
From nobody Sat Mar  1 06:14:45 2014
Return-Path: <wwwrun@rfc-editor.org>
To: dick.hardt@gmail.com, stephen.farrell@cs.tcd.ie, turners@ieca.com, Hannes.Tschofenig@gmx.net, derek@ihtfp.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20140301141431.C1F887FC396@rfc-editor.org>
Date: Sat,  1 Mar 2014 06:14:31 -0800 (PST)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/J-bPnn594ivVKFR5YXcaKeo9kmA
Cc: takahiko.kawasaki@neovisionaries.com, oauth@ietf.org, rfc-editor@rfc-editor.org
Subject: [OAUTH-WG] [Technical Errata Reported] RFC6749 (3904)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Mar 2014 14:14:43 -0000

The following errata report has been submitted for RFC6749,
"The OAuth 2.0 Authorization Framework".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=3904

--------------------------------------
Type: Technical
Reported by: Takahiko Kawasaki <takahiko.kawasaki@neovisionaries.com>

Section: 11.2.2.

Original Text
-------------


Corrected Text
--------------
   o  Parameter name: error
   o  Parameter usage location: authorization response, token response
   o  Change controller: IETF
   o  Specification document(s): RFC 6749


Notes
-----
"error" is missing and should be added to the list of Initial Registry Contents of OAuth Parameters Registry.

Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC6749 (draft-ietf-oauth-v2-31)
--------------------------------------
Title               : The OAuth 2.0 Authorization Framework
Publication Date    : October 2012
Author(s)           : D. Hardt, Ed.
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG


From nobody Sun Mar  2 18:47:50 2014
Return-Path: <internet-drafts@ietf.org>
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Message-ID: <20140303024744.27615.82821.idtracker@ietfa.amsl.com>
Date: Sun, 02 Mar 2014 18:47:44 -0800
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/lCbpBRmJdiJm52JPH6842tYXLvc
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-json-web-token-17.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol Working Group of the IETF.

        Title           : JSON Web Token (JWT)
        Authors         : Michael B. Jones
                          John Bradley
                          Nat Sakimura
        Filename        : draft-ietf-oauth-json-web-token-17.txt
        Pages           : 30
        Date            : 2014-03-02

Abstract:
   JSON Web Token (JWT) is a compact URL-safe means of representing
   claims to be transferred between two parties.  The claims in a JWT
   are encoded as a JavaScript Object Notation (JSON) object that is
   used as the payload of a JSON Web Signature (JWS) structure or as the
   plaintext of a JSON Web Encryption (JWE) structure, enabling the
   claims to be digitally signed or MACed and/or encrypted.

   The suggested pronunciation of JWT is the same as the English word
   "jot".


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-17

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-json-web-token-17


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Sun Mar  2 18:53:28 2014
Return-Path: <Michael.Jones@microsoft.com>
From: Mike Jones <Michael.Jones@microsoft.com>
To: "jose@ietf.org" <jose@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 3 Mar 2014 02:52:44 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0924C7@TK5EX14MBXC286.redmond.corp.microsoft.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/0jbjDuKpwH7ZCbvUQQ0a57G1Pd0
Subject: [OAUTH-WG] JOSE -22 drafts fixing requirements language nits

Updated JOSE and JWT drafts have been published that fix a few instances
of incorrect uses of RFC 2119 requirements language, such as changing an
occurrence of "MUST not" to "MUST NOT".  These drafts also reference the
newly completed JSON specification - RFC 7158
<http://tools.ietf.org/html/rfc7158>.

The specifications are available at:

*        http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-22

*        http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-22

*        http://tools.ietf.org/html/draft-ietf-jose-json-web-key-22

*        http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-22

*        http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-17

HTML formatted versions are also available at:

*        http://self-issued.info/docs/draft-ietf-jose-json-web-signature-22.html

*        http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-22.html

*        http://self-issued.info/docs/draft-ietf-jose-json-web-key-22.html

*        http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-22.html

*        http://self-issued.info/docs/draft-ietf-oauth-json-web-token-17.html

                                                            -- Mike




From nobody Mon Mar  3 05:49:37 2014
Return-Path: <derek@ihtfp.com>
From: Derek Atkins <derek@ihtfp.com>
To: oauth@ietf.org
Date: Mon, 03 Mar 2014 08:49:26 -0500
Message-ID: <sjmzjl71jfd.fsf@mocana.ihtfp.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/C_o3OeOBfqEamj3EsMWDCkwt3tM
Cc: oauth-chairs@tools.ietf.org
Subject: [OAUTH-WG] OAUTH Presentation Slides

Hi,

If you have a slot to speak tomorrow and are using slides, please make
sure to send the slides to Hannes and me, preferably in PDF format.  This
way I can upload them before the meeting tomorrow morning.

Thanks!

-derek
-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


From nobody Mon Mar  3 14:08:41 2014
Return-Path: <internet-drafts@ietf.org>
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Message-ID: <20140303220826.3544.41230.idtracker@ietfa.amsl.com>
Date: Mon, 03 Mar 2014 14:08:26 -0800
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/HsRJLOBIkIQarn-5pJC6WUAKGZk
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-json-web-token-18.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol Working Group of the IETF.

        Title           : JSON Web Token (JWT)
        Authors         : Michael B. Jones
                          John Bradley
                          Nat Sakimura
        Filename        : draft-ietf-oauth-json-web-token-18.txt
        Pages           : 31
        Date            : 2014-03-03

Abstract:
   JSON Web Token (JWT) is a compact URL-safe means of representing
   claims to be transferred between two parties.  The claims in a JWT
   are encoded as a JavaScript Object Notation (JSON) object that is
   used as the payload of a JSON Web Signature (JWS) structure or as the
   plaintext of a JSON Web Encryption (JWE) structure, enabling the
   claims to be digitally signed or MACed and/or encrypted.

   The suggested pronunciation of JWT is the same as the English word
   "jot".


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-json-web-token-18


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Mar  3 14:22:14 2014
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C0271A01CF; Mon,  3 Mar 2014 14:22:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3XOu5qJntSTk; Mon,  3 Mar 2014 14:22:08 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0140.outbound.protection.outlook.com [207.46.163.140]) by ietfa.amsl.com (Postfix) with ESMTP id 5D3C31A0132; Mon,  3 Mar 2014 14:22:08 -0800 (PST)
Received: from DM2PR03CA010.namprd03.prod.outlook.com (10.141.52.158) by BY2PR03MB596.namprd03.prod.outlook.com (10.255.93.36) with Microsoft SMTP Server (TLS) id 15.0.888.9; Mon, 3 Mar 2014 22:22:03 +0000
Received: from BN1BFFO11FD016.protection.gbl (2a01:111:f400:7c10::1:110) by DM2PR03CA010.outlook.office365.com (2a01:111:e400:2414::30) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:22:03 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD016.mail.protection.outlook.com (10.58.144.79) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:22:02 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.240]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0174.002; Mon, 3 Mar 2014 22:21:00 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: JWT -18 addressing remaining WGLC comments
Thread-Index: Ac83LtxDZA9P3jWRQzOolfGUzK+Ubw==
Date: Mon, 3 Mar 2014 22:20:59 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0A94F2@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0A94F2TK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-O365ENT-EOP-Header: Message processed by -  O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0139052FDB
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/1Y9bIeeM9m6NOcG1hCY3g97ojx4
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: [OAUTH-WG] JWT -18 addressing remaining WGLC comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
X-List-Received-Date: Mon, 03 Mar 2014 22:22:11 -0000

--_000_4E1F6AAD24975D4BA5B16804296739439A0A94F2TK5EX14MBXC286r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Draft -18 of the JSON Web Token (JWT) spec has been released, which
addresses the few remaining outstanding comments from Working Group Last
Call (WGLC).  All edits were clarifications, rather than normative
changes.  See the Document History appendix for a description of the
changes made.

New -23 versions of the JSON Object Signing and Encryption (JOSE) specs
were also released since one clarification made to JWT also applied to
JWS.

The specifications are available at:

*        http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18

*        http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-23

*        http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-23

*        http://tools.ietf.org/html/draft-ietf-jose-json-web-key-23

*        http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-23

HTML formatted versions are also available at:

*        http://self-issued.info/docs/draft-ietf-oauth-json-web-token-18.html

*        http://self-issued.info/docs/draft-ietf-jose-json-web-signature-23.html

*        http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-23.html

*        http://self-issued.info/docs/draft-ietf-jose-json-web-key-23.html

*        http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-23.html

                                                            -- Mike


--_000_4E1F6AAD24975D4BA5B16804296739439A0A94F2TK5EX14MBXC286r_--


From nobody Mon Mar  3 14:22:48 2014
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F71B1A01CF for <oauth@ietfa.amsl.com>; Mon,  3 Mar 2014 14:22:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.601
X-Spam-Level: 
X-Spam-Status: No, score=-4.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G3HHCMI87MHr for <oauth@ietfa.amsl.com>; Mon,  3 Mar 2014 14:22:37 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0208.outbound.protection.outlook.com [207.46.163.208]) by ietfa.amsl.com (Postfix) with ESMTP id F1C2F1A01EB for <oauth@ietf.org>; Mon,  3 Mar 2014 14:22:36 -0800 (PST)
Received: from CH1PR03CA011.namprd03.prod.outlook.com (10.255.156.156) by BLUPR03MB017.namprd03.prod.outlook.com (10.255.208.39) with Microsoft SMTP Server (TLS) id 15.0.888.9; Mon, 3 Mar 2014 22:22:31 +0000
Received: from BN1BFFO11FD023.protection.gbl (10.255.156.132) by CH1PR03CA011.outlook.office365.com (10.255.156.156) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:22:31 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD023.mail.protection.outlook.com (10.58.144.86) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:22:31 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.240]) by TK5EX14HUBC104.redmond.corp.microsoft.com ([157.54.80.25]) with mapi id 14.03.0174.002; Mon, 3 Mar 2014 22:21:59 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, "oauth@ietf.org WG" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] WGLC on JSON Web Token (JWT)
Thread-Index: AQHOk09MPVTXxCf600aHih1/kI1D/ZmLZ98AgUVpnFA=
Date: Mon, 3 Mar 2014 22:21:58 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0A9521@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <5202113B.1020505@gmx.net> <255B9BB34FB7D647A506DC292726F6E1152869AC01@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1152869AC01@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0A9521TK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-O365ENT-EOP-Header: Message processed by -  O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0139052FDB
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/YaEwKaTerc3s6HO6Xm3lE18VgUg
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
X-List-Received-Date: Mon, 03 Mar 2014 22:22:44 -0000

--_000_4E1F6AAD24975D4BA5B16804296739439A0A9521TK5EX14MBXC286r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Thanks for taking the time to send in the comments, James.  I am sending
you this to describe the changes that were made in response to your
comments (mostly in -13 but also a few in -18).  See individual responses
inline.



                                                            -- Mike



-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Manger, James H
Sent: Thursday, August 08, 2013 7:55 AM
To: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)



Comments on draft-ietf-oauth-json-web-token-11:



1. Should JWT really go to WGLC before the JOSE docs that it depends on so
heavily (JWS/JWE/...)? Even if the "bytes-on-the-wire" are fairly stable,
JWT repeats a lot of text from JWS/JWE some of which is likely to change.
Finishing WGLC now and queuing the doc to be auto-published when JWS/JWE
are published would be bad (unless the duplicate text is removed).



In practice, it seems that JWT has waited for JOSE (and I've kept them
fully in sync).  At this point, I expect them to proceed through the rest
of the approval steps in parallel.



2. The JWT doc would be so much more readable if it could refer to a "JOSE
message", "JOSE header", and "JOSE compact serialization"; instead of
having to explicitly talk about JWS and JWE every time even when talking
about aspects common to both. It would also avoid introducing "JWT
Header", "Encoded JWT Header", "Nested JWT", "Plaintext JWT" etc as though
these are new items, when in fact they are just additional names for JOSE
items. For instance, "JWT Header" is effectively shorthand for "JWS or JWE
header" but it is presented as a JWT-specific thing.



I think this really only shows up in a few places - primarily when
discussing that the JWT Header is either a JWS Header or a JWE header.
Given that these are actually distinct but related data structures, making
it evident that they are different is arguably a good thing.



3. The doc should not repeat definitions from JWS and JWE.



The duplication has been substantially reduced, both within the JOSE docs,
and within this doc.  That being said, there's a stylistic tension between
saying things in exactly one place and making each document easier to read
without constantly having to flip back and forth between them.  In this
case, I believe that the small amount of duplication aids developers who
might not recursively read everything referenced in full detail.



For instance, the whole first paragraph of section 5 "JWT Header" (JSON
object; describes crypto ops; unique names; reject duplicates or use last)
is an almost identical copy of paragraphs from JWS and JWE. The duplication
(often triplication) adds confusion (eg what is the difference between a
JWT Header and JWS Header?) and gets subtly out of sync (eg "cty" either
"declares structural information about the JWT" or "declares the type of
the secured/encrypted content (the payload/Plaintext) in an
application-specific manner").



The description of JWT's use of "cty" is not out of sync - it is
intentionally more specific than the fully general,
application-independent descriptions in JWS and JWE.  In this case, JWT is
the application of JWS and JWE, and needs to specify its requirements about
how it uses this header parameter.



Other examples of unnecessarily duplicated text include: section 7 steps 3
& 4 (creating) and steps 1-8 (validating); section 7.1 text about comparing
"alg" values; parts of the last 2 paragraphs of section 3 "JWT overview";
1st and 3rd paragraphs of section 5.2 "cty"; 1st, 2nd, and 4th sentence of
section 5.1 "typ".



Step 4 of creation was removed because it truly was a duplicate.  (3 is
more specific than the corresponding JWS and JWE steps, and so was not
removed.)



The validating steps are necessary because JWT adds two things beyond JWS
and JWE:  First, the contents can be either a JWS or JWE, and so there's
logic described for the slightly different actions taken in the two cases.
Second, the JWT can be nested, so the logic for nesting and detecting
nested JWTs is defined.  It *does* just rely on JWS and JWE for the
creation and verification aspects of the JWS and JWE aspects of JWTs.



Both "typ" and "cty" were reworked when their values were changed to MIME
types, reducing duplication.



4. Hardly anyone pronounces JWT as "jot" -- it is usually spelt out -- so
drop the sentence in the abstract suggesting the "jot" pronunciation.



Your experience may vary, but in in-person conversations, it's usually
pronounced "jot" in my experience.  (It's a lot easier to say than "J W T"
or "JSON Web Token" and people tend to like short names to say.)



5. Collision Resistant Namespace (section 2 "Terminology") mentions domain
names, OIDs, and UUIDs as examples, but fails to mention URIs, which is a
likely choice. Domain names will start colliding with "reserved" names soon
with all the new top-level domains. Should UUIDs use a "urn:uuid:" prefix,
or "uuid:", or no prefix? Should UUIDs only use lower-case hex digits
(otherwise duplicate UUIDs will look like distinct JSON names)? Should an
OID be "2.5.4.3" or "oid:2.5.4.3" or "URN:OID:2.5.4.3" or "commonName" or
"cn"? Collision resistant namespaces lose collision-resistance when you
combine namespaces as is done here.



As you suggested, domain names are now the first example mentioned.  This
was also rewritten with input from Jim Schaad.



Could the reserved/public/private mess be simplified by saying (at the end
of section 4 "JWT Claims"):



  A claim name can be any string. Using URIs as claim names is one
  way to ensure claim names are unambiguous. Claim names that are
  not URIs SHOULD be registered in the IANA Claims registry [section 9.1]



Then drop the last paragraph of section 4 "JWT claims" that starts "there
are three classes of JWT Claim Names"; drop section 4.2 "Public claim
names"; drop section 4.3 "Private claim names"; drop the "collision
resistant namespace" term.



Calling out that there are three distinct classes of names has been valuabl=
e in helping developers think about how to use claim names, in practice.  I=
n particular, it lets us describe the benefits and drawbacks of each, helpi=
ng developers and deployers make reasonable choices for their application c=
ontexts.



At Jim Schaad's suggestion, "public" was changed to "registered" and the de=
scription changed to talk about this class of names being in the IANA regis=
try.



6. The doc says including a "typ" field is OPTIONAL. Even when present "typ" can have any value since the two suggestions in the doc ("JWT" or "urn:ietf:params:oauth:token-type:jwt") are only RECOMMENDED. Given this, there doesn't seem to be anything a JWT recipient can usefully do with "typ". If it tries to use "typ" it will just be incompatible with compliant JWT senders that either omit "typ" or use another value. It would be better to drop section 5.1 "Type Header Parameter" entirely -- leaving any "typ" value definitions to profiles that actually define processing for such values.

The description has been reworked to mostly just refer to the JWS and JWE definitions.  The URN usage was removed when "typ" and "cty" values were made MIME type values.

7. The doc redefines the "cty" header parameter, which is already defined in JWS and JWE (slightly differently in all 3 cases - argh). JWT uses "cty" to indicate nested JOSE messages, which should be a JOSE feature as it is not specific to JWT (hence "cty":"jwt" is a poor choice).

The description has been reworked to mostly just refer to the JWS and JWE definitions.  "cty" is not redefined; its use by JWT is specified.

8. [Editorial] "JWA signing algorithm" and "JWA encryption algorithms" are the wrong phrases. These are JWS signing algs and JWE encryption algs that happen to be specified in JWA.

The phrases "JWA signing algorithms" and "JWA encryption algorithms" were removed.

9. Including a short description for each claim name in the registry would be useful. Just a 3-letter abbreviation is not helpful enough. Eg add a Claim description field:
  Claim name: "nbf"
  Claim description: not before
  Change controller: IETF
  Specification document: section 4.1.5. of [[ this doc ]]

This was done - both here and in the JOSE documents.  Thanks for the useful suggestion.

--
James Manger

> ----------
> Sent: Wednesday, 7 August 2013 7:20 PM
> Subject: [OAUTH-WG] WGLC on JSON Web Token (JWT)
>
> Hi all,
>
> this is a working group last call for the JSON Web Token (JWT).
>
> Here is the document:
> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-11
>
> Please send your comments to the OAuth mailing list by August 21, 2013.
>
> Ciao
> Hannes & Derek

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

--_000_4E1F6AAD24975D4BA5B16804296739439A0A9521TK5EX14MBXC286r_--
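
The validation logic discussed in the message above (a JWT is either a JWS or a JWE, and a "cty" header parameter marks a nested JWT), as an added example that is not part of the original e-mail or of the JWT draft. It assumes HS256 only, one shared key for every layer, a nesting limit of 3 and case-insensitive matching of "cty"; the key and tokens are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

MAX_DEPTH = 3  # assumed limit on nested layers, chosen for this example


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(header: dict, payload: bytes, key: bytes) -> str:
    """Build a compact JWS; used here only to construct the sample tokens."""
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(payload)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def classify(token: str) -> str:
    """A compact JWS has 3 dot-separated segments, a compact JWE has 5."""
    segments = token.count(".") + 1
    if segments == 3:
        return "JWS"
    if segments == 5:
        return "JWE"
    raise ValueError("not a compact JWS or JWE")


def validate_jwt(token: str, key: bytes, depth: int = 0) -> dict:
    """Verify every layer, unwrap nested JWTs, and return the innermost claims."""
    if depth >= MAX_DEPTH:
        raise ValueError("too many nested JWT layers")
    if classify(token) == "JWE":
        raise ValueError("JWE layer: decryption is outside this example")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the header ("none" is refused).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = b64url_decode(payload_b64)
    cty = header.get("cty")
    if isinstance(cty, str) and cty.upper() == "JWT":
        # The payload is itself a JWT: validate the next layer as well.
        return validate_jwt(payload.decode("ascii"), key, depth + 1)
    claims = json.loads(payload)
    if not isinstance(claims, dict):
        raise ValueError("claims set must be a JSON object")
    return claims


# Constructed sample input: an inner signed JWT wrapped in an outer signed JWT.
KEY = b"constructed-demo-key-not-a-secret"
INNER = sign_hs256({"alg": "HS256", "typ": "JWT"},
                   json.dumps({"iss": "https://issuer.example", "sub": "alice"}).encode(),
                   KEY)
NESTED = sign_hs256({"alg": "HS256", "cty": "JWT"}, INNER.encode("ascii"), KEY)
```
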


From nobody Mon Mar  3 14:23:00 2014
From: Mike Jones <Michael.Jones@microsoft.com>
To: Prateek Mishra <prateek.mishra@oracle.com>
Thread-Topic: [OAUTH-WG] WGLC on JSON Web Token (JWT)
Thread-Index: AQHOk09MPVTXxCf600aHih1/kI1D/Zmga/qAgTBtKXA=
Date: Mon, 3 Mar 2014 22:22:11 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0A9528@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <5202113B.1020505@gmx.net> <52155269.7040302@oracle.com>
In-Reply-To: <52155269.7040302@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0A9528TK5EX14MBXC286r_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/NhHU2qCLDbTvsPTSMZPrft0cdcY
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)

--_000_4E1F6AAD24975D4BA5B16804296739439A0A9528TK5EX14MBXC286r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi Prateek,

Thanks for taking the time to send in these comments.  I am sending you this to describe the changes that were made in response to your comments (mostly in -13 but also a few in -18).  See individual responses inline.

                                                            -- Mike

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Prateek Mishra
Sent: Wednesday, August 21, 2013 4:51 PM
To: Hannes Tschofenig
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)


1) As a JWT is always an instance of JWE or JWS, I am not sure why there is a need for the materials found in Section 5, para 1 (these are also found in the JWE and JWS draft specifications). It could simply be removed from the draft.

There's a stylistic tension between saying things in exactly one place and making each document easier to read without constantly having to flip back and forth between them.  In this case, I believe that the small amount of duplication aids developers who might not recursively read everything referenced in full detail.

2) Why do we need both a "typ" claim and a "typ" header name? Need they have some relationship to each other?
Isn't this also covered by Section 5.3?

The "typ" claim was removed as part of the JOSE change to use MIME type names for "typ" and "cty" header parameter values.

3)  The materials in Section 5.3 could be simplified further.

Why should the use of claims as header parameters be restricted to the case where the JWT=JWE; what about the encrypt then sign (symmetric) use-case? I see no issue in allowing this feature with a JWT of any type.

As written, the specs actually already allow the header to be extended with any parameters, as needed by applications.  Replicating encrypted claims as unencrypted header parameter values is only one such permitted usage.

The last paragraph of Section 5.3 ("This specification reserves the iss (issuer), sub (subject),....") seems to be an instance of the previous paragraph. If claims are allowed in the header, then iss (issuer), sub (subject) are trivially allowed, right? I couldn't find any additional information in this last paragraph.

This text is referring to the fact that these three claims are registered in the IANA JSON Web Signature and Encryption Header Parameters registry for use as header parameters.  I clarified this by adding a section number reference.

Finally, do we need "SHOULD verify that their values are identical" - given that this matter is left up to applications, couldn't they choose to verify only a certain relationship between the corresponding values (e.g., header carries hash of value, JWT carries the (large) complete value)?  Can this be weakened to "SHOULD verify that their values have an appropriate (application-defined) relationship. In many instances, applications may want to ensure that they are identical".

Agreed.  I added a qualifying clause saying that "the application receiving them SHOULD verify that their values are identical, unless the application defines other specific processing rules for these Claims".

4) Section 8 -

am I correct in reading this as: all conforming JWT implementations MUST implement JWS and MAY implement JWE?
At least that's what I understood from the last paragraph ("if an implementation provides encryption capabilities...").

Correct

- prateek

Hi all,

this is a working group last call for the JSON Web Token (JWT).

Here is the document:
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-11

Please send your comments to the OAuth mailing list by August 21, 2013.

Ciao
Hannes & Derek
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
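
The check discussed in the message above (claims replicated as header parameters SHOULD be identical unless the application defines other processing rules), as an added example that is not part of the original e-mail or of the JWT draft. The function names, the hash-in-header rule and the sample header and claims are assumptions constructed for illustration; the replicated names are the ones RFC 7519 Section 5.3 registers as header parameters.

```python
import hashlib
import json

# Claim names registered for use as header parameters (RFC 7519, Section 5.3).
REPLICATED = ("iss", "sub", "aud")


def canonical(value) -> bytes:
    """Canonical JSON bytes, so that true/1 and "1"/1 are never treated as equal."""
    return json.dumps(value, sort_keys=True, separators=(",", ":")).encode("utf-8")


def claim_digest(value) -> str:
    """Hex SHA-256 of a claim value's canonical JSON (hypothetical application rule)."""
    return hashlib.sha256(canonical(value)).hexdigest()


def identical(header_value, claim_value) -> bool:
    """Default rule: the header parameter must equal the claim exactly."""
    return canonical(header_value) == canonical(claim_value)


def sha256_of_claim(header_value, claim_value) -> bool:
    """Application-defined rule: the header carries a hash of the full claim value."""
    return isinstance(header_value, str) and header_value == claim_digest(claim_value)


def check_replicated_claims(header: dict, claims: dict, rules: dict = None) -> list:
    """Return a list of problems; an empty list means every replicated claim is consistent.

    `rules` maps a claim name to a comparison function and overrides the
    default identity check for that name only.
    """
    rules = rules or {}
    problems = []
    for name in REPLICATED:
        if name not in header:
            continue  # replication is optional
        if name not in claims:
            problems.append(f"{name}: in header but missing from claims")
            continue
        rule = rules.get(name, identical)
        if not rule(header[name], claims[name]):
            problems.append(f"{name}: header value does not match claim ({rule.__name__})")
    return problems


# Constructed sample input: a JWE header replicating two claims, and the
# claims recovered after decryption.
HEADER = {"alg": "RSA-OAEP", "enc": "A256GCM",
          "iss": "https://issuer.example", "aud": "https://api.example"}
CLAIMS = {"iss": "https://issuer.example", "sub": "alice",
          "aud": "https://api.example", "exp": 1700000000}
```

A receiver would run this only after the JWE has been decrypted and authenticated, and reject the token when the returned list is not empty.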


--_000_4E1F6AAD24975D4BA5B16804296739439A0A9528TK5EX14MBXC286r_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
</head>
<body bgcolor=3D"white" lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">Hi Prateek,<o:p></o=
:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">Thanks for taking t=
he time to send in these comments.</span><span style=3D"color:#0070C0"> &nb=
sp;I am sending you this to describe the changes that were made in response=
 to your comments (mostly in -13 but also a
 few in -18).&nbsp; See individual responses inline.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Mike<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span><=
/p>
<div>
<div style=3D"border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot=
;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext">From:</span></b><spa=
n style=3D"font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif=
&quot;;color:windowtext"> oauth-bounces@ietf.org [mailto:oauth-bounces@ietf=
.org]
<b>On Behalf Of </b>Prateek Mishra<br>
<b>Sent:</b> Wednesday, August 21, 2013 4:51 PM<br>
<b>To:</b> Hannes Tschofenig<br>
<b>Cc:</b> oauth@ietf.org WG<br>
<b>Subject:</b> Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)<o:p></o:p></spa=
n></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">1) As a JWT is always an instance of JWE or JWS, =
I am not sure why there is a need for the the materials found in Section 5,=
 para 1 (these are also found in the JWE and JWS draft specifications). It =
could simply be removed from the draft.<br>
<br>
<span style=3D"color:#0070C0"><o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">There&#8217;s a sty=
listic tension between saying things in exactly one place and making each d=
ocument easier to read without constantly having to flip back and forth bet=
ween them.&nbsp; In this case, I believe that the
 small amount of duplication aids developers who might not recursively read=
 everything referenced in full detail.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><br>
</span>2) Why do we need both a &quot;typ&quot; claim and a &quot;typ&quot;=
 header name? Need they have some relationship to each other?<br>
Isn't this also covered by Section 5.3?<br>
<br>
<span style=3D"color:#0070C0"><o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">The &#8220;typ&#822=
1; claim was removed as part of the JOSE change to use MIME type names for =
&#8220;typ&#8221; and &#8220;cty&#8221; header parameter values.<br>
</span><br>
3)&nbsp; The materials in Section 5.3 could be simplified further. <br>
<br>
Why should the use of claims as header parameters be restricted to the case=
 where the JWT=3DJWE; what about the encrypt then sign (symmetric) use-case=
? I see no issue in allowing this feature with a JWT of any type.<br>
<br>
<span style=3D"color:#0070C0"><o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">As written, the spe=
cs actually already allow the header to be extended with any parameters, as=
 needed by applications.&nbsp; Replicating encrypted claims as unencrypted =
header parameter values is only one such
 permitted usage.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><br>
The last paragraph of Section 5.3 (&quot;This specification reserves the is=
s (issuer), sub (subject),....&quot;) seems to be an instance of the<br>
previous paragraph. If claims are allowed in the header, then iss (issuer),=
 sub (subject) are trivially allowed, right? I couldn't find any additional=
 information in this last paragraph.<br>
<br>
<span style=3D"color:#0070C0"><o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">This text is referr=
ing to the fact that these three claims are registered in the IANA JSON Web=
 Signature and Encryption Header Parameters registry for use as header para=
meters.&nbsp; I clarified this by adding
 a section number reference.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><br>
</span>Finally, do we need &quot;SHOULD verify that their values are identi=
cal&quot; - given that this matter is left upto applications, couldnt they =
choose to verify only a certain relationship between the corresponding valu=
es (e.g., header carries hash of value, JWT
 carries the (large) complete value)?&nbsp; Can this be weakened to &quot;S=
HOULD verify that their values have an appropriate (application-defined) re=
lationship. In many instances, applications may want to ensure that they ar=
e identical&quot;.<br>
<br>
<span style=3D"color:#0070C0"><o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">Agreed.&nbsp; I add=
ed a qualifying clause saying that &#8220;the application receiving them SH=
OULD verify that their values are identical, unless the application defines=
 other specific processing rules for these Claims&#8221;.<o:p></o:p></span>=
</p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><br>
</span>4) Section 8 - <br>
<br>
am I correct in reading this as: all conforming JWT implementations MUST im=
plement JWS and MAY implement JWE?<br>
At least thats what I understood from the last paragraph (&quot;<i>if</i> a=
n implementation provides encryption capabilities...&quot;).<br>
<span style=3D"color:#0070C0"><br>
Correct<br>
<br>
</span>- prateek<br>
<br>
<o:p></o:p></p>
<p class=3D"MsoNormal">Hi all, <br>
<br>
this is a working group last call for the JSON Web Token (JWT). <br>
<br>
Here is the document: <br>
<a href=3D"http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-11">h=
ttp://tools.ietf.org/html/draft-ietf-oauth-json-web-token-11</a>
<br>
<br>
Please send you comments to the OAuth mailing list by August 21, 2013. <br>
<br>
Ciao <br>
Hannes &amp; Derek <br>
_______________________________________________ <br>
OAuth mailing list <br>
<a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a> <br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.or=
g/mailman/listinfo/oauth</a>
<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</body>
</html>

--_000_4E1F6AAD24975D4BA5B16804296739439A0A9528TK5EX14MBXC286r_--


From nobody Mon Mar  3 14:23:39 2014
From: Mike Jones <Michael.Jones@microsoft.com>
To: oauth mailing list <oauth@ietf.org>
Thread-Topic: My review of draft-ietf-oauth-json-web-token-11
Date: Mon, 3 Mar 2014 22:22:45 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0A956A@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA347D1@USCHMBX001.nsn-intra.net>
In-Reply-To: <1373E8CE237FCC43BCA36C6558612D2AA347D1@USCHMBX001.nsn-intra.net>
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0A956ATK5EX14MBXC286r_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Vlp4YHRsF-cuZr5D4bcmzxRkdUE
Subject: Re: [OAUTH-WG] My review of draft-ietf-oauth-json-web-token-11

--_000_4E1F6AAD24975D4BA5B16804296739439A0A956ATK5EX14MBXC286r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi Hannes,

My replies to your comments follow in-line.  Thanks again for writing these up.

                                                            -- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Tschofenig, Hannes (NSN - FI/Espoo)
Sent: Thursday, September 12, 2013 1:07 AM
To: oauth mailing list
Subject: [OAUTH-WG] My review of draft-ietf-oauth-json-web-token-11

Hi Mike, Hi all,

As part of preparing the shepherd write-up I have read the draft and here are a few comments.

In general, the draft looks good. The comments are fairly minor.

1. Section 4: JWT Claims

In the first paragraph you write:

"

The Claim Names within a JWT Claims Set MUST be unique; recipients MUST either reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name "

I think what you want to write here is that the sender of a JWT must ensure that the claims are unique. If a JWT is, however, received with non-unique claims then some decision must be taken. You list two choices and I am wondering why not just have one. Let's just reject the JWT if that happens to ensure consistent behavior.

This was extensively discussed within JOSE and the language used is the same.  Ideally, yes, we'd reject duplicate names, but both the old and new JSON specs allow duplication, so if we're to use existing deployed parsers, that isn't really a practical option.  (We used to require rejection of duplicate names, but objections were raised to that.)

I believe it might be good to clarify that unique here means that claims may appear more than once in a JWT but you are concerned about having two claims that actually have a different semantic. Correct?

No, the issue is that either parsers will only return one (they will overwrite each other) or duplicates will cause a parsing error.  Therefore, for things to always work regardless of parser, producers can't include any duplicates.

You write: "However, in the absence of such requirements, all claims that are not understood by implementations SHOULD be ignored."

The 'SHOULD' is not good enough here. Either you ignore claims that you don't understand or you do something else. Since there does not seem to be a way to declare claims as "critical" to understand I suggest to turn this into a MUST.

Agreed.  I made this change in -18.

With every claim you add "Use of this claim is OPTIONAL.". I would suggest to move that sentence to the front and avoid repeating it with every claim. In fact you have that necessary sentence currently in Section 4.1 "None of the claims defined below are intended to be mandatory to use, but rather, provide a starting point for a set of useful, interoperable claims."

For what it's worth, Jim Schaad had requested the opposite - that the "OPTIONAL" statements be on a per-name basis - so each definition could be easily read in isolation.

Since you describe the "use" there is obviously the question about the "implementation". So, what claims in this document are mandatory to implement? All? None?

None.  It's up to the application what claims are MTI for its use case.  I added text clarifying this.

Claim Types: You distinguish between three types of claims, namely Reserved Claim Names, Public Claim Names, and Private Claim Names.

- Reserved claims are those that are registered with IANA.

- Public Claims are (interestingly enough) also registered via IANA or use a Collision Resistant Namespace.

- Private Claims are those that may produce collisions

Clear I would suggest to change the definition of a public claim. Let's just call the claims that are registered via IANA reserved claims.

"Reserved" was changed to "registered", both here and in JOSE, as a result of review comments from both working groups.

I also wonder why we need private claims at all when it is so easy to construct public claims?

In practice, people will use unregistered names in some contexts.  (There was a 1/2 hour presentation in AppsAWG today about this very thing!)  Given we really can't prevent this and it will happen, it's better to clearly describe the downsides and alternatives than to pretend that private names won't be used.  At least this way, people will have been warned about the consequences of their choices.

Section 4.1.1: "iss" (Issuer) Claim

You write:

"

The iss (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific.

"

Would it be useful to say what people use this claim for. It might also be useful to indicate that this value cannot be relied on for any trust or access control decisions without proper cryptographic assurance. I can already see people who base their security decisions on this value without any relationship to the actual crypto of the JWT. So, one might wonder what the relationship of the crypto and the iss claim is.

I added language about making trust decisions in the Security Considerations section.  Did you have particular language in mind about what the claim is used for, beyond stating that it identifies the issuer?

Section 4.1.3: "aud" (Audience) Claim

You write:

"

The aud (audience) claim identifies the audiences that the JWT is intended for.

"

That's not a good description. You could instead write: "The aud (audience) claim identifies the recipient the JWT is intended for."

Agreed - done.

You write:

"

In the special case when the JWT has one audience, the aud value MAY be a single case sensitive string containing a StringOrURI value.

"

Shouldn't this read:

"

In the special case when the JWT has one audience, the aud value is a single case sensitive string containing a StringOrURI value.

"

No - because either "aud":"foo" or "aud":["foo"] are legal and mean the same thing.

Section 4.1.8. "typ" (Type) Claim

You write:

"

The typ (type) claim MAY be used to declare a type for the contents of this JWT Claims Set in an application-specific manner in contexts where this is useful to the application. The typ value is a case sensitive string. Use of this claim is OPTIONAL.

The values used for the typ claim come from the same value space as the typ header parameter, with the same rules applying.

"

I believe the first sentence should say: "The typ (type) claim is used to declare a type for the contents of this JWT Claims Set ....". I don't understand what the "MAY" here was supposed to indicate since if it does not declare the type of the claims then what else does it do?

Why is the typ claim actually there when there is already the same claim in the header?

The "typ" claim was removed as part of the JOSE change to use MIME type names for "typ" and "cty" header parameter values.

Section 5.1. "typ" (Type) Header Parameter

You write:

"

The typ (type) header parameter MAY be used to declare the type of this JWT in an application-specific manner in contexts where this is useful to the application. This parameter has no effect upon the JWT processing. If present, it is RECOMMENDED that its value be either JWT or urn:ietf:params:oauth:token-type:jwt to indicate that this object is a JWT.

"

Here again I would write: "The typ (type) header parameter is used to declare the type of this JWT in an application-specific manner in contexts where this is useful to the application."

Why doesn't this value have any impact on the processing? It appears to be useless? Would it be good to mandate that it is set to JWT or urn:ietf:params:oauth:token-type:jwt when the content is a JWT? Why do you leave two options for what the value is set to? Why would anyone use the longer string?

The URN value was removed as part of the JOSE change to use MIME type names for "typ" and "cty" header parameter values.

Section 5.2. "cty" (Content Type) Header Parameter

What is the relationship between cty and typ?

As described in the JOSE specs that define them, "typ" is the type of the entire object, whereas "cty" is the type of the message contained in the JWS or JWE.  Both are now MIME type values.  "cty" is used by JWTs in the specific way specified whereas "typ" can be used as needed by applications using JWTs.

Section 5.3. Replicating Claims as Header Parameters

I am not sure why you would want to have encryption of the claims and then again include them in cleartext. That would defeat the purpose of encryption. Then, you could as well just provide them in cleartext (only signed, for example).

Putting the sub value into the header does not seem to be a good idea since this may be personal data.

This showed up in a use case that Dick Hardt had, in which case he wanted to route the contents of the JWT to the recipient without being able to read the contents of the JWT itself.  In his case, there was an intermediary handling the JWT that did not have the decryption key.

It's application-specific whether the audience is private information or not.

Putting these fields into the header in general does not strike me as a good idea since you lose the ability to sign these values. They will be exposed to all security threats since they cannot be protected. Why not use a nested JWT instead?

They are still integrity-protected, because JWE uses only authenticated encryption.  They are protected from tampering or alteration.

The 'SHOULD' in this sentence particularly makes me nervous: "If such replicated Claims are present, the application receiving them SHOULD verify that their values are identical." This essentially means that if you have protected claims and someone adds unprotected stuff into the header it may mean that an application would accept that. Not a good idea!

Per the above, you can't add stuff, because of the authenticated encryption used.

Section 6 Plaintext JWTs

Why do we want plaintext JWTs? I thought that the threat analysis concluded that sending this stuff of information around without any security protection is a bad idea.

The JWT can either be cryptographically protected by a signature and/or encryption in the JWT itself or by signature and/or encryption of a data structure in which the JWT is conveyed.  For instance, if it is returned from an OAuth Token Endpoint, it is integrity protected by the channel's use of TLS and so may not need to be signed and/or encrypted in some application contexts.  OpenID Connect uses this capability in several places, for instance, as does Phil Hunt's OAuth Authentication draft.

Section 7. Rules for Creating and Validating a JWT

I am curious why this section is so extensive given that we are essentially just applying JWS and JWE here. Wouldn't a pointer to the JWS/JWE spec be sufficient?

It's longer because the JWT adds two things:  First, the contents can be either a JWS or JWE, and so there's logic described for the slightly different actions taken in the two cases.  Second, the JWT can be nested, so the logic for nesting and detecting nested JWTs is defined.  It *does* just rely on JWS and JWE for the creation and verification aspects of the JWS and JWE aspects of JWTs.

That said, I did remove a step that was actually a pure duplication of a corresponding JWS/JWE step.

Ciao

Hannes

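Added example, not part of the messages above or of the draft: a recipient-side sketch of the claim-handling rules discussed in this exchange (duplicate Claim Names, the two legal forms of "aud", ignoring claims that are not understood, and comparing replicated header parameters with the claims). All function names and sample values are hypothetical, and the code assumes the JWS or JWE layer has already verified the signature or authentication tag over the header and payload it is given.

```python
import json

# Claims the draft text quoted above names as usable as header parameters.
REPLICABLE = ("iss", "sub", "aud")


class DuplicateClaimError(ValueError):
    """Raised when a JSON object repeats a member name."""


def _reject_duplicates(pairs):
    # json.loads calls this hook with each object's (name, value) pairs in
    # document order, before a later duplicate can overwrite an earlier one.
    seen = {}
    for name, value in pairs:
        if name in seen:
            raise DuplicateClaimError(f"duplicate member name: {name!r}")
        seen[name] = value
    return seen


def parse_claims_strict(text):
    """First permitted behaviour: reject a Claims Set with duplicate names."""
    claims = json.loads(text, object_pairs_hook=_reject_duplicates)
    if not isinstance(claims, dict):
        raise ValueError("JWT Claims Set must be a JSON object")
    return claims


def parse_claims_last_wins(text):
    """Second permitted behaviour: Python's json keeps only the last duplicate."""
    return json.loads(text)


def audiences(obj):
    """Normalize "aud" so that "aud":"foo" and "aud":["foo"] compare equal."""
    aud = obj.get("aud")
    if aud is None:
        return frozenset()
    values = [aud] if isinstance(aud, str) else aud
    if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
        raise ValueError('"aud" must be a string or an array of strings')
    return frozenset(values)


def check_replicated(header, claims):
    """Return the replicated header parameters whose value differs from the claim."""
    mismatched = []
    for name in REPLICABLE:
        if name not in header:
            continue
        if name == "aud":
            same = audiences(header) == audiences(claims)
        else:
            same = header[name] == claims.get(name)
        if not same:
            mismatched.append(name)
    return mismatched


def accept(header, claims_text, expected_aud, understood=("iss", "sub", "aud", "exp")):
    """Apply the checks above and return only the claims this application understands.

    Assumption: `header` is the integrity-protected header and `claims_text`
    the verified (and, for a JWE, decrypted) payload.
    """
    claims = parse_claims_strict(claims_text)
    if expected_aud not in audiences(claims):
        raise ValueError("JWT is not intended for this recipient")
    bad = check_replicated(header, claims)
    if bad:
        raise ValueError(f"replicated header parameters differ from claims: {bad}")
    # Claims that are not understood are ignored rather than rejected.
    return {k: v for k, v in claims.items() if k in understood}


# Constructed sample inputs (not taken from the thread).
DUP = '{"iss":"https://issuer.example","aud":"api-a","aud":"api-b"}'
GOOD = '{"iss":"https://issuer.example","aud":"api-a","x-private":"ignored"}'

if __name__ == "__main__":
    print(parse_claims_last_wins(DUP))  # the first "aud" is silently dropped
    print(accept({"alg": "dir", "iss": "https://issuer.example"}, GOOD, "api-a"))
```

The two parsers give different answers for the same duplicate-bearing input, which is why producers cannot rely on either behaviour and must not emit duplicates.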

--_000_4E1F6AAD24975D4BA5B16804296739439A0A956ATK5EX14MBXC286r_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">In practice, people=
 will use unregistered names in some contexts.&nbsp; (There was a 1/2 hour =
presentation in AppsAWG today about this very thing!)&nbsp; Given we really=
 can&#8217;t prevent this and it will happen, it&#8217;s better
 to clearly describe the downsides and alternatives than to pretend that pr=
ivate names won&#8217;t be used.&nbsp; At least this way, people will have =
been warned about the consequences of their choices.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText">Section 4.1.1: &quot;iss&quot; (Issuer) Claim<o:p=
></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">You write:<o:p></o:p></p>
<p class=3D"MsoPlainText">&quot;<o:p></o:p></p>
<p class=3D"MsoPlainText">The iss (issuer) claim identifies the principal t=
hat issued the JWT. The processing of this claim is generally application s=
pecific.<o:p></o:p></p>
<p class=3D"MsoPlainText">&quot;<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">Would it be useful to say what people use this cl=
aim for. It might also be useful to indicate that this value cannot be reli=
ed on for any trust or access control decisions without proper cryptographi=
c assurance. I can already see people
 who base their security decisions on this value without any relationship t=
o the actual crypto of the JWT. So, one might wonder what the relationship =
of the crypto and the iss claim is.
<o:p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">I added language ab=
out making trust decisions in the Security Considerations section.&nbsp; Di=
d you have particular language in mind about what the claim is used for, be=
yond stating that it identifies the issuer?<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText">Section 4.1.3: &quot;aud&quot; (Audience) Claim<o=
:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">You write:<o:p></o:p></p>
<p class=3D"MsoPlainText">&quot;<o:p></o:p></p>
<p class=3D"MsoPlainText">The aud (audience) claim identifies the audiences=
 that the JWT is intended for.<o:p></o:p></p>
<p class=3D"MsoPlainText">&quot;<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">That's not a good description. You could instead =
write: &quot;The aud (audience) claim identifies the recipient the JWT is i=
ntended for.&quot;
<o:p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">Agreed &#8211; done=
.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText">You write:<o:p></o:p></p>
<p class=3D"MsoPlainText">&quot;<o:p></o:p></p>
<p class=3D"MsoPlainText">In the special case when the JWT has one audience=
, the aud value MAY be a single case sensitive string containing a StringOr=
URI value.<o:p></o:p></p>
<p class=3D"MsoPlainText">&quot;<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">Shouldn't this read:<o:p></o:p></p>
<p class=3D"MsoPlainText">&quot;<o:p></o:p></p>
<p class=3D"MsoPlainText">In the special case when the JWT has one audience=
, the aud value is a single case sensitive string containing a StringOrURI =
value.<o:p></o:p></p>
<p class=3D"MsoPlainText">&quot;<o:p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">No &#8211; because =
either &#8220;aud&#8221;:&#8221;foo&#8221; or &#8220;aud&#8221;:[&#8220;foo=
&#8221;] are legal and mean the same thing.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText">Section 4.1.8. &quot;typ&quot; (Type) Claim<o:p><=
/o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">You write:<o:p></o:p></p>
<p class=3D"MsoPlainText">&quot;<o:p></o:p></p>
<p class=3D"MsoPlainText">The typ (type) claim MAY be used to declare a typ=
e for the contents of this JWT Claims Set in an application-specific manner=
 in contexts where this is useful to the application. The typ value is a ca=
se sensitive string. Use of this claim
 is OPTIONAL.<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">The values used for the typ claim come from the s=
ame value space as the typ header parameter, with the same rules applying.<=
o:p></o:p></p>
<p class=3D"MsoPlainText">&quot;<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">I believe the first sentence should say: &quot;Th=
e typ (type) claim is used to declare a type for the contents of this JWT C=
laims Set ....&quot;. I don't understand what the &quot;MAY&quot; here was =
supposed to indicate since if it does not declare the
 type of the claims then what else does it do? <o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">Why is the typ claim actually there when there is=
 already the same claim in the header?
<o:p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">The &#8220;typ&#822=
1; claim was removed as part of the JOSE change to use MIME type names for =
&#8220;typ&#8221; and &#8220;cty&#8221; header parameter values.<br>
<br>
</span><o:p></o:p></p>
<p class=3D"MsoPlainText">Section 5.1. &quot;typ&quot; (Type) Header Parame=
ter<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">You write:<o:p></o:p></p>
<p class=3D"MsoPlainText">&quot;<o:p></o:p></p>
<p class=3D"MsoPlainText">The typ (type) header parameter MAY be used to de=
clare the type of this JWT in an application-specific manner in contexts wh=
ere this is useful to the application. This parameter has no effect upon th=
e JWT processing. If present, it is
 RECOMMENDED that its value be either JWT or urn:ietf:params:oauth:token-ty=
pe:jwt to indicate that this object is a JWT.<o:p></o:p></p>
<p class=3D"MsoPlainText">&quot; <o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">Here again I would write: &quot; The typ (type) h=
eader parameter is used to declare the type of this JWT in an application-s=
pecific manner in contexts where this is useful to the application.&quot;<o=
:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">Why doesn't this value have any impact on the pro=
cessing? It appears to be useless? Would it be good to mandate that it is s=
et to JWT or urn:ietf:params:oauth:token-type:jwt when the content is a JWT=
? Why do you leave two options for
 what the value is set to? Why would anyone use the longer string? <o:p></o=
:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">The URN value was r=
emoved as part of the JOSE change to use MIME type names for &#8220;typ&#82=
21; and &#8220;cty&#8221; header parameter values.</span><o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">Section 5.2. &quot;cty&quot; (Content Type) Heade=
r Parameter<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">What is the relationship between cty and typ? <o:=
p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">As described in the=
 JOSE specs that define them, &#8220;typ&#8221; is the type of the entire o=
bject, whereas &#8220;cty&#8221; is the type of the message contained in th=
e JWS or JWE.&nbsp; Both are now MIME type values.&nbsp; &#8220;cty&#8221; =
is used
 by JWTs in the specific way specified whereas &#8220;typ&#8221; can be use=
d as needed by applications using JWTs.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText">Section 5.3. Replicating Claims as Header Paramet=
ers<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">I am not sure why you would want to have encrypti=
on of the claims and then again include them in cleartext. That would defea=
t the purpose of encryption. Then, you could as well just provide them in c=
leartext (only signed, for example).
<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">Putting the sub value into the header does not se=
em to be a good idea since this may be personal data.<o:p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">This showed up in a=
 use case that Dick Hardt had, in which case he wanted to route the content=
s of the JWT to the recipient without being able to read the contents of th=
e JWT itself.&nbsp; In his case, there was
 an intermediary handling the JWT that did not have the decryption key.<o:p=
></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">It&#8217;s applicat=
ion-specific whether the audience is private information or not.<o:p></o:p>=
</span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText">Putting these fields into the header in general d=
oes not strike me as a good idea since you lose the ability to sign these =
values. They will be exposed to all security threats since they cannot be p=
rotected. Why not use a nested JWT
 instead? <o:p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">They are still inte=
grity-protected, because JWE uses only authenticated encryption.&nbsp; They=
 are protected from tampering or alteration.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText">The 'SHOULD' in this sentence particularly makes =
me nervous: &quot;If such replicated Claims are present, the application re=
ceiving them SHOULD verify that their values are identical.&quot; This esse=
ntially means that if you have protected claims
 and someone adds unprotected stuff into the header it may mean that an app=
lication would accept that. Not a good idea!<o:p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">Per the above, you =
can&#8217;t add stuff, because of the authenticated encryption used.<o:p></=
o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText">Section 6 Plaintext JWTs<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">Why do we want plaintext JWTs? I thought that the=
 threat analysis concluded that sending this stuff of information around wi=
thout any security protection is a bad idea.<o:p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">The JWT can either =
be cryptographically protected by a signature and/or encryption in the JWT =
itself or by signature and/or encryption of a data structure in which the J=
WT is conveyed.&nbsp; For instance, if it
 is returned from an OAuth Token Endpoint, it is integrity protected by the=
 channel&#8217;s use of TLS and so may not need to be signed and/or encrypt=
ed in some application contexts.&nbsp; OpenID Connect uses this capability =
in several places, for instance, as does Phil
 Hunt&#8217;s OAuth Authentication draft.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">Section 7. Rules for Creating and Validating a JW=
T<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">I am curious why this section is so extensive giv=
en that we are essentially just applying JWS and JWE here. Wouldn't a point=
er to the JWS/JWE spec be sufficient?
<o:p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">It&#8217;s longer b=
ecause the JWT adds two things:&nbsp; First, the contents can be either a J=
WS or JWE, and so there&#8217;s logic described for the slightly different =
actions taken in the two cases.&nbsp; Second, the JWT can
 be nested, so the logic for nesting and detecting nested JWTs is defined.&=
nbsp; It *<b>does</b>* just rely on JWS and JWE for the creation and verifi=
cation aspects of the JWS and JWE aspects of JWTs.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">That said, I did re=
move a step that was actually a pure duplication of a corresponding JWS/JWE=
 step.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoPlainText">Ciao<o:p></o:p></p>
<p class=3D"MsoPlainText">Hannes<o:p></o:p></p>
<p class=3D"MsoPlainText">_______________________________________________<o=
:p></o:p></p>
<p class=3D"MsoPlainText">OAuth mailing list<o:p></o:p></p>
<p class=3D"MsoPlainText">OAuth@ietf.org<o:p></o:p></p>
<p class=3D"MsoPlainText">https://www.ietf.org/mailman/listinfo/oauth<o:p><=
/o:p></p>
</div>
</body>
</html>

--_000_4E1F6AAD24975D4BA5B16804296739439A0A956ATK5EX14MBXC286r_--
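
Added example (not part of the original messages or of the JWT draft): Python code for the recipient-side rules discussed in this thread, namely rejecting duplicate claim names, treating "aud":"foo" and "aud":["foo"] as the same thing, rejecting a JWT whose "aud" is present but does not name the recipient, ignoring claims that are not understood, and comparing claims replicated in the header with the Claims Set. It assumes the JWS signature or JWE authenticated decryption has already been verified by a JOSE library; all function names, identifiers and sample values are hypothetical.

```python
import json


class JWTClaimsError(ValueError):
    """Raised when a JWT header or Claims Set must be rejected."""


def _reject_duplicates(pairs):
    # json.loads hands every (name, value) pair of an object to this hook,
    # so a repeated name is seen before a later value can overwrite it.
    members = {}
    for name, value in pairs:
        if name in members:
            raise JWTClaimsError(f"duplicate member name {name!r}")
        members[name] = value
    return members


def parse_object(text):
    """Parse a JWT header or Claims Set, rejecting duplicate member names."""
    try:
        obj = json.loads(text, object_pairs_hook=_reject_duplicates)
    except json.JSONDecodeError as exc:
        raise JWTClaimsError(f"not valid JSON: {exc}") from exc
    if not isinstance(obj, dict):
        raise JWTClaimsError("expected a JSON object")
    return obj


def audiences(claims):
    """Return "aud" as a list, or None when the claim is absent."""
    if "aud" not in claims:
        return None
    aud = claims["aud"]
    if isinstance(aud, str):  # "aud":"foo" means the same as "aud":["foo"]
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise JWTClaimsError('"aud" must be a string or an array of strings')


def check_replicated(header, claims, names=("iss", "sub", "aud")):
    """Reject when a claim replicated in the header differs from the Claims Set."""
    for name in names:
        if name in header and (name not in claims or header[name] != claims[name]):
            raise JWTClaimsError(f"replicated header claim {name!r} does not match")


def validate(header_json, claims_json, recipient,
             understood=("iss", "sub", "aud", "exp")):
    """Validate already-authenticated header and claims JSON; return usable claims."""
    header = parse_object(header_json)
    claims = parse_object(claims_json)
    check_replicated(header, claims)
    aud = audiences(claims)
    # "aud" is optional for the producer, but when it is present the recipient
    # must find itself in it (case-sensitive string comparison).
    if aud is not None and recipient not in aud:
        raise JWTClaimsError("recipient is not in the audience")
    # Claims that are not understood are ignored, not treated as errors.
    return {name: value for name, value in claims.items() if name in understood}


def rejected(header_json, claims_json, recipient):
    """Demo helper: True if validate() rejects the input."""
    try:
        validate(header_json, claims_json, recipient)
    except JWTClaimsError:
        return True
    return False


# Constructed sample inputs (not taken from the thread or the draft).
HEADER = '{"alg":"dir","enc":"A128GCM","iss":"https://issuer.example"}'
CLAIMS_STR = '{"iss":"https://issuer.example","aud":"https://rs.example","x-note":1}'
CLAIMS_ARR = '{"iss":"https://issuer.example","aud":["https://rs.example"],"x-note":1}'
CLAIMS_DUP = '{"iss":"https://issuer.example","iss":"https://other.example"}'

if __name__ == "__main__":
    print(validate(HEADER, CLAIMS_STR, "https://rs.example"))
    print(validate(HEADER, CLAIMS_ARR, "https://rs.example"))
    print(rejected(HEADER, CLAIMS_DUP, "https://rs.example"))        # duplicate "iss"
    print(rejected(HEADER, CLAIMS_STR, "https://other-rs.example"))  # wrong audience
```
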


From nobody Mon Mar  3 14:24:00 2014
Return-Path: <Michael.Jones@microsoft.com>
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] Next Steps for the JSON Web Token Document
Thread-Index: Ac6uLCi0s+NnkeGAQiKoedy9ftGvOApD9IKAF/o4MbA=
Date: Mon, 3 Mar 2014 22:23:09 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0A959A@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA3396C@USCHMBX001.nsn-intra.net> <CA+k3eCQgTiLCSiCUY6p0XXp14YKo4f=0Q8OAnvpr--T1RBwXYQ@mail.gmail.com>
In-Reply-To: <CA+k3eCQgTiLCSiCUY6p0XXp14YKo4f=0Q8OAnvpr--T1RBwXYQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0A959ATK5EX14MBXC286r_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/7Kjteux7c1-vnabyPSQXIx8TVrU
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Next Steps for the JSON Web Token Document

--_000_4E1F6AAD24975D4BA5B16804296739439A0A959ATK5EX14MBXC286r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Thanks for your useful comments, Brian.  See my replies inline.

                                                            -- Mike

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Friday, November 01, 2013 12:53 PM
To: Tschofenig, Hannes (NSN - FI/Espoo)
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Next Steps for the JSON Web Token Document

I just saw http://www.ietf.org/mail-archive/web/oauth/current/msg12218.html from Hannes noting reviews on draft-ietf-oauth-json-web-token and was surprised that mine wasn't included. So I went looking for it and apparently I didn't actually send it to the list. But I did find it and am including what I wrote and tried but failed to send back in September. Sorry about that.
And here it is:

Below are my review comments on the JSON Web Token Document that I (had forgotten until reminded by Hannes yesterday) committed to reviewing at the meeting in Berlin.

Review of draft-ietf-oauth-json-web-token-11:

* The sentence about the suggested pronunciation being 'jot' is in both the intro and the abstract. Seems like just once would be sufficient.

Yes, but some people start reading with the abstract and some start reading with the introduction.  I want them to read that whichever place they start.  So I didn't change this.

* Should "Base64url Encoding" in the Terminology section also mention the omission/prohibition of line wrapping?

Good catch.  I've added this, both here and in the JWS spec, which defines it for JOSE.

* References to sections or appendices in other documents often don't have the correct href value.  For example, "Base64url Encoding" in the Terminology section has this problem for Section 3.2, which should point to RFC 4648 and Appendix C, which should go to JWS but both refer to the local document. There are many other instances of the same issue. I assume this is due to some tool in the xml2rfc or I-D upload process (and I know I have it in some of the drafts I author) but is this the kind of thing that the RFC editor will take care of?

That's something the IETF post-processing tools are doing and getting wrong.  You'll notice that this problem doesn't exist in the HTML version that's directly generated by xml2rfc that's posted at http://self-issued.info/docs/draft-ietf-oauth-json-web-token-17.html, for instance.  So yes, this is in the RFC Editor domain.

* I continue to struggle to understand how the type and content type Header parameters and the type claim can or will be used in a meaningful and reliable way.  I can't help but wonder if it couldn't be simplified. For example, what if we only had the cty header and defined a cty value for a JWT Claims Set - couldn't all the same things be conveyed?


As described in the JOSE specs that define them, "typ" is the type of the entire object, whereas "cty" is the type of the message contained in the JWS or JWE.  Both are now MIME type values.  "cty" is used by JWTs in the specific way specified whereas "typ" can be used as needed by applications using JWTs.

* There are a number of the reserved claims that say the use of the claim is OPTIONAL while also stating that the "JWT MUST be rejected" if some condition about the claim doesn't hold. There seems to be some potential ambiguity here regarding whether (in the absence of tighter context-dependent requirements, which is what generalized JWT libraries need to be built for) the optionality applies only to the producer or also to the consumer of a JWT. My guess is that the claims are optional to include for the producer but, if they are present, they must be validated by the consumer and the JWT must be rejected if whatever condition isn't satisfied. Do I have that right? Regardless, I think there is some ambiguity as currently written that should be clarified.

Many of these have been revised since WGLC.  The only "MUST be rejected" remaining is for the audience claim, in which I've qualified the "MUST be rejected" with "if this claim is present" - clearing up this ambiguity.

Note that some of these comments relate to or even apply directly to JWS and JWE as well. Which I suppose underscores the point James made a while ago about progressing this document so far ahead of the JOSE drafts.

There was one comment - the one about base64url encoding - that also required a coordinated change in JWS, hence the publication of the -23 JOSE drafts.

On Tue, Sep 10, 2013 at 8:26 AM, Tschofenig, Hannes (NSN - FI/Espoo) <hannes.tschofenig@nsn.com> wrote:
Hi again,

I also checked the minutes from IETF#87 regarding the JWT and here are the action items:

** I issued a WGLC, as discussed during the meeting: http://www.ietf.org/mail-archive/web/oauth/current/msg11894.html

** We got some reviews from James, and Prateek. Thanks, guys!
Here are the reviews:
http://www.ietf.org/mail-archive/web/oauth/current/msg11905.html (James)
http://www.ietf.org/mail-archive/web/oauth/current/msg12003.html (Prateek)

During the meeting a few others, namely Torsten, Karen, Paul Hoffman, and Brian volunteered to provide their review comments. Please send your review to the list.

** I will have to do my shepherd write-up as well.

Ciao
Hannes



--_000_4E1F6AAD24975D4BA5B16804296739439A0A959ATK5EX14MBXC286r_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#0070C0">Thanks for your useful co=
mments, Brian.&nbsp; See my replies inline.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#0070C0"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#0070C0">&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Mike<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#0070C0"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot=
;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> oauth-bo=
unces@ietf.org [mailto:oauth-bounces@ietf.org]
<b>On Behalf Of </b>Brian Campbell<br>
<b>Sent:</b> Friday, November 01, 2013 12:53 PM<br>
<b>To:</b> Tschofenig, Hannes (NSN - FI/Espoo)<br>
<b>Cc:</b> oauth@ietf.org<br>
<b>Subject:</b> Re: [OAUTH-WG] Next Steps for the JSON Web Token Document<o=
:p></o:p></span></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">I just saw <a href=3D=
"http://www.ietf.org/mail-archive/web/oauth/current/msg12218.html">
http://www.ietf.org/mail-archive/web/oauth/current/msg12218.html</a> from H=
annes noting reviews on draft-ietf-oauth-json-web-token and was surprised t=
hat mine wasn't included. So I went looking for it and apparently I didn't =
actually send it to the list. But
 I did find it and am including what I wrote and tried but failed to send b=
ack in September. Sorry about that.<o:p></o:p></p>
</div>
<p class=3D"MsoNormal">And here it is:<o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><br>
Below are my review comments on the JSON Web Token Document that I (had for=
gotten until reminded by Hannes yesterday) committed to reviewing at the me=
eting in Berlin.<br>
<br>
Review of draft-ietf-oauth-json-web-token-11:<o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><br>
* The sentence about the suggested pronunciation being 'jot' is in both the=
 intro and the abstract. Seems like just once would be sufficient.<br>
<br>
<span style=3D"color:#0070C0"><o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#0070C0">Yes, but some people star=
t reading with the abstract and some start reading with the introduction.&n=
bsp; I want them to read that whichever place they start.&nbsp; So
 I didn&#8217;t change this.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#0070C0"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal">* Should &quot;Base64url Encoding&quot; in the Termi=
nology section also mention the omission/prohibition of line wrapping?<br>
<br>
<span style=3D"color:#0070C0"><o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#0070C0">Good catch.&nbsp; I&#8217=
;ve added this, both here and in the JWS spec, which defines it for JOSE.<o=
:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"color:#0070C0"><br>
</span>* References to sections or appendices in other documents often don'=
t have the correct href value.&nbsp; For example, &quot;Base64url Encoding&=
quot; in the Terminology section has this problem for Section 3.2, which sh=
ould point to RFC 4648 and Appendix C, which should
 go to JWS but both refer to the local document. There are many other insta=
nces of the same issue. I assume this is due to some tool in the xml2rfc or=
 I-D upload process (and I know I have it in some of the drafts I author) b=
ut is this the kind of thing that
 the RFC editor will take care of?<br>
<br>
<span style=3D"color:#1F497D"><o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#0070C0">That&#8217;s something th=
e IETF post-processing tools are doing and getting wrong.&nbsp; You&#8217;l=
l notice that this problem doesn&#8217;t exist in the HTML version that&#82=
17;s directly
 generated by xml2rfc that&#8217;s posted at </span><span style=3D"font-siz=
e:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F49=
7D"><a href=3D"http://self-issued.info/docs/draft-ietf-oauth-json-web-token=
-17.html">http://self-issued.info/docs/draft-ietf-oauth-json-web-token-17.h=
tml</a></span><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quo=
t;,&quot;sans-serif&quot;;color:#0070C0">,
 for instance.&nbsp; So yes, this is in the RFC Editor domain.<o:p></o:p></=
span></p>
<p class=3D"MsoNormal"><span style=3D"color:#0070C0"><br>
</span>* I continue to struggle to understand how the type and content type=
 Header parameters and the type claim can or will be used in a meaningful a=
nd reliable way.&nbsp; I can't help but wonder if it couldn't be simplified=
. For example. what if we only had the
 cty header and defined a cty value for a JWT Claims Set - couldn't all the=
 same things be conveyed?<br>
<br>
<span style=3D"color:#1F497D"><o:p></o:p></span></p>
<p class=3D"MsoPlainText"><span style=3D"color:#0070C0">As described in the=
 JOSE specs that define them, &#8220;typ&#8221; is the type of the entire o=
bject, whereas &#8220;cty&#8221; is the type of the message contained in th=
e JWS or JWE.&nbsp; Both are now MIME type values.&nbsp; &#8220;cty&#8221; =
is used
 by JWTs in the specific way specified whereas &#8220;typ&#8221; can be use=
d as needed by applications using JWTs.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><br>
* There are a number of the reserved claims that say the use of the claim i=
s OPTIONAL while also stating that the &quot;JWT MUST be rejected&quot; if =
some condition about the claim doesn't hold. There seems to be some potenti=
al ambiguity here regarding whether (in the
 absence of tighter context-dependent requirements, which is what generaliz=
ed JWT libraries need to be built for) the optionality applies only to the =
producer or also to the consumer of a JWT. My guess is that the claims are =
optional to include for the producer
 but, if they are present, they must be validated by the consumer and the J=
WT must be rejected if whatever condition isn't satisfied. Do I have that r=
ight? Regardless, I think there is some ambiguity as currently written that=
 should be clarified.<br>
<br>
<span style=3D"color:#1F497D"><o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#0070C0">Many of these have been r=
evised since WGLC.&nbsp; The only &#8220;MUST be rejected&#8221; remaining =
is for the audience claim, in which I&#8217;ve qualified the &#8220;MUST be=
 rejected&#8221;
 with &#8220;if this claim is present&#8221; &#8211; clearing up this ambig=
uity.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal">Note that some of these comments relate to or even a=
pply directly to JWS and JWE as well. Which I suppose underscores the point=
 James made a while ago about progressing this document so far ahead of the=
 JOSE drafts.<o:p></o:p></p>
<div>
<div id=3D":1ad">
</div>
</div>
</div>
<p class=3D"MsoNormal"><span style=3D"color:#0070C0">There was one comment =
&#8211; the one about base64url encoding &#8211; that also required a coord=
inated change in JWS, hence the publication of the -23 JOSE drafts.<o:p></o=
:p></span></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><span style=3D"color:=
#0070C0"><o:p>&nbsp;</o:p></span></p>
<div>
<p class=3D"MsoNormal">On Tue, Sep 10, 2013 at 8:26 AM, Tschofenig, Hannes =
(NSN - FI/Espoo) &lt;<a href=3D"mailto:hannes.tschofenig@nsn.com" target=3D=
"_blank">hannes.tschofenig@nsn.com</a>&gt; wrote:<o:p></o:p></p>
<p class=3D"MsoNormal">Hi again,<br>
<br>
I also checked the minutes from IETF#87 regarding the JWT and here are the =
action items:<br>
<br>
** I issued a WGLC, as discussed during the meeting: <a href=3D"http://www.=
ietf.org/mail-archive/web/oauth/current/msg11894.html" target=3D"_blank">
http://www.ietf.org/mail-archive/web/oauth/current/msg11894.html</a><br>
<br>
** We got some reviews from James, and Prateek. Thanks, guys!<br>
Here are the reviews:<br>
<a href=3D"http://www.ietf.org/mail-archive/web/oauth/current/msg11905.html=
" target=3D"_blank">http://www.ietf.org/mail-archive/web/oauth/current/msg1=
1905.html</a> (James)<br>
<a href=3D"http://www.ietf.org/mail-archive/web/oauth/current/msg12003.html=
" target=3D"_blank">http://www.ietf.org/mail-archive/web/oauth/current/msg1=
2003.html</a> (Prateek)<br>
<br>
&nbsp;During the meeting a few others, namely Torsten, Karen, Paul Hoffman,=
 and Brian volunteered to provide their review comments. Please send your r=
eview to the list.<br>
<br>
** I will have to do my shepherd write-up as well.<br>
<br>
Ciao<br>
Hannes<br>
<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">h=
ttps://www.ietf.org/mailman/listinfo/oauth</a><o:p></o:p></p>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</div>
</body>
</html>

--_000_4E1F6AAD24975D4BA5B16804296739439A0A959ATK5EX14MBXC286r_--


From nobody Mon Mar  3 14:28:16 2014
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58E461A0233 for <oauth@ietfa.amsl.com>; Mon,  3 Mar 2014 14:28:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level: 
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dX0JuzwiRP2Q for <oauth@ietfa.amsl.com>; Mon,  3 Mar 2014 14:28:11 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0239.outbound.protection.outlook.com [207.46.163.239]) by ietfa.amsl.com (Postfix) with ESMTP id 1987C1A01E8 for <oauth@ietf.org>; Mon,  3 Mar 2014 14:28:10 -0800 (PST)
Received: from BLUPR03CA035.namprd03.prod.outlook.com (10.141.30.28) by BLUPR03MB017.namprd03.prod.outlook.com (10.255.208.39) with Microsoft SMTP Server (TLS) id 15.0.888.9; Mon, 3 Mar 2014 22:28:06 +0000
Received: from BN1AFFO11FD041.protection.gbl (2a01:111:f400:7c10::192) by BLUPR03CA035.outlook.office365.com (2a01:111:e400:879::28) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:28:06 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD041.mail.protection.outlook.com (10.58.52.252) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:28:06 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.240]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.03.0174.002; Mon, 3 Mar 2014 22:27:37 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org WG" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-json-web-token-12
Thread-Index: AQHO1zhaddbyc4KU+UWJrMJ6EdGL+5rQsHvQ
Date: Mon, 3 Mar 2014 22:27:36 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0A9614@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <52740076.7050609@gmx.net>
In-Reply-To: <52740076.7050609@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.36]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-O365ENT-EOP-Header: Message processed by -  O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0139052FDB
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/fV-O7yHxVihXeCNAhdpza4bb8Dg
Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 22:28:14 -0000

Hi Hannes and WG,

I just did what you had asked - sending detailed replies to everyone who
had sent JWT WGLC comments.  I'd addressed most of the comments earlier but
discovered a few requested clarifications that I hadn't incorporated yet -
hence the -18 release just now.  As you can see from the diffs, the actual
changes are quite small.

Anyway, this was a useful step.  Thanks for pinging me about it.

				Cheers,
				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Friday, November 01, 2013 12:27 PM
To: oauth@ietf.org WG
Subject: [OAUTH-WG] draft-ietf-oauth-json-web-token-12

Hi Mike, Hi all,

I was just trying to find out whether version -12 of the JWT spec addresses
prior comments and the diff version of the document does not really give
that indication. To me it seems that version -12 of the document was
published to update -11 in an attempt to create an alignment with the JOSE
work.

I believe it would be useful to respond to the review comments so that we
can be sure that those had been taken into account (or that they had been
rejected for a good reason).

Here are the comments I have found:

* Review by James Manger:
http://www.ietf.org/mail-archive/web/oauth/current/msg11905.html

* Review by Mishra Prateek:
http://www.ietf.org/mail-archive/web/oauth/current/msg12003.html

* My own shepherd review:
http://www.ietf.org/mail-archive/web/oauth/current/msg12125.html

Ciao
Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


From nobody Tue Mar  4 04:36:15 2014
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E04571A0070 for <oauth@ietfa.amsl.com>; Tue,  4 Mar 2014 04:36:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.913
X-Spam-Level: 
X-Spam-Status: No, score=-2.913 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UALiKN2mrd2z for <oauth@ietfa.amsl.com>; Tue,  4 Mar 2014 04:36:09 -0800 (PST)
Received: from na3sys009aog105.obsmtp.com (na3sys009aog105.obsmtp.com [74.125.149.75]) by ietfa.amsl.com (Postfix) with ESMTP id E77DB1A0064 for <oauth@ietf.org>; Tue,  4 Mar 2014 04:36:08 -0800 (PST)
Received: from mail-ig0-f174.google.com ([209.85.213.174]) (using TLSv1) by na3sys009aob105.postini.com ([74.125.148.12]) with SMTP ID DSNKUxXItfO54qZNXGQSkJHOsShWATdBI1r3@postini.com; Tue, 04 Mar 2014 04:36:06 PST
Received: by mail-ig0-f174.google.com with SMTP id h18so10348648igc.1 for <oauth@ietf.org>; Tue, 04 Mar 2014 04:36:05 -0800 (PST)
X-Received: by 10.50.153.79 with SMTP id ve15mr3134400igb.40.1393936565518; Tue, 04 Mar 2014 04:36:05 -0800 (PST)
X-Received: by 10.50.153.79 with SMTP id ve15mr3134381igb.40.1393936565289; Tue, 04 Mar 2014 04:36:05 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.240.201 with HTTP; Tue, 4 Mar 2014 04:35:34 -0800 (PST)
In-Reply-To: <sjmzjl71jfd.fsf@mocana.ihtfp.org>
References: <sjmzjl71jfd.fsf@mocana.ihtfp.org>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 4 Mar 2014 12:35:34 +0000
Message-ID: <CA+k3eCRYe-HP06J5PrzvPqJ3Zx1pbJTnV2=+roru+rj0LJQd0A@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/mixed; boundary=089e01294672d0e5c904f3c72574
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qtmb3StqbzgTA_asrwRNS44YDkE
Subject: Re: [OAUTH-WG] OAUTH Presentation Slides
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 12:36:12 -0000

--089e01294672d0e5c904f3c72574
Content-Type: text/plain; charset=ISO-8859-1

So that they'll be in the email archives, my slides (both of them!)
from today on the assertion drafts are attached.

On Mon, Mar 3, 2014 at 1:49 PM, Derek Atkins <derek@ihtfp.com> wrote:
> Hi,
>
> If you have a slot to speak tomorrow and are using slides please make
> sure to send the slides to Hannes and I, preferably in PDF format.  This
> way I can upload them before the meeting tomorrow morning.
>
> Thanks!
>
> -derek
> --
>        Derek Atkins                 617-623-3745
>        derek@ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--089e01294672d0e5c904f3c72574
Content-Type: application/pdf; name="oauth-assertions-ietf89.pdf"
Content-Disposition: attachment; filename="oauth-assertions-ietf89.pdf"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_hsczgz2p0

--089e01294672d0e5c904f3c72574--


From nobody Tue Mar  4 07:41:23 2014
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43F621A0085 for <oauth@ietfa.amsl.com>; Tue,  4 Mar 2014 07:41:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.913
X-Spam-Level: 
X-Spam-Status: No, score=-2.913 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yyFeJbPtZzYD for <oauth@ietfa.amsl.com>; Tue,  4 Mar 2014 07:41:18 -0800 (PST)
Received: from na3sys009aog109.obsmtp.com (na3sys009aog109.obsmtp.com [74.125.149.201]) by ietfa.amsl.com (Postfix) with ESMTP id E86251A005E for <oauth@ietf.org>; Tue,  4 Mar 2014 07:41:17 -0800 (PST)
Received: from mail-ie0-f169.google.com ([209.85.223.169]) (using TLSv1) by na3sys009aob109.postini.com ([74.125.148.12]) with SMTP ID DSNKUxX0GnmFfiF3simIQPguxwvXjdtbfT3X@postini.com; Tue, 04 Mar 2014 07:41:15 PST
Received: by mail-ie0-f169.google.com with SMTP id to1so1513198ieb.14 for <oauth@ietf.org>; Tue, 04 Mar 2014 07:41:14 -0800 (PST)
X-Received: by 10.50.182.170 with SMTP id ef10mr4066534igc.9.1393947674406; Tue, 04 Mar 2014 07:41:14 -0800 (PST)
X-Received: by 10.50.182.170 with SMTP id ef10mr4066518igc.9.1393947674195; Tue, 04 Mar 2014 07:41:14 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.240.201 with HTTP; Tue, 4 Mar 2014 07:40:44 -0800 (PST)
In-Reply-To: <CAExnpZB_Wd4jvC9vvu2VbrtdzvRRTdZv54sLYGt9CTJeVR_RAQ@mail.gmail.com>
References: <CAExnpZB_Wd4jvC9vvu2VbrtdzvRRTdZv54sLYGt9CTJeVR_RAQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 4 Mar 2014 15:40:44 +0000
Message-ID: <CA+k3eCRonrF5X6ApbpfzRmvtQU9b4BnbZHKBgyDYPY+h0H5tdw@mail.gmail.com>
To: Jared Hanson <jaredhanson@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/kj8qcFAcX6UI9UJSc8iMMKfHcRc
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Correct use of jku claims in JWT/JWS bearer assertions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 15:41:21 -0000

I might be suffering from a touch of confirmation bias but I think
this underscores what I was trying to say near the end of the JOSE
session in Vancouver during the "key finding algorithm" discussion.
Namely that finding a key is not the same as trusting a key and that
I'm concerned that explaining how to find a key might lead to
implementations that blindly trust whatever key is found.

Looking again at the drafts, I found some guidance/precautionary text
in JWS and JWT (there might be more I missed), which I've copied with
references below. I think that's all there is and I don't know if it's
really sufficient. Nor do I know if either WG could agree on saying
much more specific. That's probably not exactly what you were looking
for, Jared, but was what I could dig up. Maybe some more discussion
will be catalyzed.

The newish Notes on Key Selection appendix in JWS [0]  has this cautionary text:

   4.  Make trust decisions about the keys.  Signatures made with keys
       not meeting the application's trust criteria would not be
       accepted.  Such criteria might include, but is not limited to the
       source of the key, whether the TLS certificate validates for keys
       retrieved from URLs, whether a key in an X.509 certificate is
       backed by a valid certificate chain, and other information known
       by the application.


And the last paragraph of the Security Considerations in JWT [1],
which I think was just recently added in -18, also has some words of
caution:

   "The contents of a JWT cannot be relied upon in a trust decision
   unless its contents have been cryptographically secured and bound to
   the context necessary for the trust decision.  In particular, the
   key(s) used to sign and/or encrypt the JWT will typically need to
   verifiably be under the control of the party identified as the issuer
   of the JWT."


[0] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-23#appendix-D
[1] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18#section-11

On Wed, Feb 12, 2014 at 6:26 PM, Jared Hanson <jaredhanson@gmail.com> wrote:
> I'm wondering if there is any guidance on including "jku", "jwk", "x5u", and
> "x5c"
> claims in a JWT/JWS used as a bearer assertion for authentication.
>
> Specifically, in the case of service-to-service authentication, where the
> "iss" is
> set to the service acting as a client, say "https://client.example.net/"
> making a
> request to "https://api.example.com/", and the assertion is signed using
> client.example.net's private key.
>
> In this situation, api.example.com authenticates the assertion by finding
> the
> corresponding public key (possibly in a JWK set, the location of which can
> be
> obtained by something like OpenID Provider Configuration [1]).
>
> It is clear that any claims in the assertion are self-asserted until
> validated,
> including both the "iss" and any keys or URLs to keys.  Thus, when a service
> validates the assertion, it *must not* use the values of "jku", etc to
> validate
> the signature.  Instead it should use some trusted channel to obtain the
> keys
> directly from the issuer.
>
> If this were not done, a malicious entity could freely generate assertions
> claiming to be client.example.net, using any private key and including a
> malicious
> reference to its own public key using a "jku" set to
> "https://malicious.com/jwks.json"
>
> This security consideration is not called out anywhere that I've noticed,
> which
> I've seen leading to insecure implementations and/or bad examples.  For
> example,
> this example on Gluu's wiki: http://ox.gluu.org/doku.php?id=oxauth:jwt is
> blindly
> using the value of "jku" to fetch the key used to validate the signature,
> without
> any way to validate that the URL itself belongs to the issuer.
>
> I'm raising this point hoping that guidance can be clarified and included in
> the
> specification.
>
> Thanks,
> Jared Hanson
>
> PS. I separately sent this same message to the JOSE list, and later figured
> it was equally relevant to OAuth, if not more so.
>
> [1] http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
>
> --
> Jared Hanson <http://jaredhanson.net/>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
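
[Added example, not part of the original messages or of the JWS/JWT drafts.]
The difference between finding a key and trusting it, for the forged assertion
Jared describes: one verifier follows the token's own "jku", the other uses only
keys it registered for the issuer out of band. The jwks.json path for
client.example.net, the WEB dict standing in for HTTPS fetches, REGISTRY and all
helper names are assumptions; the pure-Python RS256 is demo-grade so it runs offline.

```python
import base64, hashlib, hmac, json, secrets

# Demo-grade RS256 in pure Python so this runs offline; real code uses a vetted library.
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n, rounds=24):
    """Miller-Rabin; callers only pass large odd candidates."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1   # top two bits set, odd
        if is_probable_prime(c):
            return c

def gen_rsa_key(bits=1024, e=65537):
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:                          # e is prime, so gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def emsa_pkcs1_v15(msg, k):
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, key):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    return (len(sig) == k and s < n and
            hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), emsa_pkcs1_v15(msg, k)))

def public_jwk(key):
    raw = lambda v: b64u(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "n": raw(key["n"]), "e": raw(key["e"])}

def make_jws(header, claims, key):
    signing_input = ".".join(b64u(json.dumps(part).encode()) for part in (header, claims))
    return signing_input + "." + b64u(rs256_sign(signing_input.encode(), key))

def parse_jws(token):
    h, p, s = token.split(".")
    return json.loads(b64u_dec(h)), json.loads(b64u_dec(p)), f"{h}.{p}".encode(), b64u_dec(s)

def signature_ok(header, signing_input, sig, jwks):
    as_int = lambda v: int.from_bytes(b64u_dec(v), "big")
    return header.get("alg") == "RS256" and any(      # the token never picks the algorithm
        rs256_verify(signing_input, sig, as_int(k["n"]), as_int(k["e"])) for k in jwks["keys"])

def verify_trusting_jku(token, fetch):
    """VULNERABLE: the key is found through the token's own "jku" and trusted as found."""
    header, claims, signing_input, sig = parse_jws(token)
    jwks = fetch(header.get("jku")) or {"keys": []}
    return claims if signature_ok(header, signing_input, sig, jwks) else None

def verify_with_registered_keys(token, registry):
    """Hardened: "jku"/"jwk"/"x5u"/"x5c" are ignored; keys come from the verifier's registry."""
    header, claims, signing_input, sig = parse_jws(token)
    jwks = registry.get(claims.get("iss"))   # unverified "iss" only selects a registry entry
    ok = jwks is not None and signature_ok(header, signing_input, sig, jwks)
    return claims if ok else None

# Constructed scenario using the hosts named in the thread; WEB stands in for HTTPS GETs.
CLIENT = "https://client.example.net/"
CLIENT_KEY, ATTACKER_KEY = gen_rsa_key(), gen_rsa_key()
WEB = {"https://client.example.net/jwks.json": {"keys": [public_jwk(CLIENT_KEY)]},
       "https://malicious.com/jwks.json": {"keys": [public_jwk(ATTACKER_KEY)]}}
REGISTRY = {CLIENT: WEB["https://client.example.net/jwks.json"]}   # set up out of band
CLAIMS = {"iss": CLIENT, "sub": CLIENT, "aud": "https://api.example.com/"}
GENUINE = make_jws({"alg": "RS256"}, CLAIMS, CLIENT_KEY)
FORGED = make_jws({"alg": "RS256", "jku": "https://malicious.com/jwks.json"},
                  CLAIMS, ATTACKER_KEY)

if __name__ == "__main__":
    print("jku-trusting verifier accepts forgery:", verify_trusting_jku(FORGED, WEB.get) is not None)
    print("registry verifier accepts forgery:   ", verify_with_registered_keys(FORGED, REGISTRY) is not None)
```

The forged assertion carries a valid signature in both cases; only the source of the verification key differs.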


From nobody Tue Mar  4 08:23:29 2014
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 700E41A01C5; Tue,  4 Mar 2014 08:23:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08e8HBMdvrGw; Tue,  4 Mar 2014 08:23:13 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0205.outbound.protection.outlook.com [207.46.163.205]) by ietfa.amsl.com (Postfix) with ESMTP id 8F6B61A00F5; Tue,  4 Mar 2014 08:23:12 -0800 (PST)
Received: from BY2PR03CA029.namprd03.prod.outlook.com (10.242.234.150) by BY2PR03MB126.namprd03.prod.outlook.com (10.242.36.21) with Microsoft SMTP Server (TLS) id 15.0.888.9; Tue, 4 Mar 2014 16:23:07 +0000
Received: from BY2FFO11FD049.protection.gbl (2a01:111:f400:7c0c::135) by BY2PR03CA029.outlook.office365.com (2a01:111:e400:2c2c::22) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Tue, 4 Mar 2014 16:23:07 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD049.mail.protection.outlook.com (10.1.15.186) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Tue, 4 Mar 2014 16:23:07 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.240]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.03.0174.002; Tue, 4 Mar 2014 16:22:34 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, Jared Hanson <jaredhanson@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [OAUTH-WG] Correct use of jku claims in JWT/JWS bearer assertions
Thread-Index: Ac83xfPOqOa+UrzkRZqei9l+wTZyJQ==
Date: Tue, 4 Mar 2014 16:22:34 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0B00C9@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.35]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0B00C9TK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-O365ENT-EOP-Header: Message processed by -  O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 01401330D1
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/thqxFwhuBOv_4NttY1HO9OIlXbA
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Correct use of jku claims in JWT/JWS bearer assertions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 16:23:21 -0000

--_000_4E1F6AAD24975D4BA5B16804296739439A0B00C9TK5EX14MBXC286r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

To this, I'll add that the OpenID Connect ID Token specification at
http://openid.net/specs/openid-connect-core-1_0.html#IDToken adds this,
prohibiting the use of header parameters to communicate the keys:

ID Tokens SHOULD NOT use the JWS or JWE x5u, x5c, jku, or jwk header
parameter fields. Instead, references to keys used are communicated in
advance using Discovery and Registration parameters, per Section 10
(Signatures and Encryption)<http://openid.net/specs/openid-connect-core-1_0.html#SigEnc>.



This is for exactly the reasons described in this thread.



                                                            -- Mike



-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Tuesday, March 04, 2014 7:41 AM
To: Jared Hanson; jose@ietf.org
Cc: oauth
Subject: Re: [OAUTH-WG] Correct use of jku claims in JWT/JWS bearer assertions

I might be suffering from a touch of confirmation bias but I think this
underscores what I was trying to say near the end of the JOSE session in
Vancouver during the "key finding algorithm" discussion.

Namely that finding a key is not the same as trusting a key and that I'm
concerned that explaining how to find a key might lead to implementations
that blindly trust whatever key is found.

Looking again at the drafts, I found some guidance/precautionary text in
JWS and JWT (there might be more I missed), which I've copied with
references below. I think that's all there is and I don't know if it's
really sufficient. Nor do I know if either WG could agree on saying much
more specific. That's probably not exactly what you were looking for,
Jared, but was what I could dig up. Maybe some more discussion will be
catalyzed.

The newish Notes on Key Selection appendix in JWS [0] has this cautionary
text:

   4.  Make trust decisions about the keys.  Signatures made with keys
       not meeting the application's trust criteria would not be
       accepted.  Such criteria might include, but is not limited to the
       source of the key, whether the TLS certificate validates for keys
       retrieved from URLs, whether a key in an X.509 certificate is
       backed by a valid certificate chain, and other information known
       by the application.

And the last paragraph of the Security Considerations in JWT [1], which I
think was just recently added in -18, also has some words of caution:

   "The contents of a JWT cannot be relied upon in a trust decision
   unless its contents have been cryptographically secured and bound to
   the context necessary for the trust decision.  In particular, the
   key(s) used to sign and/or encrypt the JWT will typically need to
   verifiably be under the control of the party identified as the issuer
   of the JWT."

[0] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-23#appendix-D
[1] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18#section-11


On Wed, Feb 12, 2014 at 6:26 PM, Jared Hanson <jaredhanson@gmail.com> wrote:
> I'm wondering if there is any guidance on including "jku", "jwk",
> "x5u", and "x5c" claims in a JWT/JWS used as a bearer assertion for
> authentication.
>
> Specifically, in the case of service-to-service authentication, where
> the "iss" is set to the service acting as a client, say
> "https://client.example.net/" making a request to
> "https://api.example.com/", and the assertion is signed
> using client.example.net's private key.
>
> In this situation, api.example.com authenticates the assertion by
> finding the corresponding public key (possibly in a JWK set, the
> location of which can be obtained by something like OpenID Provider
> Configuration [1]).
>
> It is clear that any claims in the assertion are self-asserted until
> validated, including both the "iss" and any keys or URLs to keys.
> Thus, when a service validates the assertion, it *must not* use the
> values of "jku", etc to validate the signature.  Instead it should use
> some trusted channel to obtain the keys directly from the issuer.
>
> If this were not done, a malicious entity could freely generate
> assertions claiming to be client.example.net, using any private key
> and including a malicious reference to its own public key using a
> "jku" set to "https://malicious.com/jwks.json"
>
> This security consideration is not called out anywhere that I've
> noticed, which I've seen leading to insecure implementations and/or
> bad examples.  For example, this example on Gluu's wiki:
> http://ox.gluu.org/doku.php?id=oxauth:jwt is blindly using the value
> of "jku" to fetch the key used to validate the signature, without any
> way to validate that the URL itself belongs to the issuer.
>
> I'm raising this point hoping that guidance can be clarified and
> included in the specification.
>
> Thanks,
> Jared Hanson
>
> PS. I separately sent this same message to the JOSE list, and later
> figured it was equally relevant to OAuth, if not more so.
>
> [1]
> http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
>
> --
> Jared Hanson <http://jaredhanson.net/>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--_000_4E1F6AAD24975D4BA5B16804296739439A0B00C9TK5EX14MBXC286r_--
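
The distinction this thread draws between finding a key and trusting a key, as an added example (not code from any of the posters or from the specifications they quote). It assumes Node.js, ES256 assertions, a hypothetical `REGISTERED_KEYS` table filled in out of band, and a `FAKE_WEB` map standing in for HTTPS fetches; all keys and tokens are constructed at run time.

```javascript
'use strict';
const crypto = require('crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Constructed key pairs: the legitimate client and an impostor.
const clientKeys = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const impostorKeys = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const asJwk = (publicKey, kid) => ({ ...publicKey.export({ format: 'jwk' }), kid });

// Hypothetical registry: issuer -> keys obtained in advance over a trusted
// channel (registration or discovery), never from the assertion itself.
const REGISTERED_KEYS = new Map([
  ['https://client.example.net/', [asJwk(clientKeys.publicKey, 'client-2014')]],
]);

// Stand-in for HTTPS fetches so the example runs offline (constructed content).
const FAKE_WEB = new Map([
  ['https://malicious.com/jwks.json',
    { keys: [asJwk(impostorKeys.publicKey, 'client-2014')] }],
]);

// Builds a compact JWS (ES256) for the constructed samples below.
function sign(header, claims, privateKey) {
  const input = `${enc(header)}.${enc(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

function signatureMatches(token, jwk) {
  const [h, p, s] = token.split('.');
  const { kid, ...material } = jwk; // kid is metadata, not key material
  const key = crypto.createPublicKey({ key: material, format: 'jwk' });
  return crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
}

// Insecure pattern the thread warns about: the key comes from wherever the
// (still unverified) header says, so the signer chooses its own verifier key.
function verifyTrustingJku(token) {
  const [h, p] = token.split('.');
  const jwks = FAKE_WEB.get(dec(h).jku);
  if (!jwks) return { ok: false, reason: 'jku not reachable' };
  return jwks.keys.some((jwk) => signatureMatches(token, jwk))
    ? { ok: true, iss: dec(p).iss }
    : { ok: false, reason: 'bad signature' };
}

// Hardened pattern: "iss" is only an index into our own table, and the
// jku/jwk/x5u/x5c header parameters are never consulted for key material.
// Checks on "aud", "exp" and other claims are outside this example.
function verifyWithRegisteredKeys(token, registry = REGISTERED_KEYS) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = dec(parts[0]);
    claims = dec(parts[1]);
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  if (header.alg !== 'ES256') return { ok: false, reason: 'unexpected alg' };
  const candidates = (registry.get(claims.iss) || [])
    .filter((jwk) => header.kid === undefined || jwk.kid === header.kid);
  if (candidates.length === 0) {
    return { ok: false, reason: 'no registered key for issuer' };
  }
  if (!candidates.some((jwk) => signatureMatches(token, jwk))) {
    return { ok: false, reason: 'bad signature' };
  }
  const ignored = ['jku', 'jwk', 'x5u', 'x5c'].filter((name) => name in header);
  return { ok: true, iss: claims.iss, ignoredHeaderParams: ignored };
}

// Constructed samples: same claims, different signers.
const claims = { iss: 'https://client.example.net/', aud: 'https://api.example.com/' };
const genuine = sign({ alg: 'ES256', kid: 'client-2014' }, claims, clientKeys.privateKey);
const forged = sign(
  { alg: 'ES256', kid: 'client-2014', jku: 'https://malicious.com/jwks.json' },
  claims, impostorKeys.privateKey);

console.log('jku-trusting verifier, forged :', verifyTrustingJku(forged));
console.log('registry verifier, forged     :', verifyWithRegisteredKeys(forged));
console.log('registry verifier, genuine    :', verifyWithRegisteredKeys(genuine));
```
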


From nobody Tue Mar  4 08:56:41 2014
Return-Path: <bburke@redhat.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D97F31A01A8 for <oauth@ietfa.amsl.com>; Tue,  4 Mar 2014 08:56:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.449
X-Spam-Level: 
X-Spam-Status: No, score=-7.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3nOWTGHFiNZt for <oauth@ietfa.amsl.com>; Tue,  4 Mar 2014 08:56:35 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id 6D5E21A00BB for <oauth@ietf.org>; Tue,  4 Mar 2014 08:56:35 -0800 (PST)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s24GuVjF006024 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Tue, 4 Mar 2014 11:56:31 -0500
Received: from [10.10.49.213] (vpn-49-213.rdu2.redhat.com [10.10.49.213]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s24GqNSV009193 for <oauth@ietf.org>; Tue, 4 Mar 2014 11:52:24 -0500
Message-ID: <531604CC.5020409@redhat.com>
Date: Tue, 04 Mar 2014 11:52:28 -0500
From: Bill Burke <bburke@redhat.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: oauth <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/csZyrtmXspClyHhMdrFtVVnwUA4
Subject: [OAUTH-WG] can public clients be as safe in Auth Code Grants?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 16:56:38 -0000

Section 3.2.1 talks about the need for and benefits of confidential 
clients.  For Auth Code Grants, can't public clients be as safe as 
confidential clients if:

* HTTPS is being used for all communication
* Valid redirect_uri patterns are registered at the Auth Server for the 
public clients
* Auth server validates the client's redirect_uri when processing an
Authorization Request.  The browser would ensure you are redirecting to
a valid domain.
* "state" parameter is validated by the client from the Authorization
Response.
* Client sends its "client_id" and "redirect_uri" when making an Access
Token Request
* Auth server revalidates "client_id", "redirect_uri" to data used to 
create the Auth Code.


Nobody could fake being the public client because an auth code could 
only be sent to the registered redirect URLs of the public client.

As for the statement that it might be easier to change client
credentials than to revoke refresh tokens, couldn't this also be
mitigated if the Auth Server supported setting a revocation policy for
the client?

Thanks in advance.

Bill

p.s. FYI, maybe I did something wrong, but I couldn't seem to get
anything posted on the Google Group for OAuth.  Hope it's ok to post
these kinds of questions here.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
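
The checks listed in the message above, written out as an added example (not code from the poster or from any OAuth implementation). The client id, redirect URI, exact-match comparison and 60-second code lifetime are assumptions; `invalid_grant` is the RFC 6749 token-endpoint error, the other error strings are descriptive only.

```javascript
'use strict';
const crypto = require('crypto');

// Hypothetical registration data: a public client (no secret) with the exact
// redirect URIs it registered at the authorization server.
const CLIENTS = new Map([
  ['public-app', { redirectUris: ['https://app.example.org/cb'] }],
]);
const CODE_TTL_MS = 60000; // assumed lifetime of an authorization code
const issuedCodes = new Map(); // code -> data it was created with

// Authorization endpoint: refuse, without redirecting, unless the
// redirect_uri is one the client registered.
function authorize(clientId, redirectUri, state, now = Date.now()) {
  const client = CLIENTS.get(clientId);
  if (!client) return { error: 'unknown client, do not redirect' };
  if (!client.redirectUris.includes(redirectUri)) {
    return { error: 'unregistered redirect_uri, do not redirect' };
  }
  const code = crypto.randomBytes(32).toString('base64url');
  issuedCodes.set(code, { clientId, redirectUri, expires: now + CODE_TTL_MS });
  return { redirectTo: `${redirectUri}?code=${code}&state=${encodeURIComponent(state)}` };
}

// Client side: accept the authorization response only if "state" is the
// value this client sent with its own request.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('state') !== expectedState) return { error: 'state mismatch' };
  return { code: params.get('code') };
}

// Token endpoint: the code is single use and must be presented with the same
// client_id and redirect_uri that were recorded when it was created.
function redeem(code, clientId, redirectUri, now = Date.now()) {
  const grant = issuedCodes.get(code);
  issuedCodes.delete(code); // burn the code whatever the outcome
  if (!grant || now > grant.expires) return { error: 'invalid_grant' };
  if (grant.clientId !== clientId || grant.redirectUri !== redirectUri) {
    return { error: 'invalid_grant' };
  }
  return {
    access_token: crypto.randomBytes(32).toString('base64url'),
    token_type: 'Bearer',
  };
}

// Constructed walk-through of one successful exchange.
function demo() {
  const sent = authorize('public-app', 'https://app.example.org/cb', 'xyz');
  const { code } = readCallback(sent.redirectTo, 'xyz');
  return redeem(code, 'public-app', 'https://app.example.org/cb');
}
console.log(demo().token_type);
```
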


From nobody Tue Mar  4 09:18:50 2014
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 923351A026B for <oauth@ietfa.amsl.com>; Tue,  4 Mar 2014 09:18:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.746
X-Spam-Level: 
X-Spam-Status: No, score=-4.746 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6XCcHYjxNQdB for <oauth@ietfa.amsl.com>; Tue,  4 Mar 2014 09:18:30 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 52E3E1A0264 for <oauth@ietf.org>; Tue,  4 Mar 2014 09:18:30 -0800 (PST)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s24HIQ63030862 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Tue, 4 Mar 2014 17:18:27 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s24HIPY9007674 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <oauth@ietf.org>; Tue, 4 Mar 2014 17:18:26 GMT
Received: from abhmp0005.oracle.com (abhmp0005.oracle.com [141.146.116.11]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s24HIPib001623 for <oauth@ietf.org>; Tue, 4 Mar 2014 17:18:25 GMT
Received: from dhcp-hotel-wifi-156-0b.meeting.ietf.org (/130.129.156.11) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 04 Mar 2014 09:18:25 -0800
From: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E9A2FFC7-3A38-415C-9892-F26BB5B27447"
Message-Id: <629DE80D-5682-4DF3-9626-8150E74BBB76@oracle.com>
Date: Tue, 4 Mar 2014 17:18:19 +0000
To: "oauth@ietf.org list" <oauth@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
X-Mailer: Apple Mail (2.1510)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/NxiC-sIDuCT1RRRwsUvsGHFgwIE
Subject: [OAUTH-WG] Thoughts from this mornings dyn reg discussion
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 17:18:39 -0000

--Apple-Mail=_E9A2FFC7-3A38-415C-9892-F26BB5B27447
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Keeping the conversation from this morning going…

This morning I raised the issue that it is not clear to me as to why a
client would need to "manage" its registration (note: I think this
analysis applies equally to both the management draft and the earlier
SCIM profile I published). What would drive the need for a management API
would have to come from some lifecycle event in the client software:

1.  A new client registers for the very first time (no pre-existing
    client_id)
2.  A client, having registered before, is updated in some way (e.g. has
    a new software statement) where some of its registration information
    has changed. How can the client notify the server of the change
    without losing current authorizations (to maintain user-experience)
3.  A client wants (e.g. because of administrative re-configuration?)
    to change its registration information
4.  A client needs to "rotate" its client credential (client_secret,
    nego new key etc)
5.  A client wishes to de-register
6.  A resource server changes its policies. E.g. requiring the client to
    get a new credential type
7.  Others?  e.g. meta data change because of a change in language by
    the user?

My view is that most cases can be handled by what is already in the core
dyn reg draft (maybe with some explanation). Even when a client updates
frequently (as Justin mentions), it does not seem like they would change
their metadata between software updates.  The only case I can think of
is web clients which may be re-configured. But wouldn't they be handled
through OOB administration rather than use dyn reg?

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com


--Apple-Mail=_E9A2FFC7-3A38-415C-9892-F26BB5B27447
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=windows-1252

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; =
">Keeping the conversation from this morning =
going=85<div><br></div><div>This morning I raised the issue that it is =
not clear to my as to why a client would need to "manage" its =
registration (note: I think this analysis applies equally to both the =
the management draft and the earlier SCIM profile I published). What =
would drive need for a management API would have to come from some =
lifecycle event in the client software:</div><div><br></div><div>1. =
&nbsp;A new client registers for the very first time (no pre-existing =
client_id)</div><div>2. &nbsp;A client, having registered before is =
updated in some way (e.g. has a new software statement) where some of =
its registration information has changed. How can the client notify the =
server &nbsp;of the change without loosing current authorizations (to =
maintain user-experience)</div><div>3. &nbsp;A client, wants (e.g. =
because of administrative re-configuration?) to change its registration =
information</div><div>4. &nbsp;A client needs to "rotate" its client =
credential (client_secret, nego new key etc)</div><div>5. &nbsp;A client =
wishes to de-register</div><div>6. &nbsp;A resource server changes its =
policies. Eg. requiring the client to get a new credential =
type</div><div>7. &nbsp;Others? &nbsp;e.g. meta data change because of a =
change in language by the user?</div><div><br></div><div>My view is that =
most cases can be handled by what is already in the core dyn reg draft =
(maybe with some explanation). Even when a client updates frequently (as =
Justin mentions), it does not seem like they would change their metadata =
between software updates. &nbsp;The only case I can think of is web =
clients which may be re-configured. But wouldn't they be handled through =
OOB administration rather than use dyn =
reg?</div><div><br></div><div>Phil</div><div><br></div><div>@independentid=
</div><div><a href=3D"http://www.independentid.com">www.independentid.com=
</a></div><div><a href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com=
</a></div></body></html>=

--Apple-Mail=_E9A2FFC7-3A38-415C-9892-F26BB5B27447--


From nobody Tue Mar  4 10:05:13 2014
Message-ID: <531615C8.6070805@gmx.net>
Date: Tue, 04 Mar 2014 19:04:56 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: oauth@ietf.org
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="knvHHEwUKrE7cVIxlu83fX8dEQRfmAgIX"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/eGtrli04kXHPQjKeSZcGxRnpeO4
Subject: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--knvHHEwUKrE7cVIxlu83fX8dEQRfmAgIX
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi all,

at today's OAuth meeting I suggested to get together during the week to
continue our conversation about draft-ietf-oauth-dyn-reg-management-00,
which dominated our conversation at the meeting today.

I would suggest to get together on **Thursday, at 11:30** (for lunch) at
the IETF registration desk.

Objections?*

Ciao
Hannes

PS: I know that your schedule during the IETF meeting is quite full ...


--knvHHEwUKrE7cVIxlu83fX8dEQRfmAgIX--


From nobody Tue Mar  4 10:06:25 2014
Message-ID: <53161606.9000404@gmx.net>
Date: Tue, 04 Mar 2014 19:05:58 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <53160654.3030708@gmx.net>
In-Reply-To: <53160654.3030708@gmx.net>
X-Enigmail-Version: 1.5.2
X-Forwarded-Message-Id: <53160654.3030708@gmx.net>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="9L572VGHvloP7uaa3arsjmaPNtewaXn2G"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Vn7_g0kW1qcT1PFN8DJgL2_CQq4
Subject: [OAUTH-WG] Fwd: IETF#89 OAuth Meeting Summary

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--9L572VGHvloP7uaa3arsjmaPNtewaXn2G
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

FYI: Here is the summary I sent to the SAAG list.


-------- Original Message --------
Subject: IETF#89 OAuth Meeting Summary
Date: Tue, 04 Mar 2014 17:59:00 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: saag@ietf.org

This morning we had our OAuth working group meeting and here is a short
summary of the discussion.

* JSON Web Token (JWT)

Mike Jones, specification editor, has updated the specification to
incorporate the remaining WGLC review comments. The reviewers will have
to check whether their feedback has been addressed appropriately.
The document is then ready to be forwarded to the IESG for publication
but the completion will depend on the finalization of the work in the
JOSE WG.

The chairs will work on the shepherd write-up.

* Assertions

The group worked on the use of assertions for client authentication as
well as an authorization grant type. The work is documented in three
specifications (draft-ietf-oauth-assertions-14,
draft-ietf-oauth-jwt-bearer-07, and draft-ietf-oauth-saml2-bearer-18).

The assertion framework and the SAML bearer specification are completed
and waiting for a publication request by the chairs.

During the meeting we decided to put the third document,
draft-ietf-oauth-jwt-bearer-07, forward to the IESG at the same time as
the other two documents for easier readability. Since
draft-ietf-oauth-jwt-bearer-07 depends on the completion of the JWT
specification, and that furthermore depends on the work in the JOSE WG
to complete, there might be a little bit of delay.

* Dynamic Client Registration

A large part of the time was used to discuss this topic. There are
currently three documents:
 - Core: draft-ietf-oauth-dyn-reg-16
 - Meta-data: draft-ietf-oauth-dyn-reg-metadata-00
 - Management: draft-ietf-oauth-dyn-reg-management-00

The core and meta-data were seen as rather uncontroversial but these two
documents will require reviews and several persons volunteered.

The management specification, however, raised questions. Concerns were
raised about the maturity of the work and suggestions were to add text
to the draft to highlight that it is only one possible solution.
Changing the document to an Informational or Experimental document was
also suggested. The chairs will schedule an informal discussion during
this IETF week to get a better understanding of the software development
lifecycle and the associated requirements for management of credentials
and configuration parameters.

* Security

The chairs presented a summary of the current state of the work for
developing mechanisms that provide security properties beyond bearer
tokens. The bearer token concept is described in RFC 6750. Currently,
the solutions are documented in draft-ietf-oauth-v2-http-mac-05, and
draft-tschofenig-oauth-hotk-03.

Based on a discussion last Sunday morning the existing documents will be
re-structured and the f2f meeting was used to solicit feedback. We hope
to have text within the next few weeks so that those who are deploying
solutions already today can be involved in the work.

A charter and a milestone update will be necessary to accommodate for
the document split.






--9L572VGHvloP7uaa3arsjmaPNtewaXn2G--


From nobody Tue Mar  4 10:13:35 2014
References: <531615C8.6070805@gmx.net>
Mime-Version: 1.0 (1.0)
In-Reply-To: <531615C8.6070805@gmx.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <014E4428-C5CA-4839-9EDD-9D8B6DC626F3@oracle.com>
X-Mailer: iPhone Mail (11B651)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Tue, 4 Mar 2014 18:13:13 +0000
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/z622jXoSR5RAysSxHMgNB8yxrx4
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work

WFM

Phil

> On Mar 4, 2014, at 18:04, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
> Hi all,
>
> at today's OAuth meeting I suggested to get together during the week to
> continue our conversation about draft-ietf-oauth-dyn-reg-management-00,
> which dominated our conversation at the meeting today.
>
> I would suggest to get together on **Thursday, at 11:30** (for lunch) at
> the IETF registration desk.
>
> Objections?*
>
> Ciao
> Hannes
>
> PS: I know that your schedule during the IETF meeting is quite full ...


From nobody Tue Mar  4 10:32:25 2014
MIME-Version: 1.0
In-Reply-To: <014E4428-C5CA-4839-9EDD-9D8B6DC626F3@oracle.com>
References: <531615C8.6070805@gmx.net> <014E4428-C5CA-4839-9EDD-9D8B6DC626F3@oracle.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 4 Mar 2014 18:25:22 +0000
Message-ID: <CA+k3eCQu72Uq6Y9A_OEnhOXJZms+jNmySY9ZX7mSio0F8XA1NA@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/K1YexwN2L93jAD8-gZqoTnofY08
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work

WFM too

On Tue, Mar 4, 2014 at 6:13 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> WFM
>
> Phil
>
>> On Mar 4, 2014, at 18:04, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>
>> Hi all,
>>
>> at today's OAuth meeting I suggested to get together during the week to
>> continue our conversation about draft-ietf-oauth-dyn-reg-management-00,
>> which dominated our conversation at the meeting today.
>>
>> I would suggest to get together on **Thursday, at 11:30** (for lunch) at
>> the IETF registration desk.
>>
>> Objections?*
>>
>> Ciao
>> Hannes
>>
>> PS: I know that your schedule during the IETF meeting is quite full ...


From nobody Tue Mar  4 10:34:32 2014
From: "Morteza Ansari (moransar)" <moransar@cisco.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 4 Mar 2014 18:34:23 +0000
Message-ID: <CF3BCD15.D048C%moransar@cisco.com>
References: <531615C8.6070805@gmx.net>
In-Reply-To: <531615C8.6070805@gmx.net>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [10.21.84.178]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <6C794EDCCD501446A98422E7C37ED186@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/-SXgqqK6lJtWqsC0EJwbMco5_X8
Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work

WFM too.

On 3/4/14 6:04 PM, "Hannes Tschofenig" <hannes.tschofenig@gmx.net> wrote:

>Hi all,
>
>at today's OAuth meeting I suggested to get together during the week to
>continue our conversation about draft-ietf-oauth-dyn-reg-management-00,
>which dominated our conversation at the meeting today.
>
>I would suggest to get together on **Thursday, at 11:30** (for lunch) at
>the IETF registration desk.
>
>Objections?*
>
>Ciao
>Hannes
>
>PS: I know that your schedule during the IETF meeting is quite full ...
>


From nobody Tue Mar  4 10:41:17 2014
From: Anthony Nadalin <tonynad@microsoft.com>
To: "Morteza Ansari (moransar)" <moransar@cisco.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 4 Mar 2014 18:40:58 +0000
Message-ID: <8b99f77e6cde4817a40bd7880eacadce@BLUPR03MB309.namprd03.prod.outlook.com>
References: <531615C8.6070805@gmx.net> <CF3BCD15.D048C%moransar@cisco.com>
In-Reply-To: <CF3BCD15.D048C%moransar@cisco.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Zp1ULttl-9h4szx2x_IldUOypqk
Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work

MFW

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Morteza Ansari (moransar)
Sent: Tuesday, March 4, 2014 10:34 AM
To: Hannes Tschofenig; oauth@ietf.org
Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work

WFM too.

On 3/4/14 6:04 PM, "Hannes Tschofenig" <hannes.tschofenig@gmx.net> wrote:

>Hi all,
>
>at today's OAuth meeting I suggested to get together during the week to
>continue our conversation about draft-ietf-oauth-dyn-reg-management-00,
>which dominated our conversation at the meeting today.
>
>I would suggest to get together on **Thursday, at 11:30** (for lunch)
>at the IETF registration desk.
>
>Objections?*
>
>Ciao
>Hannes
>
>PS: I know that your schedule during the IETF meeting is quite full ...
>



From nobody Wed Mar  5 01:19:37 2014
From: "Richer, Justin P." <jricher@mitre.org>
To: Phil Hunt <phil.hunt@oracle.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work
Thread-Index: AQHPN9V9FKgJdUHKGUu1NTzMEXqeoJrSOA3D
Date: Wed, 5 Mar 2014 09:19:25 +0000
Message-ID: <B33BFB58CCC8BE4998958016839DE27E4C1806DA@IMCMBX01.MITRE.ORG>
References: <531615C8.6070805@gmx.net>, <014E4428-C5CA-4839-9EDD-9D8B6DC626F3@oracle.com>
In-Reply-To: <014E4428-C5CA-4839-9EDD-9D8B6DC626F3@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [129.83.31.52]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/B7BYUXzvgsYM0SE6nJ2JAq6nq2w
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work
X-List-Received-Date: Wed, 05 Mar 2014 09:19:33 -0000

I can do that, too.

 -- Justin
________________________________________
From: OAuth [oauth-bounces@ietf.org] on behalf of Phil Hunt [phil.hunt@oracle.com]
Sent: Tuesday, March 04, 2014 1:13 PM
To: Hannes Tschofenig
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work

WFM

Phil

> On Mar 4, 2014, at 18:04, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
> Hi all,
>
> at today's OAuth meeting I suggested to get together during the week to
> continue our conversation about draft-ietf-oauth-dyn-reg-management-00,
> which dominated our conversation at the meeting today.
>
> I would suggest to get together on **Thursday, at 11:30** (for lunch) at
> the IETF registration desk.
>
> Objections?*
>
> Ciao
> Hannes
>
> PS: I know that your schedule during the IETF meeting is quite full ...
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


From nobody Wed Mar  5 01:20:33 2014
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 076E11A035D for <oauth@ietfa.amsl.com>; Wed,  5 Mar 2014 01:20:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ODncbIMT2_TN for <oauth@ietfa.amsl.com>; Wed,  5 Mar 2014 01:20:25 -0800 (PST)
Received: from mail-wg0-f41.google.com (mail-wg0-f41.google.com [74.125.82.41]) by ietfa.amsl.com (Postfix) with ESMTP id 669F81A0215 for <oauth@ietf.org>; Wed,  5 Mar 2014 01:20:25 -0800 (PST)
Received: by mail-wg0-f41.google.com with SMTP id n12so853344wgh.24 for <oauth@ietf.org>; Wed, 05 Mar 2014 01:20:21 -0800 (PST)
X-Received: by 10.194.58.180 with SMTP id s20mr6847203wjq.54.1394011221477; Wed, 05 Mar 2014 01:20:21 -0800 (PST)
Received: from ?IPv6:2001:67c:1232:88:244b:8393:8076:29a4? ([2001:67c:1232:88:244b:8393:8076:29a4]) by mx.google.com with ESMTPSA id q15sm8702790wjw.18.2014.03.05.01.20.20 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 05 Mar 2014 01:20:20 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <B33BFB58CCC8BE4998958016839DE27E4C1806DA@IMCMBX01.MITRE.ORG>
Date: Wed, 5 Mar 2014 09:20:17 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <4840BBBC-1887-4698-828E-18133B4AE8A8@ve7jtb.com>
References: <531615C8.6070805@gmx.net>, <014E4428-C5CA-4839-9EDD-9D8B6DC626F3@oracle.com> <B33BFB58CCC8BE4998958016839DE27E4C1806DA@IMCMBX01.MITRE.ORG>
To: "Justin P. Richer" <jricher@mitre.org>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/u3hpeJ_lfzMyohD_XYAZR_2MH64
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work
X-List-Received-Date: Wed, 05 Mar 2014 09:20:31 -0000

OK
On Mar 5, 2014, at 9:19 AM, Richer, Justin P. <jricher@mitre.org> wrote:

> I can do that, too.
>
> -- Justin
> ________________________________________
> From: OAuth [oauth-bounces@ietf.org] on behalf of Phil Hunt [phil.hunt@oracle.com]
> Sent: Tuesday, March 04, 2014 1:13 PM
> To: Hannes Tschofenig
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work
>
> WFM
>
> Phil
>
>> On Mar 4, 2014, at 18:04, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>
>> Hi all,
>>
>> at today's OAuth meeting I suggested to get together during the week to
>> continue our conversation about draft-ietf-oauth-dyn-reg-management-00,
>> which dominated our conversation at the meeting today.
>>
>> I would suggest to get together on **Thursday, at 11:30** (for lunch) at
>> the IETF registration desk.
>>
>> Objections?*
>>
>> Ciao
>> Hannes
>>
>> PS: I know that your schedule during the IETF meeting is quite full ...
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Wed Mar  5 01:37:30 2014
Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27EA91A00F2 for <oauth@ietfa.amsl.com>; Wed,  5 Mar 2014 01:37:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.045
X-Spam-Level: 
X-Spam-Status: No, score=-2.045 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X9ZvkeeV3FaH for <oauth@ietfa.amsl.com>; Wed,  5 Mar 2014 01:37:25 -0800 (PST)
Received: from nm11-vm0.bullet.mail.bf1.yahoo.com (nm11-vm0.bullet.mail.bf1.yahoo.com [98.139.213.136]) by ietfa.amsl.com (Postfix) with ESMTP id BD3B61A000D for <oauth@ietf.org>; Wed,  5 Mar 2014 01:37:24 -0800 (PST)
Received: from [98.139.212.152] by nm11.bullet.mail.bf1.yahoo.com with NNFMP;  05 Mar 2014 09:37:21 -0000
Received: from [98.139.212.239] by tm9.bullet.mail.bf1.yahoo.com with NNFMP; 05 Mar 2014 09:37:21 -0000
Received: from [127.0.0.1] by omp1048.mail.bf1.yahoo.com with NNFMP; 05 Mar 2014 09:37:21 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 114709.33302.bm@omp1048.mail.bf1.yahoo.com
Received: (qmail 79793 invoked by uid 60001); 5 Mar 2014 09:37:20 -0000
Received: from [209.131.62.115] by web142803.mail.bf1.yahoo.com via HTTP; Wed, 05 Mar 2014 01:37:20 PST
X-Mailer: YahooMailWebService/0.8.177.636
References: <531615C8.6070805@gmx.net>, <014E4428-C5CA-4839-9EDD-9D8B6DC626F3@oracle.com> <B33BFB58CCC8BE4998958016839DE27E4C1806DA@IMCMBX01.MITRE.ORG> <4840BBBC-1887-4698-828E-18133B4AE8A8@ve7jtb.com>
Message-ID: <1394012240.2175.YahooMailNeo@web142803.mail.bf1.yahoo.com>
Date: Wed, 5 Mar 2014 01:37:20 -0800 (PST)
From: Bill Mills <wmills_92105@yahoo.com>
To: John Bradley <ve7jtb@ve7jtb.com>, "Justin P. Richer" <jricher@mitre.org>
In-Reply-To: <4840BBBC-1887-4698-828E-18133B4AE8A8@ve7jtb.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="905790552-281532346-1394012240=:2175"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/kGWQhcbW-NjGzxvDwxoMAGWnDX4
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work
Reply-To: Bill Mills <wmills_92105@yahoo.com>
X-List-Received-Date: Wed, 05 Mar 2014 09:37:27 -0000

--905790552-281532346-1394012240=:2175
Content-Type: text/plain; charset=us-ascii

I'm in.



On Wednesday, March 5, 2014 1:20 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
 
OK
On Mar 5, 2014, at 9:19 AM, Richer, Justin P. <jricher@mitre.org> wrote:

> I can do that, too.
> 
> -- Justin
> ________________________________________
> From: OAuth [oauth-bounces@ietf.org] on behalf of Phil Hunt [phil.hunt@oracle.com]
> Sent: Tuesday, March 04, 2014 1:13 PM
> To: Hannes Tschofenig
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work
> 
> WFM
> 
> Phil
> 
>> On Mar 4, 2014, at 18:04, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> 
>> Hi all,
>> 
>> at today's OAuth meeting I suggested to get together during the week to
>> continue our conversation about draft-ietf-oauth-dyn-reg-management-00,
>> which dominated our conversation at the meeting today.
>> 
>> I would suggest to get together on **Thursday, at 11:30** (for lunch) at
>> the IETF registration desk.
>> 
>> Objections?*
>> 
>> Ciao
>> Hannes
>> 
>> PS: I know that your schedule during the IETF meeting is quite full ...
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--905790552-281532346-1394012240=:2175--


From nobody Wed Mar  5 05:43:19 2014
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18A5A1A0080 for <oauth@ietfa.amsl.com>; Wed,  5 Mar 2014 05:43:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level: 
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E-7Ij-lC4Omm for <oauth@ietfa.amsl.com>; Wed,  5 Mar 2014 05:43:14 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) by ietfa.amsl.com (Postfix) with ESMTP id 5AECD1A0070 for <oauth@ietf.org>; Wed,  5 Mar 2014 05:43:14 -0800 (PST)
Received: from [192.168.10.131] ([31.133.156.1]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0LxxKu-1XFU0f3YZA-015L4G for <oauth@ietf.org>; Wed, 05 Mar 2014 14:43:10 +0100
Message-ID: <531729EB.8050802@gmx.net>
Date: Wed, 05 Mar 2014 14:43:07 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: oauth@ietf.org
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="KOnkw6BPQuEMGLUwrxOV68shhBIMM3s7i"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/1MOmdASTQMUtMlM8f9HI5rIcaSo
Subject: [OAUTH-WG] IETF #89 OAuth Meeting Notes
X-List-Received-Date: Wed, 05 Mar 2014 13:43:17 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--KOnkw6BPQuEMGLUwrxOV68shhBIMM3s7i
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi all

here are the notes from the OAuth f2f meeting this week:
http://www.ietf.org/proceedings/89/minutes/minutes-89-oauth

They are rather short! If someone took some more detailed notes please
send us a mail.

Ciao
Hannes & Derek


--KOnkw6BPQuEMGLUwrxOV68shhBIMM3s7i--


From nobody Thu Mar  6 00:38:22 2014
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC1C01A0121 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 00:38:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.347
X-Spam-Level: 
X-Spam-Status: No, score=0.347 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M3LSqELmRsaf for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 00:38:15 -0800 (PST)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.29.24]) by ietfa.amsl.com (Postfix) with ESMTP id B19721A0020 for <oauth@ietf.org>; Thu,  6 Mar 2014 00:38:15 -0800 (PST)
Received: from [80.67.16.112] (helo=webmail.df.eu) by smtprelay02.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1WLTog-0006ZD-LQ for oauth@ietf.org; Thu, 06 Mar 2014 09:38:10 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Date: Thu, 06 Mar 2014 08:38:10 +0000
From: torsten@lodderstedt.net
To: oauth@ietf.org
In-Reply-To: <531729EB.8050802@gmx.net>
References: <531729EB.8050802@gmx.net>
Message-ID: <346018d1df7534a815c267bfcc920cd8@lodderstedt.net>
X-Sender: torsten@lodderstedt.net
User-Agent: Roundcube Webmail
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/7jsYiQy7_4VhgwfAeMZU73eUWNY
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
X-List-Received-Date: Thu, 06 Mar 2014 08:38:20 -0000

Hi,

regarding dynamic client registration: it has been suggested to merge 
core and meta data, or at least move some elements (such as scopes) to 
the core spec. Would you please add this?

regards,
Torsten.

Am 05.03.2014 13:43, schrieb Hannes Tschofenig:
> Hi all
> 
> here are the notes from the OAuth f2f meeting this week:
> http://www.ietf.org/proceedings/89/minutes/minutes-89-oauth
> 
> They are rather short! If someone took some more detailed notes please
> send us a mail.
> 
> Ciao
> Hannes & Derek
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Thu Mar  6 01:05:32 2014
Return-Path: <mamille2@cisco.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C3FF1A0170 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 01:05:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.048
X-Spam-Level: 
X-Spam-Status: No, score=-15.048 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aYIiRUuOFeyG for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 01:05:26 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id AD95E1A0166 for <oauth@ietf.org>; Thu,  6 Mar 2014 01:05:26 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-4.cisco.com with ESMTP; 06 Mar 2014 09:05:22 +0000
Received: from xhc-rcd-x05.cisco.com (xhc-rcd-x05.cisco.com [173.37.183.79]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id s2695MAD028042 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 6 Mar 2014 09:05:22 GMT
Received: from che-vpn-cluster-1-479.cisco.com (10.86.241.224) by xhc-rcd-x05.cisco.com (173.37.183.79) with Microsoft SMTP Server (TLS) id 14.3.123.3; Thu, 6 Mar 2014 03:05:22 -0600
Message-ID: <53183A51.7000405@cisco.com>
Date: Thu, 6 Mar 2014 09:05:21 +0000
From: Matt Miller <mamille2@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, <oauth@ietf.org>
References: <531615C8.6070805@gmx.net>
In-Reply-To: <531615C8.6070805@gmx.net>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.86.241.224]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/ukHv0dedm5YzmgOpovEE9KtCw0I
Subject: Re: [OAUTH-WG] Discussion about Dynamic Client Registration Management Work
X-List-Received-Date: Thu, 06 Mar 2014 09:05:29 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 3/4/14, 6:04 PM, Hannes Tschofenig wrote:
> Hi all,
> 
> at today's OAuth meeting I suggested to get together during the
> week to continue our conversation about
> draft-ietf-oauth-dyn-reg-management-00, which dominated our
> conversation at the meeting today.
> 
> I would suggest to get together on **Thursday, at 11:30** (for
> lunch) at the IETF registration desk.
> 
> Objections?*
> 
> Ciao Hannes
> 
> PS: I know that your schedule during the IETF meeting is quite full
> ...
> 
> 
> 
> _______________________________________________ OAuth mailing list 
> OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
> 
 Works for me, too.


- -- 
- - m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-----END PGP SIGNATURE-----


From nobody Thu Mar  6 01:37:20 2014
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F4861A0189 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 01:37:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZEw61QiAkNY9 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 01:37:16 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0189.outbound.protection.outlook.com [207.46.163.189]) by ietfa.amsl.com (Postfix) with ESMTP id 4DCF71A0188 for <oauth@ietf.org>; Thu,  6 Mar 2014 01:37:16 -0800 (PST)
Received: from BLUPR03MB309.namprd03.prod.outlook.com (10.141.48.22) by BLUPR03MB004.namprd03.prod.outlook.com (10.255.208.38) with Microsoft SMTP Server (TLS) id 15.0.898.11; Thu, 6 Mar 2014 09:37:10 +0000
Received: from BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) by BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) with mapi id 15.00.0893.001; Thu, 6 Mar 2014 09:37:10 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: "torsten@lodderstedt.net" <torsten@lodderstedt.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] IETF #89 OAuth Meeting Notes
Thread-Index: AQHPOHjfg/w3XOjCmEaFruDLCJBbtZrTvd0AgAAQTtA=
Date: Thu, 6 Mar 2014 09:37:09 +0000
Message-ID: <19fab520a70b4065b587a32a31f69470@BLUPR03MB309.namprd03.prod.outlook.com>
References: <531729EB.8050802@gmx.net> <346018d1df7534a815c267bfcc920cd8@lodderstedt.net>
In-Reply-To: <346018d1df7534a815c267bfcc920cd8@lodderstedt.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:67c:1232:152:414c:2c65:2011:3112]
x-forefront-prvs: 0142F22657
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(13464003)(199002)(189002)(377454003)(51704005)(55885003)(77982001)(49866001)(90146001)