= >>> levels of client credentials.=20 >>>=20 >>>=20 >>> Give this discretion, is it practical for the OMAP spec to stipulate = that 'All Clients (both server & native mobile), MUST be confidential', = ie let each individual OMAP AS specify its own requirements of clients = and their ability to securely authenticate?=20 >>=20 >> Hi,=20 >>=20 >> Can you say exactly what your security requirements are before trying = to determine which=20 >> (if either) is the right answer? I've got some concerns in this area = that I'm trying to understand=20 >> and am not sure if they're related to your concern or not. Part of = this is that I really don't=20 >> understand what the difference is between a "public" client and a = "confidential client" and=20 >> rereading the draft isn't helping me. In particular, can a iPhone app = with a UIWebView *ever*=20 >> be a "confidential" client, and if so how?=20 >>=20 >> Mike=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From john@jkemp.net Mon Dec 19 11:35:07 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C99D11E80B8 for ; Mon, 19 Dec 2011 11:35:07 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.265 X-Spam-Level: X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wyiCqwQ4sY8h for ; Mon, 19 Dec 2011 11:35:06 -0800 (PST) Received: from oproxy3-pub.bluehost.com (oproxy3-pub.bluehost.com [69.89.21.8]) by ietfa.amsl.com (Postfix) with SMTP id 9A32F11E80B7 for ; Mon, 19 Dec 2011 11:35:06 -0800 (PST) Received: (qmail 3603 invoked by uid 0); 19 Dec 2011 19:34:45 -0000 Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by oproxy3.bluehost.com with SMTP; 19 Dec 2011 19:34:45 -0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=jkemp.net; s=default; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Content-Type:Mime-Version:Subject; bh=Nz1tMWMf5zpf/sUbNQGDGVIFowHR8hSjOt1EiA4Y4wU=; b=C9TM8/sipBRJjA3rDfDbBnQ8+fosW7qC7ULwjvfW0t0OIwHuDtnLZBASMShGhGTcghVvyIsHUdfljFCE58ZKflgs22TbuIttd8RVVjqTtlgFuBhdj+fAMtgpXNNnBaXq; Received: from cpe-74-67-30-101.nycap.res.rr.com ([74.67.30.101] helo=[192.168.1.104]) by box320.bluehost.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from ) id 1Rciyz-00026R-3U; Mon, 19 Dec 2011 12:34:45 -0700 Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=windows-1252 From: John Kemp In-Reply-To: <4EEF797D.4020608@gmail.com> Date: Mon, 19 Dec 2011 13:21:20 -0500 Content-Transfer-Encoding: quoted-printable Message-Id: <941C10F0-2769-427A-8B65-7D28087E66EE@jkemp.net> References: <4EEF2BC4.7020409@gmail.com> <4EEF71EA.3080200@mtcc.com> <4EEF797D.4020608@gmail.com> To: Paul Madsen X-Mailer: Apple Mail (2.1251.1) X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 74.67.30.101 authed with john+jkemp.net} Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 19:35:07 -0000 Hi Paul, On Dec 19, 2011, at 12:50 PM, Paul Madsen wrote: > Hi Mike, to some extent I think my question is not about specific = security characteristics, but rather whether its realistic for our group = to mandate that both server & native clients have the *same* security = characteristics - particularly the ability to 'securely' authenticate to = the AS on the token endpoint. Well=85 from your description of your case (e.g. "based on a user's = subscriptions"), I'm not sure whether the client (software) designation = makes much difference. Am I correct in thinking that the credentials = which really need to be protected are those assigned to a user, rather = than those assigned to a client? In which case, wouldn't it be possible = for even a 'public' OAuth client to acquire them from the user = dynamically (rather than storing them on the device) and pass them = encrypted or hashed to the server? Cheers, - John >=20 > thanks >=20 > paul >=20 > On 12/19/11 12:18 PM, Michael Thomas wrote: >> On 12/19/2011 04:19 AM, Paul Madsen wrote:=20 >>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet = unreleased) profile of OAuth 2.0 for online delivery of video content = based on a user's subscriptions (the TV Everywhere use case)=20 >>>=20 >>> We want to support both server & native mobile clients. It is for = the second class of clients that I'd appreciate some clarification of = 'confidentiality' as defined in OAuth 2.=20 >>>=20 >>> OAuth 2 distinguishes confidential & public clients based on their = ability to secure the credentials they'd use to authenticate to an AS - = confidential clients can protect those credentials, public clients = can't.=20 >>>=20 >>> Notwithstanding the above definition, the spec gives a degree of = discretion to the AS=20 >>>=20 >>> The client type designation is based on the authorization = server's=20 >>> definition of secure authentication and its acceptable exposure=20= >>> levels of client credentials.=20 >>>=20 >>>=20 >>> Give this discretion, is it practical for the OMAP spec to stipulate = that 'All Clients (both server & native mobile), MUST be confidential', = ie let each individual OMAP AS specify its own requirements of clients = and their ability to securely authenticate?=20 >>=20 >> Hi,=20 >>=20 >> Can you say exactly what your security requirements are before trying = to determine which=20 >> (if either) is the right answer? I've got some concerns in this area = that I'm trying to understand=20 >> and am not sure if they're related to your concern or not. Part of = this is that I really don't=20 >> understand what the difference is between a "public" client and a = "confidential client" and=20 >> rereading the draft isn't helping me. In particular, can a iPhone app = with a UIWebView *ever*=20 >> be a "confidential" client, and if so how?=20 >>=20 >> Mike=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From paul.madsen@gmail.com Mon Dec 19 11:49:46 2011 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFEEF11E80BE for ; Mon, 19 Dec 2011 11:49:46 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YoPQxn7IdSkP for ; Mon, 19 Dec 2011 11:49:46 -0800 (PST) Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id B5C8B11E8080 for ; Mon, 19 Dec 2011 11:49:45 -0800 (PST) Received: by wgbdr13 with SMTP id dr13so8605011wgb.13 for ; Mon, 19 Dec 2011 11:49:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=CbXpAyMgAnzTCrKzzubk7ddOZ0akCKtXIE15Yild4Ro=; b=K9WlBckZfWxbilnUCQTFjs2iLKwj+zxVpN92CKFOXXrEqYiMnlIyjVTr1ZTO18eiFh Mdn93WbtcGO0Rq74t5tv57YUh4mTlpskYiQV9prwc8vguBkOfCiHDnrydc8MbIoRhYIs lWWHCPHrODCbcv5DP7eAftAlHDXfGFSpoIR3g= Received: by 10.227.203.84 with SMTP id fh20mr12151286wbb.27.1324324184840; Mon, 19 Dec 2011 11:49:44 -0800 (PST) Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.168.159]) by mx.google.com with ESMTPS id eg7sm27189636wib.8.2011.12.19.11.49.42 (version=SSLv3 cipher=OTHER); Mon, 19 Dec 2011 11:49:44 -0800 (PST) Message-ID: <4EEF9555.6030605@gmail.com> Date: Mon, 19 Dec 2011 14:49:41 -0500 From: Paul Madsen User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: John Kemp References: <4EEF2BC4.7020409@gmail.com> <4EEF71EA.3080200@mtcc.com> <4EEF797D.4020608@gmail.com> <941C10F0-2769-427A-8B65-7D28087E66EE@jkemp.net> In-Reply-To: <941C10F0-2769-427A-8B65-7D28087E66EE@jkemp.net> Content-Type: multipart/alternative; boundary="------------020103030103070900010007" Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Native clients & 'confidentiality' X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Dec 2011 19:49:47 -0000 This is a multi-part message in MIME format. --------------020103030103070900010007 Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit Hi John, the user identity & credentials are definitely fundamental (they allow the video content to be personalized), but given the valuable nature of the resources being accessed, many Resource Owners (that produce the video content) will expect that the clients be able to authenticate with its own credentials as well. Wrt storing the user's credentials on the device, we are profiling the authz code grant type - we don't want passwords on the device , or even traded via RO creds grant type. But was that the question? thanks paul On 12/19/11 1:21 PM, John Kemp wrote: > Hi Paul, > > On Dec 19, 2011, at 12:50 PM, Paul Madsen wrote: > >> Hi Mike, to some extent I think my question is not about specific security characteristics, but rather whether its realistic for our group to mandate that both server& native clients have the *same* security characteristics - particularly the ability to 'securely' authenticate to the AS on the token endpoint. > Well… from your description of your case (e.g. "based on a user's subscriptions"), I'm not sure whether the client (software) designation makes much difference. Am I correct in thinking that the credentials which really need to be protected are those assigned to a user, rather than those assigned to a client? In which case, wouldn't it be possible for even a 'public' OAuth client to acquire them from the user dynamically (rather than storing them on the device) and pass them encrypted or hashed to the server? > > Cheers, > > - John > >> thanks >> >> paul >> >> On 12/19/11 12:18 PM, Michael Thomas wrote: >>> On 12/19/2011 04:19 AM, Paul Madsen wrote: >>>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case) >>>> >>>> We want to support both server& native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2. >>>> >>>> OAuth 2 distinguishes confidential& public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't. >>>> >>>> Notwithstanding the above definition, the spec gives a degree of discretion to the AS >>>> >>>> The client type designation is based on the authorization server's >>>> definition of secure authentication and its acceptable exposure >>>> levels of client credentials. >>>> >>>> >>>> Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server& native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate? >>> Hi, >>> >>> Can you say exactly what your security requirements are before trying to determine which >>> (if either) is the right answer? I've got some concerns in this area that I'm trying to understand >>> and am not sure if they're related to your concern or not. Part of this is that I really don't >>> understand what the difference is between a "public" client and a "confidential client" and >>> rereading the draft isn't helping me. In particular, can a iPhone app with a UIWebView *ever* >>> be a "confidential" client, and if so how? >>> >>> Mike >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth --------------020103030103070900010007 Content-Type: text/html; charset=windows-1252 Content-Transfer-Encoding: 8bit Hi John, the user identity & credentials are definitely fundamental (they allow the video content to be personalized), but given the valuable nature of the resources being accessed, many Resource Owners (that produce the video content) will expect that the clients be able to authenticate with its own credentials as well.

Wrt storing the user's credentials on the device, we are profiling the authz code grant type - we don't want passwords on the device , or even traded via RO creds grant type. But was that the question?

thanks

paul 

On 12/19/11 1:21 PM, John Kemp wrote: 
Hi Paul,

On Dec 19, 2011, at 12:50 PM, Paul Madsen wrote:


Hi Mike, to some extent I think my question is not about specific security characteristics, but rather whether its realistic for our group to mandate that both server & native clients have the *same* security characteristics - particularly the ability to 'securely' authenticate to the AS on the token endpoint.

Well… from your description of your case (e.g. "based on a user's subscriptions"), I'm not sure whether the client (software) designation makes much difference. Am I correct in thinking that the credentials which really need to be protected are those assigned to a user, rather than those assigned to a client? In which case, wouldn't it be possible for even a 'public' OAuth client to acquire them from the user dynamically (rather than storing them on the device) and pass them encrypted or hashed to the server?

Cheers,

- John


thanks

paul

On 12/19/11 12:18 PM, Michael Thomas wrote:

On 12/19/2011 04:19 AM, Paul Madsen wrote: 

Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case) 

We want to support both server & native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2. 

OAuth 2 distinguishes confidential & public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't. 

Notwithstanding the above definition, the spec gives a degree of discretion to the AS 

   The client type designation is based on the authorization server's 
   definition of secure authentication and its acceptable exposure 
   levels of client credentials. 


Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server & native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate? 

Hi, 

Can you say exactly what your security requirements are before trying to determine which 
(if either) is the right answer? I've got some concerns in this area that I'm trying to understand 
and am not sure if they're related to your concern or not. Part of this is that I really don't 
understand what the difference is between a "public" client and a "confidential client" and 
rereading the draft isn't helping me. In particular, can a iPhone app with a UIWebView *ever* 
be a "confidential" client, and if so how? 

Mike 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


    

  


--------------020103030103070900010007--

From paul.madsen@gmail.com  Mon Dec 19 12:11:33 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7509F11E80B9 for ; Mon, 19 Dec 2011 12:11:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level: 
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2vOW0wF6grpn for ; Mon, 19 Dec 2011 12:11:29 -0800 (PST)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id BE5CA11E809D for ; Mon, 19 Dec 2011 12:11:28 -0800 (PST)
Received: by wgbdr13 with SMTP id dr13so8628690wgb.13 for ; Mon, 19 Dec 2011 12:11:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=szBMxwpUHE2BeILLE32jR2N4U5zVoxH9CWTVR0q371I=; b=Mo0sD/UVA2NzKIM0fsSGTZanvgfkQQsakvOc7nSQZ98kw6wIRwN5dexg5QNldRL5Am biwIp6yUO2dNX4v+9jdokNrRqjoSewpMr/pjVckybjhMMRQFRu/Jmf5a3XG/5DwczxQt y4k2Azluv+kGO1EWMr3ZAPd8j2D7YK1nP8ido=
Received: by 10.227.207.205 with SMTP id fz13mr13460488wbb.0.1324325487852; Mon, 19 Dec 2011 12:11:27 -0800 (PST)
Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.168.159]) by mx.google.com with ESMTPS id ep13sm26994887wbb.8.2011.12.19.12.11.24 (version=SSLv3 cipher=OTHER); Mon, 19 Dec 2011 12:11:26 -0800 (PST)
Message-ID: <4EEF9A6B.7070307@gmail.com>
Date: Mon, 19 Dec 2011 15:11:23 -0500
From: Paul Madsen 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: George Fletcher 
References: <4EEF2BC4.7020409@gmail.com> <4EEF77E7.6030808@mitre.org> <4EEF7DEF.6090009@gmail.com> <4EEF8C2A.8030205@aol.com>
In-Reply-To: <4EEF8C2A.8030205@aol.com>
Content-Type: multipart/alternative; boundary="------------050300080706050308080001"
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Native clients & 'confidentiality'
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Mon, 19 Dec 2011 20:11:33 -0000

This is a multi-part message in MIME format.
--------------050300080706050308080001
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hi George, inline

thanks

paul

On 12/19/11 2:10 PM, George Fletcher wrote:
> Hi Paul,
>
> Is the need to authenticate the client a need to ensure that the 
> content is only displayed on certain devices/clients? Or prevent 
> phishing/stealing of authz bearer tokens?
I'm not best qualified to answer but I believe it's the latter, ie not 
DRM motivated
>
> As you point out, it's possible to protect the bearer tokens and 
> associated refresh tokens "via other mitigating mechanisms". I'm not 
> sure it's possible to authenticate the device/client with out the 
> device/client having some special "hardware" that can be leveraged in 
> the authentication step.
are you referring to a 'bootstrap' problem?
>
> Even dynamic registration doesn't solve the security issues (the 
> device/client can still be disassembled and associated values 
> discovered) of the device/client, just mitigates the exposure risk. 
> However, this does cause increased work for the AS as it will now be 
> tracking each and every device as a unique client. It's also likely 
> for the device registration steps to be discovered, in which case 
> restricting to a particular device again fails.
yes, but as you imply an attacker will only access those credentials 
specific to that particular copy of the native client. Hopefully too 
much work to be able to see Glee Season 2.

Can you clarify what you mean about the device registration steps being 
'discovered'?
>
> It seems like trying to bind the bearer token to a device/client 
> instance might be a better approach. That way you know that the 
> customer correctly authorized that device/client instance and it is 
> "allowed" to present the bearer token. Of course enforcing/proving the 
> "allowed" part sort of breaks the "bearer" part:)
yeah, how do we bind a bearer token to anything? :-) Doesnt that by 
definition take us towards MAC?


>
> Thanks,
> George
>
> On 12/19/11 1:09 PM, Paul Madsen wrote:
>> Thanks Justin, FWIW, I agree with your analysis
>>
>> Seems to me we have the following breakdown of clients
>>
>> - confidential server clients
>>
>> - confidential native clients (somewhat theoretical at the moment, 
>> assumes either 1) a client registration mechanism to deliver 
>> credentials post installation, such as OpenID Connects Client 
>> Registration spec, or 2) a distribution channel in which uniquely 
>> credentials can be packaged into the binary before delivery)
>>
>> - public clients (no option of client authn, but still possible to 
>> have some protection against token leakage via other mitigating 
>> mechanisms)
>>
>> thanks again
>>
>> paul
>>
>> On 12/19/11 12:44 PM, Justin Richer wrote:
>>> Native mobile clients can't really be confidential clients.
>>>
>>> The distinction between "public" and "confidential" clients is 
>>> whether or not they can keep deployment-time secrets; which is to 
>>> say, a client_secret. This is not to say that they can't keep *any* 
>>> secrets. In particular those generated at runtime, like an access 
>>> token or refresh token, could be held perfectly safe. But at the 
>>> time the app is deployed to its running environment, you have to ask 
>>> "who has access to its code and configuration?"
>>>
>>> Think of it this way. In the standard world, a native app gets 
>>> copied to every device with the client_id and client_secret baked 
>>> in. This makes the client_secret not very secret, and not at all 
>>> unique. Anybody with access to the binary -- which is to say, every 
>>> user -- could decompile the client_secret out of it and bake it into 
>>> their *own* client, pretending to be your app and causing all kinds 
>>> of havoc. This is a very different problem from somebody breaking 
>>> into the token store and stealing an access token, which lets them 
>>> only get to their own account.
>>>
>>> Compare this to a server-based app where the only ones with access 
>>> to the binary and configuration are the administrators of the 
>>> server, not the end users. It's a much more limited list of folks 
>>> that can potentially see it, and therefore the client_secret can 
>>> actually mean something and add a small extra layer of security.
>>>
>>> There are a few ways to mitigate this difference for public clients, 
>>> such as using some kind of dynamic registration for all clients 
>>> (which doesn't buy you much in terms of overall security) or putting 
>>> up scary messages about native clients to try and educate your 
>>> users. You can also use a trusted callback URL for your app on a 
>>> hosted website that works in conjunction with your native app. This 
>>> is actually the suggested use for the Implicit Flow, which was made 
>>> for public clients in the browser.
>>>
>>> Native apps also have the concern of embedded browsers vs. external 
>>> native browsers, and what trust the user puts into them. For all 
>>> OAuth flows, you have to trust the browser provider on the platform 
>>> of choice, since the user's going to be logging in directly through 
>>> that browser. It's very much outside the scope of OAuth to make that 
>>> world any better though, and there have been long and detailed 
>>> discussions on this list about that very topic, leading to some 
>>> concrete recommendations in the draft as it stands today.
>>>
>>> To answer your original query: I don't think that mandating one kind 
>>> of client vs. the other will really help. OAuth 1.0 only had 
>>> "confidential" clients, and that led to inane workarounds like 
>>> Google's "anonymous/anonymous" client id/secret.
>>>
>>> Hope this helps.
>>>
>>>  -- Justin
>>>
>>> On 12/19/2011 07:19 AM, Paul Madsen wrote:
>>>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet 
>>>> unreleased) profile of OAuth 2.0 for online delivery of video 
>>>> content based on a user's subscriptions (the TV Everywhere use case)
>>>>
>>>> We want to support both server & native mobile clients. It is for 
>>>> the second class of clients that I'd appreciate some clarification 
>>>> of 'confidentiality' as defined in OAuth 2.
>>>>
>>>> OAuth 2 distinguishes confidential & public clients based on their 
>>>> ability to secure the credentials they'd use to authenticate to an 
>>>> AS - confidential clients can protect those credentials, public 
>>>> clients can't.
>>>>
>>>> Notwithstanding the above definition, the spec gives a degree of 
>>>> discretion to the AS
>>>>
>>>>     The client type designation is based on the authorization server's
>>>>     definition of secure authentication and its acceptable exposure
>>>>     levels of client credentials.
>>>>
>>>>
>>>> Give this discretion, is itpractical for the OMAP spec to stipulate 
>>>> that 'All Clients (both server & native mobile), MUST be 
>>>> confidential', ie let each individual OMAP AS specify its own 
>>>> requirements of clients and their ability to securely authenticate?
>>>>
>>>> Is this consistent with the OAuth definition of confidentiality?
>>>>
>>>> Thanks
>>>>
>>>> Paul
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

--------------050300080706050308080001
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit


  
    
  
  
    Hi George, inline

    

    thanks 

    

    paul

    

    On 12/19/11 2:10 PM, George Fletcher wrote:
    

      
      Hi Paul,

        

        Is the need to authenticate the client a need to ensure that the
        content is only displayed on certain devices/clients? Or prevent
        phishing/stealing of authz bearer tokens?

      

    I'm not best qualified to answer but I believe it's the latter, ie
    not DRM motivated

    
 

        As you point out, it's possible to protect the bearer tokens and
        associated refresh tokens "via other mitigating mechanisms". I'm
        not sure it's possible to authenticate the device/client with
        out the device/client having some special "hardware" that can be
        leveraged in the authentication step.

      

    are you referring to a 'bootstrap' problem?

    
 

        Even dynamic registration doesn't solve the security issues (the
        device/client can still be disassembled and associated values
        discovered) of the device/client, just mitigates the exposure
        risk. However, this does cause increased work for the AS as it
        will now be tracking each and every device as a unique client.
        It's also likely for the device registration steps to be
        discovered, in which case restricting to a particular device
        again fails.

      

    yes, but as you imply an attacker will only access those credentials
    specific to that particular copy of the native client. Hopefully too
    much work to be able to see Glee Season 2.

    

    Can you clarify what you mean about the device registration steps
    being 'discovered'?

    
 

        It seems like trying to bind the bearer token to a device/client
        instance might be a better approach. That way you know that the
        customer correctly authorized that device/client instance and it
        is "allowed" to present the bearer token. Of course
        enforcing/proving the "allowed" part sort of breaks the "bearer"
        part:)

      

    yeah, how do we bind a bearer token to anything? :-) Doesnt that by
    definition take us towards MAC?

    

    

    
 

        Thanks,

        George

      

      On 12/19/11 1:09 PM, Paul Madsen wrote:
      

        
        Thanks Justin, FWIW, I agree with your
          analysis

          

          Seems to me we have the following breakdown of clients

        

        - confidential server clients

        

        - confidential native clients (somewhat theoretical at the
        moment, assumes either 1) a client registration mechanism to
        deliver credentials post installation, such as OpenID Connects
        Client Registration spec, or 2) a distribution channel in which
        uniquely credentials can be packaged into the binary before
        delivery)

        

        - public clients (no option of client authn, but still possible
        to have some protection against token leakage via other
        mitigating mechanisms)

        

        thanks again

        

        paul

        

        On 12/19/11 12:44 PM, Justin Richer wrote:
        

          
          Native mobile clients can't really be confidential clients. 

          

          The distinction between "public" and "confidential" clients is
          whether or not they can keep deployment-time secrets; which is
          to say, a client_secret. This is not to say that they can't
          keep *any* secrets. In particular those generated at runtime,
          like an access token or refresh token, could be held perfectly
          safe. But at the time the app is deployed to its running
          environment, you have to ask "who has access to its code and
          configuration?"

          

          Think of it this way. In the standard world, a native app gets
          copied to every device with the client_id and client_secret
          baked in. This makes the client_secret not very secret, and
          not at all unique. Anybody with access to the binary -- which
          is to say, every user -- could decompile the client_secret out
          of it and bake it into their *own* client, pretending to be
          your app and causing all kinds of havoc. This is a very
          different problem from somebody breaking into the token store
          and stealing an access token, which lets them only get to
          their own account. 

          

          Compare this to a server-based app where the only ones with
          access to the binary and configuration are the administrators
          of the server, not the end users. It's a much more limited
          list of folks that can potentially see it, and therefore the
          client_secret can actually mean something and add a small
          extra layer of security. 

          

          There are a few ways to mitigate this difference for public
          clients, such as using some kind of dynamic registration for
          all clients (which doesn't buy you much in terms of overall
          security) or putting up scary messages about native clients to
          try and educate your users. You can also use a trusted
          callback URL for your app on a hosted website that works in
          conjunction with your native app. This is actually the
          suggested use for the Implicit Flow, which was made for public
          clients in the browser.

          

          Native apps also have the concern of embedded browsers vs.
          external native browsers, and what trust the user puts into
          them. For all OAuth flows, you have to trust the browser
          provider on the platform of choice, since the user's going to
          be logging in directly through that browser. It's very much
          outside the scope of OAuth to make that world any better
          though, and there have been long and detailed discussions on
          this list about that very topic, leading to some concrete
          recommendations in the draft as it stands today.

          

          To answer your original query: I don't think that mandating
          one kind of client vs. the other will really help. OAuth 1.0
          only had "confidential" clients, and that led to inane
          workarounds like Google's "anonymous/anonymous" client
          id/secret. 

          

          Hope this helps.

          

           -- Justin

          

          On 12/19/2011 07:19 AM, Paul Madsen wrote:
          

            
            Hi, the Online Media Authorization
              Protocol (OMAP) is a (as yet unreleased) profile of OAuth
              2.0 for online delivery of video content based on a user's
              subscriptions (the TV Everywhere use case)

              

              We want to support both server & native mobile
              clients. It is for the second class of clients that I'd
              appreciate some clarification of 'confidentiality' as
              defined in OAuth 2.

              

              OAuth 2 distinguishes confidential & public clients
              based on their ability to secure the credentials they'd
              use to authenticate to an AS - confidential clients can
              protect those credentials, public clients can't.

              

              Notwithstanding the above definition, the spec gives a
              degree of discretion to the AS

              

            
            
   The client type designation is based on the authorization server's
   definition of secure authentication and its acceptable exposure
   levels of client credentials.




             Give this discretion, is it practical



              for the OMAP spec to stipulate that 'All Clients (both
              server & native mobile), MUST be confidential', ie let
              each individual OMAP AS specify its own requirements of
              clients and their ability to securely authenticate? 

              

              Is this consistent with the OAuth definition of
              confidentiality?

              

              Thanks

              

              Paul

              

            

            

            

              

              

              

              

              

             

            

            

            
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


          

          

        

        

        

        

        
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


      

      

    

  


--------------050300080706050308080001--

From john@jkemp.net  Mon Dec 19 12:21:03 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 860DC21F85C7 for ; Mon, 19 Dec 2011 12:21:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level: 
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id me-PtpvZoO9i for ; Mon, 19 Dec 2011 12:21:02 -0800 (PST)
Received: from oproxy8-pub.bluehost.com (oproxy8-pub.bluehost.com [69.89.22.20]) by ietfa.amsl.com (Postfix) with SMTP id B0AA521F85D1 for ; Mon, 19 Dec 2011 12:21:02 -0800 (PST)
Received: (qmail 6846 invoked by uid 0); 19 Dec 2011 20:20:40 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by oproxy8.bluehost.com with SMTP; 19 Dec 2011 20:20:40 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=jkemp.net; s=default;  h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Content-Type:Mime-Version:Subject; bh=BBufLT2dyj7CxW+eTZcBrpS13wtjsnSkf9BWDotBku0=;  b=s1A2t0n5MAXPt47N5qI1D0q6cWqvzferx+CjRpYuuPxzm98+qVjGRIrtaEek34jNjy6pnURNXFIjCGZzusVsRnHPjdEs7LGHqC3c5JRVU5r+7JYPuO8roZFsL7VsX9Rv;
Received: from cpe-74-67-30-101.nycap.res.rr.com ([74.67.30.101] helo=[192.168.1.104]) by box320.bluehost.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from ) id 1RcjhP-0002lZ-T6; Mon, 19 Dec 2011 13:20:40 -0700
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=windows-1252
From: John Kemp 
In-Reply-To: <4EEF9555.6030605@gmail.com>
Date: Mon, 19 Dec 2011 15:20:36 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: 
References: <4EEF2BC4.7020409@gmail.com> <4EEF71EA.3080200@mtcc.com> <4EEF797D.4020608@gmail.com> <941C10F0-2769-427A-8B65-7D28087E66EE@jkemp.net> <4EEF9555.6030605@gmail.com>
To: Paul Madsen 
X-Mailer: Apple Mail (2.1251.1)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 74.67.30.101 authed with john+jkemp.net}
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Native clients & 'confidentiality'
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Mon, 19 Dec 2011 20:21:03 -0000

Hey Paul,

On Dec 19, 2011, at 2:49 PM, Paul Madsen wrote:

> Hi John, the user identity & credentials are definitely fundamental =
(they allow the video content to be personalized), but given the =
valuable nature of the resources being accessed, many Resource Owners =
(that produce the video content) will expect that the clients be able to =
authenticate with its own credentials as well.

In which case, YMMV right, as usual, depending on the ability of the =
client to keep a secret? So, the expectation that clients can reliably =
authenticate seems still only reliable as those clients' platforms =
typically are (which is to say, not very reliable when put in the hands =
of consumers).=20

>=20
> Wrt storing the user's credentials on the device, we are profiling the =
authz code grant type - we don't want passwords on the device , or even =
traded via RO creds grant type. But was that the question?

I was just trying to figure out why you care whether the client can keep =
a secret, assuming that it's actually and only the user authentication =
which determines whether the content may be accessed. If we're talking =
about protecting the user from phishing, you may not be as reliant on a =
client secret as if the content may be accessed only by authorized =
software installations in addition to authorized users.=20

- John

>=20
> thanks
>=20
> paul =20
>=20
> On 12/19/11 1:21 PM, John Kemp wrote:
>> Hi Paul,
>>=20
>> On Dec 19, 2011, at 12:50 PM, Paul Madsen wrote:
>>=20
>>=20
>>> Hi Mike, to some extent I think my question is not about specific =
security characteristics, but rather whether its realistic for our group =
to mandate that both server & native clients have the *same* security =
characteristics - particularly the ability to 'securely' authenticate to =
the AS on the token endpoint.
>>>=20
>> Well=85 from your description of your case (e.g. "based on a user's =
subscriptions"), I'm not sure whether the client (software) designation =
makes much difference. Am I correct in thinking that the credentials =
which really need to be protected are those assigned to a user, rather =
than those assigned to a client? In which case, wouldn't it be possible =
for even a 'public' OAuth client to acquire them from the user =
dynamically (rather than storing them on the device) and pass them =
encrypted or hashed to the server?
>>=20
>> Cheers,
>>=20
>> - John
>>=20
>>=20
>>> thanks
>>>=20
>>> paul
>>>=20
>>> On 12/19/11 12:18 PM, Michael Thomas wrote:
>>>=20
>>>> On 12/19/2011 04:19 AM, Paul Madsen wrote:=20
>>>>=20
>>>>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet =
unreleased) profile of OAuth 2.0 for online delivery of video content =
based on a user's subscriptions (the TV Everywhere use case)=20
>>>>>=20
>>>>> We want to support both server & native mobile clients. It is for =
the second class of clients that I'd appreciate some clarification of =
'confidentiality' as defined in OAuth 2.=20
>>>>>=20
>>>>> OAuth 2 distinguishes confidential & public clients based on their =
ability to secure the credentials they'd use to authenticate to an AS - =
confidential clients can protect those credentials, public clients =
can't.=20
>>>>>=20
>>>>> Notwithstanding the above definition, the spec gives a degree of =
discretion to the AS=20
>>>>>=20
>>>>>    The client type designation is based on the authorization =
server's=20
>>>>>    definition of secure authentication and its acceptable exposure=20=

>>>>>    levels of client credentials.=20
>>>>>=20
>>>>>=20
>>>>> Give this discretion, is it practical for the OMAP spec to =
stipulate that 'All Clients (both server & native mobile), MUST be =
confidential', ie let each individual OMAP AS specify its own =
requirements of clients and their ability to securely authenticate?=20
>>>>>=20
>>>> Hi,=20
>>>>=20
>>>> Can you say exactly what your security requirements are before =
trying to determine which=20
>>>> (if either) is the right answer? I've got some concerns in this =
area that I'm trying to understand=20
>>>> and am not sure if they're related to your concern or not. Part of =
this is that I really don't=20
>>>> understand what the difference is between a "public" client and a =
"confidential client" and=20
>>>> rereading the draft isn't helping me. In particular, can a iPhone =
app with a UIWebView *ever*=20
>>>> be a "confidential" client, and if so how?=20
>>>>=20
>>>> Mike=20
>>>>=20
>>> _______________________________________________
>>> OAuth mailing list
>>>=20
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth


From paul.madsen@gmail.com  Mon Dec 19 12:45:38 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E330621F853B for ; Mon, 19 Dec 2011 12:45:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level: 
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oT+rfyRzpj92 for ; Mon, 19 Dec 2011 12:45:38 -0800 (PST)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id C443C21F853A for ; Mon, 19 Dec 2011 12:45:37 -0800 (PST)
Received: by vbbfo1 with SMTP id fo1so3661038vbb.31 for ; Mon, 19 Dec 2011 12:45:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=qVMXFF8p+oWpit34DgVAPyTkjWNpeNY45HIKHP141cw=; b=MdWnw/TjT+fn24C5QBGPkHPxZCFhe/mgYZq2g9pFkiVKqB19sYf48aa9fjuW2NL2SD dsALpPK0IqwoE+UvK7V0vGOUUtQZr5emtV+J8LG8R4rkbDHhOHGVNQ4NfrD/5I11PTOs 3CgflmbxpexZ1J97HMx+Ww1fDyZcXxEhMQsHo=
Received: by 10.52.94.75 with SMTP id da11mr12191009vdb.111.1324327535972; Mon, 19 Dec 2011 12:45:35 -0800 (PST)
Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.168.159]) by mx.google.com with ESMTPS id l9sm17380869vde.13.2011.12.19.12.45.34 (version=SSLv3 cipher=OTHER); Mon, 19 Dec 2011 12:45:35 -0800 (PST)
Message-ID: <4EEFA26D.1020001@gmail.com>
Date: Mon, 19 Dec 2011 15:45:33 -0500
From: Paul Madsen 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: John Kemp 
References: <4EEF2BC4.7020409@gmail.com> <4EEF71EA.3080200@mtcc.com> <4EEF797D.4020608@gmail.com> <941C10F0-2769-427A-8B65-7D28087E66EE@jkemp.net> <4EEF9555.6030605@gmail.com> 
In-Reply-To: 
Content-Type: multipart/alternative; boundary="------------020907070708020309080604"
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Native clients & 'confidentiality'
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Mon, 19 Dec 2011 20:45:39 -0000

This is a multi-part message in MIME format.
--------------020907070708020309080604
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

thanks John, inline

On 12/19/11 3:20 PM, John Kemp wrote:
> Hey Paul,
>
> On Dec 19, 2011, at 2:49 PM, Paul Madsen wrote:
>
>> Hi John, the user identity&  credentials are definitely fundamental (they allow the video content to be personalized), but given the valuable nature of the resources being accessed, many Resource Owners (that produce the video content) will expect that the clients be able to authenticate with its own credentials as well.
> In which case, YMMV right, as usual, depending on the ability of the client to keep a secret? So, the expectation that clients can reliably authenticate seems still only reliable as those clients' platforms typically are (which is to say, not very reliable when put in the hands of consumers).
indeed, which points out that 'confidentiality <--> public' is a continuum.
>
>> Wrt storing the user's credentials on the device, we are profiling the authz code grant type - we don't want passwords on the device , or even traded via RO creds grant type. But was that the question?
> I was just trying to figure out why you care whether the client can keep a secret, assuming that it's actually and only the user authentication which determines whether the content may be accessed. If we're talking about protecting the user from phishing, you may not be as reliant on a client secret as if the content may be accessed only by authorized software installations in addition to authorized users.
A decision to release a vid could depend both on the user's 
subscriptions as well as the client being registered/valid. So, yes we 
care about clients keeping secrets, and so are able to authenticate to 
the AS in order to get tokens

As Justin pointed out, the challenge is more in getting the secret to a 
native client than keeping it hidden once obtained.

>
> - John
>
>> thanks
>>
>> paul
>>
>> On 12/19/11 1:21 PM, John Kemp wrote:
>>> Hi Paul,
>>>
>>> On Dec 19, 2011, at 12:50 PM, Paul Madsen wrote:
>>>
>>>
>>>> Hi Mike, to some extent I think my question is not about specific security characteristics, but rather whether its realistic for our group to mandate that both server&  native clients have the *same* security characteristics - particularly the ability to 'securely' authenticate to the AS on the token endpoint.
>>>>
>>> Well… from your description of your case (e.g. "based on a user's subscriptions"), I'm not sure whether the client (software) designation makes much difference. Am I correct in thinking that the credentials which really need to be protected are those assigned to a user, rather than those assigned to a client? In which case, wouldn't it be possible for even a 'public' OAuth client to acquire them from the user dynamically (rather than storing them on the device) and pass them encrypted or hashed to the server?
>>>
>>> Cheers,
>>>
>>> - John
>>>
>>>
>>>> thanks
>>>>
>>>> paul
>>>>
>>>> On 12/19/11 12:18 PM, Michael Thomas wrote:
>>>>
>>>>> On 12/19/2011 04:19 AM, Paul Madsen wrote:
>>>>>
>>>>>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case)
>>>>>>
>>>>>> We want to support both server&  native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2.
>>>>>>
>>>>>> OAuth 2 distinguishes confidential&  public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't.
>>>>>>
>>>>>> Notwithstanding the above definition, the spec gives a degree of discretion to the AS
>>>>>>
>>>>>>     The client type designation is based on the authorization server's
>>>>>>     definition of secure authentication and its acceptable exposure
>>>>>>     levels of client credentials.
>>>>>>
>>>>>>
>>>>>> Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server&  native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate?
>>>>>>
>>>>> Hi,
>>>>>
>>>>> Can you say exactly what your security requirements are before trying to determine which
>>>>> (if either) is the right answer? I've got some concerns in this area that I'm trying to understand
>>>>> and am not sure if they're related to your concern or not. Part of this is that I really don't
>>>>> understand what the difference is between a "public" client and a "confidential client" and
>>>>> rereading the draft isn't helping me. In particular, can a iPhone app with a UIWebView *ever*
>>>>> be a "confidential" client, and if so how?
>>>>>
>>>>> Mike
>>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>>
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth

--------------020907070708020309080604
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 8bit


  
    
  
  
    thanks John, inline

    

    On 12/19/11 3:20 PM, John Kemp wrote:
    

      
Hey Paul,

On Dec 19, 2011, at 2:49 PM, Paul Madsen wrote:



      

        
Hi John, the user identity & credentials are definitely fundamental (they allow the video content to be personalized), but given the valuable nature of the resources being accessed, many Resource Owners (that produce the video content) will expect that the clients be able to authenticate with its own credentials as well.


      

      
In which case, YMMV right, as usual, depending on the ability of the client to keep a secret? So, the expectation that clients can reliably authenticate seems still only reliable as those clients' platforms typically are (which is to say, not very reliable when put in the hands of consumers). 

    

    indeed, which points out that 'confidentiality <--> public' is
    a continuum. 

    

      



      

        
Wrt storing the user's credentials on the device, we are profiling the authz code grant type - we don't want passwords on the device , or even traded via RO creds grant type. But was that the question?


      

      
I was just trying to figure out why you care whether the client can keep a secret, assuming that it's actually and only the user authentication which determines whether the content may be accessed. If we're talking about protecting the user from phishing, you may not be as reliant on a client secret as if the content may be accessed only by authorized software installations in addition to authorized users. 

    

    A decision to release a vid could depend both on the user's
    subscriptions as well as the client being registered/valid. So, yes
    we care about clients keeping secrets, and so are able to
    authenticate to the AS in order to get tokens

    

    As Justin pointed out, the challenge is more in getting the secret
    to a native client than keeping it hidden once obtained.

    

    

      

- John



      

        
thanks

paul  

On 12/19/11 1:21 PM, John Kemp wrote:


        

          
Hi Paul,

On Dec 19, 2011, at 12:50 PM, Paul Madsen wrote:




          

            
Hi Mike, to some extent I think my question is not about specific security characteristics, but rather whether its realistic for our group to mandate that both server & native clients have the *same* security characteristics - particularly the ability to 'securely' authenticate to the AS on the token endpoint.



          

          
Well… from your description of your case (e.g. "based on a user's subscriptions"), I'm not sure whether the client (software) designation makes much difference. Am I correct in thinking that the credentials which really need to be protected are those assigned to a user, rather than those assigned to a client? In which case, wouldn't it be possible for even a 'public' OAuth client to acquire them from the user dynamically (rather than storing them on the device) and pass them encrypted or hashed to the server?

Cheers,

- John




          

            
thanks

paul

On 12/19/11 12:18 PM, Michael Thomas wrote:



            

              
On 12/19/2011 04:19 AM, Paul Madsen wrote: 



              

                
Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case) 

We want to support both server & native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2. 

OAuth 2 distinguishes confidential & public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't. 

Notwithstanding the above definition, the spec gives a degree of discretion to the AS 

   The client type designation is based on the authorization server's 
   definition of secure authentication and its acceptable exposure 
   levels of client credentials. 


Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server & native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate? 



              

              
Hi, 

Can you say exactly what your security requirements are before trying to determine which 
(if either) is the right answer? I've got some concerns in this area that I'm trying to understand 
and am not sure if they're related to your concern or not. Part of this is that I really don't 
understand what the difference is between a "public" client and a "confidential client" and 
rereading the draft isn't helping me. In particular, can a iPhone app with a UIWebView *ever* 
be a "confidential" client, and if so how? 

Mike 



            

            
_______________________________________________
OAuth mailing list

OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


          

        

      

      

    

  


--------------020907070708020309080604--

From eve@xmlgrrl.com  Mon Dec 19 15:53:12 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7664E21F84BC for ; Mon, 19 Dec 2011 15:53:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.293
X-Spam-Level: 
X-Spam-Status: No, score=-1.293 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FROM_DOMAIN_NOVOWEL=0.5, SARE_URI_CONS7=0.306,  URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OLiXbAUPJEY8 for ; Mon, 19 Dec 2011 15:53:11 -0800 (PST)
Received: from promanage-inc.com (eliasisrael.com [50.47.36.5]) by ietfa.amsl.com (Postfix) with ESMTP id C0EDE21F84C2 for ; Mon, 19 Dec 2011 15:53:11 -0800 (PST)
Received: from [192.168.168.185] ([192.168.168.185]) (authenticated bits=0) by promanage-inc.com (8.14.4/8.14.4) with ESMTP id pBJNr5q0027633 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 19 Dec 2011 15:53:06 -0800
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: Eve Maler 
In-Reply-To: <4EEF7C4B.2070405@aol.com>
Date: Mon, 19 Dec 2011 15:53:01 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <8709095D-EBF1-4E9A-99C3-765E29DDB946@xmlgrrl.com>
References:  <4EEF7C4B.2070405@aol.com>
To: Melvin Carvalho 
X-Mailer: Apple Mail (2.1251.1)
Cc: OAuth WG 
Subject: Re: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Mon, 19 Dec 2011 23:53:12 -0000

If you check out the recording of the UMA webinar from last week, you'll =
see a demo (starting at about the 33:00 mark) that shows individual user =
data being accessed according to ACL-type authorization policy settings, =
with the resource owner able to set these policies and then not have to =
be online when the requester shows up:

http://kantarainitiative.org/confluence/display/uma/Home

(As an aside, the UMA spec also provides an extended example that =
illustrates how scopes can be made interoperable enough to protect =
photos individually. See =
http://tools.ietf.org/html/draft-hardjono-oauth-umacore-02, especially =
Sections 1.4 and 10.)

	Eve

On 19 Dec 2011, at 10:02 AM, George Fletcher wrote:

> I would also recommend looking at User-Managed-Access which provides =
this kind of layer on top of OAuth2.
>=20
> http://kantarainitiative.org/confluence/display/uma/UMA+Explained
>=20
> Thanks,
> George
>=20
> On 12/18/11 12:05 PM, Melvin Carvalho wrote:
>> Quick question.  I was wondering if OAuth 2.0 can work with access
>> control lists.
>>=20
>> For example there is a protected resource (e.g. a photo), and I want
>> to set it up so that a two or more users (for example a group of
>> friends) U1, U2 ... Un will be able to access it after =
authenticating.
>>=20
>> Is this kind of flow possibly with OAuth 2.0, and if so whose
>> responsibility is it to maintain the list of agents than can access
>> the resource?
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>=20
>=20
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl


From alexey.skolyarov@dins.ru  Mon Dec 19 22:57:11 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9820821F84D4 for ; Mon, 19 Dec 2011 22:57:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.478
X-Spam-Level: 
X-Spam-Status: No, score=-0.478 tagged_above=-999 required=5 tests=[AWL=0.650,  BAYES_00=-2.599, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4IdjIqGM4rHh for ; Mon, 19 Dec 2011 22:57:10 -0800 (PST)
Received: from smtp01.dins.ru (smtp01.dins.ru [193.104.181.104]) by ietfa.amsl.com (Postfix) with ESMTP id B80FE21F84D2 for ; Mon, 19 Dec 2011 22:57:09 -0800 (PST)
Received: from mail01.dins.ru (ru-led-qatas01ac.dins.ru [192.168.12.108]) by smtp01.dins.ru (Postfix) with ESMTP id E2477DB49D9; Tue, 20 Dec 2011 09:57:05 +0300 (MSK)
Received: from MS2.corp.dins.ru ([fe80::f022:21e1:10a0:b75e]) by HUB1.corp.dins.ru ([fe80::58ae:e620:6b29:a68b%11]) with mapi id 14.01.0355.002; Tue, 20 Dec 2011 10:57:08 +0400
From: Alexey Skolyarov 
To: Justin Richer 
Thread-Topic: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
Thread-Index: Acy+S4VYvA+l6ZnUQliB5+O9EKnZ7f//wDsA//+4skCAAGsZAP/+tVRw
Date: Tue, 20 Dec 2011 06:57:07 +0000
Message-ID: <0433F58A304676408A8AF95199AFEB97CC17B7@MS2.corp.dins.ru>
References: <0433F58A304676408A8AF95199AFEB97CC1506@MS2.corp.dins.ru>  <0433F58A304676408A8AF95199AFEB97CC157D@MS2.corp.dins.ru> <4EEF51BE.7080202@mitre.org>
In-Reply-To: <4EEF51BE.7080202@mitre.org>
Accept-Language: ru-RU, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [192.168.14.189]
Content-Type: multipart/alternative; boundary="_000_0433F58A304676408A8AF95199AFEB97CC17B7MS2corpdinsru_"
MIME-Version: 1.0
Cc: "oauth@ietf.org" , Buhake Sindi 
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Tue, 20 Dec 2011 06:57:11 -0000

--_000_0433F58A304676408A8AF95199AFEB97CC17B7MS2corpdinsru_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

SSBzZWUgdGhhdC4gQnV0IGhvdyB0aGUgc2VydmVyIHNob3VsZCByZXNwb25kIG9uIGluY29ycmVj
dCByZXF1ZXN0ICh3aGVuIGl04oCZcyBub3QgcG9zc2libGUgdG8gZGV0ZXJtaW5lIGNvcnJlY3Qg
c3RhdGUgdG8gYmUgcGFzc2VkKS4NClNwZWNpZmljYWxseSwgd2hhdCBzdGF0ZSBzaG91bGQgYmUg
cGFzc2VkIHRvIHRoZSBjbGllbnQg4oCTIG5vIG9uZSwgYW55IG9yIGFsbCBvZiB0aGVtPw0KDQot
LQ0KQmVzdCByZWdhcmRzLCBBbGV4ZXkgU2tvbHlhcm92DQpEaW5vIFN5c3RlbXMgSmF2YSBUZWFt
DQpQaG9uZTogKzcgKDgxMikgNzQwLTc3LTYxIGV4dC4gNDE2MSAgICBTa3lwZTogYWxleGV5LnNr
b2x5YXJvdg0KQ2VsbDogKzcgKDkwNSkgMjAwLTI5LTgwICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICBNYWlsdG86IGFsZXhleS5za29seWFyb3ZAZGlucy5ydTxtYWlsdG86YWxleGV5LnNrb2x5
YXJvdkBkaW5zLnJ1Pg0KDQpGcm9tOiBKdXN0aW4gUmljaGVyIFttYWlsdG86anJpY2hlckBtaXRy
ZS5vcmddDQpTZW50OiBNb25kYXksIERlY2VtYmVyIDE5LCAyMDExIDc6MDEgUE0NClRvOiBBbGV4
ZXkgU2tvbHlhcm92DQpDYzogQnVoYWtlIFNpbmRpOyBvYXV0aEBpZXRmLm9yZw0KU3ViamVjdDog
UmU6IFtPQVVUSC1XR10gY29uZmxpY3Q6IGVycm9yIHJlc3BvbnNlIGludmFsaWRfcmVxdWVzdCBh
bmQgc3RhdGUgcGFyYW1ldGVyIGR1cGxpY2F0aW9uDQoNClRoZSBzcGVjIGFscmVhZHkgc2F5cyB0
aGF0IHlvdSBjYW4ndCByZXBlYXQgcmVxdWVzdCBwYXJhbWV0ZXJzIG9uIHRoZSBsaW5lIGxpa2Ug
dGhhdCwgc28gdGhhdCdzIGFuIGludmFsaWRfcmVxdWVzdCBlcnJvciwgYXMgZGVzY3JpYmVkIGlu
IHNlY3Rpb24gNS4yOg0KNS4yLiAgRXJyb3IgUmVzcG9uc2UNCg0KDQoNCg0KDQogICBUaGUgYXV0
aG9yaXphdGlvbiBzZXJ2ZXIgcmVzcG9uZHMgd2l0aCBhbiBIVFRQIDQwMCAoQmFkIFJlcXVlc3Qp
DQoNCiAgIHN0YXR1cyBjb2RlIGFuZCBpbmNsdWRlcyB0aGUgZm9sbG93aW5nIHBhcmFtZXRlcnMg
d2l0aCB0aGUgcmVzcG9uc2U6DQoNCg0KDQogICBlcnJvcg0KDQogICAgICAgICBSRVFVSVJFRC4g
IEEgc2luZ2xlIGVycm9yIGNvZGUgZnJvbSB0aGUgZm9sbG93aW5nOg0KDQogICAgICAgICBpbnZh
bGlkX3JlcXVlc3QNCg0KICAgICAgICAgICAgICAgVGhlIHJlcXVlc3QgaXMgbWlzc2luZyBhIHJl
cXVpcmVkIHBhcmFtZXRlciwgaW5jbHVkZXMgYW4NCg0KICAgICAgICAgICAgICAgdW5zdXBwb3J0
ZWQgcGFyYW1ldGVyIHZhbHVlLCByZXBlYXRzIGEgcGFyYW1ldGVyLA0KDQogICAgICAgICAgICAg
ICBpbmNsdWRlcyBtdWx0aXBsZSBjcmVkZW50aWFscywgdXRpbGl6ZXMgbW9yZSB0aGFuIG9uZQ0K
DQogICAgICAgICAgICAgICBtZWNoYW5pc20gZm9yIGF1dGhlbnRpY2F0aW5nIHRoZSBjbGllbnQs
IG9yIGlzIG90aGVyd2lzZQ0KDQogICAgICAgICAgICAgICBtYWxmb3JtZWQuDQoNCg0KIC0tIEp1
c3Rpbg0KDQpPbiAxMi8xOS8yMDExIDA4OjIwIEFNLCBBbGV4ZXkgU2tvbHlhcm92IHdyb3RlOg0K
SGVsbG8gQnVoYWtlLA0KDQpUaGFua3MgZm9yIHlvdXIgYW5zd2VyIQ0KSXQgc2VlbXMgSSBzaG91
bGQgZXhwbGFpbiBhIGJpdCBoZXJlIOKAkyBJ4oCZbSBub3QgYWJvdXQgaG93IHRvIHBhc3MgdGhl
IHN0YXRlIHdpdGggbXVsdGlwbGUgdmFsdWVzLCBJ4oCZbSB0cnlpbmcgdG8gZmlndXJlIG91dCBo
b3cgdGhlIE9BdXRoLTIuMC1kcmFmdC0yMiDigJMgY29tcGxpYW50IHNlcnZlciBzaG91bGQgcmVz
cG9uZCBvbiBkdXBsaWNhdGlvbiBvZiBzdGF0ZSByZXF1ZXN0IHBhcmFtZXRlci4NCg0KRm9yIGlu
c3RhbmNlIHdoYXQgc2hvdWxkIGJlIHJldHVybmVkIGluIHJlc3BvbnNlIG9uIGZvbGxvd2luZyBy
ZXF1ZXN0Og0KR0VUIC9hdXRob3JpemU/cmVzcG9uc2VfdHlwZT1jb2RlJmNsaWVudF9pZD1zNkJo
ZFJrcXQzJnN0YXRlPVFXRSZzdGF0ZT1BU0QmcmVkaXJlY3RfdXJpPWh0dHBzJTNBJTJGJTJGY2xp
ZW50JTJFZXhhbXBsZSUyRWNvbSUyRmNiIEhUVFAvMS4xDQpIb3N0OiBzZXJ2ZXIuZXhhbXBsZS5j
b20NCg0KSXTigJlzIHVuY2xlYXIgZm9yIG1lIHNob3VsZCBpdCBiZQ0KSFRUUC8xLjEgMzAyIEZv
dW5kDQpMb2NhdGlvbjogaHR0cHM6Ly9jbGllbnQuZXhhbXBsZS5jb20vY2I/ZXJyb3I9aW52YWxp
ZF9yZXF1ZXN0ICh3aXRob3V0IHRoZSBzdGF0ZSBjb21wbGV0ZWx5IOKAkyBzZWVtcyB0byBiZSB3
cm9uZyBiZWZvcmVoYW5kKQ0Kb3INCkhUVFAvMS4xIDMwMiBGb3VuZA0KTG9jYXRpb246IGh0dHBz
Oi8vY2xpZW50LmV4YW1wbGUuY29tL2NiP2Vycm9yPWludmFsaWRfcmVxdWVzdCZzdGF0ZT1RV0Ug
KCBvciBBU0QgLSBvbmUgb2YgcGFzc2VkIHN0YXRlcyB1c2VkKQ0Kb3INCkhUVFAvMS4xIDMwMiBG
b3VuZA0KTG9jYXRpb246IGh0dHBzOi8vY2xpZW50LmV4YW1wbGUuY29tL2NiP2Vycm9yPWludmFs
aWRfcmVxdWVzdCZzdGF0ZT1RV0UlMjBBU0QgKGJvdGggYnV0IHZpb2xhdGVzIHRoZSBpZGVhIHRo
YXQgc3RhdGUgc2hvdWxkIGJlIGtlcHQgdW5jaGFuZ2VkKS4NCg0KSSBob3BlIHRoaXMgZXhhbXBs
ZSBjb3VsZCBtYWtlIG15IHF1ZXN0aW9uIGNsZWFyZXIuDQoNClRoYW5rcyBpbiBhZHZhbmNlLg0K
LS0NCkJlc3QgcmVnYXJkcywgQWxleGV5IFNrb2x5YXJvdg0KDQoNCg0KRnJvbTogQnVoYWtlIFNp
bmRpIFttYWlsdG86YnVoYWtlQGdvb2dsZW1haWwuY29tXQ0KU2VudDogTW9uZGF5LCBEZWNlbWJl
ciAxOSwgMjAxMSA0OjUzIFBNDQpUbzogQWxleGV5IFNrb2x5YXJvdg0KU3ViamVjdDogUmU6IFtP
QVVUSC1XR10gY29uZmxpY3Q6IGVycm9yIHJlc3BvbnNlIGludmFsaWRfcmVxdWVzdCBhbmQgc3Rh
dGUgcGFyYW1ldGVyIGR1cGxpY2F0aW9uDQoNCkhpIEFsZXhleSwNCg0KSWYgSSdtIG5vdCBtaXN0
YWtlbiwgdG8gZGVjbGFyZSBtdWx0aXBsZSB2YWx1ZXMgaW4gInN0YXRlIiwgdGhlIGRvY3VtZW50
IHN0YXRlcyB0aGF0IGl0IHNob3VsZCBiZSBzcGFjZS1kZWxpbWl0ZWQgKCIgIikuIFRoaXMgaXMg
dW5saWtlIEZhY2Vib29rIHN0YXRlIHdoaWNoIGlzIGNvbW1hLWRlbGltaXRlZC4NCk9uIDE5IERl
Y2VtYmVyIDIwMTEgMTQ6NDEsIEFsZXhleSBTa29seWFyb3YgPGFsZXhleS5za29seWFyb3ZAZGlu
cy5ydTxtYWlsdG86YWxleGV5LnNrb2x5YXJvdkBkaW5zLnJ1Pj4gd3JvdGU6DQpIZWxsbyBldmVy
eWJvZHksDQoNClNpbmNlIHRoaXMgaXMgbXkgZmlyc3QgcG9zdCBvbiB0aGlzIGxpc3QsIEnigJls
bCBzYXkgZmV3IHdvcmRzIGFib3V0IHdob2FtaToNCk15IG5hbWUgaXMgQWxleGV5IFNrb2x5YXJv
diwgSSB3b3JrIGluIFNhaW50LVBldGVyc2J1cmcsIFJ1c3NpYS4gSeKAmW0gaW50ZXJlc3RlZCBp
biBPQXV0aDIgYmVjYXVzZSBJIGZvdW5kIG5vIHYyIHByb3ZpZGVycyBmb3IgSmVyc2V5PGh0dHA6
Ly9qZXJzZXkuamF2YS5uZXQvPiBleGNlcHQgU3ByaW5nIFNlY3VyaXR5IHdoaWNoIGlzIG11Y2gg
bW9yZSBjb21wbGV4IHRoYW4gMS4wYSBpbXBsZW1lbnRhdGlvbiBpbiBKZXJzZXktY29udHJpYi4g
Q3VycmVudGx5IEnigJltIHVuZGVyIE5EQSwgc28gSSBjYW7igJl0IHNheSBtb3JlIOKYuQ0KDQpO
ZXZlcnRoZWxlc3Mgd2XigJl2ZSBkb25lIHNwZWNpZmljYXRpb24gc3R1ZHkgYW5kIGZvdW5kIGEg
Y29uZmxpY3Qg4oCTIGluIGxhc3QgcGFyYWdyYXBoIG9mIHNlY3Rpb24gMy4xLiAiQXV0aG9yaXph
dGlvbiBFbmRwb2ludCI8aHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0Zi1vYXV0
aC12Mi0yMiNzZWN0aW9uLTMuMT4gaXQgaXMgbWVudGlvbmVkIHRoYXQg4oCcUmVxdWVzdCBhbmQg
cmVzcG9uc2UgcGFyYW1ldGVycyBNVVNUIE5PVCBiZSBpbmNsdWRlZCBtb3JlIHRoYW4gb25jZeKA
nS4NClRoaXMgc3RhdGVtZW50IGNvbmZsaWN0cyB3aXRoIHN0YXRlIHBhcmFtZXRlciBkZWZpbml0
aW9uIGluIHNlY3Rpb24gNC4xLjIuMSAiRXJyb3IgcmVzcG9uc2UiPGh0dHA6Ly90b29scy5pZXRm
Lm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgtdjItMjIjc2VjdGlvbi00LjEuMi4xPiwgd2hlcmUg
aXTigJlzIHNhaWQgdGhhdCBzdGF0ZSBpcyDigJxSRVFVSVJFRCBpZiBhIHZhbGlkICJzdGF0ZSIg
cGFyYW1ldGVyIHdhcyBwcmVzZW50IGluIHRoZSBjbGllbnQgIGF1dGhvcml6YXRpb24gcmVxdWVz
dC4gIFRoZSBleGFjdCB2YWx1ZSByZWNlaXZlZCBmcm9tIHRoZSBjbGllbnTigJ0uDQoNCkhvdyBw
YXNzaW5nIHN0YXRlPVFXRSZzdGF0ZT1BU0QgaW5zaWRlIHNhbWUgcmVxdWVzdCBzaG91bGQgYmUg
aGFuZGxlZCB0aGVuPw0KDQpGcm9tIG9uZSBoYW5kIGl0IGlzIGZvcmJpZGRlbiB0byBwcm9jZXNz
IHJlcXVlc3RzIHdpdGggbXVsdGlwbGUgcGFyYW1ldGVyIG9jY3VycmVuY2VzLg0KQnV0IGZyb20g
YW5vdGhlciBoYW5kIFNwZWNpZmljYXRpb24gcmVxdWlyZXMgdG8gcGFzcyB0aGUgc3RhdGUgaWYg
aXQgd2FzIGZvdW5kIGluIGEgcmVxdWVzdC4NClZpb2xhdGlvbiBvZiBhbnkgb2YgdGhlc2Ugc3Rh
dGVtZW50cyBjYW4gYmUgdHJlYXRlZCBhcyDigJxwYXJ0aWFsIGNvbXBsaWFuY2XigJ0gdG8gZHJh
ZnQtMjIsIHNvIEnigJltIGluIGRvdWJ0IHdoYXQgd2F5IGlzIHByZWZlcnJlZCB0aGVyZS4NCg0K
V2hhdCBkbyB5b3UgZ3V5cyB0aGluaz8NCg0KVGhhbmtzIGluIGFkdmFuY2UuDQotLQ0KQmVzdCBy
ZWdhcmRzLCBBbGV4ZXkgU2tvbHlhcm92DQoNCg0KX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX18NCk9BdXRoIG1haWxpbmcgbGlzdA0KT0F1dGhAaWV0Zi5vcmc8
bWFpbHRvOk9BdXRoQGlldGYub3JnPg0KaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0
aW5mby9vYXV0aA0KDQoNCg0KLS0NClRoZSBFbGl0ZSBHZW50bGVtYW4NCg0KDQoNCg0KX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCg0KT0F1dGggbWFpbGlu
ZyBsaXN0DQoNCk9BdXRoQGlldGYub3JnPG1haWx0bzpPQXV0aEBpZXRmLm9yZz4NCg0KaHR0cHM6
Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aA0KDQo=

--_000_0433F58A304676408A8AF95199AFEB97CC17B7MS2corpdinsru_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy
bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt
YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj
cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg
Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv
ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTIgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl
PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6
V2luZ2RpbmdzOw0KCXBhbm9zZS0xOjUgMCAwIDAgMCAwIDAgMCAwIDA7fQ0KQGZvbnQtZmFjZQ0K
CXtmb250LWZhbWlseToiQ2FtYnJpYSBNYXRoIjsNCglwYW5vc2UtMToyIDQgNSAzIDUgNCA2IDMg
MiA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1
IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OlRhaG9tYTsNCglw
YW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5
OiJDb3VyaWVyIE5ldyBcO2NvbG9yXDpibGFjayI7DQoJcGFub3NlLTE6MCAwIDAgMCAwIDAgMCAw
IDAgMDt9DQovKiBTdHlsZSBEZWZpbml0aW9ucyAqLw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1h
bCwgZGl2Lk1zb05vcm1hbA0KCXttYXJnaW46MGNtOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsN
Cglmb250LXNpemU6MTIuMHB0Ow0KCWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iLCJzZXJp
ZiI7DQoJY29sb3I6YmxhY2s7fQ0KaDMNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk7DQoJbXNvLXN0
eWxlLWxpbms6IkhlYWRpbmcgMyBDaGFyIjsNCgltc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzsNCglt
YXJnaW4tcmlnaHQ6MGNtOw0KCW1zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvOw0KCW1hcmdpbi1s
ZWZ0OjBjbTsNCglmb250LXNpemU6MTMuNXB0Ow0KCWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9t
YW4iLCJzZXJpZiI7DQoJY29sb3I6YmxhY2s7fQ0KYTpsaW5rLCBzcGFuLk1zb0h5cGVybGluaw0K
CXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6Ymx1ZTsNCgl0ZXh0LWRlY29yYXRpb246
dW5kZXJsaW5lO30NCmE6dmlzaXRlZCwgc3Bhbi5Nc29IeXBlcmxpbmtGb2xsb3dlZA0KCXttc28t
c3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6cHVycGxlOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRl
cmxpbmU7fQ0KcHJlDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGluazoi
SFRNTCBQcmVmb3JtYXR0ZWQgQ2hhciI7DQoJbWFyZ2luOjBjbTsNCgltYXJnaW4tYm90dG9tOi4w
MDAxcHQ7DQoJZm9udC1zaXplOjEwLjBwdDsNCglmb250LWZhbWlseToiQ291cmllciBOZXciOw0K
CWNvbG9yOmJsYWNrO30NCnAuTXNvQWNldGF0ZSwgbGkuTXNvQWNldGF0ZSwgZGl2Lk1zb0FjZXRh
dGUNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJCYWxsb29uIFRl
eHQgQ2hhciI7DQoJbWFyZ2luOjBjbTsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9udC1z
aXplOjguMHB0Ow0KCWZvbnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIjsNCgljb2xvcjpi
bGFjazt9DQpzcGFuLkhUTUxQcmVmb3JtYXR0ZWRDaGFyDQoJe21zby1zdHlsZS1uYW1lOiJIVE1M
IFByZWZvcm1hdHRlZCBDaGFyIjsNCgltc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxl
LWxpbms6IkhUTUwgUHJlZm9ybWF0dGVkIjsNCglmb250LWZhbWlseToiQ291cmllciBOZXciO30N
CnNwYW4uaDMNCgl7bXNvLXN0eWxlLW5hbWU6aDM7fQ0Kc3Bhbi5IZWFkaW5nM0NoYXINCgl7bXNv
LXN0eWxlLW5hbWU6IkhlYWRpbmcgMyBDaGFyIjsNCgltc28tc3R5bGUtcHJpb3JpdHk6OTsNCglt
c28tc3R5bGUtbGluazoiSGVhZGluZyAzIjsNCglmb250LWZhbWlseToiQ2FtYnJpYSIsInNlcmlm
IjsNCgljb2xvcjojNEY4MUJEOw0KCWZvbnQtd2VpZ2h0OmJvbGQ7fQ0Kc3Bhbi5ob2VuemINCgl7
bXNvLXN0eWxlLW5hbWU6aG9lbnpiO30NCnNwYW4uRW1haWxTdHlsZTIyDQoJe21zby1zdHlsZS10
eXBlOnBlcnNvbmFsOw0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7DQoJY29s
b3I6IzFGNDk3RDt9DQpzcGFuLkVtYWlsU3R5bGUyMw0KCXttc28tc3R5bGUtdHlwZTpwZXJzb25h
bC1yZXBseTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiOw0KCWNvbG9yOiMx
RjQ5N0Q7fQ0Kc3Bhbi5CYWxsb29uVGV4dENoYXINCgl7bXNvLXN0eWxlLW5hbWU6IkJhbGxvb24g
VGV4dCBDaGFyIjsNCgltc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6IkJh
bGxvb24gVGV4dCI7DQoJZm9udC1mYW1pbHk6IlRhaG9tYSIsInNhbnMtc2VyaWYiOw0KCWNvbG9y
OmJsYWNrO30NCi5Nc29DaHBEZWZhdWx0DQoJe21zby1zdHlsZS10eXBlOmV4cG9ydC1vbmx5Ow0K
CWZvbnQtc2l6ZToxMC4wcHQ7fQ0KQHBhZ2UgV29yZFNlY3Rpb24xDQoJe3NpemU6NjEyLjBwdCA3
OTIuMHB0Ow0KCW1hcmdpbjoyLjBjbSA0Mi41cHQgMi4wY20gMy4wY207fQ0KZGl2LldvcmRTZWN0
aW9uMQ0KCXtwYWdlOldvcmRTZWN0aW9uMTt9DQotLT48L3N0eWxlPjwhLS1baWYgZ3RlIG1zbyA5
XT48eG1sPg0KPG86c2hhcGVkZWZhdWx0cyB2OmV4dD0iZWRpdCIgc3BpZG1heD0iMTAyNiIgLz4N
CjwveG1sPjwhW2VuZGlmXS0tPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVsYXlv
dXQgdjpleHQ9ImVkaXQiPg0KPG86aWRtYXAgdjpleHQ9ImVkaXQiIGRhdGE9IjEiIC8+DQo8L286
c2hhcGVsYXlvdXQ+PC94bWw+PCFbZW5kaWZdLS0+DQo8L2hlYWQ+DQo8Ym9keSBiZ2NvbG9yPSJ3
aGl0ZSIgbGFuZz0iUlUiIGxpbms9ImJsdWUiIHZsaW5rPSJwdXJwbGUiPg0KPGRpdiBjbGFzcz0i
V29yZFNlY3Rpb24xIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBz
dHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZx
dW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+SSBzZWUgdGhhdC4gQnV0IGhvdyB0
aGUgc2VydmVyIHNob3VsZCByZXNwb25kIG9uIGluY29ycmVjdCByZXF1ZXN0ICh3aGVuIGl04oCZ
cyBub3QgcG9zc2libGUgdG8gZGV0ZXJtaW5lIGNvcnJlY3Qgc3RhdGUgdG8gYmUgcGFzc2VkKS48
bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJF
Ti1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZx
dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPlNwZWNpZmljYWxseSwg
d2hhdCBzdGF0ZSBzaG91bGQgYmUgcGFzc2VkIHRvIHRoZSBjbGllbnQg4oCTIG5vIG9uZSwgYW55
IG9yIGFsbCBvZiB0aGVtPzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt
YWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWls
eTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3
RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt
YWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+LS0gPGJyPg0KPC9z
cGFuPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZx
dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiM0RjgxQkQiPkJlc3QgcmVnYXJkcywg
QWxleGV5IFNrb2x5YXJvdg0KPGJyPg0KPC9zcGFuPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0i
Zm9udC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fu
cy1zZXJpZiZxdW90Oztjb2xvcjojNEY4MUJEIj5EaW5vIFN5c3RlbXMgSmF2YSBUZWFtPC9zcGFu
PjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90
OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxicj4NCjwvc3Bhbj48c3Bh
biBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseTomcXVvdDtD
YWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6I0ZGQTIwMCI+UGhvbmU6
DQo8L3NwYW4+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6Ny41cHQ7Zm9udC1m
YW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiM0
RjgxQkQiPiYjNDM7NyAoODEyKSA3NDAtNzctNjEgZXh0LiA0MTYxPC9zcGFuPjxzcGFuIGxhbmc9
IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkm
cXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojNEY3NEE0Ij4mbmJzcDsmbmJzcDsm
bmJzcDsNCjwvc3Bhbj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZTo3LjVwdDtm
b250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29s
b3I6I0ZGQTIwMCI+U2t5cGU6DQo8L3NwYW4+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250
LXNpemU6Ny41cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNl
cmlmJnF1b3Q7O2NvbG9yOiM0Rjc0QTQiPmFsZXhleS5za29seWFyb3Y8L3NwYW4+PHNwYW4gbGFu
Zz0iRU4tVVMiIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3Nh
bnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+DQo8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8
cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZTo3
LjVwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVv
dDs7Y29sb3I6I0ZGQTIwMCI+Q2VsbDoNCjwvc3Bhbj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9
ImZvbnQtc2l6ZTo3LjVwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3Nh
bnMtc2VyaWYmcXVvdDs7Y29sb3I6IzRGNzRBNCI+JiM0Mzs3ICg5MDUpIDIwMC0yOS04MCZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAmbmJzcDs8L3NwYW4+
PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6Ny41cHQ7Zm9udC1mYW1pbHk6JnF1
b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiNGRkEyMDAiPk1h
aWx0bzoNCjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjcuNXB0O2ZvbnQtZmFtaWx5OiZx
dW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojNEY3NEE0Ij48
YSBocmVmPSJtYWlsdG86YWxleGV5LnNrb2x5YXJvdkBkaW5zLnJ1Ij48c3BhbiBsYW5nPSJFTi1V
UyI+YWxleGV5LnNrb2x5YXJvdkBkaW5zLnJ1PC9zcGFuPjwvYT48L3NwYW4+PHNwYW4gc3R5bGU9
ImZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztj
b2xvcjojMUY0OTdEIj4NCjxzcGFuIGxhbmc9IkVOLVVTIj48bzpwPjwvbzpwPjwvc3Bhbj48L3Nw
YW4+PC9wPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIg
c3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90Oywm
cXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9z
cGFuPjwvcD4NCjxkaXY+DQo8ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItdG9wOnNvbGlk
ICNCNUM0REYgMS4wcHQ7cGFkZGluZzozLjBwdCAwY20gMGNtIDBjbSI+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIj48Yj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9u
dC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6
d2luZG93dGV4dCI+RnJvbTo8L3NwYW4+PC9iPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9u
dC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1z
ZXJpZiZxdW90Oztjb2xvcjp3aW5kb3d0ZXh0Ij4gSnVzdGluIFJpY2hlciBbbWFpbHRvOmpyaWNo
ZXJAbWl0cmUub3JnXQ0KPGJyPg0KPGI+U2VudDo8L2I+IE1vbmRheSwgRGVjZW1iZXIgMTksIDIw
MTEgNzowMSBQTTxicj4NCjxiPlRvOjwvYj4gQWxleGV5IFNrb2x5YXJvdjxicj4NCjxiPkNjOjwv
Yj4gQnVoYWtlIFNpbmRpOyBvYXV0aEBpZXRmLm9yZzxicj4NCjxiPlN1YmplY3Q6PC9iPiBSZTog
W09BVVRILVdHXSBjb25mbGljdDogZXJyb3IgcmVzcG9uc2UgaW52YWxpZF9yZXF1ZXN0IGFuZCBz
dGF0ZSBwYXJhbWV0ZXIgZHVwbGljYXRpb248bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N
CjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBj
bGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWJvdHRvbToxMi4wcHQiPlRoZSBzcGVjIGFs
cmVhZHkgc2F5cyB0aGF0IHlvdSBjYW4ndCByZXBlYXQgcmVxdWVzdCBwYXJhbWV0ZXJzIG9uIHRo
ZSBsaW5lIGxpa2UgdGhhdCwgc28gdGhhdCdzIGFuIGludmFsaWRfcmVxdWVzdCBlcnJvciwgYXMg
ZGVzY3JpYmVkIGluIHNlY3Rpb24gNS4yOjxvOnA+PC9vOnA+PC9wPg0KPGgzPjxhIG5hbWU9InNl
Y3Rpb24tNS4yIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVv
dDsiPjUuMjwvc3Bhbj48L2E+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIg
TmV3JnF1b3Q7Ij4uJm5ic3A7IEVycm9yIFJlc3BvbnNlPG86cD48L286cD48L3NwYW4+PC9oMz4N
CjxwcmU+PG86cD4mbmJzcDs8L286cD48L3ByZT4NCjxwcmU+PG86cD4mbmJzcDs8L286cD48L3By
ZT4NCjxwcmU+Jm5ic3A7Jm5ic3A7IFRoZSBhdXRob3JpemF0aW9uIHNlcnZlciByZXNwb25kcyB3
aXRoIGFuIEhUVFAgNDAwIChCYWQgUmVxdWVzdCk8bzpwPjwvbzpwPjwvcHJlPg0KPHByZT4mbmJz
cDsmbmJzcDsgc3RhdHVzIGNvZGUgYW5kIGluY2x1ZGVzIHRoZSBmb2xsb3dpbmcgcGFyYW1ldGVy
cyB3aXRoIHRoZSByZXNwb25zZTo8bzpwPjwvbzpwPjwvcHJlPg0KPHByZT48bzpwPiZuYnNwOzwv
bzpwPjwvcHJlPg0KPHByZT4mbmJzcDsmbmJzcDsgZXJyb3I8bzpwPjwvbzpwPjwvcHJlPg0KPHBy
ZT4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgUkVRVUlS
RUQuJm5ic3A7IEEgc2luZ2xlIGVycm9yIGNvZGUgZnJvbSB0aGUgZm9sbG93aW5nOjxvOnA+PC9v
OnA+PC9wcmU+DQo8cHJlPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyBpbnZhbGlkX3JlcXVlc3Q8bzpwPjwvbzpwPjwvcHJlPg0KPHByZT4mbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsgVGhlIHJlcXVlc3QgaXMgbWlzc2luZyBhIHJlcXVpcmVkIHBhcmFt
ZXRlciwgaW5jbHVkZXMgYW48bzpwPjwvbzpwPjwvcHJlPg0KPHByZT4mbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsgdW5zdXBwb3J0ZWQgcGFyYW1ldGVyIHZhbHVlLCByZXBlYXRzIGEgcGFyYW1l
dGVyLDxvOnA+PC9vOnA+PC9wcmU+DQo8cHJlPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBp
bmNsdWRlcyBtdWx0aXBsZSBjcmVkZW50aWFscywgdXRpbGl6ZXMgbW9yZSB0aGFuIG9uZTxvOnA+
PC9vOnA+PC9wcmU+DQo8cHJlPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBtZWNoYW5pc20g
Zm9yIGF1dGhlbnRpY2F0aW5nIHRoZSBjbGllbnQsIG9yIGlzIG90aGVyd2lzZTxvOnA+PC9vOnA+
PC9wcmU+DQo8cHJlPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBtYWxmb3JtZWQuPG86cD48
L286cD48L3ByZT4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxicj4NCjxicj4NCiZuYnNwOy0tIEp1
c3Rpbjxicj4NCjxicj4NCk9uIDEyLzE5LzIwMTEgMDg6MjAgQU0sIEFsZXhleSBTa29seWFyb3Yg
d3JvdGU6IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0i
RU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkm
cXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj5IZWxsbyBCdWhha2Us
PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0i
RU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkm
cXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+
PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIg
c3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90Oywm
cXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPlRoYW5rcyBmb3IgeW91ciBhbnN3
ZXIhPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFu
Zz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGli
cmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj5JdCBzZWVtcyBJ
IHNob3VsZCBleHBsYWluIGEgYml0IGhlcmUg4oCTIEnigJltIG5vdCBhYm91dCBob3cgdG8gcGFz
cyB0aGUgc3RhdGUgd2l0aCBtdWx0aXBsZSB2YWx1ZXMsIEnigJltIHRyeWluZyB0byBmaWd1cmUg
b3V0IGhvdyB0aGUgT0F1dGgtMi4wLWRyYWZ0LTIyDQog4oCTIGNvbXBsaWFudCBzZXJ2ZXIgc2hv
dWxkIHJlc3BvbmQgb24gZHVwbGljYXRpb24gb2Ygc3RhdGUgcmVxdWVzdCBwYXJhbWV0ZXIuPC9z
cGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4t
VVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVv
dDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PG86
cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5
bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVv
dDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPkZvciBpbnN0YW5jZSB3aGF0IHNob3Vs
ZCBiZSByZXR1cm5lZCBpbiByZXNwb25zZSBvbiBmb2xsb3dpbmcgcmVxdWVzdDo8L3NwYW4+PG86
cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5
bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsi
PkdFVCAvYXV0aG9yaXplP3Jlc3BvbnNlX3R5cGU9Y29kZSZhbXA7Y2xpZW50X2lkPXM2QmhkUmtx
dDMmYW1wOzxiPnN0YXRlPVFXRTwvYj4mYW1wOzxiPnN0YXRlPUFTRDwvYj4mYW1wO3JlZGlyZWN0
X3VyaT1odHRwcyUzQSUyRiUyRmNsaWVudCUyRWV4YW1wbGUlMkVjb20lMkZjYiBIVFRQLzEuMTwv
c3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVO
LVVTIiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5l
dyZxdW90OyI+SDwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWls
eTomcXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+b3N0OiBzZXJ2ZXIuZXhhbXBsZS5jb208L3NwYW4+
PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIg
c3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90Oywm
cXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwv
bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0i
Zm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3Nh
bnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+SXTigJlzIHVuY2xlYXIgZm9yIG1lIHNob3Vs
ZCBpdCBiZQ0KPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5
bGU9InBhZ2UtYnJlYWstYmVmb3JlOmFsd2F5cyI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJm
b250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3IDtjb2xvcjpibGFj
ayZxdW90OywmcXVvdDtzZXJpZiZxdW90OyI+SFRUUC8xLjEgMzAyIEZvdW5kPC9zcGFuPjxvOnA+
PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9InBhZ2UtYnJlYWstYmVmb3Jl
OmFsd2F5cyI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQt
ZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3IDtjb2xvcjpibGFjayZxdW90OywmcXVvdDtzZXJpZiZx
dW90OyI+TG9jYXRpb246DQo8YSBocmVmPSJodHRwczovL2NsaWVudC5leGFtcGxlLmNvbS9jYj9l
cnJvcj1pbnZhbGlkX3JlcXVlc3QiPmh0dHBzOi8vY2xpZW50LmV4YW1wbGUuY29tL2NiP2Vycm9y
PWludmFsaWRfcmVxdWVzdDwvYT4NCjwvc3Bhbj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZv
bnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5z
LXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPih3aXRob3V0IHRoZSBzdGF0ZSBjb21wbGV0ZWx5
IOKAkyBzZWVtcyB0byBiZSB3cm9uZyBiZWZvcmVoYW5kKQ0KPC9zcGFuPjxvOnA+PC9vOnA+PC9w
Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9InBhZ2UtYnJlYWstYmVmb3JlOmFsd2F5cyI+
PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZx
dW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj5v
cg0KPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9InBh
Z2UtYnJlYWstYmVmb3JlOmFsd2F5cyI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNp
emU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3IDtjb2xvcjpibGFjayZxdW90
OywmcXVvdDtzZXJpZiZxdW90OyI+SFRUUC8xLjEgMzAyIEZvdW5kPC9zcGFuPjxvOnA+PC9vOnA+
PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9InBhZ2UtYnJlYWstYmVmb3JlOmFsd2F5
cyI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5
OiZxdW90O0NvdXJpZXIgTmV3IDtjb2xvcjpibGFjayZxdW90OywmcXVvdDtzZXJpZiZxdW90OyI+
TG9jYXRpb246DQo8YSBocmVmPSJodHRwczovL2NsaWVudC5leGFtcGxlLmNvbS9jYj9lcnJvcj1p
bnZhbGlkX3JlcXVlc3QmYW1wO3N0YXRlPVFXRSI+aHR0cHM6Ly9jbGllbnQuZXhhbXBsZS5jb20v
Y2I/ZXJyb3I9aW52YWxpZF9yZXF1ZXN0JmFtcDtzdGF0ZT1RV0U8L2E+PC9zcGFuPjxzcGFuIGxh
bmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxp
YnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+ICggb3IgQVNE
IC0gb25lIG9mIHBhc3NlZA0KIHN0YXRlcyB1c2VkKSA8L3NwYW4+PG86cD48L286cD48L3A+DQo8
cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3Bh
biBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7
Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPm9yDQo8
L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1i
cmVhay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZTox
MC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcgO2NvbG9yOmJsYWNrJnF1b3Q7LCZx
dW90O3NlcmlmJnF1b3Q7Ij5IVFRQLzEuMSAzMDIgRm91bmQ8L3NwYW4+PG86cD48L286cD48L3A+
DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48
c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1
b3Q7Q291cmllciBOZXcgO2NvbG9yOmJsYWNrJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7Ij5Mb2Nh
dGlvbjoNCjxhIGhyZWY9Imh0dHBzOi8vY2xpZW50LmV4YW1wbGUuY29tL2NiP2Vycm9yPWludmFs
aWRfcmVxdWVzdCZhbXA7c3RhdGU9UVdFJTIwQVNEIj5odHRwczovL2NsaWVudC5leGFtcGxlLmNv
bS9jYj9lcnJvcj1pbnZhbGlkX3JlcXVlc3QmYW1wO3N0YXRlPVFXRSUyMEFTRDwvYT4NCjwvc3Bh
bj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6
JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0Qi
Pihib3RoIGJ1dCB2aW9sYXRlcyB0aGUgaWRlYSB0aGF0IHN0YXRlIHNob3VsZCBiZSBrZXB0IHVu
Y2hhbmdlZCkuDQo8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBz
dHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9
ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtz
YW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwv
cD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJwYWdlLWJyZWFrLWJlZm9yZTphbHdheXMi
PjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTom
cXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+
SSBob3BlIHRoaXMgZXhhbXBsZSBjb3VsZCBtYWtlIG15IHF1ZXN0aW9uIGNsZWFyZXIuDQo8L3Nw
YW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVh
ay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4w
cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7
O2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN
c29Ob3JtYWwiIHN0eWxlPSJwYWdlLWJyZWFrLWJlZm9yZTphbHdheXMiPjxzcGFuIGxhbmc9IkVO
LVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1
b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+VGhhbmtzIGluIGFkdmFu
Y2UuPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFu
Zz0iRU4tVVMiIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4tLSA8YnI+DQo8L3NwYW4+PHNwYW4gbGFu
Zz0iRU4tVVMiIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3Nh
bnMtc2VyaWYmcXVvdDs7Y29sb3I6IzRGODFCRCI+QmVzdCByZWdhcmRzLCBBbGV4ZXkgU2tvbHlh
cm92DQo8YnI+DQo8YnI+DQo8YnI+DQo8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i
TXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9u
dC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9y
OiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxkaXYgc3R5bGU9ImJvcmRl
cjpub25lO2JvcmRlci10b3A6c29saWQgI0I1QzRERiAxLjBwdDtwYWRkaW5nOjMuMHB0IDBjbSAw
Y20gMGNtIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHls
ZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7
c2Fucy1zZXJpZiZxdW90OyI+RnJvbTo8L3NwYW4+PC9iPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHls
ZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7
c2Fucy1zZXJpZiZxdW90OyI+IEJ1aGFrZSBTaW5kaSBbPGEgaHJlZj0ibWFpbHRvOmJ1aGFrZUBn
b29nbGVtYWlsLmNvbSI+bWFpbHRvOmJ1aGFrZUBnb29nbGVtYWlsLmNvbTwvYT5dDQo8YnI+DQo8
Yj5TZW50OjwvYj4gTW9uZGF5LCBEZWNlbWJlciAxOSwgMjAxMSA0OjUzIFBNPGJyPg0KPGI+VG86
PC9iPiBBbGV4ZXkgU2tvbHlhcm92PGJyPg0KPGI+U3ViamVjdDo8L2I+IFJlOiBbT0FVVEgtV0dd
IGNvbmZsaWN0OiBlcnJvciByZXNwb25zZSBpbnZhbGlkX3JlcXVlc3QgYW5kIHN0YXRlIHBhcmFt
ZXRlciBkdXBsaWNhdGlvbjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPHAgY2xhc3M9
Ik1zb05vcm1hbCI+Jm5ic3A7PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBz
dHlsZT0ibWFyZ2luLWJvdHRvbToxMi4wcHQiPkhpIEFsZXhleSw8YnI+DQo8YnI+DQpJZiBJJ20g
bm90IG1pc3Rha2VuLCB0byBkZWNsYXJlIG11bHRpcGxlIHZhbHVlcyBpbiAmcXVvdDtzdGF0ZSZx
dW90OywgdGhlIGRvY3VtZW50IHN0YXRlcyB0aGF0IGl0IHNob3VsZCBiZSBzcGFjZS1kZWxpbWl0
ZWQgKCZxdW90OyAmcXVvdDspLiBUaGlzIGlzIHVubGlrZSBGYWNlYm9vayBzdGF0ZSB3aGljaCBp
cyBjb21tYS1kZWxpbWl0ZWQuPG86cD48L286cD48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v
cm1hbCI+T24gMTkgRGVjZW1iZXIgMjAxMSAxNDo0MSwgQWxleGV5IFNrb2x5YXJvdiAmbHQ7PGEg
aHJlZj0ibWFpbHRvOmFsZXhleS5za29seWFyb3ZAZGlucy5ydSI+YWxleGV5LnNrb2x5YXJvdkBk
aW5zLnJ1PC9hPiZndDsgd3JvdGU6PG86cD48L286cD48L3A+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNs
YXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2lu
LWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gbGFuZz0iRU4tVVMiPkhlbGxvIGV2ZXJ5Ym9keSw8L3Nw
YW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdp
bi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIGxhbmc9IkVO
LVVTIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBz
dHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8i
PjxzcGFuIGxhbmc9IkVOLVVTIj5TaW5jZSB0aGlzIGlzIG15IGZpcnN0IHBvc3Qgb24gdGhpcyBs
aXN0LCBJ4oCZbGwgc2F5IGZldyB3b3JkcyBhYm91dCB3aG9hbWk6PC9zcGFuPjxvOnA+PC9vOnA+
PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRv
O21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+TXkgbmFtZSBp
cyBBbGV4ZXkgU2tvbHlhcm92LCBJIHdvcmsgaW4gU2FpbnQtUGV0ZXJzYnVyZywgUnVzc2lhLiBJ
4oCZbSBpbnRlcmVzdGVkIGluIE9BdXRoMiBiZWNhdXNlIEkgZm91bmQgbm8gdjIgcHJvdmlkZXJz
IGZvcg0KPGEgaHJlZj0iaHR0cDovL2plcnNleS5qYXZhLm5ldC8iIHRhcmdldD0iX2JsYW5rIj5K
ZXJzZXk8L2E+IGV4Y2VwdCBTcHJpbmcgU2VjdXJpdHkgd2hpY2ggaXMgbXVjaCBtb3JlIGNvbXBs
ZXggdGhhbiAxLjBhIGltcGxlbWVudGF0aW9uIGluIEplcnNleS1jb250cmliLiBDdXJyZW50bHkg
SeKAmW0gdW5kZXIgTkRBLCBzbyBJIGNhbuKAmXQgc2F5IG1vcmUNCjwvc3Bhbj48c3BhbiBsYW5n
PSJFTi1VUyIgc3R5bGU9ImZvbnQtZmFtaWx5OldpbmdkaW5ncyI+TDwvc3Bhbj48bzpwPjwvbzpw
PjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0
bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gbGFuZz0iRU4tVVMiPiZuYnNwOzwv
c3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFy
Z2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gbGFuZz0i
RU4tVVMiPk5ldmVydGhlbGVzcyB3ZeKAmXZlIGRvbmUgc3BlY2lmaWNhdGlvbiBzdHVkeSBhbmQg
Zm91bmQgYSBjb25mbGljdCDigJMgaW4gbGFzdCBwYXJhZ3JhcGggb2YNCjxhIGhyZWY9Imh0dHA6
Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgtdjItMjIjc2VjdGlvbi0zLjEi
IHRhcmdldD0iX2JsYW5rIj4NCnNlY3Rpb24gMy4xLiAmcXVvdDtBdXRob3JpemF0aW9uIEVuZHBv
aW50JnF1b3Q7PC9hPiBpdCBpcyBtZW50aW9uZWQgdGhhdCDigJw8aT5SZXF1ZXN0IGFuZCByZXNw
b25zZSBwYXJhbWV0ZXJzIE1VU1QgTk9UIGJlIGluY2x1ZGVkIG1vcmUgdGhhbiBvbmNlPC9pPuKA
nS48L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNv
LW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIGxh
bmc9IkVOLVVTIj5UaGlzIHN0YXRlbWVudCBjb25mbGljdHMgd2l0aA0KPGk+c3RhdGU8L2k+IHBh
cmFtZXRlciBkZWZpbml0aW9uIGluIDxhIGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1s
L2RyYWZ0LWlldGYtb2F1dGgtdjItMjIjc2VjdGlvbi00LjEuMi4xIiB0YXJnZXQ9Il9ibGFuayI+
DQpzZWN0aW9uIDQuMS4yLjEgJnF1b3Q7RXJyb3IgcmVzcG9uc2UmcXVvdDs8L2E+LCB3aGVyZSBp
dOKAmXMgc2FpZCB0aGF0IHN0YXRlIGlzIOKAnDxpPlJFUVVJUkVEIGlmIGEgdmFsaWQgJnF1b3Q7
c3RhdGUmcXVvdDsgcGFyYW1ldGVyIHdhcyBwcmVzZW50IGluIHRoZSBjbGllbnQmbmJzcDsgYXV0
aG9yaXphdGlvbiByZXF1ZXN0LiZuYnNwOyBUaGUgZXhhY3QgdmFsdWUgcmVjZWl2ZWQgZnJvbSB0
aGUgY2xpZW50PC9pPuKAnS48L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9y
bWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0
OmF1dG8iPjxzcGFuIGxhbmc9IkVOLVVTIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8
cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1h
cmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIGxhbmc9IkVOLVVTIj5Ib3cgcGFzc2luZw0KPGk+
c3RhdGU9UVdFJmFtcDtzdGF0ZT1BU0Q8L2k+IGluc2lkZSBzYW1lIHJlcXVlc3Qgc2hvdWxkIGJl
IGhhbmRsZWQgdGhlbj88L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFs
IiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1
dG8iPjxzcGFuIGxhbmc9IkVOLVVTIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBj
bGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdp
bi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIGxhbmc9IkVOLVVTIj5Gcm9tIG9uZSBoYW5kIGl0IGlz
IGZvcmJpZGRlbiB0byBwcm9jZXNzIHJlcXVlc3RzIHdpdGggbXVsdGlwbGUgcGFyYW1ldGVyIG9j
Y3VycmVuY2VzLjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0
eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+
PHNwYW4gbGFuZz0iRU4tVVMiPkJ1dCBmcm9tIGFub3RoZXIgaGFuZCBTcGVjaWZpY2F0aW9uIHJl
cXVpcmVzIHRvIHBhc3MgdGhlIHN0YXRlIGlmIGl0IHdhcyBmb3VuZCBpbiBhIHJlcXVlc3QuDQo8
L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1h
cmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIGxhbmc9
IkVOLVVTIj5WaW9sYXRpb24gb2YgYW55IG9mIHRoZXNlIHN0YXRlbWVudHMgY2FuIGJlIHRyZWF0
ZWQgYXMg4oCccGFydGlhbCBjb21wbGlhbmNl4oCdIHRvIGRyYWZ0LTIyLCBzbyBJ4oCZbSBpbiBk
b3VidCB3aGF0IHdheSBpcyBwcmVmZXJyZWQgdGhlcmUuPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0K
PHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1t
YXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+Jm5ic3A7PC9zcGFuPjxv
OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9w
LWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+
V2hhdCBkbyB5b3UgZ3V5cyB0aGluaz88L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i
TXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0
b20tYWx0OmF1dG8iPjxzcGFuIGxhbmc9IkVOLVVTIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48
L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87
bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIGxhbmc9IkVOLVVTIj5UaGFua3MgaW4g
YWR2YW5jZS48L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHls
ZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxz
cGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iY29sb3I6Izg4ODg4OCI+LS0NCjxicj4NCjwvc3Bhbj48
c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImNvbG9yOiM0RjgxQkQiPkJlc3QgcmVnYXJkcywgQWxl
eGV5IFNrb2x5YXJvdiA8L3NwYW4+DQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt
YWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6
YXV0byI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJjb2xvcjojODg4ODg4Ij4mbmJzcDs8L3Nw
YW4+PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIg
c3R5bGU9Im1hcmdpbi1ib3R0b206MTIuMHB0Ij48YnI+DQpfX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fXzxicj4NCk9BdXRoIG1haWxpbmcgbGlzdDxicj4NCjxh
IGhyZWY9Im1haWx0bzpPQXV0aEBpZXRmLm9yZyI+T0F1dGhAaWV0Zi5vcmc8L2E+PGJyPg0KPGEg
aHJlZj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aCIgdGFyZ2V0
PSJfYmxhbmsiPmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGg8L2E+
PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxicj4NCjxiciBj
bGVhcj0iYWxsIj4NCjxicj4NCi0tIDxicj4NClRoZSBFbGl0ZSBHZW50bGVtYW48bzpwPjwvbzpw
PjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxicj4NCjxicj4NCjxicj4NCjxvOnA+PC9vOnA+
PC9wPg0KPHByZT5fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
XzxvOnA+PC9vOnA+PC9wcmU+DQo8cHJlPk9BdXRoIG1haWxpbmcgbGlzdDxvOnA+PC9vOnA+PC9w
cmU+DQo8cHJlPjxhIGhyZWY9Im1haWx0bzpPQXV0aEBpZXRmLm9yZyI+T0F1dGhAaWV0Zi5vcmc8
L2E+PG86cD48L286cD48L3ByZT4NCjxwcmU+PGEgaHJlZj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcv
bWFpbG1hbi9saXN0aW5mby9vYXV0aCI+aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0
aW5mby9vYXV0aDwvYT48bzpwPjwvbzpwPjwvcHJlPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86
cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4NCg==

--_000_0433F58A304676408A8AF95199AFEB97CC17B7MS2corpdinsru_--

From jricher@mitre.org  Tue Dec 20 06:23:19 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7464F21F8AF9 for ; Tue, 20 Dec 2011 06:23:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level: 
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TwmCCt1Wm2V4 for ; Tue, 20 Dec 2011 06:23:18 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id E8B6121F8AF7 for ; Tue, 20 Dec 2011 06:23:17 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 4BEAE21B0615; Tue, 20 Dec 2011 09:23:17 -0500 (EST)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 3C18F21B05E8; Tue, 20 Dec 2011 09:23:17 -0500 (EST)
Received: from [129.83.50.8] (129.83.31.51) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.1.339.1; Tue, 20 Dec 2011 09:23:16 -0500
Message-ID: <4EF09A35.1000807@mitre.org>
Date: Tue, 20 Dec 2011 09:22:45 -0500
From: Justin Richer 
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0
MIME-Version: 1.0
To: Alexey Skolyarov 
References: <0433F58A304676408A8AF95199AFEB97CC1506@MS2.corp.dins.ru>  <0433F58A304676408A8AF95199AFEB97CC157D@MS2.corp.dins.ru> <4EEF51BE.7080202@mitre.org> <0433F58A304676408A8AF95199AFEB97CC17B7@MS2.corp.dins.ru>
In-Reply-To: <0433F58A304676408A8AF95199AFEB97CC17B7@MS2.corp.dins.ru>
Content-Type: multipart/alternative; boundary="------------040608060000070400020108"
X-Originating-IP: [129.83.31.51]
Cc: "oauth@ietf.org" , Buhake Sindi 
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Tue, 20 Dec 2011 14:23:19 -0000

--------------040608060000070400020108
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 8bit

None, it responds with an error (400) and not a redirect (302). You 
don't include the state parameter on an error response, only on a valid 
redirection response.

  -- Justin

On 12/20/2011 01:57 AM, Alexey Skolyarov wrote:
>
> I see that. But how the server should respond on incorrect request 
> (when it’s not possible to determine correct state to be passed).
>
> Specifically, what state should be passed to the client – no one, any 
> or all of them?
>
> -- 
> Best regards, Alexey Skolyarov
> Dino Systems Java Team
> Phone: +7 (812) 740-77-61 ext. 4161Skype: alexey.skolyarov
>
> Cell: +7 (905) 200-29-80 Mailto: alexey.skolyarov@dins.ru 
> 
>
> *From:*Justin Richer [mailto:jricher@mitre.org]
> *Sent:* Monday, December 19, 2011 7:01 PM
> *To:* Alexey Skolyarov
> *Cc:* Buhake Sindi; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] conflict: error response invalid_request and 
> state parameter duplication
>
> The spec already says that you can't repeat request parameters on the 
> line like that, so that's an invalid_request error, as described in 
> section 5.2:
>
>
>       5.2.  Error Response
>
>   
>   
>     The authorization server responds with an HTTP 400 (Bad Request)
>     status code and includes the following parameters with the response:
>   
>     error
>           REQUIRED.  A single error code from the following:
>           invalid_request
>                 The request is missing a required parameter, includes an
>                 unsupported parameter value, repeats a parameter,
>                 includes multiple credentials, utilizes more than one
>                 mechanism for authenticating the client, or is otherwise
>                 malformed.
>
>
>
>  -- Justin
>
> On 12/19/2011 08:20 AM, Alexey Skolyarov wrote:
>
> Hello Buhake,
>
> Thanks for your answer!
>
> It seems I should explain a bit here – I’m not about how to pass the 
> state with multiple values, I’m trying to figure out how the 
> OAuth-2.0-draft-22 – compliant server should respond on duplication of 
> state request parameter.
>
> For instance what should be returned in response on following request:
>
> GET 
> /authorize?response_type=code&client_id=s6BhdRkqt3&*state=QWE*&*state=ASD*&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb 
> HTTP/1.1
>
> Host: server.example.com
>
> It’s unclear for me should it be
>
> HTTP/1.1 302 Found
>
> Location: https://client.example.com/cb?error=invalid_request (without 
> the state completely – seems to be wrong beforehand)
>
> or
>
> HTTP/1.1 302 Found
>
> Location: 
> https://client.example.com/cb?error=invalid_request&state=QWE 
> ( or 
> ASD - one of passed states used)
>
> or
>
> HTTP/1.1 302 Found
>
> Location: 
> https://client.example.com/cb?error=invalid_request&state=QWE%20ASD 
>  
> (both but violates the idea that state should be kept unchanged).
>
> I hope this example could make my question clearer.
>
> Thanks in advance.
>
> -- 
> Best regards, Alexey Skolyarov
>
>
> *From:*Buhake Sindi [mailto:buhake@googlemail.com]
> *Sent:* Monday, December 19, 2011 4:53 PM
> *To:* Alexey Skolyarov
> *Subject:* Re: [OAUTH-WG] conflict: error response invalid_request and 
> state parameter duplication
>
> Hi Alexey,
>
> If I'm not mistaken, to declare multiple values in "state", the 
> document states that it should be space-delimited (" "). This is 
> unlike Facebook state which is comma-delimited.
>
> On 19 December 2011 14:41, Alexey Skolyarov  > wrote:
>
> Hello everybody,
>
> Since this is my first post on this list, I’ll say few words about whoami:
>
> My name is Alexey Skolyarov, I work in Saint-Petersburg, Russia. I’m 
> interested in OAuth2 because I found no v2 providers for Jersey 
>  except Spring Security which is much more 
> complex than 1.0a implementation in Jersey-contrib. Currently I’m 
> under NDA, so I can’t say more L
>
> Nevertheless we’ve done specification study and found a conflict – in 
> last paragraph of section 3.1. "Authorization Endpoint" 
>  it is 
> mentioned that “/Request and response parameters MUST NOT be included 
> more than once/â€.
>
> This statement conflicts with /state/ parameter definition in section 
> 4.1.2.1 "Error response" 
> , 
> where it’s said that state is “/REQUIRED if a valid "state" parameter 
> was present in the client  authorization request.  The exact value 
> received from the client/â€.
>
> How passing /state=QWE&state=ASD/ inside same request should be 
> handled then?
>
> From one hand it is forbidden to process requests with multiple 
> parameter occurrences.
>
> But from another hand Specification requires to pass the state if it 
> was found in a request.
>
> Violation of any of these statements can be treated as “partial 
> compliance†to draft-22, so I’m in doubt what way is preferred there.
>
> What do you guys think?
>
> Thanks in advance.
>
> -- 
> Best regards, Alexey Skolyarov
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org 
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> -- 
> The Elite Gentleman
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org  
> https://www.ietf.org/mailman/listinfo/oauth
>


--------------040608060000070400020108
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit


  
    
  
  
    None, it responds with an error (400) and not a redirect (302). You
    don't include the state parameter on an error response, only on a
    valid redirection response.

    

     -- Justin

    

    On 12/20/2011 01:57 AM, Alexey Skolyarov wrote:
    

      
      
      
      

        
I see that. But how the server should respond
            on incorrect request (when it’s not possible to determine
            correct state to be passed).

        
Specifically, what state should be passed to
            the client – no one, any or all of them?

        
 

        

          
--
              

            Best regards, Alexey Skolyarov
              

            Dino Systems Java Team

            Phone:
            +7 (812) 740-77-61 ext. 4161   
            Skype:
            alexey.skolyarov
              

          
Cell:
            +7 (905) 200-29-80                           
               Mailto:
            alexey.skolyarov@dins.ru
              

        

        
 

        

          

            
From: Justin Richer [mailto:jricher@mitre.org]
                

                Sent: Monday, December 19, 2011 7:01 PM

                To: Alexey Skolyarov

                Cc: Buhake Sindi; oauth@ietf.org

                Subject: Re: [OAUTH-WG] conflict: error response
                invalid_request and state parameter duplication

          

        

        
 

        
The spec
          already says that you can't repeat request parameters on the
          line like that, so that's an invalid_request error, as
          described in section 5.2:

        
5.2.  Error
            Response

        
 

        
 

        
   The authorization server responds with an HTTP 400 (Bad Request)

        
   status code and includes the following parameters with the response:

        
 

        
   error

        
         REQUIRED.  A single error code from the following:

        
         invalid_request

        
               The request is missing a required parameter, includes an

        
               unsupported parameter value, repeats a parameter,

        
               includes multiple credentials, utilizes more than one

        
               mechanism for authenticating the client, or is otherwise

        
               malformed.

        


          

           -- Justin

          

          On 12/19/2011 08:20 AM, Alexey Skolyarov wrote: 

        
Hello Buhake,

        
 

        
Thanks for your answer!

        
It seems I should explain a bit here – I’m not
            about how to pass the state with multiple values, I’m trying
            to figure out how the OAuth-2.0-draft-22 – compliant server
            should respond on duplication of state request parameter.

        
 

        
For instance what should be returned in
            response on following request:

        
GET
            /authorize?response_type=code&client_id=s6BhdRkqt3&state=QWE&state=ASD&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
            HTTP/1.1

        
Host:
            server.example.com

        
 

        
It’s unclear for me should it be
          

        
HTTP/1.1
            302 Found

        
Location:
            https://client.example.com/cb?error=invalid_request
          (without the state completely – seems to be
            wrong beforehand)
          

        
or
          

        
HTTP/1.1
            302 Found

        
Location:
            https://client.example.com/cb?error=invalid_request&state=QWE ( or ASD - one of passed states used) 

        
or
          

        
HTTP/1.1
            302 Found

        
Location:
            https://client.example.com/cb?error=invalid_request&state=QWE%20ASD
          (both but violates the idea that state should
            be kept unchanged).
          

        
 

        
I hope this example could make my question
            clearer.
          

        
 

        
Thanks in advance.

        
--
            

          Best regards, Alexey Skolyarov
            

            

            

          

        
 

        

          
From: Buhake Sindi [mailto:buhake@googlemail.com]
              

              Sent: Monday, December 19, 2011 4:53 PM

              To: Alexey Skolyarov

              Subject: Re: [OAUTH-WG] conflict: error response
              invalid_request and state parameter duplication

        

        
 

        
Hi Alexey,

          

          If I'm not mistaken, to declare multiple values in "state",
          the document states that it should be space-delimited (" ").
          This is unlike Facebook state which is comma-delimited.

        

          
On 19 December 2011 14:41, Alexey
            Skolyarov <alexey.skolyarov@dins.ru>
            wrote:

          

            

              
Hello everybody,

              
 

              
Since this is my first post on this list,
                  I’ll say few words about whoami:

              
My name is Alexey Skolyarov, I work in
                  Saint-Petersburg, Russia. I’m interested in OAuth2
                  because I found no v2 providers for
                  Jersey
                  except Spring Security which is much more complex than
                  1.0a implementation in Jersey-contrib. Currently I’m
                  under NDA, so I can’t say more
                L

              
 

              
Nevertheless we’ve done specification
                  study and found a conflict – in last paragraph of
                  
                    section 3.1. "Authorization Endpoint" it is
                  mentioned that “Request and response parameters
                    MUST NOT be included more than onceâ€.

              
This statement conflicts with
                  state parameter definition in 
                    section 4.1.2.1 "Error response", where it’s
                  said that state is “REQUIRED if a valid "state"
                    parameter was present in the client  authorization
                    request.  The exact value received from the clientâ€.

              
 

              
How passing
                  state=QWE&state=ASD inside same request
                  should be handled then?

              
 

              
From one hand it is forbidden to process
                  requests with multiple parameter occurrences.

              
But from another hand Specification
                  requires to pass the state if it was found in a
                  request.
                

              
Violation of any of these statements can
                  be treated as “partial compliance†to draft-22, so I’m
                  in doubt what way is preferred there.

              
 

              
What do you guys think?

              
 

              
Thanks in advance.

              
--
                  

                Best
                  regards, Alexey Skolyarov 
                

              
 

            

          

          


            _______________________________________________

            OAuth mailing list

            OAuth@ietf.org

            https://www.ietf.org/mailman/listinfo/oauth

        

        


          

          

          -- 

          The Elite Gentleman

        


          

          

          

        
_______________________________________________

        
OAuth mailing list

        
OAuth@ietf.org

        
https://www.ietf.org/mailman/listinfo/oauth

        
 

      

    

    

  


--------------040608060000070400020108--

From alexey.skolyarov@dins.ru  Tue Dec 20 08:16:37 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 861A121F8B9C for ; Tue, 20 Dec 2011 08:16:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.695
X-Spam-Level: 
X-Spam-Status: No, score=-0.695 tagged_above=-999 required=5 tests=[AWL=0.433,  BAYES_00=-2.599, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4sqkqkw-7x4G for ; Tue, 20 Dec 2011 08:16:36 -0800 (PST)
Received: from smtp01.dins.ru (smtp01.dins.ru [193.104.181.104]) by ietfa.amsl.com (Postfix) with ESMTP id 876D721F8B9A for ; Tue, 20 Dec 2011 08:16:35 -0800 (PST)
Received: from mail01.dins.ru (ru-led-qatas01ac.dins.ru [192.168.12.108]) by smtp01.dins.ru (Postfix) with ESMTP id A3FD6DB49D9; Tue, 20 Dec 2011 19:16:31 +0300 (MSK)
Received: from MS2.corp.dins.ru ([fe80::f022:21e1:10a0:b75e]) by HUB1.corp.dins.ru ([fe80::58ae:e620:6b29:a68b%11]) with mapi id 14.01.0355.002; Tue, 20 Dec 2011 20:16:34 +0400
From: Alexey Skolyarov 
To: Justin Richer 
Thread-Topic: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
Thread-Index: Acy+S4VYvA+l6ZnUQliB5+O9EKnZ7f//wDsA//+4skCAAGsZAP/+tVRwgALSO4D//54jkA==
Date: Tue, 20 Dec 2011 16:16:33 +0000
Message-ID: <0433F58A304676408A8AF95199AFEB97CC1A7B@MS2.corp.dins.ru>
References: <0433F58A304676408A8AF95199AFEB97CC1506@MS2.corp.dins.ru>  <0433F58A304676408A8AF95199AFEB97CC157D@MS2.corp.dins.ru> <4EEF51BE.7080202@mitre.org> <0433F58A304676408A8AF95199AFEB97CC17B7@MS2.corp.dins.ru> <4EF09A35.1000807@mitre.org>
In-Reply-To: <4EF09A35.1000807@mitre.org>
Accept-Language: ru-RU, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [192.168.14.189]
Content-Type: multipart/alternative; boundary="_000_0433F58A304676408A8AF95199AFEB97CC1A7BMS2corpdinsru_"
MIME-Version: 1.0
Cc: "oauth@ietf.org" , Buhake Sindi 
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Tue, 20 Dec 2011 16:16:37 -0000

--_000_0433F58A304676408A8AF95199AFEB97CC1A7BMS2corpdinsru_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

SSB0aGluayBzYW1lLiBCdXQgbm93IEkgc2VlIHRoYXQgb25seSBmb3IgNS4yLCBub3QgZm9yIDQu
Mi4yLjENCi0tDQpCZXN0IHJlZ2FyZHMsIEFsZXhleSBTa29seWFyb3YNCg0KDQpGcm9tOiBKdXN0
aW4gUmljaGVyIFttYWlsdG86anJpY2hlckBtaXRyZS5vcmddDQpTZW50OiBUdWVzZGF5LCBEZWNl
bWJlciAyMCwgMjAxMSA2OjIzIFBNDQpUbzogQWxleGV5IFNrb2x5YXJvdg0KQ2M6IEJ1aGFrZSBT
aW5kaTsgb2F1dGhAaWV0Zi5vcmcNClN1YmplY3Q6IFJlOiBbT0FVVEgtV0ddIGNvbmZsaWN0OiBl
cnJvciByZXNwb25zZSBpbnZhbGlkX3JlcXVlc3QgYW5kIHN0YXRlIHBhcmFtZXRlciBkdXBsaWNh
dGlvbg0KDQpOb25lLCBpdCByZXNwb25kcyB3aXRoIGFuIGVycm9yICg0MDApIGFuZCBub3QgYSBy
ZWRpcmVjdCAoMzAyKS4gWW91IGRvbid0IGluY2x1ZGUgdGhlIHN0YXRlIHBhcmFtZXRlciBvbiBh
biBlcnJvciByZXNwb25zZSwgb25seSBvbiBhIHZhbGlkIHJlZGlyZWN0aW9uIHJlc3BvbnNlLg0K
DQogLS0gSnVzdGluDQoNCk9uIDEyLzIwLzIwMTEgMDE6NTcgQU0sIEFsZXhleSBTa29seWFyb3Yg
d3JvdGU6DQpJIHNlZSB0aGF0LiBCdXQgaG93IHRoZSBzZXJ2ZXIgc2hvdWxkIHJlc3BvbmQgb24g
aW5jb3JyZWN0IHJlcXVlc3QgKHdoZW4gaXTigJlzIG5vdCBwb3NzaWJsZSB0byBkZXRlcm1pbmUg
Y29ycmVjdCBzdGF0ZSB0byBiZSBwYXNzZWQpLg0KU3BlY2lmaWNhbGx5LCB3aGF0IHN0YXRlIHNo
b3VsZCBiZSBwYXNzZWQgdG8gdGhlIGNsaWVudCDigJMgbm8gb25lLCBhbnkgb3IgYWxsIG9mIHRo
ZW0/DQoNCi0tDQpCZXN0IHJlZ2FyZHMsIEFsZXhleSBTa29seWFyb3YNCg0KDQoNCkZyb206IEp1
c3RpbiBSaWNoZXIgW21haWx0bzpqcmljaGVyQG1pdHJlLm9yZ10NClNlbnQ6IE1vbmRheSwgRGVj
ZW1iZXIgMTksIDIwMTEgNzowMSBQTQ0KVG86IEFsZXhleSBTa29seWFyb3YNCkNjOiBCdWhha2Ug
U2luZGk7IG9hdXRoQGlldGYub3JnPG1haWx0bzpvYXV0aEBpZXRmLm9yZz4NClN1YmplY3Q6IFJl
OiBbT0FVVEgtV0ddIGNvbmZsaWN0OiBlcnJvciByZXNwb25zZSBpbnZhbGlkX3JlcXVlc3QgYW5k
IHN0YXRlIHBhcmFtZXRlciBkdXBsaWNhdGlvbg0KDQpUaGUgc3BlYyBhbHJlYWR5IHNheXMgdGhh
dCB5b3UgY2FuJ3QgcmVwZWF0IHJlcXVlc3QgcGFyYW1ldGVycyBvbiB0aGUgbGluZSBsaWtlIHRo
YXQsIHNvIHRoYXQncyBhbiBpbnZhbGlkX3JlcXVlc3QgZXJyb3IsIGFzIGRlc2NyaWJlZCBpbiBz
ZWN0aW9uIDUuMjoNCjUuMi4gIEVycm9yIFJlc3BvbnNlDQoNCg0KDQoNCg0KICAgVGhlIGF1dGhv
cml6YXRpb24gc2VydmVyIHJlc3BvbmRzIHdpdGggYW4gSFRUUCA0MDAgKEJhZCBSZXF1ZXN0KQ0K
DQogICBzdGF0dXMgY29kZSBhbmQgaW5jbHVkZXMgdGhlIGZvbGxvd2luZyBwYXJhbWV0ZXJzIHdp
dGggdGhlIHJlc3BvbnNlOg0KDQoNCg0KICAgZXJyb3INCg0KICAgICAgICAgUkVRVUlSRUQuICBB
IHNpbmdsZSBlcnJvciBjb2RlIGZyb20gdGhlIGZvbGxvd2luZzoNCg0KICAgICAgICAgaW52YWxp
ZF9yZXF1ZXN0DQoNCiAgICAgICAgICAgICAgIFRoZSByZXF1ZXN0IGlzIG1pc3NpbmcgYSByZXF1
aXJlZCBwYXJhbWV0ZXIsIGluY2x1ZGVzIGFuDQoNCiAgICAgICAgICAgICAgIHVuc3VwcG9ydGVk
IHBhcmFtZXRlciB2YWx1ZSwgcmVwZWF0cyBhIHBhcmFtZXRlciwNCg0KICAgICAgICAgICAgICAg
aW5jbHVkZXMgbXVsdGlwbGUgY3JlZGVudGlhbHMsIHV0aWxpemVzIG1vcmUgdGhhbiBvbmUNCg0K
ICAgICAgICAgICAgICAgbWVjaGFuaXNtIGZvciBhdXRoZW50aWNhdGluZyB0aGUgY2xpZW50LCBv
ciBpcyBvdGhlcndpc2UNCg0KICAgICAgICAgICAgICAgbWFsZm9ybWVkLg0KDQoNCiAtLSBKdXN0
aW4NCg0KT24gMTIvMTkvMjAxMSAwODoyMCBBTSwgQWxleGV5IFNrb2x5YXJvdiB3cm90ZToNCkhl
bGxvIEJ1aGFrZSwNCg0KVGhhbmtzIGZvciB5b3VyIGFuc3dlciENCkl0IHNlZW1zIEkgc2hvdWxk
IGV4cGxhaW4gYSBiaXQgaGVyZSDigJMgSeKAmW0gbm90IGFib3V0IGhvdyB0byBwYXNzIHRoZSBz
dGF0ZSB3aXRoIG11bHRpcGxlIHZhbHVlcywgSeKAmW0gdHJ5aW5nIHRvIGZpZ3VyZSBvdXQgaG93
IHRoZSBPQXV0aC0yLjAtZHJhZnQtMjIg4oCTIGNvbXBsaWFudCBzZXJ2ZXIgc2hvdWxkIHJlc3Bv
bmQgb24gZHVwbGljYXRpb24gb2Ygc3RhdGUgcmVxdWVzdCBwYXJhbWV0ZXIuDQoNCkZvciBpbnN0
YW5jZSB3aGF0IHNob3VsZCBiZSByZXR1cm5lZCBpbiByZXNwb25zZSBvbiBmb2xsb3dpbmcgcmVx
dWVzdDoNCkdFVCAvYXV0aG9yaXplP3Jlc3BvbnNlX3R5cGU9Y29kZSZjbGllbnRfaWQ9czZCaGRS
a3F0MyZzdGF0ZT1RV0Umc3RhdGU9QVNEJnJlZGlyZWN0X3VyaT1odHRwcyUzQSUyRiUyRmNsaWVu
dCUyRWV4YW1wbGUlMkVjb20lMkZjYiBIVFRQLzEuMQ0KSG9zdDogc2VydmVyLmV4YW1wbGUuY29t
DQoNCkl04oCZcyB1bmNsZWFyIGZvciBtZSBzaG91bGQgaXQgYmUNCkhUVFAvMS4xIDMwMiBGb3Vu
ZA0KTG9jYXRpb246IGh0dHBzOi8vY2xpZW50LmV4YW1wbGUuY29tL2NiP2Vycm9yPWludmFsaWRf
cmVxdWVzdCAod2l0aG91dCB0aGUgc3RhdGUgY29tcGxldGVseSDigJMgc2VlbXMgdG8gYmUgd3Jv
bmcgYmVmb3JlaGFuZCkNCm9yDQpIVFRQLzEuMSAzMDIgRm91bmQNCkxvY2F0aW9uOiBodHRwczov
L2NsaWVudC5leGFtcGxlLmNvbS9jYj9lcnJvcj1pbnZhbGlkX3JlcXVlc3Qmc3RhdGU9UVdFICgg
b3IgQVNEIC0gb25lIG9mIHBhc3NlZCBzdGF0ZXMgdXNlZCkNCm9yDQpIVFRQLzEuMSAzMDIgRm91
bmQNCkxvY2F0aW9uOiBodHRwczovL2NsaWVudC5leGFtcGxlLmNvbS9jYj9lcnJvcj1pbnZhbGlk
X3JlcXVlc3Qmc3RhdGU9UVdFJTIwQVNEIChib3RoIGJ1dCB2aW9sYXRlcyB0aGUgaWRlYSB0aGF0
IHN0YXRlIHNob3VsZCBiZSBrZXB0IHVuY2hhbmdlZCkuDQoNCkkgaG9wZSB0aGlzIGV4YW1wbGUg
Y291bGQgbWFrZSBteSBxdWVzdGlvbiBjbGVhcmVyLg0KDQpUaGFua3MgaW4gYWR2YW5jZS4NCi0t
DQpCZXN0IHJlZ2FyZHMsIEFsZXhleSBTa29seWFyb3YNCg0KDQoNCg0KRnJvbTogQnVoYWtlIFNp
bmRpIFttYWlsdG86YnVoYWtlQGdvb2dsZW1haWwuY29tXQ0KU2VudDogTW9uZGF5LCBEZWNlbWJl
ciAxOSwgMjAxMSA0OjUzIFBNDQpUbzogQWxleGV5IFNrb2x5YXJvdg0KU3ViamVjdDogUmU6IFtP
QVVUSC1XR10gY29uZmxpY3Q6IGVycm9yIHJlc3BvbnNlIGludmFsaWRfcmVxdWVzdCBhbmQgc3Rh
dGUgcGFyYW1ldGVyIGR1cGxpY2F0aW9uDQoNCkhpIEFsZXhleSwNCg0KSWYgSSdtIG5vdCBtaXN0
YWtlbiwgdG8gZGVjbGFyZSBtdWx0aXBsZSB2YWx1ZXMgaW4gInN0YXRlIiwgdGhlIGRvY3VtZW50
IHN0YXRlcyB0aGF0IGl0IHNob3VsZCBiZSBzcGFjZS1kZWxpbWl0ZWQgKCIgIikuIFRoaXMgaXMg
dW5saWtlIEZhY2Vib29rIHN0YXRlIHdoaWNoIGlzIGNvbW1hLWRlbGltaXRlZC4NCk9uIDE5IERl
Y2VtYmVyIDIwMTEgMTQ6NDEsIEFsZXhleSBTa29seWFyb3YgPGFsZXhleS5za29seWFyb3ZAZGlu
cy5ydTxtYWlsdG86YWxleGV5LnNrb2x5YXJvdkBkaW5zLnJ1Pj4gd3JvdGU6DQpIZWxsbyBldmVy
eWJvZHksDQoNClNpbmNlIHRoaXMgaXMgbXkgZmlyc3QgcG9zdCBvbiB0aGlzIGxpc3QsIEnigJls
bCBzYXkgZmV3IHdvcmRzIGFib3V0IHdob2FtaToNCk15IG5hbWUgaXMgQWxleGV5IFNrb2x5YXJv
diwgSSB3b3JrIGluIFNhaW50LVBldGVyc2J1cmcsIFJ1c3NpYS4gSeKAmW0gaW50ZXJlc3RlZCBp
biBPQXV0aDIgYmVjYXVzZSBJIGZvdW5kIG5vIHYyIHByb3ZpZGVycyBmb3IgSmVyc2V5PGh0dHA6
Ly9qZXJzZXkuamF2YS5uZXQvPiBleGNlcHQgU3ByaW5nIFNlY3VyaXR5IHdoaWNoIGlzIG11Y2gg
bW9yZSBjb21wbGV4IHRoYW4gMS4wYSBpbXBsZW1lbnRhdGlvbiBpbiBKZXJzZXktY29udHJpYi4g
Q3VycmVudGx5IEnigJltIHVuZGVyIE5EQSwgc28gSSBjYW7igJl0IHNheSBtb3JlIOKYuQ0KDQpO
ZXZlcnRoZWxlc3Mgd2XigJl2ZSBkb25lIHNwZWNpZmljYXRpb24gc3R1ZHkgYW5kIGZvdW5kIGEg
Y29uZmxpY3Qg4oCTIGluIGxhc3QgcGFyYWdyYXBoIG9mIHNlY3Rpb24gMy4xLiAiQXV0aG9yaXph
dGlvbiBFbmRwb2ludCI8aHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0Zi1vYXV0
aC12Mi0yMiNzZWN0aW9uLTMuMT4gaXQgaXMgbWVudGlvbmVkIHRoYXQg4oCcUmVxdWVzdCBhbmQg
cmVzcG9uc2UgcGFyYW1ldGVycyBNVVNUIE5PVCBiZSBpbmNsdWRlZCBtb3JlIHRoYW4gb25jZeKA
nS4NClRoaXMgc3RhdGVtZW50IGNvbmZsaWN0cyB3aXRoIHN0YXRlIHBhcmFtZXRlciBkZWZpbml0
aW9uIGluIHNlY3Rpb24gNC4xLjIuMSAiRXJyb3IgcmVzcG9uc2UiPGh0dHA6Ly90b29scy5pZXRm
Lm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgtdjItMjIjc2VjdGlvbi00LjEuMi4xPiwgd2hlcmUg
aXTigJlzIHNhaWQgdGhhdCBzdGF0ZSBpcyDigJxSRVFVSVJFRCBpZiBhIHZhbGlkICJzdGF0ZSIg
cGFyYW1ldGVyIHdhcyBwcmVzZW50IGluIHRoZSBjbGllbnQgIGF1dGhvcml6YXRpb24gcmVxdWVz
dC4gIFRoZSBleGFjdCB2YWx1ZSByZWNlaXZlZCBmcm9tIHRoZSBjbGllbnTigJ0uDQoNCkhvdyBw
YXNzaW5nIHN0YXRlPVFXRSZzdGF0ZT1BU0QgaW5zaWRlIHNhbWUgcmVxdWVzdCBzaG91bGQgYmUg
aGFuZGxlZCB0aGVuPw0KDQpGcm9tIG9uZSBoYW5kIGl0IGlzIGZvcmJpZGRlbiB0byBwcm9jZXNz
IHJlcXVlc3RzIHdpdGggbXVsdGlwbGUgcGFyYW1ldGVyIG9jY3VycmVuY2VzLg0KQnV0IGZyb20g
YW5vdGhlciBoYW5kIFNwZWNpZmljYXRpb24gcmVxdWlyZXMgdG8gcGFzcyB0aGUgc3RhdGUgaWYg
aXQgd2FzIGZvdW5kIGluIGEgcmVxdWVzdC4NClZpb2xhdGlvbiBvZiBhbnkgb2YgdGhlc2Ugc3Rh
dGVtZW50cyBjYW4gYmUgdHJlYXRlZCBhcyDigJxwYXJ0aWFsIGNvbXBsaWFuY2XigJ0gdG8gZHJh
ZnQtMjIsIHNvIEnigJltIGluIGRvdWJ0IHdoYXQgd2F5IGlzIHByZWZlcnJlZCB0aGVyZS4NCg0K
V2hhdCBkbyB5b3UgZ3V5cyB0aGluaz8NCg0KVGhhbmtzIGluIGFkdmFuY2UuDQotLQ0KQmVzdCBy
ZWdhcmRzLCBBbGV4ZXkgU2tvbHlhcm92DQoNCg0KX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX18NCk9BdXRoIG1haWxpbmcgbGlzdA0KT0F1dGhAaWV0Zi5vcmc8
bWFpbHRvOk9BdXRoQGlldGYub3JnPg0KaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0
aW5mby9vYXV0aA0KDQoNCg0KLS0NClRoZSBFbGl0ZSBHZW50bGVtYW4NCg0KDQoNCg0KDQpfX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXw0KDQpPQXV0aCBtYWls
aW5nIGxpc3QNCg0KT0F1dGhAaWV0Zi5vcmc8bWFpbHRvOk9BdXRoQGlldGYub3JnPg0KDQpodHRw
czovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoDQoNCg0K

--_000_0433F58A304676408A8AF95199AFEB97CC1A7BMS2corpdinsru_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy
bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt
YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj
cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg
Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv
ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTIgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl
PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6
V2luZ2RpbmdzOw0KCXBhbm9zZS0xOjUgMCAwIDAgMCAwIDAgMCAwIDA7fQ0KQGZvbnQtZmFjZQ0K
CXtmb250LWZhbWlseToiQ2FtYnJpYSBNYXRoIjsNCglwYW5vc2UtMToyIDQgNSAzIDUgNCA2IDMg
MiA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FtYnJpYTsNCglwYW5vc2UtMToyIDQg
NSAzIDUgNCA2IDMgMiA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglw
YW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5
OlRhaG9tYTsNCglwYW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQovKiBTdHlsZSBEZWZp
bml0aW9ucyAqLw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1zb05vcm1hbA0KCXtt
YXJnaW46MGNtOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6MTIuMHB0Ow0K
CWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iLCJzZXJpZiI7DQoJY29sb3I6YmxhY2s7fQ0K
aDMNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk7DQoJbXNvLXN0eWxlLWxpbms6IkhlYWRpbmcgMyBD
aGFyIjsNCgltc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzsNCgltYXJnaW4tcmlnaHQ6MGNtOw0KCW1z
by1tYXJnaW4tYm90dG9tLWFsdDphdXRvOw0KCW1hcmdpbi1sZWZ0OjBjbTsNCglmb250LXNpemU6
MTMuNXB0Ow0KCWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iLCJzZXJpZiI7DQoJY29sb3I6
YmxhY2s7fQ0KYTpsaW5rLCBzcGFuLk1zb0h5cGVybGluaw0KCXttc28tc3R5bGUtcHJpb3JpdHk6
OTk7DQoJY29sb3I6Ymx1ZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCmE6dmlzaXRl
ZCwgc3Bhbi5Nc29IeXBlcmxpbmtGb2xsb3dlZA0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJ
Y29sb3I6cHVycGxlOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KcHJlDQoJe21zby1z
dHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGluazoiSFRNTCBQcmVmb3JtYXR0ZWQgQ2hh
ciI7DQoJbWFyZ2luOjBjbTsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9udC1zaXplOjEw
LjBwdDsNCglmb250LWZhbWlseToiQ291cmllciBOZXciOw0KCWNvbG9yOmJsYWNrO30NCnAuTXNv
QWNldGF0ZSwgbGkuTXNvQWNldGF0ZSwgZGl2Lk1zb0FjZXRhdGUNCgl7bXNvLXN0eWxlLXByaW9y
aXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJCYWxsb29uIFRleHQgQ2hhciI7DQoJbWFyZ2luOjBj
bTsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9udC1zaXplOjguMHB0Ow0KCWZvbnQtZmFt
aWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIjsNCgljb2xvcjpibGFjazt9DQpzcGFuLkhlYWRpbmcz
Q2hhcg0KCXttc28tc3R5bGUtbmFtZToiSGVhZGluZyAzIENoYXIiOw0KCW1zby1zdHlsZS1wcmlv
cml0eTo5Ow0KCW1zby1zdHlsZS1saW5rOiJIZWFkaW5nIDMiOw0KCWZvbnQtZmFtaWx5OiJDYW1i
cmlhIiwic2VyaWYiOw0KCWNvbG9yOiM0RjgxQkQ7DQoJZm9udC13ZWlnaHQ6Ym9sZDt9DQpzcGFu
LkhUTUxQcmVmb3JtYXR0ZWRDaGFyDQoJe21zby1zdHlsZS1uYW1lOiJIVE1MIFByZWZvcm1hdHRl
ZCBDaGFyIjsNCgltc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6IkhUTUwg
UHJlZm9ybWF0dGVkIjsNCglmb250LWZhbWlseToiQ291cmllciBOZXciO30NCnNwYW4uQmFsbG9v
blRleHRDaGFyDQoJe21zby1zdHlsZS1uYW1lOiJCYWxsb29uIFRleHQgQ2hhciI7DQoJbXNvLXN0
eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJCYWxsb29uIFRleHQiOw0KCWZvbnQt
ZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIjsNCgljb2xvcjpibGFjazt9DQpzcGFuLmgzDQoJ
e21zby1zdHlsZS1uYW1lOmgzO30NCnNwYW4uaG9lbnpiDQoJe21zby1zdHlsZS1uYW1lOmhvZW56
Yjt9DQpzcGFuLkVtYWlsU3R5bGUyNA0KCXttc28tc3R5bGUtdHlwZTpwZXJzb25hbDsNCglmb250
LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiOw0KCWNvbG9yOiMxRjQ5N0Q7fQ0Kc3Bhbi5F
bWFpbFN0eWxlMjUNCgl7bXNvLXN0eWxlLXR5cGU6cGVyc29uYWw7DQoJZm9udC1mYW1pbHk6IkNh
bGlicmkiLCJzYW5zLXNlcmlmIjsNCgljb2xvcjojMUY0OTdEO30NCnNwYW4uRW1haWxTdHlsZTI2
DQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsLXJlcGx5Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJp
Iiwic2Fucy1zZXJpZiI7DQoJY29sb3I6IzFGNDk3RDt9DQouTXNvQ2hwRGVmYXVsdA0KCXttc28t
c3R5bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LXNpemU6MTAuMHB0O30NCkBwYWdlIFdvcmRT
ZWN0aW9uMQ0KCXtzaXplOjYxMi4wcHQgNzkyLjBwdDsNCgltYXJnaW46Mi4wY20gNDIuNXB0IDIu
MGNtIDMuMGNtO30NCmRpdi5Xb3JkU2VjdGlvbjENCgl7cGFnZTpXb3JkU2VjdGlvbjE7fQ0KLS0+
PC9zdHlsZT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlZGVmYXVsdHMgdjpleHQ9
ImVkaXQiIHNwaWRtYXg9IjEwMjYiIC8+DQo8L3htbD48IVtlbmRpZl0tLT48IS0tW2lmIGd0ZSBt
c28gOV0+PHhtbD4NCjxvOnNoYXBlbGF5b3V0IHY6ZXh0PSJlZGl0Ij4NCjxvOmlkbWFwIHY6ZXh0
PSJlZGl0IiBkYXRhPSIxIiAvPg0KPC9vOnNoYXBlbGF5b3V0PjwveG1sPjwhW2VuZGlmXS0tPg0K
PC9oZWFkPg0KPGJvZHkgYmdjb2xvcj0id2hpdGUiIGxhbmc9IlJVIiBsaW5rPSJibHVlIiB2bGlu
az0icHVycGxlIj4NCjxkaXYgY2xhc3M9IldvcmRTZWN0aW9uMSI+DQo8cCBjbGFzcz0iTXNvTm9y
bWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1p
bHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5
N0QiPkkgdGhpbmsgc2FtZS4gQnV0IG5vdyBJIHNlZSB0aGF0IG9ubHkgZm9yIDUuMiwgbm90IGZv
ciA0LjIuMi4xPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw
YW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4tLSA8YnI+DQo8L3NwYW4+PHNw
YW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZx
dW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzRGODFCRCI+QmVzdCByZWdhcmRzLCBBbGV4ZXkg
U2tvbHlhcm92DQo8YnI+DQo8YnI+DQo8L3NwYW4+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJm
b250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fu
cy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBj
bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4w
cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7
O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxkaXY+DQo8ZGl2
IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItdG9wOnNvbGlkICNCNUM0REYgMS4wcHQ7cGFkZGlu
ZzozLjBwdCAwY20gMGNtIDBjbSI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48Yj48c3BhbiBsYW5n
PSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21h
JnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6d2luZG93dGV4dCI+RnJvbTo8L3Nw
YW4+PC9iPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZh
bWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjp3aW5k
b3d0ZXh0Ij4gSnVzdGluIFJpY2hlciBbbWFpbHRvOmpyaWNoZXJAbWl0cmUub3JnXQ0KPGJyPg0K
PGI+U2VudDo8L2I+IFR1ZXNkYXksIERlY2VtYmVyIDIwLCAyMDExIDY6MjMgUE08YnI+DQo8Yj5U
bzo8L2I+IEFsZXhleSBTa29seWFyb3Y8YnI+DQo8Yj5DYzo8L2I+IEJ1aGFrZSBTaW5kaTsgb2F1
dGhAaWV0Zi5vcmc8YnI+DQo8Yj5TdWJqZWN0OjwvYj4gUmU6IFtPQVVUSC1XR10gY29uZmxpY3Q6
IGVycm9yIHJlc3BvbnNlIGludmFsaWRfcmVxdWVzdCBhbmQgc3RhdGUgcGFyYW1ldGVyIGR1cGxp
Y2F0aW9uPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJN
c29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+
DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5Ob25lLCBpdCByZXNwb25kcyB3aXRoIGFuIGVycm9yICg0
MDApIGFuZCBub3QgYSByZWRpcmVjdCAoMzAyKS4gWW91IGRvbid0IGluY2x1ZGUgdGhlIHN0YXRl
IHBhcmFtZXRlciBvbiBhbiBlcnJvciByZXNwb25zZSwgb25seSBvbiBhIHZhbGlkIHJlZGlyZWN0
aW9uIHJlc3BvbnNlLjxicj4NCjxicj4NCiZuYnNwOy0tIEp1c3Rpbjxicj4NCjxicj4NCk9uIDEy
LzIwLzIwMTEgMDE6NTcgQU0sIEFsZXhleSBTa29seWFyb3Ygd3JvdGU6IDxvOnA+PC9vOnA+PC9w
Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNp
emU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJp
ZiZxdW90Oztjb2xvcjojMUY0OTdEIj5JIHNlZSB0aGF0LiBCdXQgaG93IHRoZSBzZXJ2ZXIgc2hv
dWxkIHJlc3BvbmQgb24gaW5jb3JyZWN0IHJlcXVlc3QgKHdoZW4gaXTigJlzIG5vdCBwb3NzaWJs
ZSB0byBkZXRlcm1pbmUgY29ycmVjdCBzdGF0ZSB0byBiZSBwYXNzZWQpLjwvc3Bhbj48bzpwPjwv
bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0i
Zm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3Nh
bnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+U3BlY2lmaWNhbGx5LCB3aGF0IHN0YXRlIHNo
b3VsZCBiZSBwYXNzZWQgdG8gdGhlIGNsaWVudCDigJMgbm8gb25lLCBhbnkgb3IgYWxsIG9mIHRo
ZW0/PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFu
Zz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGli
cmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3Nw
YW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1V
UyIgc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPi0tIDxicj4NCjwvc3Bhbj48c3BhbiBsYW5nPSJFTi1V
UyIgc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJp
ZiZxdW90Oztjb2xvcjojNEY4MUJEIj5CZXN0IHJlZ2FyZHMsIEFsZXhleSBTa29seWFyb3YNCjxi
cj4NCjxicj4NCjwvc3Bhbj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4w
cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7
O2NvbG9yOiMxRjQ5N0QiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt
YWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWls
eTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3
RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw
YW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90
O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj4mbmJz
cDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8ZGl2Pg0KPGRpdiBzdHlsZT0iYm9yZGVyOm5vbmU7
Ym9yZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEuMHB0O3BhZGRpbmc6My4wcHQgMGNtIDBjbSAwY20i
Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250
LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtzYW5zLXNl
cmlmJnF1b3Q7O2NvbG9yOndpbmRvd3RleHQiPkZyb206PC9zcGFuPjwvYj48c3BhbiBsYW5nPSJF
Ti1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1
b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6d2luZG93dGV4dCI+IEp1c3RpbiBSaWNo
ZXIgWzxhIGhyZWY9Im1haWx0bzpqcmljaGVyQG1pdHJlLm9yZyI+bWFpbHRvOmpyaWNoZXJAbWl0
cmUub3JnPC9hPl0NCjxicj4NCjxiPlNlbnQ6PC9iPiBNb25kYXksIERlY2VtYmVyIDE5LCAyMDEx
IDc6MDEgUE08YnI+DQo8Yj5Ubzo8L2I+IEFsZXhleSBTa29seWFyb3Y8YnI+DQo8Yj5DYzo8L2I+
IEJ1aGFrZSBTaW5kaTsgPGEgaHJlZj0ibWFpbHRvOm9hdXRoQGlldGYub3JnIj5vYXV0aEBpZXRm
Lm9yZzwvYT48YnI+DQo8Yj5TdWJqZWN0OjwvYj4gUmU6IFtPQVVUSC1XR10gY29uZmxpY3Q6IGVy
cm9yIHJlc3BvbnNlIGludmFsaWRfcmVxdWVzdCBhbmQgc3RhdGUgcGFyYW1ldGVyIGR1cGxpY2F0
aW9uPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29O
b3JtYWwiPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9
Im1hcmdpbi1ib3R0b206MTIuMHB0Ij5UaGUgc3BlYyBhbHJlYWR5IHNheXMgdGhhdCB5b3UgY2Fu
J3QgcmVwZWF0IHJlcXVlc3QgcGFyYW1ldGVycyBvbiB0aGUgbGluZSBsaWtlIHRoYXQsIHNvIHRo
YXQncyBhbiBpbnZhbGlkX3JlcXVlc3QgZXJyb3IsIGFzIGRlc2NyaWJlZCBpbiBzZWN0aW9uIDUu
Mjo8bzpwPjwvbzpwPjwvcD4NCjxoMz48YSBuYW1lPSJzZWN0aW9uLTUuMiI+PHNwYW4gc3R5bGU9
ImZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij41LjI8L3NwYW4+PC9hPjxzcGFu
IHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+LiZuYnNwOyBFcnJv
ciBSZXNwb25zZTwvc3Bhbj48bzpwPjwvbzpwPjwvaDM+DQo8cHJlPiZuYnNwOzxvOnA+PC9vOnA+
PC9wcmU+DQo8cHJlPiZuYnNwOzxvOnA+PC9vOnA+PC9wcmU+DQo8cHJlPiZuYnNwOyZuYnNwOyBU
aGUgYXV0aG9yaXphdGlvbiBzZXJ2ZXIgcmVzcG9uZHMgd2l0aCBhbiBIVFRQIDQwMCAoQmFkIFJl
cXVlc3QpPG86cD48L286cD48L3ByZT4NCjxwcmU+Jm5ic3A7Jm5ic3A7IHN0YXR1cyBjb2RlIGFu
ZCBpbmNsdWRlcyB0aGUgZm9sbG93aW5nIHBhcmFtZXRlcnMgd2l0aCB0aGUgcmVzcG9uc2U6PG86
cD48L286cD48L3ByZT4NCjxwcmU+Jm5ic3A7PG86cD48L286cD48L3ByZT4NCjxwcmU+Jm5ic3A7
Jm5ic3A7IGVycm9yPG86cD48L286cD48L3ByZT4NCjxwcmU+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IFJFUVVJUkVELiZuYnNwOyBBIHNpbmdsZSBlcnJv
ciBjb2RlIGZyb20gdGhlIGZvbGxvd2luZzo8bzpwPjwvbzpwPjwvcHJlPg0KPHByZT4mbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgaW52YWxpZF9yZXF1ZXN0
PG86cD48L286cD48L3ByZT4NCjxwcmU+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IFRoZSBy
ZXF1ZXN0IGlzIG1pc3NpbmcgYSByZXF1aXJlZCBwYXJhbWV0ZXIsIGluY2x1ZGVzIGFuPG86cD48
L286cD48L3ByZT4NCjxwcmU+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHVuc3VwcG9ydGVk
IHBhcmFtZXRlciB2YWx1ZSwgcmVwZWF0cyBhIHBhcmFtZXRlciw8bzpwPjwvbzpwPjwvcHJlPg0K
PHByZT4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgaW5jbHVkZXMgbXVsdGlwbGUgY3JlZGVu
dGlhbHMsIHV0aWxpemVzIG1vcmUgdGhhbiBvbmU8bzpwPjwvbzpwPjwvcHJlPg0KPHByZT4mbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgbWVjaGFuaXNtIGZvciBhdXRoZW50aWNhdGluZyB0aGUg
Y2xpZW50LCBvciBpcyBvdGhlcndpc2U8bzpwPjwvbzpwPjwvcHJlPg0KPHByZT4mbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsgbWFsZm9ybWVkLjxvOnA+PC9vOnA+PC9wcmU+DQo8cCBjbGFzcz0i
TXNvTm9ybWFsIj48YnI+DQo8YnI+DQombmJzcDstLSBKdXN0aW48YnI+DQo8YnI+DQpPbiAxMi8x
OS8yMDExIDA4OjIwIEFNLCBBbGV4ZXkgU2tvbHlhcm92IHdyb3RlOiA8bzpwPjwvbzpwPjwvcD4N
CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXpl
OjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYm
cXVvdDs7Y29sb3I6IzFGNDk3RCI+SGVsbG8gQnVoYWtlLDwvc3Bhbj48bzpwPjwvbzpwPjwvcD4N
CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXpl
OjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYm
cXVvdDs7Y29sb3I6IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh
c3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0
O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztj
b2xvcjojMUY0OTdEIj5UaGFua3MgZm9yIHlvdXIgYW5zd2VyITwvc3Bhbj48bzpwPjwvbzpwPjwv
cD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1z
aXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2Vy
aWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+SXQgc2VlbXMgSSBzaG91bGQgZXhwbGFpbiBhIGJpdCBo
ZXJlIOKAkyBJ4oCZbSBub3QgYWJvdXQgaG93IHRvIHBhc3MgdGhlIHN0YXRlIHdpdGggbXVsdGlw
bGUgdmFsdWVzLCBJ4oCZbSB0cnlpbmcgdG8gZmlndXJlIG91dCBob3cgdGhlIE9BdXRoLTIuMC1k
cmFmdC0yMg0KIOKAkyBjb21wbGlhbnQgc2VydmVyIHNob3VsZCByZXNwb25kIG9uIGR1cGxpY2F0
aW9uIG9mIHN0YXRlIHJlcXVlc3QgcGFyYW1ldGVyLjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxw
IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjEx
LjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVv
dDs7Y29sb3I6IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9
Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2Zv
bnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xv
cjojMUY0OTdEIj5Gb3IgaW5zdGFuY2Ugd2hhdCBzaG91bGQgYmUgcmV0dXJuZWQgaW4gcmVzcG9u
c2Ugb24gZm9sbG93aW5nIHJlcXVlc3Q6PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9
Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2Zv
bnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij5HRVQgL2F1dGhvcml6ZT9yZXNwb25z
ZV90eXBlPWNvZGUmYW1wO2NsaWVudF9pZD1zNkJoZFJrcXQzJmFtcDs8Yj5zdGF0ZT1RV0U8L2I+
JmFtcDs8Yj5zdGF0ZT1BU0Q8L2I+JmFtcDtyZWRpcmVjdF91cmk9aHR0cHMlM0ElMkYlMkZjbGll
bnQlMkVleGFtcGxlJTJFY29tJTJGY2IgSFRUUC8xLjE8L3NwYW4+PG86cD48L286cD48L3A+DQo8
cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZTox
MC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPkg8L3NwYW4+PHNwYW4g
c3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVv
dDsiPm9zdDogc2VydmVyLmV4YW1wbGUuY29tPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh
c3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0
O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztj
b2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1m
YW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMx
RjQ5N0QiPkl04oCZcyB1bmNsZWFyIGZvciBtZSBzaG91bGQgaXQgYmUNCjwvc3Bhbj48bzpwPjwv
bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJwYWdlLWJyZWFrLWJlZm9yZTph
bHdheXMiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZh
bWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+SFRUUC8xLjEgMzAyIEZvdW5kPC9zcGFuPjxv
OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9InBhZ2UtYnJlYWstYmVm
b3JlOmFsd2F5cyI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2Zv
bnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij5Mb2NhdGlvbjoNCjxhIGhyZWY9Imh0
dHBzOi8vY2xpZW50LmV4YW1wbGUuY29tL2NiP2Vycm9yPWludmFsaWRfcmVxdWVzdCI+aHR0cHM6
Ly9jbGllbnQuZXhhbXBsZS5jb20vY2I/ZXJyb3I9aW52YWxpZF9yZXF1ZXN0PC9hPg0KPC9zcGFu
PjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTom
cXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+
KHdpdGhvdXQgdGhlIHN0YXRlIGNvbXBsZXRlbHkg4oCTIHNlZW1zIHRvIGJlIHdyb25nIGJlZm9y
ZWhhbmQpDQo8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHls
ZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZv
bnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5z
LXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPm9yDQo8L3NwYW4+PG86cD48L286cD48L3A+DQo8
cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3Bh
biBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7
Q291cmllciBOZXcmcXVvdDsiPkhUVFAvMS4xIDMwMiBGb3VuZDwvc3Bhbj48bzpwPjwvbzpwPjwv
cD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJwYWdlLWJyZWFrLWJlZm9yZTphbHdheXMi
PjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTom
cXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+TG9jYXRpb246DQo8YSBocmVmPSJodHRwczovL2NsaWVu
dC5leGFtcGxlLmNvbS9jYj9lcnJvcj1pbnZhbGlkX3JlcXVlc3QmYW1wO3N0YXRlPVFXRSI+aHR0
cHM6Ly9jbGllbnQuZXhhbXBsZS5jb20vY2I/ZXJyb3I9aW52YWxpZF9yZXF1ZXN0JmFtcDtzdGF0
ZT1RV0U8L2E+PC9zcGFuPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjExLjBw
dDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7
Y29sb3I6IzFGNDk3RCI+ICggb3IgQVNEIC0gb25lIG9mIHBhc3NlZA0KIHN0YXRlcyB1c2VkKSA8
L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1i
cmVhay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZTox
MS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1
b3Q7O2NvbG9yOiMxRjQ5N0QiPm9yDQo8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i
TXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJF
Ti1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBO
ZXcmcXVvdDsiPkhUVFAvMS4xIDMwMiBGb3VuZDwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNs
YXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJwYWdlLWJyZWFrLWJlZm9yZTphbHdheXMiPjxzcGFuIGxh
bmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtDb3Vy
aWVyIE5ldyZxdW90OyI+TG9jYXRpb246DQo8YSBocmVmPSJodHRwczovL2NsaWVudC5leGFtcGxl
LmNvbS9jYj9lcnJvcj1pbnZhbGlkX3JlcXVlc3QmYW1wO3N0YXRlPVFXRSUyMEFTRCI+aHR0cHM6
Ly9jbGllbnQuZXhhbXBsZS5jb20vY2I/ZXJyb3I9aW52YWxpZF9yZXF1ZXN0JmFtcDtzdGF0ZT1R
V0UlMjBBU0Q8L2E+DQo8L3NwYW4+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6
MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZx
dW90Oztjb2xvcjojMUY0OTdEIj4oYm90aCBidXQgdmlvbGF0ZXMgdGhlIGlkZWEgdGhhdCBzdGF0
ZSBzaG91bGQgYmUga2VwdCB1bmNoYW5nZWQpLg0KPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAg
Y2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9InBhZ2UtYnJlYWstYmVmb3JlOmFsd2F5cyI+PHNwYW4g
bGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0Nh
bGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj4mbmJzcDs8
L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1i
cmVhay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZTox
MS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1
b3Q7O2NvbG9yOiMxRjQ5N0QiPkkgaG9wZSB0aGlzIGV4YW1wbGUgY291bGQgbWFrZSBteSBxdWVz
dGlvbiBjbGVhcmVyLg0KPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h
bCIgc3R5bGU9InBhZ2UtYnJlYWstYmVmb3JlOmFsd2F5cyI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0
eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1
b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PG86cD48L286
cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3
YXlzIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1p
bHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5
N0QiPlRoYW5rcyBpbiBhZHZhbmNlLjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN
c29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+LS0gPGJy
Pg0KPC9zcGFuPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q2Fs
aWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiM0RjgxQkQiPkJlc3QgcmVn
YXJkcywgQWxleGV5IFNrb2x5YXJvdg0KPGJyPg0KPGJyPg0KPGJyPg0KPGJyPg0KPC9zcGFuPjxv
OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0
eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1
b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PG86cD48L286
cD48L3A+DQo8ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItdG9wOnNvbGlkICNCNUM0REYg
MS4wcHQ7cGFkZGluZzozLjBwdCAwY20gMGNtIDBjbSI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48
Yj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6
JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPkZyb206PC9zcGFuPjwv
Yj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6
JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPiBCdWhha2UgU2luZGkg
WzxhIGhyZWY9Im1haWx0bzpidWhha2VAZ29vZ2xlbWFpbC5jb20iPm1haWx0bzpidWhha2VAZ29v
Z2xlbWFpbC5jb208L2E+XQ0KPGJyPg0KPGI+U2VudDo8L2I+IE1vbmRheSwgRGVjZW1iZXIgMTks
IDIwMTEgNDo1MyBQTTxicj4NCjxiPlRvOjwvYj4gQWxleGV5IFNrb2x5YXJvdjxicj4NCjxiPlN1
YmplY3Q6PC9iPiBSZTogW09BVVRILVdHXSBjb25mbGljdDogZXJyb3IgcmVzcG9uc2UgaW52YWxp
ZF9yZXF1ZXN0IGFuZCBzdGF0ZSBwYXJhbWV0ZXIgZHVwbGljYXRpb248L3NwYW4+PG86cD48L286
cD48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOzxvOnA+PC9vOnA+PC9w
Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1ib3R0b206MTIuMHB0Ij5IaSBB
bGV4ZXksPGJyPg0KPGJyPg0KSWYgSSdtIG5vdCBtaXN0YWtlbiwgdG8gZGVjbGFyZSBtdWx0aXBs
ZSB2YWx1ZXMgaW4gJnF1b3Q7c3RhdGUmcXVvdDssIHRoZSBkb2N1bWVudCBzdGF0ZXMgdGhhdCBp
dCBzaG91bGQgYmUgc3BhY2UtZGVsaW1pdGVkICgmcXVvdDsgJnF1b3Q7KS4gVGhpcyBpcyB1bmxp
a2UgRmFjZWJvb2sgc3RhdGUgd2hpY2ggaXMgY29tbWEtZGVsaW1pdGVkLjxvOnA+PC9vOnA+PC9w
Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPk9uIDE5IERlY2VtYmVyIDIwMTEgMTQ6NDEs
IEFsZXhleSBTa29seWFyb3YgJmx0OzxhIGhyZWY9Im1haWx0bzphbGV4ZXkuc2tvbHlhcm92QGRp
bnMucnUiPmFsZXhleS5za29seWFyb3ZAZGlucy5ydTwvYT4mZ3Q7IHdyb3RlOjxvOnA+PC9vOnA+
PC9wPg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdp
bi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIGxhbmc9IkVO
LVVTIj5IZWxsbyBldmVyeWJvZHksPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z
b05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9t
LWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9w
Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21z
by1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+U2luY2UgdGhpcyBp
cyBteSBmaXJzdCBwb3N0IG9uIHRoaXMgbGlzdCwgSeKAmWxsIHNheSBmZXcgd29yZHMgYWJvdXQg
d2hvYW1pOjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxl
PSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PHNw
YW4gbGFuZz0iRU4tVVMiPk15IG5hbWUgaXMgQWxleGV5IFNrb2x5YXJvdiwgSSB3b3JrIGluIFNh
aW50LVBldGVyc2J1cmcsIFJ1c3NpYS4gSeKAmW0gaW50ZXJlc3RlZCBpbiBPQXV0aDIgYmVjYXVz
ZSBJIGZvdW5kIG5vIHYyIHByb3ZpZGVycyBmb3INCjxhIGhyZWY9Imh0dHA6Ly9qZXJzZXkuamF2
YS5uZXQvIiB0YXJnZXQ9Il9ibGFuayI+SmVyc2V5PC9hPiBleGNlcHQgU3ByaW5nIFNlY3VyaXR5
IHdoaWNoIGlzIG11Y2ggbW9yZSBjb21wbGV4IHRoYW4gMS4wYSBpbXBsZW1lbnRhdGlvbiBpbiBK
ZXJzZXktY29udHJpYi4gQ3VycmVudGx5IEnigJltIHVuZGVyIE5EQSwgc28gSSBjYW7igJl0IHNh
eSBtb3JlDQo8L3NwYW4+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LWZhbWlseTpXaW5n
ZGluZ3MiPkw8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHls
ZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxz
cGFuIGxhbmc9IkVOLVVTIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i
TXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0
b20tYWx0OmF1dG8iPjxzcGFuIGxhbmc9IkVOLVVTIj5OZXZlcnRoZWxlc3Mgd2XigJl2ZSBkb25l
IHNwZWNpZmljYXRpb24gc3R1ZHkgYW5kIGZvdW5kIGEgY29uZmxpY3Qg4oCTIGluIGxhc3QgcGFy
YWdyYXBoIG9mDQo8YSBocmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRm
LW9hdXRoLXYyLTIyI3NlY3Rpb24tMy4xIiB0YXJnZXQ9Il9ibGFuayI+DQpzZWN0aW9uIDMuMS4g
JnF1b3Q7QXV0aG9yaXphdGlvbiBFbmRwb2ludCZxdW90OzwvYT4gaXQgaXMgbWVudGlvbmVkIHRo
YXQg4oCcPGk+UmVxdWVzdCBhbmQgcmVzcG9uc2UgcGFyYW1ldGVycyBNVVNUIE5PVCBiZSBpbmNs
dWRlZCBtb3JlIHRoYW4gb25jZTwvaT7igJ0uPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh
c3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4t
Ym90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+VGhpcyBzdGF0ZW1lbnQgY29uZmxp
Y3RzIHdpdGgNCjxpPnN0YXRlPC9pPiBwYXJhbWV0ZXIgZGVmaW5pdGlvbiBpbiA8YSBocmVmPSJo
dHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLW9hdXRoLXYyLTIyI3NlY3Rpb24t
NC4xLjIuMSIgdGFyZ2V0PSJfYmxhbmsiPg0Kc2VjdGlvbiA0LjEuMi4xICZxdW90O0Vycm9yIHJl
c3BvbnNlJnF1b3Q7PC9hPiwgd2hlcmUgaXTigJlzIHNhaWQgdGhhdCBzdGF0ZSBpcyDigJw8aT5S
RVFVSVJFRCBpZiBhIHZhbGlkICZxdW90O3N0YXRlJnF1b3Q7IHBhcmFtZXRlciB3YXMgcHJlc2Vu
dCBpbiB0aGUgY2xpZW50Jm5ic3A7IGF1dGhvcml6YXRpb24gcmVxdWVzdC4mbmJzcDsgVGhlIGV4
YWN0IHZhbHVlIHJlY2VpdmVkIGZyb20gdGhlIGNsaWVudDwvaT7igJ0uPC9zcGFuPjxvOnA+PC9v
OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDph
dXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+Jm5ic3A7
PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1t
YXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5n
PSJFTi1VUyI+SG93IHBhc3NpbmcNCjxpPnN0YXRlPVFXRSZhbXA7c3RhdGU9QVNEPC9pPiBpbnNp
ZGUgc2FtZSByZXF1ZXN0IHNob3VsZCBiZSBoYW5kbGVkIHRoZW4/PC9zcGFuPjxvOnA+PC9vOnA+
PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRv
O21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+Jm5ic3A7PC9z
cGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJn
aW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJF
Ti1VUyI+RnJvbSBvbmUgaGFuZCBpdCBpcyBmb3JiaWRkZW4gdG8gcHJvY2VzcyByZXF1ZXN0cyB3
aXRoIG11bHRpcGxlIHBhcmFtZXRlciBvY2N1cnJlbmNlcy48L3NwYW4+PG86cD48L286cD48L3A+
DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNv
LW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIGxhbmc9IkVOLVVTIj5CdXQgZnJvbSBhbm90
aGVyIGhhbmQgU3BlY2lmaWNhdGlvbiByZXF1aXJlcyB0byBwYXNzIHRoZSBzdGF0ZSBpZiBpdCB3
YXMgZm91bmQgaW4gYSByZXF1ZXN0Lg0KPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9
Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90
dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+VmlvbGF0aW9uIG9mIGFueSBvZiB0aGVz
ZSBzdGF0ZW1lbnRzIGNhbiBiZSB0cmVhdGVkIGFzIOKAnHBhcnRpYWwgY29tcGxpYW5jZeKAnSB0
byBkcmFmdC0yMiwgc28gSeKAmW0gaW4gZG91YnQgd2hhdCB3YXkgaXMgcHJlZmVycmVkIHRoZXJl
Ljwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28t
bWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gbGFu
Zz0iRU4tVVMiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt
YWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6
YXV0byI+PHNwYW4gbGFuZz0iRU4tVVMiPldoYXQgZG8geW91IGd1eXMgdGhpbms/PC9zcGFuPjxv
OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9w
LWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyI+
Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9
Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3Bh
biBsYW5nPSJFTi1VUyI+VGhhbmtzIGluIGFkdmFuY2UuPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0K
PHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1t
YXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImNvbG9yOiM4
ODg4ODgiPi0tDQo8YnI+DQo8L3NwYW4+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJjb2xvcjoj
NEY4MUJEIj5CZXN0IHJlZ2FyZHMsIEFsZXhleSBTa29seWFyb3YgPC9zcGFuPg0KPG86cD48L286
cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1
dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0i
Y29sb3I6Izg4ODg4OCI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rp
dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tYm90dG9tOjEyLjBwdCI+PGJy
Pg0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+DQpP
QXV0aCBtYWlsaW5nIGxpc3Q8YnI+DQo8YSBocmVmPSJtYWlsdG86T0F1dGhAaWV0Zi5vcmciPk9B
dXRoQGlldGYub3JnPC9hPjxicj4NCjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21haWxt
YW4vbGlzdGluZm8vb2F1dGgiIHRhcmdldD0iX2JsYW5rIj5odHRwczovL3d3dy5pZXRmLm9yZy9t
YWlsbWFuL2xpc3RpbmZvL29hdXRoPC9hPjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8cCBjbGFz
cz0iTXNvTm9ybWFsIj48YnI+DQo8YnIgY2xlYXI9ImFsbCI+DQo8YnI+DQotLSA8YnI+DQpUaGUg
RWxpdGUgR2VudGxlbWFuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48YnI+
DQo8YnI+DQo8YnI+DQo8YnI+DQo8bzpwPjwvbzpwPjwvcD4NCjxwcmU+X19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188bzpwPjwvbzpwPjwvcHJlPg0KPHByZT5P
QXV0aCBtYWlsaW5nIGxpc3Q8bzpwPjwvbzpwPjwvcHJlPg0KPHByZT48YSBocmVmPSJtYWlsdG86
T0F1dGhAaWV0Zi5vcmciPk9BdXRoQGlldGYub3JnPC9hPjxvOnA+PC9vOnA+PC9wcmU+DQo8cHJl
PjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGgiPmh0
dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGg8L2E+PG86cD48L286cD48
L3ByZT4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh
c3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjwvYm9keT4NCjwv
aHRtbD4NCg==

--_000_0433F58A304676408A8AF95199AFEB97CC1A7BMS2corpdinsru_--

From gffletch@aol.com  Wed Dec 21 05:56:21 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20CB121F8A70 for ; Wed, 21 Dec 2011 05:56:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oty61kODlvSq for ; Wed, 21 Dec 2011 05:56:19 -0800 (PST)
Received: from imr-ma02.mx.aol.com (imr-ma02.mx.aol.com [64.12.206.40]) by ietfa.amsl.com (Postfix) with ESMTP id 716C221F8A64 for ; Wed, 21 Dec 2011 05:56:19 -0800 (PST)
Received: from mtaout-ma06.r1000.mx.aol.com (mtaout-ma06.r1000.mx.aol.com [172.29.41.6]) by imr-ma02.mx.aol.com (8.14.1/8.14.1) with ESMTP id pBLDttTp011230; Wed, 21 Dec 2011 08:55:55 -0500
Received: from palantir.local (unknown [10.172.1.214]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-ma06.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id D5910E000081; Wed, 21 Dec 2011 08:55:54 -0500 (EST)
Message-ID: <4EF1E569.5090104@aol.com>
Date: Wed, 21 Dec 2011 08:55:53 -0500
From: George Fletcher 
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Paul Madsen 
References: <4EEF2BC4.7020409@gmail.com> <4EEF77E7.6030808@mitre.org> <4EEF7DEF.6090009@gmail.com> <4EEF8C2A.8030205@aol.com> <4EEF9A6B.7070307@gmail.com>
In-Reply-To: <4EEF9A6B.7070307@gmail.com>
Content-Type: multipart/alternative; boundary="------------010803070705040202000104"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20110426; t=1324475755; bh=mt8btd8w01NlpjKhli34CeZeT0TOyfOjvLbRcSLQscE=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=LKGBa1z66ltcqZBg2xtn6hcUdA2Kz7D5Axn2tYhKKoLrXXXW4qT09ayYchssNz84N /JwrpJlNm9uc18+KKNbAhg0akR5Rtq4Dd8nQB1fIUFSlcK8TZQOxCsOoJPt6/vXKBj lXb3OJjqyO1E2blI3zLMuxNW9UTdXx/fb1mr+4xQ=
X-AOL-SCOLL-SCORE: 0:2:460849248:93952408  
X-AOL-SCOLL-URL_COUNT: 0  
x-aol-sid: 3039ac1d29064ef1e56a7698
X-AOL-IP: 10.172.1.214
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Native clients & 'confidentiality'
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Wed, 21 Dec 2011 13:56:21 -0000

This is a multi-part message in MIME format.
--------------010803070705040202000104
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

More inline:)

On 12/19/11 3:11 PM, Paul Madsen wrote:
> Hi George, inline
>
> thanks
>
> paul
>
> On 12/19/11 2:10 PM, George Fletcher wrote:
>> Hi Paul,
>>
>> Is the need to authenticate the client a need to ensure that the 
>> content is only displayed on certain devices/clients? Or prevent 
>> phishing/stealing of authz bearer tokens?
> I'm not best qualified to answer but I believe it's the latter, ie not 
> DRM motivated
>>
>> As you point out, it's possible to protect the bearer tokens and 
>> associated refresh tokens "via other mitigating mechanisms". I'm not 
>> sure it's possible to authenticate the device/client with out the 
>> device/client having some special "hardware" that can be leveraged in 
>> the authentication step.
> are you referring to a 'bootstrap' problem?
Well... more thinking about whether the set of devices/clients allowed 
to go through the "dynamic registration" process is "restricted" in some 
way (e.g. a certain manufacturer, or application running on a device). 
Given that the dynamic registration steps can be discovered, it become 
difficult to restrict what devices/clients can go through the dynamic 
registration steps.

>>
>> Even dynamic registration doesn't solve the security issues (the 
>> device/client can still be disassembled and associated values 
>> discovered) of the device/client, just mitigates the exposure risk. 
>> However, this does cause increased work for the AS as it will now be 
>> tracking each and every device as a unique client. It's also likely 
>> for the device registration steps to be discovered, in which case 
>> restricting to a particular device again fails.
> yes, but as you imply an attacker will only access those credentials 
> specific to that particular copy of the native client. Hopefully too 
> much work to be able to see Glee Season 2.
>
> Can you clarify what you mean about the device registration steps 
> being 'discovered'?
(see above). Basically, the question becomes... is any device/client ok 
to be used as long as it goes through the dynamic registration process 
and is "authorized" by the AS? If the answer is yes, then I think 
dynamic registration is a great solution.  Given all transactions are 
over SSL, getting any of client credentials, refresh_token or 
access_token is going to be difficult without access to the device/client.

There is the issue of the client sending the token to a rogue protected 
resource. Though that is pretty unlikely based on a native 
device/client. It would require a both a rogue client and a rogue 
protected resource. If this is a concern, then you are sort of back into 
the problem of needing to be able to at least identify the device/client.

Seems like a unique set of client credentials for every instance of the 
device/client plus short-lived access_tokens should be good enough for 
this use case. The associated refresh_token can always be revoked as 
well. All this doesn't obviate the need for "risk based authN/authZ" at 
the AS.
>>
>> It seems like trying to bind the bearer token to a device/client 
>> instance might be a better approach. That way you know that the 
>> customer correctly authorized that device/client instance and it is 
>> "allowed" to present the bearer token. Of course enforcing/proving 
>> the "allowed" part sort of breaks the "bearer" part:)
> yeah, how do we bind a bearer token to anything? :-) Doesnt that by 
> definition take us towards MAC?
I know, I'm stating the obvious... but thankfully it sounds like you 
don't need that level of security:)
>
>
>>
>> Thanks,
>> George
>>
>> On 12/19/11 1:09 PM, Paul Madsen wrote:
>>> Thanks Justin, FWIW, I agree with your analysis
>>>
>>> Seems to me we have the following breakdown of clients
>>>
>>> - confidential server clients
>>>
>>> - confidential native clients (somewhat theoretical at the moment, 
>>> assumes either 1) a client registration mechanism to deliver 
>>> credentials post installation, such as OpenID Connects Client 
>>> Registration spec, or 2) a distribution channel in which uniquely 
>>> credentials can be packaged into the binary before delivery)
>>>
>>> - public clients (no option of client authn, but still possible to 
>>> have some protection against token leakage via other mitigating 
>>> mechanisms)
>>>
>>> thanks again
>>>
>>> paul
>>>
>>> On 12/19/11 12:44 PM, Justin Richer wrote:
>>>> Native mobile clients can't really be confidential clients.
>>>>
>>>> The distinction between "public" and "confidential" clients is 
>>>> whether or not they can keep deployment-time secrets; which is to 
>>>> say, a client_secret. This is not to say that they can't keep *any* 
>>>> secrets. In particular those generated at runtime, like an access 
>>>> token or refresh token, could be held perfectly safe. But at the 
>>>> time the app is deployed to its running environment, you have to 
>>>> ask "who has access to its code and configuration?"
>>>>
>>>> Think of it this way. In the standard world, a native app gets 
>>>> copied to every device with the client_id and client_secret baked 
>>>> in. This makes the client_secret not very secret, and not at all 
>>>> unique. Anybody with access to the binary -- which is to say, every 
>>>> user -- could decompile the client_secret out of it and bake it 
>>>> into their *own* client, pretending to be your app and causing all 
>>>> kinds of havoc. This is a very different problem from somebody 
>>>> breaking into the token store and stealing an access token, which 
>>>> lets them only get to their own account.
>>>>
>>>> Compare this to a server-based app where the only ones with access 
>>>> to the binary and configuration are the administrators of the 
>>>> server, not the end users. It's a much more limited list of folks 
>>>> that can potentially see it, and therefore the client_secret can 
>>>> actually mean something and add a small extra layer of security.
>>>>
>>>> There are a few ways to mitigate this difference for public 
>>>> clients, such as using some kind of dynamic registration for all 
>>>> clients (which doesn't buy you much in terms of overall security) 
>>>> or putting up scary messages about native clients to try and 
>>>> educate your users. You can also use a trusted callback URL for 
>>>> your app on a hosted website that works in conjunction with your 
>>>> native app. This is actually the suggested use for the Implicit 
>>>> Flow, which was made for public clients in the browser.
>>>>
>>>> Native apps also have the concern of embedded browsers vs. external 
>>>> native browsers, and what trust the user puts into them. For all 
>>>> OAuth flows, you have to trust the browser provider on the platform 
>>>> of choice, since the user's going to be logging in directly through 
>>>> that browser. It's very much outside the scope of OAuth to make 
>>>> that world any better though, and there have been long and detailed 
>>>> discussions on this list about that very topic, leading to some 
>>>> concrete recommendations in the draft as it stands today.
>>>>
>>>> To answer your original query: I don't think that mandating one 
>>>> kind of client vs. the other will really help. OAuth 1.0 only had 
>>>> "confidential" clients, and that led to inane workarounds like 
>>>> Google's "anonymous/anonymous" client id/secret.
>>>>
>>>> Hope this helps.
>>>>
>>>>  -- Justin
>>>>
>>>> On 12/19/2011 07:19 AM, Paul Madsen wrote:
>>>>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet 
>>>>> unreleased) profile of OAuth 2.0 for online delivery of video 
>>>>> content based on a user's subscriptions (the TV Everywhere use case)
>>>>>
>>>>> We want to support both server & native mobile clients. It is for 
>>>>> the second class of clients that I'd appreciate some clarification 
>>>>> of 'confidentiality' as defined in OAuth 2.
>>>>>
>>>>> OAuth 2 distinguishes confidential & public clients based on their 
>>>>> ability to secure the credentials they'd use to authenticate to an 
>>>>> AS - confidential clients can protect those credentials, public 
>>>>> clients can't.
>>>>>
>>>>> Notwithstanding the above definition, the spec gives a degree of 
>>>>> discretion to the AS
>>>>>
>>>>>     The client type designation is based on the authorization server's
>>>>>     definition of secure authentication and its acceptable exposure
>>>>>     levels of client credentials.
>>>>>
>>>>>
>>>>> Give this discretion, is itpractical for the OMAP spec to 
>>>>> stipulate that 'All Clients (both server & native mobile), MUST be 
>>>>> confidential', ie let each individual OMAP AS specify its own 
>>>>> requirements of clients and their ability to securely authenticate?
>>>>>
>>>>> Is this consistent with the OAuth definition of confidentiality?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Paul
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>


--------------010803070705040202000104
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit


  
    
  
  
    More inline:)

    

    On 12/19/11 3:11 PM, Paul Madsen wrote:
    

      
      Hi George, inline

      

      thanks 

      

      paul

      

      On 12/19/11 2:10 PM, George Fletcher wrote:
      

        
        Hi Paul,

          

          Is the need to authenticate the client a need to ensure that
          the content is only displayed on certain devices/clients? Or
          prevent phishing/stealing of authz bearer tokens?

        

      I'm not best qualified to answer but I believe it's the latter, ie
      not DRM motivated

      
 

          As you point out, it's possible to protect the bearer tokens
          and associated refresh tokens "via other mitigating
          mechanisms". I'm not sure it's possible to authenticate the
          device/client with out the device/client having some special
          "hardware" that can be leveraged in the authentication step.

        

      are you referring to a 'bootstrap' problem?

    

    Well... more thinking about whether the set of devices/clients
    allowed to go through the "dynamic registration" process is
    "restricted" in some way (e.g. a certain manufacturer, or
    application running on a device). Given that the dynamic
    registration steps can be discovered, it become difficult to
    restrict what devices/clients can go through the dynamic
    registration steps.

    

    

      
 

          Even dynamic registration doesn't solve the security issues
          (the device/client can still be disassembled and associated
          values discovered) of the device/client, just mitigates the
          exposure risk. However, this does cause increased work for the
          AS as it will now be tracking each and every device as a
          unique client. It's also likely for the device registration
          steps to be discovered, in which case restricting to a
          particular device again fails.

        

      yes, but as you imply an attacker will only access those
      credentials specific to that particular copy of the native client.
      Hopefully too much work to be able to see Glee Season 2.

      

      Can you clarify what you mean about the device registration steps
      being 'discovered'?

    

    (see above). Basically, the question becomes... is any device/client
    ok to be used as long as it goes through the dynamic registration
    process and is "authorized" by the AS? If the answer is yes, then I
    think dynamic registration is a great solution.  Given all
    transactions are over SSL, getting any of client credentials,
    refresh_token or access_token is going to be difficult without
    access to the device/client.

    

    There is the issue of the client sending the token to a rogue
    protected resource. Though that is pretty unlikely based on a native
    device/client. It would require a both a rogue client and a rogue
    protected resource. If this is a concern, then you are sort of back
    into the problem of needing to be able to at least identify the
    device/client.

    

    Seems like a unique set of client credentials for every instance of
    the device/client plus short-lived access_tokens should be good
    enough for this use case. The associated refresh_token can always be
    revoked as well. All this doesn't obviate the need for "risk based
    authN/authZ" at the AS.

    

      
 

          It seems like trying to bind the bearer token to a
          device/client instance might be a better approach. That way
          you know that the customer correctly authorized that
          device/client instance and it is "allowed" to present the
          bearer token. Of course enforcing/proving the "allowed" part
          sort of breaks the "bearer" part:)

        

      yeah, how do we bind a bearer token to anything? :-) Doesnt that
      by definition take us towards MAC?

    

    I know, I'm stating the obvious... but thankfully it sounds like you
    don't need that level of security:)

    
 

      

      
 

          Thanks,

          George

        

        On 12/19/11 1:09 PM, Paul Madsen wrote:
        

          
          Thanks Justin, FWIW, I agree with your
            analysis

            

            Seems to me we have the following breakdown of
          clients

          

          - confidential server clients

          

          - confidential native clients (somewhat theoretical at the
          moment, assumes either 1) a client registration mechanism to
          deliver credentials post installation, such as OpenID Connects
          Client Registration spec, or 2) a distribution channel in
          which uniquely credentials can be packaged into the binary
          before delivery)

          

          - public clients (no option of client authn, but still
          possible to have some protection against token leakage via
          other mitigating mechanisms)

          

          thanks again

          

          paul

          

          On 12/19/11 12:44 PM, Justin Richer wrote:
          

            
            Native mobile clients can't really be confidential clients.
            

            

            The distinction between "public" and "confidential" clients
            is whether or not they can keep deployment-time secrets;
            which is to say, a client_secret. This is not to say that
            they can't keep *any* secrets. In particular those generated
            at runtime, like an access token or refresh token, could be
            held perfectly safe. But at the time the app is deployed to
            its running environment, you have to ask "who has access to
            its code and configuration?"

            

            Think of it this way. In the standard world, a native app
            gets copied to every device with the client_id and
            client_secret baked in. This makes the client_secret not
            very secret, and not at all unique. Anybody with access to
            the binary -- which is to say, every user -- could decompile
            the client_secret out of it and bake it into their *own*
            client, pretending to be your app and causing all kinds of
            havoc. This is a very different problem from somebody
            breaking into the token store and stealing an access token,
            which lets them only get to their own account. 

            

            Compare this to a server-based app where the only ones with
            access to the binary and configuration are the
            administrators of the server, not the end users. It's a much
            more limited list of folks that can potentially see it, and
            therefore the client_secret can actually mean something and
            add a small extra layer of security. 

            

            There are a few ways to mitigate this difference for public
            clients, such as using some kind of dynamic registration for
            all clients (which doesn't buy you much in terms of overall
            security) or putting up scary messages about native clients
            to try and educate your users. You can also use a trusted
            callback URL for your app on a hosted website that works in
            conjunction with your native app. This is actually the
            suggested use for the Implicit Flow, which was made for
            public clients in the browser.

            

            Native apps also have the concern of embedded browsers vs.
            external native browsers, and what trust the user puts into
            them. For all OAuth flows, you have to trust the browser
            provider on the platform of choice, since the user's going
            to be logging in directly through that browser. It's very
            much outside the scope of OAuth to make that world any
            better though, and there have been long and detailed
            discussions on this list about that very topic, leading to
            some concrete recommendations in the draft as it stands
            today.

            

            To answer your original query: I don't think that mandating
            one kind of client vs. the other will really help. OAuth 1.0
            only had "confidential" clients, and that led to inane
            workarounds like Google's "anonymous/anonymous" client
            id/secret. 

            

            Hope this helps.

            

             -- Justin

            

            On 12/19/2011 07:19 AM, Paul Madsen wrote:
            

              
              Hi, the Online Media Authorization
                Protocol (OMAP) is a (as yet unreleased) profile of
                OAuth 2.0 for online delivery of video content based on
                a user's subscriptions (the TV Everywhere use case)

                

                We want to support both server & native mobile
                clients. It is for the second class of clients that I'd
                appreciate some clarification of 'confidentiality' as
                defined in OAuth 2.

                

                OAuth 2 distinguishes confidential & public clients
                based on their ability to secure the credentials they'd
                use to authenticate to an AS - confidential clients can
                protect those credentials, public clients can't.

                

                Notwithstanding the above definition, the spec gives a
                degree of discretion to the AS

                

              
              
   The client type designation is based on the authorization server's
   definition of secure authentication and its acceptable exposure
   levels of client credentials.




               Give this discretion, is it
                  practical for the OMAP spec to stipulate
                that 'All Clients (both server & native mobile),
                MUST be confidential', ie let each individual OMAP AS
                specify its own requirements of clients and their
                ability to securely authenticate? 

                

                Is this consistent with the OAuth definition of
                confidentiality?

                

                Thanks

                

                Paul

                

              

              

              

                

                

                

                

                

               

              

              

              
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


            

            

          

          

          

          

          
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


        

        

      

    

    

  


--------------010803070705040202000104--

From zhang.ruishan@zte.com.cn  Wed Dec 21 18:58:24 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 734F011E809C; Wed, 21 Dec 2011 18:58:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.085
X-Spam-Level: 
X-Spam-Status: No, score=-100.085 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=1.753, RCVD_DOUBLE_IP_LOOSE=0.76, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jUNHxspdr4eL; Wed, 21 Dec 2011 18:58:23 -0800 (PST)
Received: from mx5.zte.com.cn (mx5.zte.com.cn [63.217.80.70]) by ietfa.amsl.com (Postfix) with ESMTP id 86FE511E8097; Wed, 21 Dec 2011 18:58:22 -0800 (PST)
Received: from [10.30.17.99] by mx5.zte.com.cn with surfront esmtp id 59528609479330; Thu, 22 Dec 2011 10:56:41 +0800 (CST)
Received: from [10.30.3.20] by [192.168.168.15] with StormMail ESMTP id 95341.2621071999; Thu, 22 Dec 2011 10:58:13 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse01.zte.com.cn with ESMTP id pBM2w8rm056802; Thu, 22 Dec 2011 10:58:08 +0800 (GMT-8) (envelope-from zhang.ruishan@zte.com.cn)
In-Reply-To: 
To: Anthony Nadalin 
MIME-Version: 1.0
X-KeepSent: FBB7FCC2:A3164010-4825796E:000A5AC6; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: 
From: zhang.ruishan@zte.com.cn
Date: Thu, 22 Dec 2011 10:58:04 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.1FP4|July 25, 2010) at 2011-12-22 10:58:09, Serialize complete at 2011-12-22 10:58:09
Content-Type: multipart/alternative; boundary="=_alternative 00104FCE4825796E_="
X-MAIL: mse01.zte.com.cn pBM2w8rm056802
Cc: oauth-bounces@ietf.org, "oauth@ietf.org" 
Subject: Re: [OAUTH-WG] Native clients & 'confidentiality'
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Thu, 22 Dec 2011 02:58:24 -0000

This is a multipart message in MIME format.
--=_alternative 00104FCE4825796E_=
Content-Type: text/plain; charset="GB2312"
Content-Transfer-Encoding: base64

SW4gdGhlb3J5LCAgaWYgb25seSBuYXRpdmUgY2xpZW50cyBjb3VsZCBrZWVwICBkZXBsb3ltZW50
LXRpbWUgc2VjcmV0IA0KdW5kaXNjbG9zZWQsIHRoZW4gd2UgY2FuIHNheSB0aGV5IGFyZSBjb25m
aWRlbnRpYWwgY2xpZW50cy4gDQpBY3R1YWxseSwgaWYgbmF0aXZlIGNsaWVudCBhcHBsaWNhdGlv
bnMgYXJlIGRpZmZpY3VsdCB0byBiZSANCnJldmVyc2UtZW5naW5uZXJlZCwgZS5nLiwgU2t5cGUs
ICBpdCdzIHBvc3NpYmxlIHRvIGdhaW4gdGhlIGFib3ZlIGdvYWwuDQpIb3dldmVyLCBpbiBtb3N0
IGV4aXN0aW5nIG1vYmlsZSBhcHBzLCBJIGd1ZXNzIHJldmVyc2UgZW5naWVlcmluZyAgc2hvdWxk
IA0KYmUgcXVpdGUgZWFzeS4gDQpJbiB0aGlzIGNhc2UsIHRoZXJlIGlzIGFsbW9zdCBubyB3YXkg
Zm9yIHRoZXNlIGFwcHMgdG8gaGlkZSBhbnl0aGluZy4gDQoNCkJlc3Qgd2lzaGVzLA0KDQpSdWlz
aGFuIA0KDQpkZXBsb3ltZW50LXRpbWUgc2VjcmV0cw0KDQoNCg0KTm90IHJlYWxseSBzdXJlIGhv
dyB5b3UgY2FtZSB0byB0aGUgY29uY2x1c2lvbiB0aGF0IG5hdGl2ZSBtb2JpbGUgY2xpZW50cyAN
CmNhbqGvdCBiZSBjb25maWRlbnRpYWw/IEFzIHBvaW50ZWQgb3V0IGluIHNlY3Rpb24gMy43IG9m
IHRoZSANCmh0dHA6Ly93d3cuaWV0Zi5vcmcvaWQvZHJhZnQtaWV0Zi1vYXV0aC12Mi10aHJlYXRt
b2RlbC0wMS50eHQgdGhlcmUgYXJlIA0KZ3VpZGVsaW5lcyB0aGF0IGNvbmZpZGVudGlhbCBjbGll
bnRzIHNob3VsZCBmb2xsb3csIGJ1dCBkb2VzIG5vdCANCmRpc3Rpbmd1aXNoIGJldHdlZW4gbmF0
aXZlIGNsaWVudHMgb3IgbmF0aXZlIG1vYmlsZSBjbGllbnRzLg0KIA0KRnJvbTogb2F1dGgtYm91
bmNlc0BpZXRmLm9yZyBbbWFpbHRvOm9hdXRoLWJvdW5jZXNAaWV0Zi5vcmddIE9uIEJlaGFsZiBP
ZiANCkp1c3RpbiBSaWNoZXINClNlbnQ6IE1vbmRheSwgRGVjZW1iZXIgMTksIDIwMTEgOTo0NCBB
TQ0KVG86IFBhdWwgTWFkc2VuDQpDYzogb2F1dGhAaWV0Zi5vcmcNClN1YmplY3Q6IFJlOiBbT0FV
VEgtV0ddIE5hdGl2ZSBjbGllbnRzICYgJ2NvbmZpZGVudGlhbGl0eScNCiANCk5hdGl2ZSBtb2Jp
bGUgY2xpZW50cyBjYW4ndCByZWFsbHkgYmUgY29uZmlkZW50aWFsIGNsaWVudHMuIA0KDQpUaGUg
ZGlzdGluY3Rpb24gYmV0d2VlbiAicHVibGljIiBhbmQgImNvbmZpZGVudGlhbCIgY2xpZW50cyBp
cyB3aGV0aGVyIG9yIA0Kbm90IHRoZXkgY2FuIGtlZXAgZGVwbG95bWVudC10aW1lIHNlY3JldHM7
IHdoaWNoIGlzIHRvIHNheSwgYSANCmNsaWVudF9zZWNyZXQuIFRoaXMgaXMgbm90IHRvIHNheSB0
aGF0IHRoZXkgY2FuJ3Qga2VlcCAqYW55KiBzZWNyZXRzLiBJbiANCnBhcnRpY3VsYXIgdGhvc2Ug
Z2VuZXJhdGVkIGF0IHJ1bnRpbWUsIGxpa2UgYW4gYWNjZXNzIHRva2VuIG9yIHJlZnJlc2ggDQp0
b2tlbiwgY291bGQgYmUgaGVsZCBwZXJmZWN0bHkgc2FmZS4gQnV0IGF0IHRoZSB0aW1lIHRoZSBh
cHAgaXMgZGVwbG95ZWQgDQp0byBpdHMgcnVubmluZyBlbnZpcm9ubWVudCwgeW91IGhhdmUgdG8g
YXNrICJ3aG8gaGFzIGFjY2VzcyB0byBpdHMgY29kZSANCmFuZCBjb25maWd1cmF0aW9uPyINCg0K
VGhpbmsgb2YgaXQgdGhpcyB3YXkuIEluIHRoZSBzdGFuZGFyZCB3b3JsZCwgYSBuYXRpdmUgYXBw
IGdldHMgY29waWVkIHRvIA0KZXZlcnkgZGV2aWNlIHdpdGggdGhlIGNsaWVudF9pZCBhbmQgY2xp
ZW50X3NlY3JldCBiYWtlZCBpbi4gVGhpcyBtYWtlcyB0aGUgDQpjbGllbnRfc2VjcmV0IG5vdCB2
ZXJ5IHNlY3JldCwgYW5kIG5vdCBhdCBhbGwgdW5pcXVlLiBBbnlib2R5IHdpdGggYWNjZXNzIA0K
dG8gdGhlIGJpbmFyeSAtLSB3aGljaCBpcyB0byBzYXksIGV2ZXJ5IHVzZXIgLS0gY291bGQgZGVj
b21waWxlIHRoZSANCmNsaWVudF9zZWNyZXQgb3V0IG9mIGl0IGFuZCBiYWtlIGl0IGludG8gdGhl
aXIgKm93biogY2xpZW50LCBwcmV0ZW5kaW5nIHRvIA0KYmUgeW91ciBhcHAgYW5kIGNhdXNpbmcg
YWxsIGtpbmRzIG9mIGhhdm9jLiBUaGlzIGlzIGEgdmVyeSBkaWZmZXJlbnQgDQpwcm9ibGVtIGZy
b20gc29tZWJvZHkgYnJlYWtpbmcgaW50byB0aGUgdG9rZW4gc3RvcmUgYW5kIHN0ZWFsaW5nIGFu
IGFjY2VzcyANCnRva2VuLCB3aGljaCBsZXRzIHRoZW0gb25seSBnZXQgdG8gdGhlaXIgb3duIGFj
Y291bnQuIA0KDQpDb21wYXJlIHRoaXMgdG8gYSBzZXJ2ZXItYmFzZWQgYXBwIHdoZXJlIHRoZSBv
bmx5IG9uZXMgd2l0aCBhY2Nlc3MgdG8gdGhlIA0KYmluYXJ5IGFuZCBjb25maWd1cmF0aW9uIGFy
ZSB0aGUgYWRtaW5pc3RyYXRvcnMgb2YgdGhlIHNlcnZlciwgbm90IHRoZSBlbmQgDQp1c2Vycy4g
SXQncyBhIG11Y2ggbW9yZSBsaW1pdGVkIGxpc3Qgb2YgZm9sa3MgdGhhdCBjYW4gcG90ZW50aWFs
bHkgc2VlIGl0LCANCmFuZCB0aGVyZWZvcmUgdGhlIGNsaWVudF9zZWNyZXQgY2FuIGFjdHVhbGx5
IG1lYW4gc29tZXRoaW5nIGFuZCBhZGQgYSANCnNtYWxsIGV4dHJhIGxheWVyIG9mIHNlY3VyaXR5
LiANCg0KVGhlcmUgYXJlIGEgZmV3IHdheXMgdG8gbWl0aWdhdGUgdGhpcyBkaWZmZXJlbmNlIGZv
ciBwdWJsaWMgY2xpZW50cywgc3VjaCANCmFzIHVzaW5nIHNvbWUga2luZCBvZiBkeW5hbWljIHJl
Z2lzdHJhdGlvbiBmb3IgYWxsIGNsaWVudHMgKHdoaWNoIGRvZXNuJ3QgDQpidXkgeW91IG11Y2gg
aW4gdGVybXMgb2Ygb3ZlcmFsbCBzZWN1cml0eSkgb3IgcHV0dGluZyB1cCBzY2FyeSBtZXNzYWdl
cyANCmFib3V0IG5hdGl2ZSBjbGllbnRzIHRvIHRyeSBhbmQgZWR1Y2F0ZSB5b3VyIHVzZXJzLiBZ
b3UgY2FuIGFsc28gdXNlIGEgDQp0cnVzdGVkIGNhbGxiYWNrIFVSTCBmb3IgeW91ciBhcHAgb24g
YSBob3N0ZWQgd2Vic2l0ZSB0aGF0IHdvcmtzIGluIA0KY29uanVuY3Rpb24gd2l0aCB5b3VyIG5h
dGl2ZSBhcHAuIFRoaXMgaXMgYWN0dWFsbHkgdGhlIHN1Z2dlc3RlZCB1c2UgZm9yIA0KdGhlIElt
cGxpY2l0IEZsb3csIHdoaWNoIHdhcyBtYWRlIGZvciBwdWJsaWMgY2xpZW50cyBpbiB0aGUgYnJv
d3Nlci4NCg0KTmF0aXZlIGFwcHMgYWxzbyBoYXZlIHRoZSBjb25jZXJuIG9mIGVtYmVkZGVkIGJy
b3dzZXJzIHZzLiBleHRlcm5hbCBuYXRpdmUgDQpicm93c2VycywgYW5kIHdoYXQgdHJ1c3QgdGhl
IHVzZXIgcHV0cyBpbnRvIHRoZW0uIEZvciBhbGwgT0F1dGggZmxvd3MsIHlvdSANCmhhdmUgdG8g
dHJ1c3QgdGhlIGJyb3dzZXIgcHJvdmlkZXIgb24gdGhlIHBsYXRmb3JtIG9mIGNob2ljZSwgc2lu
Y2UgdGhlIA0KdXNlcidzIGdvaW5nIHRvIGJlIGxvZ2dpbmcgaW4gZGlyZWN0bHkgdGhyb3VnaCB0
aGF0IGJyb3dzZXIuIEl0J3MgdmVyeSANCm11Y2ggb3V0c2lkZSB0aGUgc2NvcGUgb2YgT0F1dGgg
dG8gbWFrZSB0aGF0IHdvcmxkIGFueSBiZXR0ZXIgdGhvdWdoLCBhbmQgDQp0aGVyZSBoYXZlIGJl
ZW4gbG9uZyBhbmQgZGV0YWlsZWQgZGlzY3Vzc2lvbnMgb24gdGhpcyBsaXN0IGFib3V0IHRoYXQg
dmVyeSANCnRvcGljLCBsZWFkaW5nIHRvIHNvbWUgY29uY3JldGUgcmVjb21tZW5kYXRpb25zIGlu
IHRoZSBkcmFmdCBhcyBpdCBzdGFuZHMgDQp0b2RheS4NCg0KVG8gYW5zd2VyIHlvdXIgb3JpZ2lu
YWwgcXVlcnk6IEkgZG9uJ3QgdGhpbmsgdGhhdCBtYW5kYXRpbmcgb25lIGtpbmQgb2YgDQpjbGll
bnQgdnMuIHRoZSBvdGhlciB3aWxsIHJlYWxseSBoZWxwLiBPQXV0aCAxLjAgb25seSBoYWQgImNv
bmZpZGVudGlhbCIgDQpjbGllbnRzLCBhbmQgdGhhdCBsZWQgdG8gaW5hbmUgd29ya2Fyb3VuZHMg
bGlrZSBHb29nbGUncyANCiJhbm9ueW1vdXMvYW5vbnltb3VzIiBjbGllbnQgaWQvc2VjcmV0LiAN
Cg0KSG9wZSB0aGlzIGhlbHBzLg0KDQogLS0gSnVzdGluDQoNCk9uIDEyLzE5LzIwMTEgMDc6MTkg
QU0sIFBhdWwgTWFkc2VuIHdyb3RlOiANCkhpLCB0aGUgT25saW5lIE1lZGlhIEF1dGhvcml6YXRp
b24gUHJvdG9jb2wgKE9NQVApIGlzIGEgKGFzIHlldCANCnVucmVsZWFzZWQpIHByb2ZpbGUgb2Yg
T0F1dGggMi4wIGZvciBvbmxpbmUgZGVsaXZlcnkgb2YgdmlkZW8gY29udGVudCANCmJhc2VkIG9u
IGEgdXNlcidzIHN1YnNjcmlwdGlvbnMgKHRoZSBUViBFdmVyeXdoZXJlIHVzZSBjYXNlKQ0KDQpX
ZSB3YW50IHRvIHN1cHBvcnQgYm90aCBzZXJ2ZXIgJiBuYXRpdmUgbW9iaWxlIGNsaWVudHMuIEl0
IGlzIGZvciB0aGUgDQpzZWNvbmQgY2xhc3Mgb2YgY2xpZW50cyB0aGF0IEknZCBhcHByZWNpYXRl
IHNvbWUgY2xhcmlmaWNhdGlvbiBvZiANCidjb25maWRlbnRpYWxpdHknIGFzIGRlZmluZWQgaW4g
T0F1dGggMi4NCg0KT0F1dGggMiBkaXN0aW5ndWlzaGVzIGNvbmZpZGVudGlhbCAmIHB1YmxpYyBj
bGllbnRzIGJhc2VkIG9uIHRoZWlyIGFiaWxpdHkgDQp0byBzZWN1cmUgdGhlIGNyZWRlbnRpYWxz
IHRoZXknZCB1c2UgdG8gYXV0aGVudGljYXRlIHRvIGFuIEFTIC0gDQpjb25maWRlbnRpYWwgY2xp
ZW50cyBjYW4gcHJvdGVjdCB0aG9zZSBjcmVkZW50aWFscywgcHVibGljIGNsaWVudHMgY2FuJ3Qu
DQoNCk5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUgZGVmaW5pdGlvbiwgdGhlIHNwZWMgZ2l2ZXMg
YSBkZWdyZWUgb2YgDQpkaXNjcmV0aW9uIHRvIHRoZSBBUw0KDQoNCiAgIFRoZSBjbGllbnQgdHlw
ZSBkZXNpZ25hdGlvbiBpcyBiYXNlZCBvbiB0aGUgYXV0aG9yaXphdGlvbiBzZXJ2ZXIncw0KICAg
ZGVmaW5pdGlvbiBvZiBzZWN1cmUgYXV0aGVudGljYXRpb24gYW5kIGl0cyBhY2NlcHRhYmxlIGV4
cG9zdXJlDQogICBsZXZlbHMgb2YgY2xpZW50IGNyZWRlbnRpYWxzLg0KIA0KIA0KR2l2ZSB0aGlz
IGRpc2NyZXRpb24sIGlzIGl0IHByYWN0aWNhbCBmb3IgdGhlIE9NQVAgc3BlYyB0byBzdGlwdWxh
dGUgdGhhdCANCidBbGwgQ2xpZW50cyAoYm90aCBzZXJ2ZXIgJiBuYXRpdmUgbW9iaWxlKSwgTVVT
VCBiZSBjb25maWRlbnRpYWwnLCBpZSBsZXQgDQplYWNoIGluZGl2aWR1YWwgT01BUCBBUyBzcGVj
aWZ5IGl0cyBvd24gcmVxdWlyZW1lbnRzIG9mIGNsaWVudHMgYW5kIHRoZWlyIA0KYWJpbGl0eSB0
byBzZWN1cmVseSBhdXRoZW50aWNhdGU/IA0KDQpJcyB0aGlzIGNvbnNpc3RlbnQgd2l0aCB0aGUg
T0F1dGggZGVmaW5pdGlvbiBvZiBjb25maWRlbnRpYWxpdHk/DQoNClRoYW5rcw0KDQpQYXVsDQoN
Cg0KDQoNCg0KDQoNCg0KDQoNCg0KDQpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fXw0KT0F1dGggbWFpbGluZyBsaXN0DQpPQXV0aEBpZXRmLm9yZw0KaHR0cHM6
Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aA0KIF9fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fDQpPQXV0aCBtYWlsaW5nIGxpc3QNCk9BdXRo
QGlldGYub3JnDQpodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoDQoN
Cg0K
--=_alternative 00104FCE4825796E_=
Content-Type: text/html; charset="GB2312"
Content-Transfer-Encoding: base64

DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+SW4gdGhlb3J5LCAmbmJz
cDtpZiBvbmx5IG5hdGl2ZQ0KY2xpZW50cyBjb3VsZCBrZWVwICZuYnNwO2RlcGxveW1lbnQtdGlt
ZSBzZWNyZXQgdW5kaXNjbG9zZWQsIHRoZW4gd2UgY2FuDQpzYXkgdGhleSBhcmUgY29uZmlkZW50
aWFsIGNsaWVudHMuIDwvZm9udD4NCjxicj48Zm9udCBzaXplPTMgZmFjZT0iVGltZXMgTmV3IFJv
bWFuIj5BY3R1YWxseSwgaWYgbmF0aXZlIGNsaWVudCBhcHBsaWNhdGlvbnMNCmFyZSBkaWZmaWN1
bHQgdG8gYmUgcmV2ZXJzZS1lbmdpbm5lcmVkLCBlLmcuLCBTa3lwZSwgJm5ic3A7aXQncyBwb3Nz
aWJsZQ0KdG8gZ2FpbiB0aGUgYWJvdmUgZ29hbC48L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGZh
Y2U9IlRpbWVzIE5ldyBSb21hbiI+SG93ZXZlciwgaW4gbW9zdCBleGlzdGluZyBtb2JpbGUNCmFw
cHMsIEkgZ3Vlc3MgcmV2ZXJzZSBlbmdpZWVyaW5nICZuYnNwO3Nob3VsZCBiZSBxdWl0ZSBlYXN5
LiA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+SW4gdGhp
cyBjYXNlLCB0aGVyZSBpcyBhbG1vc3Qgbm8NCndheSBmb3IgdGhlc2UgYXBwcyB0byBoaWRlIGFu
eXRoaW5nLiA8L2ZvbnQ+DQo8YnI+DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBS
b21hbiI+QmVzdCB3aXNoZXMsPC9mb250Pg0KPGJyPg0KPGJyPjxmb250IHNpemU9MyBmYWNlPSJU
aW1lcyBOZXcgUm9tYW4iPlJ1aXNoYW4gJm5ic3A7IDwvZm9udD4NCjxicj4NCjxicj48Zm9udCBz
aXplPTMgZmFjZT0iVGltZXMgTmV3IFJvbWFuIj5kZXBsb3ltZW50LXRpbWUgc2VjcmV0czwvZm9u
dD4NCjxicj4NCjxicj4NCjxicj4NCjxicj48Zm9udCBzaXplPTIgY29sb3I9IzFmNDk3ZCBmYWNl
PSJDYWxpYnJpIj5Ob3QgcmVhbGx5IHN1cmUgaG93IHlvdSBjYW1lDQp0byB0aGUgY29uY2x1c2lv
biB0aGF0IG5hdGl2ZSBtb2JpbGUgY2xpZW50cyBjYW6hr3QgYmUgY29uZmlkZW50aWFsPyBBcw0K
cG9pbnRlZCBvdXQgaW4gc2VjdGlvbiAzLjcgb2YgdGhlIDwvZm9udD48YSBocmVmPSJodHRwOi8v
d3d3LmlldGYub3JnL2lkL2RyYWZ0LWlldGYtb2F1dGgtdjItdGhyZWF0bW9kZWwtMDEudHh0Ij48
Zm9udCBzaXplPTIgY29sb3I9Ymx1ZSBmYWNlPSJDYWxpYnJpIj48dT5odHRwOi8vd3d3LmlldGYu
b3JnL2lkL2RyYWZ0LWlldGYtb2F1dGgtdjItdGhyZWF0bW9kZWwtMDEudHh0PC91PjwvZm9udD48
L2E+PGZvbnQgc2l6ZT0yIGNvbG9yPSMxZjQ5N2QgZmFjZT0iQ2FsaWJyaSI+DQp0aGVyZSBhcmUg
Z3VpZGVsaW5lcyB0aGF0IGNvbmZpZGVudGlhbCBjbGllbnRzIHNob3VsZCBmb2xsb3csIGJ1dCBk
b2VzDQpub3QgZGlzdGluZ3Vpc2ggYmV0d2VlbiBuYXRpdmUgY2xpZW50cyBvciBuYXRpdmUgbW9i
aWxlIGNsaWVudHMuPC9mb250Pg0KPGJyPjxmb250IHNpemU9MiBjb2xvcj0jMWY0OTdkIGZhY2U9
IkNhbGlicmkiPiZuYnNwOzwvZm9udD4NCjxicj48Zm9udCBzaXplPTIgZmFjZT0iVGFob21hIj48
Yj5Gcm9tOjwvYj4gb2F1dGgtYm91bmNlc0BpZXRmLm9yZyBbbWFpbHRvOm9hdXRoLWJvdW5jZXNA
aWV0Zi5vcmddDQo8Yj5PbiBCZWhhbGYgT2YgPC9iPkp1c3RpbiBSaWNoZXI8Yj48YnI+DQpTZW50
OjwvYj4gTW9uZGF5LCBEZWNlbWJlciAxOSwgMjAxMSA5OjQ0IEFNPGI+PGJyPg0KVG86PC9iPiBQ
YXVsIE1hZHNlbjxiPjxicj4NCkNjOjwvYj4gb2F1dGhAaWV0Zi5vcmc8Yj48YnI+DQpTdWJqZWN0
OjwvYj4gUmU6IFtPQVVUSC1XR10gTmF0aXZlIGNsaWVudHMgJmFtcDsgJ2NvbmZpZGVudGlhbGl0
eSc8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+Jm5ic3A7
PC9mb250Pg0KPGJyPjxmb250IHNpemU9MyBmYWNlPSJUaW1lcyBOZXcgUm9tYW4iPk5hdGl2ZSBt
b2JpbGUgY2xpZW50cyBjYW4ndCByZWFsbHkNCmJlIGNvbmZpZGVudGlhbCBjbGllbnRzLiA8YnI+
DQo8YnI+DQpUaGUgZGlzdGluY3Rpb24gYmV0d2VlbiAmcXVvdDtwdWJsaWMmcXVvdDsgYW5kICZx
dW90O2NvbmZpZGVudGlhbCZxdW90Ow0KY2xpZW50cyBpcyB3aGV0aGVyIG9yIG5vdCB0aGV5IGNh
biBrZWVwIGRlcGxveW1lbnQtdGltZSBzZWNyZXRzOyB3aGljaA0KaXMgdG8gc2F5LCBhIGNsaWVu
dF9zZWNyZXQuIFRoaXMgaXMgbm90IHRvIHNheSB0aGF0IHRoZXkgY2FuJ3Qga2VlcCAqYW55Kg0K
c2VjcmV0cy4gSW4gcGFydGljdWxhciB0aG9zZSBnZW5lcmF0ZWQgYXQgcnVudGltZSwgbGlrZSBh
biBhY2Nlc3MgdG9rZW4NCm9yIHJlZnJlc2ggdG9rZW4sIGNvdWxkIGJlIGhlbGQgcGVyZmVjdGx5
IHNhZmUuIEJ1dCBhdCB0aGUgdGltZSB0aGUgYXBwDQppcyBkZXBsb3llZCB0byBpdHMgcnVubmlu
ZyBlbnZpcm9ubWVudCwgeW91IGhhdmUgdG8gYXNrICZxdW90O3dobyBoYXMgYWNjZXNzDQp0byBp
dHMgY29kZSBhbmQgY29uZmlndXJhdGlvbj8mcXVvdDs8YnI+DQo8YnI+DQpUaGluayBvZiBpdCB0
aGlzIHdheS4gSW4gdGhlIHN0YW5kYXJkIHdvcmxkLCBhIG5hdGl2ZSBhcHAgZ2V0cyBjb3BpZWQg
dG8NCmV2ZXJ5IGRldmljZSB3aXRoIHRoZSBjbGllbnRfaWQgYW5kIGNsaWVudF9zZWNyZXQgYmFr
ZWQgaW4uIFRoaXMgbWFrZXMNCnRoZSBjbGllbnRfc2VjcmV0IG5vdCB2ZXJ5IHNlY3JldCwgYW5k
IG5vdCBhdCBhbGwgdW5pcXVlLiBBbnlib2R5IHdpdGgNCmFjY2VzcyB0byB0aGUgYmluYXJ5IC0t
IHdoaWNoIGlzIHRvIHNheSwgZXZlcnkgdXNlciAtLSBjb3VsZCBkZWNvbXBpbGUNCnRoZSBjbGll
bnRfc2VjcmV0IG91dCBvZiBpdCBhbmQgYmFrZSBpdCBpbnRvIHRoZWlyICpvd24qIGNsaWVudCwg
cHJldGVuZGluZw0KdG8gYmUgeW91ciBhcHAgYW5kIGNhdXNpbmcgYWxsIGtpbmRzIG9mIGhhdm9j
LiBUaGlzIGlzIGEgdmVyeSBkaWZmZXJlbnQNCnByb2JsZW0gZnJvbSBzb21lYm9keSBicmVha2lu
ZyBpbnRvIHRoZSB0b2tlbiBzdG9yZSBhbmQgc3RlYWxpbmcgYW4gYWNjZXNzDQp0b2tlbiwgd2hp
Y2ggbGV0cyB0aGVtIG9ubHkgZ2V0IHRvIHRoZWlyIG93biBhY2NvdW50LiA8YnI+DQo8YnI+DQpD
b21wYXJlIHRoaXMgdG8gYSBzZXJ2ZXItYmFzZWQgYXBwIHdoZXJlIHRoZSBvbmx5IG9uZXMgd2l0
aCBhY2Nlc3MgdG8gdGhlDQpiaW5hcnkgYW5kIGNvbmZpZ3VyYXRpb24gYXJlIHRoZSBhZG1pbmlz
dHJhdG9ycyBvZiB0aGUgc2VydmVyLCBub3QgdGhlDQplbmQgdXNlcnMuIEl0J3MgYSBtdWNoIG1v
cmUgbGltaXRlZCBsaXN0IG9mIGZvbGtzIHRoYXQgY2FuIHBvdGVudGlhbGx5DQpzZWUgaXQsIGFu
ZCB0aGVyZWZvcmUgdGhlIGNsaWVudF9zZWNyZXQgY2FuIGFjdHVhbGx5IG1lYW4gc29tZXRoaW5n
IGFuZA0KYWRkIGEgc21hbGwgZXh0cmEgbGF5ZXIgb2Ygc2VjdXJpdHkuIDxicj4NCjxicj4NClRo
ZXJlIGFyZSBhIGZldyB3YXlzIHRvIG1pdGlnYXRlIHRoaXMgZGlmZmVyZW5jZSBmb3IgcHVibGlj
IGNsaWVudHMsIHN1Y2gNCmFzIHVzaW5nIHNvbWUga2luZCBvZiBkeW5hbWljIHJlZ2lzdHJhdGlv
biBmb3IgYWxsIGNsaWVudHMgKHdoaWNoIGRvZXNuJ3QNCmJ1eSB5b3UgbXVjaCBpbiB0ZXJtcyBv
ZiBvdmVyYWxsIHNlY3VyaXR5KSBvciBwdXR0aW5nIHVwIHNjYXJ5IG1lc3NhZ2VzDQphYm91dCBu
YXRpdmUgY2xpZW50cyB0byB0cnkgYW5kIGVkdWNhdGUgeW91ciB1c2Vycy4gWW91IGNhbiBhbHNv
IHVzZSBhDQp0cnVzdGVkIGNhbGxiYWNrIFVSTCBmb3IgeW91ciBhcHAgb24gYSBob3N0ZWQgd2Vi
c2l0ZSB0aGF0IHdvcmtzIGluIGNvbmp1bmN0aW9uDQp3aXRoIHlvdXIgbmF0aXZlIGFwcC4gVGhp
cyBpcyBhY3R1YWxseSB0aGUgc3VnZ2VzdGVkIHVzZSBmb3IgdGhlIEltcGxpY2l0DQpGbG93LCB3
aGljaCB3YXMgbWFkZSBmb3IgcHVibGljIGNsaWVudHMgaW4gdGhlIGJyb3dzZXIuPGJyPg0KPGJy
Pg0KTmF0aXZlIGFwcHMgYWxzbyBoYXZlIHRoZSBjb25jZXJuIG9mIGVtYmVkZGVkIGJyb3dzZXJz
IHZzLiBleHRlcm5hbCBuYXRpdmUNCmJyb3dzZXJzLCBhbmQgd2hhdCB0cnVzdCB0aGUgdXNlciBw
dXRzIGludG8gdGhlbS4gRm9yIGFsbCBPQXV0aCBmbG93cywNCnlvdSBoYXZlIHRvIHRydXN0IHRo
ZSBicm93c2VyIHByb3ZpZGVyIG9uIHRoZSBwbGF0Zm9ybSBvZiBjaG9pY2UsIHNpbmNlDQp0aGUg
dXNlcidzIGdvaW5nIHRvIGJlIGxvZ2dpbmcgaW4gZGlyZWN0bHkgdGhyb3VnaCB0aGF0IGJyb3dz
ZXIuIEl0J3MgdmVyeQ0KbXVjaCBvdXRzaWRlIHRoZSBzY29wZSBvZiBPQXV0aCB0byBtYWtlIHRo
YXQgd29ybGQgYW55IGJldHRlciB0aG91Z2gsIGFuZA0KdGhlcmUgaGF2ZSBiZWVuIGxvbmcgYW5k
IGRldGFpbGVkIGRpc2N1c3Npb25zIG9uIHRoaXMgbGlzdCBhYm91dCB0aGF0IHZlcnkNCnRvcGlj
LCBsZWFkaW5nIHRvIHNvbWUgY29uY3JldGUgcmVjb21tZW5kYXRpb25zIGluIHRoZSBkcmFmdCBh
cyBpdCBzdGFuZHMNCnRvZGF5Ljxicj4NCjxicj4NClRvIGFuc3dlciB5b3VyIG9yaWdpbmFsIHF1
ZXJ5OiBJIGRvbid0IHRoaW5rIHRoYXQgbWFuZGF0aW5nIG9uZSBraW5kIG9mDQpjbGllbnQgdnMu
IHRoZSBvdGhlciB3aWxsIHJlYWxseSBoZWxwLiBPQXV0aCAxLjAgb25seSBoYWQgJnF1b3Q7Y29u
ZmlkZW50aWFsJnF1b3Q7DQpjbGllbnRzLCBhbmQgdGhhdCBsZWQgdG8gaW5hbmUgd29ya2Fyb3Vu
ZHMgbGlrZSBHb29nbGUncyAmcXVvdDthbm9ueW1vdXMvYW5vbnltb3VzJnF1b3Q7DQpjbGllbnQg
aWQvc2VjcmV0LiA8YnI+DQo8YnI+DQpIb3BlIHRoaXMgaGVscHMuPGJyPg0KPGJyPg0KIC0tIEp1
c3Rpbjxicj4NCjxicj4NCk9uIDEyLzE5LzIwMTEgMDc6MTkgQU0sIFBhdWwgTWFkc2VuIHdyb3Rl
OiA8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj5IaSwgdGhlIE9ubGluZSBN
ZWRpYSBBdXRob3JpemF0aW9uIFByb3RvY29sDQooT01BUCkgaXMgYSAoYXMgeWV0IHVucmVsZWFz
ZWQpIHByb2ZpbGUgb2YgT0F1dGggMi4wIGZvciBvbmxpbmUgZGVsaXZlcnkNCm9mIHZpZGVvIGNv
bnRlbnQgYmFzZWQgb24gYSB1c2VyJ3Mgc3Vic2NyaXB0aW9ucyAodGhlIFRWIEV2ZXJ5d2hlcmUg
dXNlDQpjYXNlKTxicj4NCjxicj4NCldlIHdhbnQgdG8gc3VwcG9ydCBib3RoIHNlcnZlciAmYW1w
OyBuYXRpdmUgbW9iaWxlIGNsaWVudHMuIEl0IGlzIGZvciB0aGUNCnNlY29uZCBjbGFzcyBvZiBj
bGllbnRzIHRoYXQgSSdkIGFwcHJlY2lhdGUgc29tZSBjbGFyaWZpY2F0aW9uIG9mICdjb25maWRl
bnRpYWxpdHknDQphcyBkZWZpbmVkIGluIE9BdXRoIDIuPGJyPg0KPGJyPg0KT0F1dGggMiBkaXN0
aW5ndWlzaGVzIGNvbmZpZGVudGlhbCAmYW1wOyBwdWJsaWMgY2xpZW50cyBiYXNlZCBvbiB0aGVp
cg0KYWJpbGl0eSB0byBzZWN1cmUgdGhlIGNyZWRlbnRpYWxzIHRoZXknZCB1c2UgdG8gYXV0aGVu
dGljYXRlIHRvIGFuIEFTIC0NCmNvbmZpZGVudGlhbCBjbGllbnRzIGNhbiBwcm90ZWN0IHRob3Nl
IGNyZWRlbnRpYWxzLCBwdWJsaWMgY2xpZW50cyBjYW4ndC48YnI+DQo8YnI+DQpOb3R3aXRoc3Rh
bmRpbmcgdGhlIGFib3ZlIGRlZmluaXRpb24sIHRoZSBzcGVjIGdpdmVzIGEgZGVncmVlIG9mIGRp
c2NyZXRpb24NCnRvIHRoZSBBUzxicj4NCjxicj4NCjwvZm9udD4NCjxicj48Zm9udCBzaXplPTMg
ZmFjZT0iQ291cmllciBOZXciPiZuYnNwOyAmbmJzcDtUaGUgY2xpZW50IHR5cGUgZGVzaWduYXRp
b24NCmlzIGJhc2VkIG9uIHRoZSBhdXRob3JpemF0aW9uIHNlcnZlcidzPC9mb250Pg0KPGJyPjxm
b250IHNpemU9MyBmYWNlPSJDb3VyaWVyIE5ldyI+Jm5ic3A7ICZuYnNwO2RlZmluaXRpb24gb2Yg
c2VjdXJlIGF1dGhlbnRpY2F0aW9uDQphbmQgaXRzIGFjY2VwdGFibGUgZXhwb3N1cmU8L2ZvbnQ+
DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9IkNvdXJpZXIgTmV3Ij4mbmJzcDsgJm5ic3A7bGV2ZWxz
IG9mIGNsaWVudCBjcmVkZW50aWFscy48L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9IkNv
dXJpZXIgTmV3Ij4mbmJzcDs8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj4m
bmJzcDs8L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9IkFyaWFsIj5HaXZlIHRoaXMgZGlz
Y3JldGlvbiwgaXMgaXQ8L2ZvbnQ+PGZvbnQgc2l6ZT01IGZhY2U9IkFyaWFsIj4NCjwvZm9udD48
Zm9udCBzaXplPTMgZmFjZT0iQXJpYWwiPnByYWN0aWNhbCBmb3IgdGhlIE9NQVAgc3BlYyB0byBz
dGlwdWxhdGUNCnRoYXQgJ0FsbCBDbGllbnRzIChib3RoIHNlcnZlciAmYW1wOyBuYXRpdmUgbW9i
aWxlKSwgTVVTVCBiZSBjb25maWRlbnRpYWwnLA0KaWUgbGV0IGVhY2ggaW5kaXZpZHVhbCBPTUFQ
IEFTIHNwZWNpZnkgaXRzIG93biByZXF1aXJlbWVudHMgb2YgY2xpZW50cw0KYW5kIHRoZWlyIGFi
aWxpdHkgdG8gc2VjdXJlbHkgYXV0aGVudGljYXRlPyA8YnI+DQo8YnI+DQpJcyB0aGlzIGNvbnNp
c3RlbnQgd2l0aCB0aGUgT0F1dGggZGVmaW5pdGlvbiBvZiBjb25maWRlbnRpYWxpdHk/PGJyPg0K
PGJyPg0KVGhhbmtzPGJyPg0KPGJyPg0KUGF1bDwvZm9udD48Zm9udCBzaXplPTMgZmFjZT0iVGlt
ZXMgTmV3IFJvbWFuIj48YnI+DQo8YnI+DQo8YnI+DQo8L2ZvbnQ+PGZvbnQgc2l6ZT0zIGZhY2U9
IkFyaWFsIj48YnI+DQo8YnI+DQo8YnI+DQo8YnI+DQo8YnI+DQo8YnI+DQo8L2ZvbnQ+PGZvbnQg
c2l6ZT0zIGZhY2U9IlRpbWVzIE5ldyBSb21hbiI+PGJyPg0KPGJyPg0KPGJyPg0KPC9mb250Pg0K
PGJyPjxmb250IHNpemU9MiBmYWNlPSJDb3VyaWVyIE5ldyI+X19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX188L2ZvbnQ+DQo8YnI+PGZvbnQgc2l6ZT0yIGZhY2U9
IkNvdXJpZXIgTmV3Ij5PQXV0aCBtYWlsaW5nIGxpc3Q8L2ZvbnQ+DQo8YnI+PGEgaHJlZj1tYWls
dG86T0F1dGhAaWV0Zi5vcmc+PGZvbnQgc2l6ZT0yIGNvbG9yPWJsdWUgZmFjZT0iQ291cmllciBO
ZXciPjx1Pk9BdXRoQGlldGYub3JnPC91PjwvZm9udD48L2E+DQo8YnI+PGEgaHJlZj1odHRwczov
L3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoPjxmb250IHNpemU9MiBjb2xvcj1i
bHVlIGZhY2U9IkNvdXJpZXIgTmV3Ij48dT5odHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xp
c3RpbmZvL29hdXRoPC91PjwvZm9udD48L2E+DQo8YnI+PGZvbnQgc2l6ZT0zIGZhY2U9IlRpbWVz
IE5ldyBSb21hbiI+Jm5ic3A7PC9mb250Pjx0dD48Zm9udCBzaXplPTI+X19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+DQpPQXV0aCBtYWlsaW5nIGxpc3Q8
YnI+DQpPQXV0aEBpZXRmLm9yZzxicj4NCmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlz
dGluZm8vb2F1dGg8YnI+DQo8L2ZvbnQ+PC90dD4NCjxicj4NCg==
--=_alternative 00104FCE4825796E_=--


From mnot@mnot.net  Sat Dec 24 05:47:20 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8289B21F8468 for ; Sat, 24 Dec 2011 05:47:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-4.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8ICQnwNVzvXI for ; Sat, 24 Dec 2011 05:47:19 -0800 (PST)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) by ietfa.amsl.com (Postfix) with ESMTP id D163221F8467 for ; Sat, 24 Dec 2011 05:47:18 -0800 (PST)
Received: from [192.168.2.106] (unknown [96.244.180.242]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 39A6322E257; Sat, 24 Dec 2011 08:47:09 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: Mark Nottingham 
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F772D1D@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Sat, 24 Dec 2011 08:47:09 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <33DF45D6-47C3-4EC8-9EC2-F51B6026A97E@mnot.net>
References: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com>  <4E1F6AAD24975D4BA5B16804296739435F772D1D@TK5EX14MBXC283.redmond.corp.microsoft.com>
To: Mike Jones 
X-Mailer: Apple Mail (2.1251.1)
Cc: Barry Leiba , OAuth WG 
Subject: Re: [OAUTH-WG] OK to post OAuth Bearer draft 15?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sat, 24 Dec 2011 13:47:20 -0000

Hi Mike,

On 18/12/2011, at 8:00 PM, Mike Jones wrote:

> Thanks for your comments, Mark.  Here are my thoughts on the issues =
that you see as being outstanding.  I'd also welcome additional input =
from the working group on these topics:
>=20
> ON THE URI QUERY PARAMETER METHOD:
>=20
> It seems like your objection to this is based on it using a standard =
query parameter name.  It therefore seems like there are four possible =
resolutions to this issue:
>=20
> 1.  Delete the query parameter method, as you suggested in your =
initial comments.  Given that I know this method is in widespread use in =
certain contexts, I doubt that there would be working group consensus =
for this resolution.
>=20
> 2.  Use a method for discovering the query parameter name.  It's my =
understanding that discovery work is presently out of scope for the =
OAuth working group as currently chartered.  The chairs and area =
directors could obviously change this, but it's my sense that developing =
a discovery spec for this purpose would delay the approval of this spec =
by a significant period of time.  I also question whether working group =
consensus could be developed for this resolution.
>=20
> 3.  Change the normative requirement for using the name access_token =
to a recommendation.  Specifically, we could change the text "When =
sending the access token in the HTTP request URI, the client adds the =
access token to the request URI query component ... using the =
'access_token' parameter" to "When sending the access token in the HTTP =
request URI, the client adds the access token to the request URI query =
component ... using a query parameter.  It is RECOMMENDED that the query =
parameter name 'access_token' be used".  (If we change this to =
RECOMMENDED, I suspect we'd also do the same for the name of the =
form-encoded body parameter.)  This would seem to resolve your core =
objection, while still providing clear guidance to aid interoperability. =
 What would people think of this?
>=20
> 4.  Leave the specification as-is.
>=20
> I'd like to hear working group opinions on which of these potential =
resolutions members support.

One other possibility would be to split the query term out in a separate =
draft and publish as Informational, to emphasise that it's not the =
preferred mechanism (with suitable language in-document).


> ON THE WWW-AUTHENTICATE RESPONSE HEADER FIELD: =20
>=20
> See the follow-up discussion with Julian.
>=20
> ON THE REALM AND SCOPE DEFINITIONS:
>=20
> You wrote "That's not a great story for interop. How are people =
actually supposed to use them? Can you at least give an example?"  I =
agree with you that that's not a great story for interop but it's also =
the current reality of OAuth usage.  Indeed, I know that different =
deployments use them in different ways for different things.  There's a =
bunch of information that currently needs to be exchanged in a manner =
not covered by the specifications to use OAuth between parties.  Among =
other things, this includes the endpoint addresses, the ways that realm =
and scope are used, and (when not opaque) the format of the access =
token.

So, why are these things exchanged in a field called "scope"? It seems =
to me that if they're really that broad, then either they should be =
transferred using a broad name (e.g., "cookie", "opaque"), or =
(preferably, IMO) they should be transferred in extensions.


> (Profiles of OAuth such as OpenID Connect address this by providing =
specific guidance, but that guidance, I believe, is too specific to add =
to the OAuth specs themselves.)
>=20
> Given that both scope and realm are used in practice in different ways =
by different deployments, I don't see a clear resolution to this issue =
other than to leave the spec as-is.  I'd welcome specific alternative =
wording proposals, however.
>=20
> ON SPECIFYING ONLY A QUOTED-STRING SERIALIZATION:
>=20
> I understand and agree with your desire to promote code reuse.  You =
cite HTTPbis P7 2.3.1 to support adding a requirement for supporting =
token serialization in addition to quoted-string serialization for all =
parameters.  I believe that the relevant text there is:
>      When the auth-param syntax is used, all parameters ought
>      to support both token and quoted-string syntax, and syntactical
>      constraints ought to be defined on the field value after parsing
>      (i.e., quoted-string processing).  This is necessary so that
>      recipients can use a generic parser that applies to all
>      authentication schemes.
>=20
>      Note: the fact that the value syntax for the "realm" parameter is
>      restricted to quoted-string was a bad design choice not to be
>      repeated for new parameters.
>=20
> First, it's my understanding that this text was added between -16 and =
-17 explicitly to try to force a change the definitions used in the =
Bearer spec.  While this seems heavy-handed, be that as it may.   =
Assuming the specification remains as-is, I think there are two code =
reusability cases to consider:
>=20
> Recipient Case:  Recipients are able to use code capable of parsing =
both token and quoted-string syntax to parse fields that may only =
contain quoted string syntax.  Thus, the rationale for this requirement =
given in P7 is actually incorrect; recipients *can* use a generic parser =
that applies to all authentication schemes.  (Perhaps P7 should be =
corrected?)  There is no code-reuse problem for recipients.
>=20
> Producer Case:  I will grant that it is possible for generic parameter =
producer code to exist that does not give the caller control over how =
the parameter is serialized.  If such code is used, it would be possible =
for a parameter value such as "xyz" to be erroneously serialized as xyz, =
thus creating an interoperability problem.  Note however, that =
serialization of the HTTP-defined realm parameter MUST occur using =
quoted-string serialization.  Thus, in practice, it would seem that =
generic frameworks still need to enable callers to control the =
serialization formats of specific parameters.  Hence, I doubt that this =
problem-in-theory is actually a problem-in-practice.  I'd be interested =
in data points from the working group about whether HTTP frameworks they =
use would have his problem in practice or not.
>=20
> It seems that there are two possible resolutions to this issue:
>=20
> 1.  Change the spec to allow both quoted-string and token =
serialization for these parameters.
>=20
> 2.  Leave the specification as-is.
>=20
> I'd like to hear working group opinions on which of these potential =
resolutions members support.
>=20
> ON SUITABILITY AS A PROXY AUTHENTICATION SCHEME:
>=20
> Could someone who is a member of ietf-http-wg@w3.org volunteer to ask =
that list whether they would like to make any review comments on =
http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15 as to its =
suitability for use as a proxy authentication scheme (and to cc: me when =
you ask the question)?  I'm not a member of this list.

I've done that.

Cheers,

>=20
> 				Thanks all,
> 				-- Mike
>=20
> -----Original Message-----
> From: Mark Nottingham [mailto:mnot@mnot.net]=20
> Sent: Wednesday, December 14, 2011 6:37 PM
> To: Mike Jones
> Cc: Stephen Farrell; Hannes Tschofenig; Peter Saint-Andre; Barry =
Leiba; OAuth WG
> Subject: Re: OK to post OAuth Bearer draft 15?
>=20
> Hi Mike -
>=20
> It's not my function to object (or not) to the publication of the =
draft; I merely provided the APPS review, which will be considered by =
the responsible AD (like all other Last Call comments), and potentially =
the IESG.
>=20
> If you're asking whether my concerns have been addressed, see some =
specifics below.
>=20
> Regards,
>=20
>=20
> On 15/12/2011, at 1:13 PM, Mike Jones wrote:
>=20
>> Mark, Stephen, Hannes, and Barry,
>>=20
>> Any objections to posting the updated Bearer draft incorporating the =
results of the APPS Area review and the TLS requirements?
>>=20
>>                                                            -- Mike
>>=20
>> From: Mike Jones=20
>> Sent: Monday, December 12, 2011 8:51 AM
>> To: Mark Nottingham; 'Stephen Farrell'; oauth@ietf.org
>> Subject: RE: [OAUTH-WG] FW: [apps-discuss] APPS Area review of =
draft-ietf-oauth-v2-bearer-14
>>=20
>> Thanks for the detailed review, Mark.
>>=20
>> Preliminary draft 15 of the OAuth Bearer specification is attached.  =
It resolves the form encoding issues raised by Julian Reschke in the =
manner discussed at the working group meeting in Taipei, incorporates =
the consensus text on TLS version requirements, and contains several =
improvements suggested by Mark Nottingham during APPS area review.
>>=20
>> Mark, comments on all your proposed changes follow below:
>>=20
>>> * Section 2.3 URI Query Parameter
>>>=20
>>> This section effectively reserves a URI query parameter for the =
draft's use. This should not be done lightly, since this would be a =
precedent for the IETF encroaching upon a server's URIs (done previously =
in RFC5785, but in a much more limited fashion, as a tactic to prevent =
further, uncontrolled encroachment).
>>>=20
>>> Given that the draft already discourages the use of this mechanism, =
I'd recommend dropping it altogether. If the Working Group wishes it to =
remain, this issues should be vetted both through the APPS area and the =
W3C liaison.
>>>=20
>>> (The same criticism could be leveled at Section 2.2 Form-Encoded =
Body Parameter, but that at least isn't surfaced in an identifier)
>>>=20
>> There are some contexts, especially limited browsers and/or =
development environments
>=20
> What does "developmental environments" mean here?
>=20
>> , where query parameters are usable but the other methods are not.  =
Thus, the query parameter method must be retained.  Also, Justin =
Richter's comments describing the value to him of the query parameter =
method are pertinent:  "A URL with all parameters including =
authorization is a powerful artifact which can be passed around between =
systems as a unit".
>>=20
>> As to using a standard parameter name, this is essential for =
interoperability.
>=20
> I find it hard to believe that you could not find or design a =
mechanism to discover a URI.
>=20
>=20
>> It is not "reserved" in any contexts other than when the Bearer spec =
is employed, which is a voluntary act by both parties.  Thus, this poses =
no undue burdens or namespace restrictions on implementations in =
practice.
>>=20
>> Finally, you'll find that OAuth 1.0 [RFC 5849] similarly defined, not =
one, but two standard query parameter values:  oauth_token and =
oauth_verifier.  As this didn't cause any problems in practice then, I'm =
sure that defining an access_token parameter within the Bearer spec for =
interoperability purposes won't cause a problem either.
>=20
> The fact that a non-standards-track document did something that's =
potentially harmful doesn't make it OK. Saying that problems won't occur =
based upon such short-term implementation experience with this type of =
issue is ludicrous; the nature of the issue is long-term encroachment =
and setting precedent.
>=20
>=20
>>> * Section 3 The WWW-Authenticate Response Header Field
>>>=20
>>> The draft references the quoted-string ABNF from HTTP, but changes =
its processing in a later paragraph:
>>>=20
>>> """In all these cases, no character quoting will occur, as senders =
are prohibited from using the %5C ('\') character."""
>>>=20
>>> This is at best surprising (as many readers will reasonably surmise =
that using the quoted-string ABNF implies that the same code can be =
used).
>>> Please either use quoted-string as defined (i.e., with escaping).
>>>=20
>> This parameter definition was a result of significant working group =
discussion and reflects a solid consensus position.  Using the quoted =
string BNF makes it clear, per Julian Reschke's suggestions, that =
generic parameter parsing code can be safely used.  Whereas prohibiting =
the use of backslash quoting by senders also makes it clear that custom =
implementations can directly utilize the parameter values as transmitted =
without performing any quote processing.
>>=20
>> In short, the spec doesn't change the processing of quoted strings.  =
It simply restricts the set of legal input characters within the quoted =
strings.
>=20
> See follow-up discussion with Julian.
>=20
>=20
>>> * Section 3 The WWW-Authenticate Response Header Field
>>>=20
>>> The difference between a realm and a scope is not explained. Are the =
functionally equivalent, just a single value vs. a list?
>>>=20
>> Realm is as defined by HTTPbis.  It says that "The realm value is a =
string, generally assigned by the origin server, which can have =
additional semantics specific to the authentication scheme."
>=20
> Yes...
>=20
>> The Bearer specification intentionally adds no extra semantics to the =
realm definition.  Whereas the scope parameter is defined as an =
order-independent space-separated list of scope values.  The contextual =
meaning of both the realm and scope parameters is deployment-dependent.
>=20
> That's not a great story for interop. How are people actually supposed =
to use them? Can you at least give an example?
>=20
>=20
>>> Do you really intend to disallow *all* extension parameters on the =
challenge?
>>=20
>> Yes.  There was an explicit working group consensus decision to do =
so.
>=20
> It would be good to note this.
>=20
>=20
>>> Also, the scope, error, error_description and error_uri parameters =
all specify only a quoted-string serialisation. HTTPbis strongly =
suggests that new schemes allow both forms, because implementation =
experience has shown that implementations will likely support both, no =
matter how defined; this improves interoperability (see p7 2.3.1).
>>=20
>> Once again, the current text reflects a consensus decision of the =
working group.  It was viewed that requiring support for multiple ways =
of doing the same thing unnecessarily complicated implementations =
without any compensating benefit; better to support one syntax for each =
semantic operation and require all implementations to use it.
>=20
> And I'm sure you're aware that the goal of this text in HTTPbis is to =
encourage reuse of code, rather than having multiple implementations of =
slightly different things. This is doubly true when you're not actually =
defining the syntax, but instead reusing syntax from elsewhere (HTTP), =
which already has parsers and generators implemented.=20
>=20
>=20
>>> * General
>>>=20
>>> The draft currently doesn't mention whether Bearer is suitable for =
use as a proxy authentication scheme. I suspect it *may*; it would be =
worth discussing this with some proxy implementers to gauge their =
interest (e.g., Squid).
>>>=20
>> Who would you recommend review the draft from this perspective?
>=20
> The easiest way would be to ask on the ietf-http-wg@w3.org mailing =
list; there are several intermediary implementers active there.
>=20
> Regards,
>=20
> --
> Mark Nottingham   http://www.mnot.net/
>=20
>=20
>=20
>=20
>=20

--
Mark Nottingham
http://www.mnot.net/





From Michael.Jones@microsoft.com  Mon Dec 26 13:40:09 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4B9621F8C4E for ; Mon, 26 Dec 2011 13:40:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.865
X-Spam-Level: 
X-Spam-Status: No, score=-1.865 tagged_above=-999 required=5 tests=[AWL=-0.867, BAYES_50=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xLdQVo39SRel for ; Mon, 26 Dec 2011 13:40:08 -0800 (PST)
Received: from VA3EHSOBE008.bigfish.com (va3ehsobe001.messaging.microsoft.com [216.32.180.11]) by ietfa.amsl.com (Postfix) with ESMTP id 7EFDC21F8C50 for ; Mon, 26 Dec 2011 13:40:08 -0800 (PST)
Received: from mail23-va3-R.bigfish.com (10.7.14.239) by VA3EHSOBE008.bigfish.com (10.7.40.28) with Microsoft SMTP Server id 14.1.225.23; Mon, 26 Dec 2011 21:39:48 +0000
Received: from mail23-va3 (localhost [127.0.0.1])	by mail23-va3-R.bigfish.com (Postfix) with ESMTP id 8A971801DB	for ; Mon, 26 Dec 2011 21:39:13 +0000 (UTC)
X-SpamScore: -4
X-BigFish: VS-4(zzc85fh1b0bMzz1202hzz8275ch8275eh8275bh8275dha1495iz2fh2a8h668h839h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail23-va3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC102.redmond.corp.microsoft.com ; icrosoft.com ; 
Received: from mail23-va3 (localhost.localdomain [127.0.0.1]) by mail23-va3 (MessageSwitch) id 1324935551442542_23001; Mon, 26 Dec 2011 21:39:11 +0000 (UTC)
Received: from VA3EHSMHS025.bigfish.com (unknown [10.7.14.253])	by mail23-va3.bigfish.com (Postfix) with ESMTP id 5C94A2A0042	for ; Mon, 26 Dec 2011 21:39:11 +0000 (UTC)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (131.107.125.8) by VA3EHSMHS025.bigfish.com (10.7.99.35) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 26 Dec 2011 21:39:45 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.84]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.02.0247.005; Mon, 26 Dec 2011 13:40:03 -0800
From: Mike Jones 
To: "oauth@ietf.org" 
Thread-Topic: OpenID Connect specs being reviewed as Implementer's Drafts
Thread-Index: AczEFuuhaYjI8faFQoiOqgTjHef8nA==
Date: Mon, 26 Dec 2011 21:39:59 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F78D06E@TK5EX14MBXC283.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.32]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435F78D06ETK5EX14MBXC283r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: [OAUTH-WG] OpenID Connect specs being reviewed as Implementer's Drafts
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Mon, 26 Dec 2011 21:40:10 -0000

--_000_4E1F6AAD24975D4BA5B16804296739435F78D06ETK5EX14MBXC283r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

FYI, the OpenID Connect specs began a 45 day pu=
blic review period for adoption as Implementer's Drafts last week.  An Impl=
ementer's Drafts is a stable draft that is not yet final, but that is inten=
ded for implementation, evaluation, and trial deployment.  Intellectual pro=
perty protections are granted to implementers for these drafts as well.

These drafts can be thought of as a profile of the OAuth 2.0 and JOSE specs=
 that enables single-sign-on and exchange of claims through the use of JSON=
 and JWT.  They use these OAuth- and JOSE-related specs:

OAuth 2.0 Core
OAuth 2.0 Bearer
OAuth 2.0 Assertions
OAuth 2.0 JWT Assertions Profile
OAuth 2.0 Threat Model
Simple Web Discovery (SWD)
JSON Web Token (JWT)
JSON Web Signature (JWS)
JSON Web Encryption (JWE)
JSON Web Key (JWK)

See these pages for more details:
http://openid.net/2011/12/23/review-of-proposed-openid-connect-implementer%=
e2%80%99s-drafts/
http://self-issued.info/?p=3D619

                                                            -- Mike


--_000_4E1F6AAD24975D4BA5B16804296739435F78D06ETK5EX14MBXC283r_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable











FYI, the Open=
ID Connect specs began a 45 day public review period for adoption as Im=
plementer’s Drafts last week.  An Implementer’s Drafts is =
a stable draft that is not yet final, but that is intended
 for implementation, evaluation, and trial deployment.  Intellectual p=
roperty protections are granted to implementers for these drafts as well.


 


These drafts can be thought of as a profile of the O=
Auth 2.0 and JOSE specs that enables single-sign-on and exchange of claims =
through the use of JSON and JWT.  They use these OAuth- and JOSE-relat=
ed specs:


 


OAuth 2.0 Core=



OAuth 2.0 Bearer


OAuth 2.0 Assertions=



OAuth 2.0 JWT Assertions =
Profile


OAuth 2.0 Threat Model


Simple Web Discovery (SWD=
)


JSON Web Token (JWT)=



JSON Web Signature (JWS)<=
o:p>


JSON Web Encryption (JWE)=



JSON Web Key (JWK)


 


See these pages for more details:


http://openid.net/2011=
/12/23/review-of-proposed-openid-connect-implementer%e2%80%99s-drafts/<=
o:p>


http://=
self-issued.info/?p=3D619


 


        &nbs=
p;            &=
nbsp;           &nbs=
p;            &=
nbsp;           &nbs=
p; -- Mike


 






--_000_4E1F6AAD24975D4BA5B16804296739435F78D06ETK5EX14MBXC283r_--

From internet-drafts@ietf.org  Wed Dec 28 13:15:46 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF95121F8564; Wed, 28 Dec 2011 13:15:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.574
X-Spam-Level: 
X-Spam-Status: No, score=-102.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ocazb38UmTjJ; Wed, 28 Dec 2011 13:15:46 -0800 (PST)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 867E021F84CE; Wed, 28 Dec 2011 13:15:46 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.64p1
Message-ID: <20111228211546.11068.51423.idtracker@ietfa.amsl.com>
Date: Wed, 28 Dec 2011 13:15:46 -0800
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-urn-sub-ns-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Wed, 28 Dec 2011 21:15:47 -0000

A New Internet-Draft is available from the on-line Internet-Drafts director=
ies. This draft is a work item of the Web Authorization Protocol Working Gr=
oup of the IETF.

	Title           : An IETF URN Sub-Namespace for OAuth
	Author(s)       : Hannes Tschofenig
	Filename        : draft-ietf-oauth-urn-sub-ns-01.txt
	Pages           : 5
	Date            : 2011-12-28

   This document establishes an IETF URN Sub-namespace for use with
   OAuth related specifications.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-oauth-urn-sub-ns-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-oauth-urn-sub-ns-01.txt


From bcampbell@pingidentity.com  Wed Dec 28 13:23:57 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E957821F84DB for ; Wed, 28 Dec 2011 13:23:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level: 
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, SARE_HTML_USL_OBFU=1.666]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0B3HSzkjzTZX for ; Wed, 28 Dec 2011 13:23:57 -0800 (PST)
Received: from na3sys009aog117.obsmtp.com (na3sys009aog117.obsmtp.com [74.125.149.242]) by ietfa.amsl.com (Postfix) with ESMTP id D9AA721F84D2 for ; Wed, 28 Dec 2011 13:23:56 -0800 (PST)
Received: from mail-vx0-f182.google.com ([209.85.220.182]) (using TLSv1) by na3sys009aob117.postini.com ([74.125.148.12]) with SMTP ID DSNKTvuI4Eq5FW5AyXVAS1nsORx9XQw552q7@postini.com; Wed, 28 Dec 2011 13:23:56 PST
Received: by mail-vx0-f182.google.com with SMTP id fk1so17613513vcb.27 for ; Wed, 28 Dec 2011 13:23:44 -0800 (PST)
Received: by 10.52.70.199 with SMTP id o7mr11795837vdu.88.1325107424169; Wed, 28 Dec 2011 13:23:44 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.111.33 with HTTP; Wed, 28 Dec 2011 13:23:13 -0800 (PST)
In-Reply-To: <4EBB1C07.6060407@stpeter.im>
References: <20110830195516.9445.90096.idtracker@ietfa.amsl.com> <4EBB1C07.6060407@stpeter.im>
From: Brian Campbell 
Date: Wed, 28 Dec 2011 14:23:13 -0700
Message-ID: 
To: Peter Saint-Andre 
Content-Type: multipart/alternative; boundary=20cf3071c9744e8f3304b52d9db9
Cc: OAuth WG 
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-urn-sub-ns-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Wed, 28 Dec 2011 21:23:58 -0000

--20cf3071c9744e8f3304b52d9db9
Content-Type: text/plain; charset=ISO-8859-1

Done.

See draft -01 at http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-01

Sorry it took so long to get that little change done. Thanks for the
feedback, Peter.



On Wed, Nov 9, 2011 at 5:34 PM, Peter Saint-Andre wrote:

> On 8/30/11 1:55 PM, internet-drafts@ietf.org wrote:
>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories. This draft is a work item of the Web Authorization Protocol
>> Working Group of the IETF.
>>
>>        Title           : An IETF URN Sub-Namespace for OAuth
>>        Author(s)       : Hannes Tschofenig
>>        Filename        : draft-ietf-oauth-urn-sub-ns-**00.txt
>>        Pages           : 5
>>        Date            : 2011-08-30
>>
>>    This document establishes an IETF URN Sub-namespace for use with
>>    OAuth related specifications.
>>
>
> Seems like a good idea.
>
> The security considerations point to RFC 3553, but that just points to RFC
> 2141, so you might as well point to the latter spec.
>
> Peter
>
> --
> Peter Saint-Andre
> https://stpeter.im/
>
>
>
> ______________________________**_________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/**listinfo/oauth
>

--20cf3071c9744e8f3304b52d9db9
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Done. 

See draft -01 at http://tools.ietf.org/html/draft-ietf-oauth-urn-s=
ub-ns-01

Sorry it took so long to get that little change done. T=
hanks for the feedback, Peter.





On Wed, Nov 9, 2011 at 5:34 PM, Pete=
r Saint-Andre <s=
tpeter@stpeter.im> wrote:



On 8/30/11 1:55 PM, internet-drafts@ietf.org wrote:



A New Internet-Draft is available from the on-line Internet-Drafts director=
ies. This draft is a work item of the Web Authorization Protocol Working Gr=
oup of the IETF.



 =A0 =A0 =A0 =A0Title =A0 =A0 =A0 =A0 =A0 : An IETF URN Sub-Namespace for O=
Auth

 =A0 =A0 =A0 =A0Author(s) =A0 =A0 =A0 : Hannes Tschofenig

 =A0 =A0 =A0 =A0Filename =A0 =A0 =A0 =A0: draft-ietf-oauth-urn-sub-ns-00.txt

 =A0 =A0 =A0 =A0Pages =A0 =A0 =A0 =A0 =A0 : 5

 =A0 =A0 =A0 =A0Date =A0 =A0 =A0 =A0 =A0 =A0: 2011-08-30



 =A0 =A0This document establishes an IETF URN Sub-namespace for use with
 =A0 =A0OAuth related specifications.





Seems like a good idea.



The security considerations point to RFC 3553, but that just points to RFC =
2141, so you might as well point to the latter spec.



Peter



-- 

Peter Saint-Andre

https://stpeter.im/






_______________________________________________

OAuth mailing list

OAuth@ietf.org

h=
ttps://www.ietf.org/mailman/listinfo/oauth





--20cf3071c9744e8f3304b52d9db9--

From Michael.Jones@microsoft.com  Thu Dec 29 13:18:21 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 257DC21F8B9A for ; Thu, 29 Dec 2011 13:18:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.199
X-Spam-Level: 
X-Spam-Status: No, score=-3.199 tagged_above=-999 required=5 tests=[AWL=0.400,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vpK7KVyTnHo8 for ; Thu, 29 Dec 2011 13:18:20 -0800 (PST)
Received: from VA3EHSOBE005.bigfish.com (va3ehsobe005.messaging.microsoft.com [216.32.180.31]) by ietfa.amsl.com (Postfix) with ESMTP id 0CB6E21F8B98 for ; Thu, 29 Dec 2011 13:18:20 -0800 (PST)
Received: from mail186-va3-R.bigfish.com (10.7.14.241) by VA3EHSOBE005.bigfish.com (10.7.40.25) with Microsoft SMTP Server id 14.1.225.23; Thu, 29 Dec 2011 21:17:56 +0000
Received: from mail186-va3 (localhost [127.0.0.1])	by mail186-va3-R.bigfish.com (Postfix) with ESMTP id 2E3346201DD; Thu, 29 Dec 2011 21:17:56 +0000 (UTC)
X-SpamScore: -18
X-BigFish: VS-18(zz9371I936eK542M1432N98dKzz1202hzzz2fh2a8h668h839h944h61h)
X-Spam-TCS-SCL: 0:0
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-FB-SS: 0,
Received-SPF: pass (mail186-va3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC102.redmond.corp.microsoft.com ; icrosoft.com ; 
Received: from mail186-va3 (localhost.localdomain [127.0.0.1]) by mail186-va3 (MessageSwitch) id 1325193472435271_7126; Thu, 29 Dec 2011 21:17:52 +0000 (UTC)
Received: from VA3EHSMHS033.bigfish.com (unknown [10.7.14.235])	by mail186-va3.bigfish.com (Postfix) with ESMTP id 56B4A340044; Thu, 29 Dec 2011 21:17:52 +0000 (UTC)
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.8) by VA3EHSMHS033.bigfish.com (10.7.99.43) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 29 Dec 2011 21:17:51 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.84]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.02.0247.005; Thu, 29 Dec 2011 13:18:11 -0800
From: Mike Jones 
To: Julian Reschke , Barry Leiba 
Thread-Topic: auth-param syntax, was: [OAUTH-WG] OK to post OAuth Bearer draft 15?
Thread-Index: Acy6zxL5vGVpwSHMTIKvMNNyq2nAEgARlkuAAK9WC5AAKqDYgAH8LmDA
Date: Thu, 29 Dec 2011 21:18:11 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F78F5BB@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com>  <4E1F6AAD24975D4BA5B16804296739435F772D1D@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EEF13F1.7030409@gmx.de>
In-Reply-To: <4EEF13F1.7030409@gmx.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: Mark Nottingham , OAuth WG 
Subject: Re: [OAUTH-WG] auth-param syntax, was:  OK to post OAuth Bearer draft 15?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Thu, 29 Dec 2011 21:18:21 -0000

You proposed, Julian "3. Do not specify the ABNF. The ABNF of the WWW-Authe=
nticate is defined in HTTPbis. Just state the names of the parameters, thei=
r syntax *after* parsing and their semantics."

About some of Mark Nottingham's comments, Barry wrote "Let me point out tha=
t "this represents working-group consensus" is not always a valid response.=
  If the working group has actually considered the *issue*, that might be O=
K.  But if there's consensus for the chosen solution and someone brings up =
a *new* issue with it, that issue needs to be addressed anew."

Relative to these two statements, I believe that I should remark at this po=
int that your proposed semantics of only considering the syntax after poten=
tial quoting was explicitly considered earlier by the working group and rej=
ected.  The consensus, instead, was for the present "no quoting will occur =
for legal inputs" semantics.

I believe that in the New Year the chairs and area directors will need to d=
ecide how to proceed on this issue.  (The working group consensus, as I see=
 it, is already both well-informed and clear on this point, but I understan=
d that that's not the only consideration.)  It would be good to see the spe=
c finished shortly.

				Best Wishes,
				-- Mike

-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de]=20
Sent: Monday, December 19, 2011 2:38 AM
To: Mike Jones
Cc: Mark Nottingham; Barry Leiba; OAuth WG
Subject: auth-param syntax, was: [OAUTH-WG] OK to post OAuth Bearer draft 1=
5?

On 2011-12-19 02:00, Mike Jones wrote:
> ...
> ON SPECIFYING ONLY A QUOTED-STRING SERIALIZATION:
>
> I understand and agree with your desire to promote code reuse.  You cite =
HTTPbis P7 2.3.1 to support adding a requirement for supporting token seria=
lization in addition to quoted-string serialization for all parameters.  I =
believe that the relevant text there is:
>        When the auth-param syntax is used, all parameters ought
>        to support both token and quoted-string syntax, and syntactical
>        constraints ought to be defined on the field value after parsing
>        (i.e., quoted-string processing).  This is necessary so that
>        recipients can use a generic parser that applies to all
>        authentication schemes.
>
>        Note: the fact that the value syntax for the "realm" parameter is
>        restricted to quoted-string was a bad design choice not to be
>        repeated for new parameters.
>
> First, it's my understanding that this text was added between -16 and -17=
 explicitly to try to force a change the definitions used in the Bearer spe=
c.  While this seems heavy-handed, be that as it may.   Assuming the specif=
ication remains as-is, I think there are two code reusability cases to cons=
ider:
> ...

The text change was caused by both the early interactions with OAuth (mainl=
y thanks to James), and the fact that we see that was defined for Realm isn=
't implemented in practice ().

(Note: we had a working feedback loop between WG's here; that's a feature)

If you disagree with what HTTPbis P7 now says than you really really ought =
to come over to the HTTPbis WG's mailing list (*) and argue your point.

(*) Similarly to how I'm arguing my point over here.

> Recipient Case:  Recipients are able to use code capable of parsing both =
token and quoted-string syntax to parse fields that may only contain quoted=
 string syntax.  Thus, the rationale for this requirement given in P7 is ac=
tually incorrect; recipients *can* use a generic parser that applies to all=
 authentication schemes.  (Perhaps P7 should be corrected?)  There is no co=
de-reuse problem for recipients.

Yes, there is. As the test case above shows, all UA recipients accept both =
forms; none of them rejects the token syntax. This is a problem as people f=
requently do not code against specs but just do "what works".

I'm pretty sure that changing a UA's behavior here would cause breakage in =
practice.

> Producer Case:  I will grant that it is possible for generic parameter pr=
oducer code to exist that does not give the caller control over how the par=
ameter is serialized.  If such code is used, it would be possible for a par=
ameter value such as "xyz" to be erroneously serialized as xyz, thus creati=
ng an interoperability problem.  Note however, that serialization of the HT=
TP-defined realm parameter MUST occur using quoted-string serialization.  T=
hus, in practice, it would seem that generic frameworks still need to enabl=
e callers to control the serialization formats of specific parameters.  Hen=
ce, I doubt that this problem-in-theory is actually a problem-in-practice. =
 I'd be interested in data points from the working group about whether HTTP=
 frameworks they use would have his problem in practice or not.
>
> It seems that there are two possible resolutions to this issue:
>
> 1.  Change the spec to allow both quoted-string and token serialization f=
or these parameters.
>
> 2.  Leave the specification as-is.
> ...

3. Do not specify the ABNF. The ABNF of the WWW-Authenticate is defined in =
HTTPbis. Just state the names of the parameters, their syntax *after* parsi=
ng and their semantics.

Best regards, Julian



From julian.reschke@gmx.de  Fri Dec 30 02:26:02 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9641821F8B8B for ; Fri, 30 Dec 2011 02:26:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.382
X-Spam-Level: 
X-Spam-Status: No, score=-103.382 tagged_above=-999 required=5 tests=[AWL=-0.783, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ZCLyoHjBPXf for ; Fri, 30 Dec 2011 02:26:02 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id A70E621F8B21 for ; Fri, 30 Dec 2011 02:26:01 -0800 (PST)
Received: (qmail invoked by alias); 30 Dec 2011 10:26:00 -0000
Received: from p3EE2751C.dip.t-dialin.net (EHLO [192.168.178.36]) [62.226.117.28] by mail.gmx.net (mp033) with SMTP; 30 Dec 2011 11:26:00 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18n1tcK904n3liX+fNzapcx7I+T8dKj2zmR0ZwK/3 rb10yc0ssk+b34
Message-ID: <4EFD91B4.5050904@gmx.de>
Date: Fri, 30 Dec 2011 11:25:56 +0100
From: Julian Reschke 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Mike Jones 
References: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com>  <4E1F6AAD24975D4BA5B16804296739435F772D1D@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EEF13F1.7030409@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F78F5BB@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F78F5BB@TK5EX14MBXC283.redmond.corp.microsoft.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: Mark Nottingham , Barry Leiba , OAuth WG 
Subject: Re: [OAUTH-WG] auth-param syntax, was:  OK to post OAuth Bearer draft 15?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Fri, 30 Dec 2011 10:26:02 -0000

On 2011-12-29 22:18, Mike Jones wrote:
> You proposed, Julian "3. Do not specify the ABNF. The ABNF of the WWW-Authenticate is defined in HTTPbis. Just state the names of the parameters, their syntax *after* parsing and their semantics."
>
> About some of Mark Nottingham's comments, Barry wrote "Let me point out that "this represents working-group consensus" is not always a valid response.  If the working group has actually considered the *issue*, that might be OK.  But if there's consensus for the chosen solution and someone brings up a *new* issue with it, that issue needs to be addressed anew."
>
> Relative to these two statements, I believe that I should remark at this point that your proposed semantics of only considering the syntax after potential quoting was explicitly considered earlier by the working group and rejected.  The consensus, instead, was for the present "no quoting will occur for legal inputs" semantics.

It would be helpful if you could back this statement with pointers to 
mails. As far as I can tell it's just you disagreeing with me.

Back to the facts:

a) the bearer spec defines an HTTP authentication scheme, and 
normatively refers to HTTPbis Part7 for that

b) HTTPbis recommends new scheme definitions not to have their own ABNF, 
as the header field syntax is defined by HTTPbis, not the individual scheme

c) the bearer spec defines it's own ABNF nevertheless

So the two specs are in conflict, and we should resolve the conflict one 
way or the other.

If you disagree with the recommendation in HTTPbis, then you really 
really should come over to HTTPbis WG and argue your point of view.

If you agree with it, but think that the bearer spec can't follow the 
recommendation, then it would be good to explain the reasoning 
(optimally in the spec).

If you agree with it, and think the bearer spec *could* follow it, 
then... change it, by all means.

Anyway, if this issue isn't resolved before IETF LC then it will be 
raised again at that time.


> I believe that in the New Year the chairs and area directors will need to decide how to proceed on this issue.  (The working group consensus, as I see it, is already both well-informed and clear on this point, but I understand that that's not the only consideration.)  It would be good to see the spec finished shortly.
> ...

Best regards, Julian


From asanso@adobe.com  Fri Dec 30 10:22:49 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCD0A21F8888 for ; Fri, 30 Dec 2011 10:22:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.739
X-Spam-Level: 
X-Spam-Status: No, score=-104.739 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TrjyABe28nbu for ; Fri, 30 Dec 2011 10:22:48 -0800 (PST)
Received: from exprod6og111.obsmtp.com (exprod6og111.obsmtp.com [64.18.1.27]) by ietfa.amsl.com (Postfix) with ESMTP id 452A121F84FB for ; Fri, 30 Dec 2011 10:22:47 -0800 (PST)
Received: from outbound-smtp-2.corp.adobe.com ([193.104.215.16]) by exprod6ob111.postini.com ([64.18.5.12]) with SMTP ID DSNKTv4BZkG0YQEZO0tlBu/Ho114w7m32Vut@postini.com; Fri, 30 Dec 2011 10:22:48 PST
Received: from inner-relay-4.eur.adobe.com (inner-relay-4b [10.128.4.237]) by outbound-smtp-2.corp.adobe.com (8.12.10/8.12.10) with ESMTP id pBUIMTlQ021117 for ; Fri, 30 Dec 2011 10:22:30 -0800 (PST)
Received: from nacas01.corp.adobe.com (nacas01.corp.adobe.com [10.8.189.99]) by inner-relay-4.eur.adobe.com (8.12.10/8.12.9) with ESMTP id pBUIMR7o024577 for ; Fri, 30 Dec 2011 10:22:29 -0800 (PST)
Received: from eurhub01.eur.adobe.com (10.128.4.30) by nacas01.corp.adobe.com (10.8.189.99) with Microsoft SMTP Server (TLS) id 8.3.192.1; Fri, 30 Dec 2011 10:22:27 -0800
Received: from eurmbx01.eur.adobe.com ([10.128.4.32]) by eurhub01.eur.adobe.com ([10.128.4.30]) with mapi; Fri, 30 Dec 2011 18:22:24 +0000
From: Antonio Sanso 
To: OAuth WG 
Date: Fri, 30 Dec 2011 18:22:18 +0000
Thread-Topic: Error code for access token request
Thread-Index: AczHH/oz+E6plhXyQYi/VbPh53dC0w==
Message-ID: <4A1DD0C1-77F2-4824-973A-25F225D94F93@adobe.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_4A1DD0C177F24824973A25F225D94F93adobecom_"
MIME-Version: 1.0
Subject: [OAUTH-WG] Error code for access token request
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Fri, 30 Dec 2011 18:22:49 -0000

--_000_4A1DD0C177F24824973A25F225D94F93adobecom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi *,

Error response for Authorization Request defines some kind of server error =
code response:


server_error
               The authorization server encountered an unexpected
               condition which prevented it from fulfilling the request.


as in [0].

I was wondering if would be possible/useful having same for error code for =
access token request [1]

WDYT?

Regards

Antonio


[0] http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1.2.1
[1] http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-5.2

--_000_4A1DD0C177F24824973A25F225D94F93adobecom_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi *,

E=
rror response for Authorization Request defines some kind of server error c=
ode response:

<=
pre class=3D"newpage" style=3D"font-size: 1em; margin-top: 0px; margin-bott=
om: 0px; page-break-before: always; ">server_error
               The authorization server encountered an unexpected
               condition which prevented it from fulfilling the request.


<=
div>=
as in [0].

I=
 was wondering if would be possible/useful having same for error code for a=
ccess token request [1]

WDYT?
<=
br>
Regards<=
/span>

<=
/font>
Antonio
=

--_000_4A1DD0C177F24824973A25F225D94F93adobecom_--

From Michael.Jones@microsoft.com  Fri Dec 30 15:20:17 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ABA221F84F8 for ; Fri, 30 Dec 2011 15:20:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.256
X-Spam-Level: 
X-Spam-Status: No, score=-3.256 tagged_above=-999 required=5 tests=[AWL=0.343,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oyBovu-ZhgJq for ; Fri, 30 Dec 2011 15:20:17 -0800 (PST)
Received: from AM1EHSOBE002.bigfish.com (am1ehsobe002.messaging.microsoft.com [213.199.154.205]) by ietfa.amsl.com (Postfix) with ESMTP id 7CE6921F84A9 for ; Fri, 30 Dec 2011 15:20:16 -0800 (PST)
Received: from mail8-am1-R.bigfish.com (10.3.201.253) by AM1EHSOBE002.bigfish.com (10.3.204.22) with Microsoft SMTP Server id 14.1.225.23; Fri, 30 Dec 2011 23:19:50 +0000
Received: from mail8-am1 (localhost [127.0.0.1])	by mail8-am1-R.bigfish.com (Postfix) with ESMTP id 2E6AB4C03BC; Fri, 30 Dec 2011 23:19:52 +0000 (UTC)
X-SpamScore: -43
X-BigFish: VS-43(zz9371I1415J936eK146fK542M1432N98dKzz1202hzz1033IL8275dhz2fh2a8h668h839h944h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail8-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC102.redmond.corp.microsoft.com ; icrosoft.com ; 
Received: from mail8-am1 (localhost.localdomain [127.0.0.1]) by mail8-am1 (MessageSwitch) id 13252871922887_10105; Fri, 30 Dec 2011 23:19:52 +0000 (UTC)
Received: from AM1EHSMHS015.bigfish.com (unknown [10.3.201.252])	by mail8-am1.bigfish.com (Postfix) with ESMTP id EDC748021A; Fri, 30 Dec 2011 23:19:51 +0000 (UTC)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS015.bigfish.com (10.3.207.153) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 30 Dec 2011 23:19:50 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.84]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.02.0247.005; Fri, 30 Dec 2011 15:19:58 -0800
From: Mike Jones 
To: Julian Reschke 
Thread-Topic: auth-param syntax, was: [OAUTH-WG] OK to post OAuth Bearer draft 15?
Thread-Index: Acy6zxL5vGVpwSHMTIKvMNNyq2nAEgARlkuAAK9WC5AAKqDYgAH8LmDAACydzgAACThoEA==
Date: Fri, 30 Dec 2011 23:19:56 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F790386@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com>  <4E1F6AAD24975D4BA5B16804296739435F772D1D@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EEF13F1.7030409@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F78F5BB@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EFD91B4.5050904@gmx.de>
In-Reply-To: <4EFD91B4.5050904@gmx.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: Mark Nottingham , Barry Leiba , OAuth WG 
Subject: Re: [OAUTH-WG] auth-param syntax, was:  OK to post OAuth Bearer draft 15?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Fri, 30 Dec 2011 23:20:17 -0000

I did already back the statement that this is the working group consensus w=
ith the e-mails attached in this note sent to you on December 12, 2011:
  - http://www.ietf.org/mail-archive/web/oauth/current/msg08042.html

But since that apparently wasn't convincing to you that this working group =
decision represents more than "just me disagreeing with you", here are refe=
rences to individual messages referenced in the above e-mail:
  - Eran Hammer-Lahav: http://www.ietf.org/mail-archive/web/oauth/current/m=
sg07698.html
  - John Bradley:  http://www.ietf.org/mail-archive/web/oauth/current/msg07=
699.html
  - William Mills:  http://www.ietf.org/mail-archive/web/oauth/current/msg0=
7700.html
  - Mike Jones:  http://www.ietf.org/mail-archive/web/oauth/current/msg0770=
1.html
  - Phil Hunt:  http://www.ietf.org/mail-archive/web/oauth/current/msg07702=
.html
  - Justin Richer:  http://www.ietf.org/mail-archive/web/oauth/current/msg0=
7692.html

As for your assertion that the specs are in conflict, yes, the Bearer spec =
includes a different decision than a RECOMMENDED clause in the HTTPbis spec=
 (which was added after the Bearer text was already in place).  However, it=
 is not violating any MUST clauses in the HTTPbis spec.  Given that no MUST=
S are violated, I don't see it mandatory for this tension to be resolved in=
 favor of one spec or the other in order for both to be approved as RFCs.  =
I look forward to seeing that happen soon in both cases (and for the OAuth =
core spec as well).

				Best wishes,
				-- Mike

-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de]=20
Sent: Friday, December 30, 2011 2:26 AM
To: Mike Jones
Cc: Barry Leiba; Mark Nottingham; OAuth WG
Subject: Re: auth-param syntax, was: [OAUTH-WG] OK to post OAuth Bearer dra=
ft 15?

On 2011-12-29 22:18, Mike Jones wrote:
> You proposed, Julian "3. Do not specify the ABNF. The ABNF of the WWW-Aut=
henticate is defined in HTTPbis. Just state the names of the parameters, th=
eir syntax *after* parsing and their semantics."
>
> About some of Mark Nottingham's comments, Barry wrote "Let me point out t=
hat "this represents working-group consensus" is not always a valid respons=
e.  If the working group has actually considered the *issue*, that might be=
 OK.  But if there's consensus for the chosen solution and someone brings u=
p a *new* issue with it, that issue needs to be addressed anew."
>
> Relative to these two statements, I believe that I should remark at this =
point that your proposed semantics of only considering the syntax after pot=
ential quoting was explicitly considered earlier by the working group and r=
ejected.  The consensus, instead, was for the present "no quoting will occu=
r for legal inputs" semantics.

It would be helpful if you could back this statement with pointers to mails=
. As far as I can tell it's just you disagreeing with me.

Back to the facts:

a) the bearer spec defines an HTTP authentication scheme, and normatively r=
efers to HTTPbis Part7 for that

b) HTTPbis recommends new scheme definitions not to have their own ABNF, as=
 the header field syntax is defined by HTTPbis, not the individual scheme

c) the bearer spec defines it's own ABNF nevertheless

So the two specs are in conflict, and we should resolve the conflict one wa=
y or the other.

If you disagree with the recommendation in HTTPbis, then you really really =
should come over to HTTPbis WG and argue your point of view.

If you agree with it, but think that the bearer spec can't follow the recom=
mendation, then it would be good to explain the reasoning (optimally in the=
 spec).

If you agree with it, and think the bearer spec *could* follow it, then... =
change it, by all means.

Anyway, if this issue isn't resolved before IETF LC then it will be raised =
again at that time.


> I believe that in the New Year the chairs and area directors will need to=
 decide how to proceed on this issue.  (The working group consensus, as I s=
ee it, is already both well-informed and clear on this point, but I underst=
and that that's not the only consideration.)  It would be good to see the s=
pec finished shortly.
> ...

Best regards, Julian




From squid3@treenet.co.nz  Fri Dec 30 19:14:52 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C31221F84DD for ; Fri, 30 Dec 2011 19:14:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.662
X-Spam-Level: 
X-Spam-Status: No, score=-0.662 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, HOST_EQ_STATIC=1.172]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8EeT7p8CoW3X for ; Fri, 30 Dec 2011 19:14:51 -0800 (PST)
Received: from treenet.co.nz (ip-58-28-153-233.static-xdsl.xnet.co.nz [58.28.153.233]) by ietfa.amsl.com (Postfix) with ESMTP id BA29321F84DB for ; Fri, 30 Dec 2011 19:14:51 -0800 (PST)
Received: from [192.168.1.3] (unknown [119.224.36.238]) by treenet.co.nz (Postfix) with ESMTP id 5C9F1E7080; Sat, 31 Dec 2011 16:14:46 +1300 (NZDT)
Message-ID: <4EFE7E22.9010200@treenet.co.nz>
Date: Sat, 31 Dec 2011 16:14:42 +1300
From: Amos Jeffries 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: ietf-http-wg@w3.org, oauth@ietf.org
References: <301AF9A4-395C-4B5A-8610-CD86BEE1401A@mnot.net> 
In-Reply-To: 
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] OAuth Bearer authentication - for proxies?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sat, 31 Dec 2011 03:29:45 -0000

re-posting for cc to OAuth WG

On 25/12/2011 7:21 p.m., Amos Jeffries wrote:
> On Sat, 24 Dec 2011 08:46:45 -0500, Mark Nottingham wrote:
>> The OAUTH WG is creating a new authentication scheme for bearer tokens:
>>   http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15
>>
>
> Reading section 2.3, it appears this method of transferring the 
> credentials is open to replay attacks when caching TLS middleware is 
> present. I believe this spec should mandate cache controls on 
> responses using that method. Otherwise a lot of HTTP compliant 
> middleware will feel free to store and supply the protected response 
> to later replay attacks.
>
>
>> During review, I wondered whether this might be a suitable scheme for
>> proxies; the draft doesn't currently specify it as such, and our list
>> of considerations for new schemes asks them to consider this.
>>
>> Do any of the proxy implementers on the list have thoughts about this
>> / possible interest in it?
>>
>
> I think it would be a good idea to prepare for. Quite a few admin 
> these days consider transit to be a service that needs authenticating 
> as much as any origin server resource. It might even encourage 
> progress on the TLS proxy connection developments we have been waiting 
> for.
>
> AYJ
>
>


From julian.reschke@gmx.de  Sat Dec 31 03:58:53 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4A6021F8464 for ; Sat, 31 Dec 2011 03:58:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.304
X-Spam-Level: 
X-Spam-Status: No, score=-103.304 tagged_above=-999 required=5 tests=[AWL=-0.705, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NySt5FnAo+C2 for ; Sat, 31 Dec 2011 03:58:53 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id D155B21F8463 for ; Sat, 31 Dec 2011 03:58:52 -0800 (PST)
Received: (qmail invoked by alias); 31 Dec 2011 11:58:50 -0000
Received: from p3EE26C70.dip.t-dialin.net (EHLO [192.168.178.36]) [62.226.108.112] by mail.gmx.net (mp024) with SMTP; 31 Dec 2011 12:58:50 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18zqolcocgzUuac5pglPBlVHlkEpTqhP1bXbkhzDE piAURjndrruUrI
Message-ID: <4EFEF8F1.9070406@gmx.de>
Date: Sat, 31 Dec 2011 12:58:41 +0100
From: Julian Reschke 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Mike Jones 
References: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com>  <4E1F6AAD24975D4BA5B16804296739435F772D1D@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EEF13F1.7030409@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F78F5BB@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EFD91B4.5050904@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F790386@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F790386@TK5EX14MBXC283.redmond.corp.microsoft.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: Mark Nottingham , Barry Leiba , OAuth WG 
Subject: Re: [OAUTH-WG] auth-param syntax, was:  OK to post OAuth Bearer draft 15?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sat, 31 Dec 2011 11:58:54 -0000

On 2011-12-31 00:19, Mike Jones wrote:
> I did already back the statement that this is the working group consensus with the e-mails attached in this note sent to you on December 12, 2011:
>    - http://www.ietf.org/mail-archive/web/oauth/current/msg08042.html

I replied in 
:

"I'm not disagreeing with the decision not to allow "\" in the value. 
What I'm disagreeing with is writing the ABNF in a way that will make it 
likely for implementers to special-case OAuth parameters when they 
should not."

So you're citing a consensus for a related but different question. I 
recommend to read the mailing thread to the end.

> As for your assertion that the specs are in conflict, yes, the Bearer spec includes a different decision than a RECOMMENDED clause in the HTTPbis spec (which was added after the Bearer text was already in place).  However, it is not violating any MUST clauses in the HTTPbis spec.  Given that no MUSTS are violated, I don't see it mandatory for this tension to be resolved in favor of one spec or the other in order for both to be approved as RFCs.  I look forward to seeing that happen soon in both cases (and for the OAuth core spec as well).

As a matter of fact, the HTTPbis P7 text on considerations for new 
schemes doesn't use any BCP14 keywords at all. That's on purpose, 
because we think they should be used with care, and in particular that 
they should only be used to discuss the protocol, not the style of other 
specifications.

So it's really not relevant; what's essential is the intent of the spec 
text, and I believe that is VERY clear:

    o  The parsing of challenges and credentials is defined by this
       specification, and cannot be modified by new authentication
       schemes.  When the auth-param syntax is used, all parameters ought
       to support both token and quoted-string syntax, and syntactical
       constraints ought to be defined on the field value after parsing
       (i.e., quoted-string processing).  This is necessary so that
       recipients can use a generic parser that applies to all
       authentication schemes.

(Note the "cannot").

So again, if you disagree with this statement, please argue your case in 
the HTTPbis WG.

If you *do* agree, but somehow feel that the bearer spec can't do this, 
the bearer spec should document the reason (just like when an 
implementation fails to implement a SHOULD).

As to the question of timing (when certain paragraphs were added): yes, 
HTTPbis P7 changed based on feedback and review of the OAuth bearer spec 
(triggered by James Manger). That's a feature.

If it hadn't, for instance, the bearer spec wouldn't conform to the base 
grammar *at all*. See 
.

Best regards, Julian



From Michael.Jones@microsoft.com  Sat Dec 31 11:40:19 2011
Return-Path: 
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A54021F84A5 for ; Sat, 31 Dec 2011 11:40:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level: 
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[AWL=0.300,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r4-Xvp7jHMo7 for ; Sat, 31 Dec 2011 11:40:18 -0800 (PST)
Received: from VA3EHSOBE005.bigfish.com (va3ehsobe005.messaging.microsoft.com [216.32.180.31]) by ietfa.amsl.com (Postfix) with ESMTP id 9BA9C21F84A2 for ; Sat, 31 Dec 2011 11:40:18 -0800 (PST)
Received: from mail88-va3-R.bigfish.com (10.7.14.246) by VA3EHSOBE005.bigfish.com (10.7.40.25) with Microsoft SMTP Server id 14.1.225.23; Sat, 31 Dec 2011 19:40:17 +0000
Received: from mail88-va3 (localhost [127.0.0.1])	by mail88-va3-R.bigfish.com (Postfix) with ESMTP id 81E0470016F; Sat, 31 Dec 2011 19:40:19 +0000 (UTC)
X-SpamScore: -34
X-BigFish: VS-34(zz9371I1415J936eK542M98dKzz1202hzz1033IL8275dhz2fh2a8h668h839h944h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC104.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail88-va3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC104.redmond.corp.microsoft.com ; icrosoft.com ; 
Received: from mail88-va3 (localhost.localdomain [127.0.0.1]) by mail88-va3 (MessageSwitch) id 132536041847895_32322; Sat, 31 Dec 2011 19:40:18 +0000 (UTC)
Received: from VA3EHSMHS006.bigfish.com (unknown [10.7.14.242])	by mail88-va3.bigfish.com (Postfix) with ESMTP id 05B4268004B; Sat, 31 Dec 2011 19:40:18 +0000 (UTC)
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.8) by VA3EHSMHS006.bigfish.com (10.7.99.16) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sat, 31 Dec 2011 19:40:15 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.84]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.02.0247.005; Sat, 31 Dec 2011 11:40:15 -0800
From: Mike Jones 
To: Julian Reschke 
Thread-Topic: auth-param syntax, was: [OAUTH-WG] OK to post OAuth Bearer draft 15?
Thread-Index: Acy6zxL5vGVpwSHMTIKvMNNyq2nAEgARlkuAAK9WC5AAKqDYgAH8LmDAACydzgAACThoEAAsT3KAAADdvvA=
Date: Sat, 31 Dec 2011 19:40:14 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F790F3D@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com>  <4E1F6AAD24975D4BA5B16804296739435F772D1D@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EEF13F1.7030409@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F78F5BB@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EFD91B4.5050904@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F790386@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EFEF8F1.9070406@gmx.de>
In-Reply-To: <4EFEF8F1.9070406@gmx.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.35]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: Mark Nottingham , Barry Leiba , OAuth WG 
Subject: Re: [OAUTH-WG] auth-param syntax, was:  OK to post OAuth Bearer draft 15?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sat, 31 Dec 2011 19:40:19 -0000

Maybe I misunderstood your position.  If you agree that '\' may not occur i=
n the INPUT string, then that issue can be closed.  That was the working gr=
oup consensus position, per the cited e-mails.  I thought that you were arg=
uing that syntax restrictions on the parameters should only be placed upon =
the OUTPUT string - which forces all implementations to support unnecessary=
 encodings like "\a\b\c" for "abc".  Please let me know whether you're fine=
 with the working group prohibiting the use of '\' in the input string as t=
he spec presently currently does.

				Happy New Year!
				-- Mike

-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de]=20
Sent: Saturday, December 31, 2011 3:59 AM
To: Mike Jones
Cc: Barry Leiba; Mark Nottingham; OAuth WG
Subject: Re: auth-param syntax, was: [OAUTH-WG] OK to post OAuth Bearer dra=
ft 15?

On 2011-12-31 00:19, Mike Jones wrote:
> I did already back the statement that this is the working group consensus=
 with the e-mails attached in this note sent to you on December 12, 2011:
>    - http://www.ietf.org/mail-archive/web/oauth/current/msg08042.html

I replied in
:

"I'm not disagreeing with the decision not to allow "\" in the value.=20
What I'm disagreeing with is writing the ABNF in a way that will make it li=
kely for implementers to special-case OAuth parameters when they should not=
."

So you're citing a consensus for a related but different question. I recomm=
end to read the mailing thread to the end.

> As for your assertion that the specs are in conflict, yes, the Bearer spe=
c includes a different decision than a RECOMMENDED clause in the HTTPbis sp=
ec (which was added after the Bearer text was already in place).  However, =
it is not violating any MUST clauses in the HTTPbis spec.  Given that no MU=
STS are violated, I don't see it mandatory for this tension to be resolved =
in favor of one spec or the other in order for both to be approved as RFCs.=
  I look forward to seeing that happen soon in both cases (and for the OAut=
h core spec as well).

As a matter of fact, the HTTPbis P7 text on considerations for new schemes =
doesn't use any BCP14 keywords at all. That's on purpose, because we think =
they should be used with care, and in particular that they should only be u=
sed to discuss the protocol, not the style of other specifications.

So it's really not relevant; what's essential is the intent of the spec tex=
t, and I believe that is VERY clear:

    o  The parsing of challenges and credentials is defined by this
       specification, and cannot be modified by new authentication
       schemes.  When the auth-param syntax is used, all parameters ought
       to support both token and quoted-string syntax, and syntactical
       constraints ought to be defined on the field value after parsing
       (i.e., quoted-string processing).  This is necessary so that
       recipients can use a generic parser that applies to all
       authentication schemes.

(Note the "cannot").

So again, if you disagree with this statement, please argue your case in th=
e HTTPbis WG.

If you *do* agree, but somehow feel that the bearer spec can't do this, the=
 bearer spec should document the reason (just like when an implementation f=
ails to implement a SHOULD).

As to the question of timing (when certain paragraphs were added): yes, HTT=
Pbis P7 changed based on feedback and review of the OAuth bearer spec (trig=
gered by James Manger). That's a feature.

If it hadn't, for instance, the bearer spec wouldn't conform to the base gr=
ammar *at all*. See =
.

Best regards, Julian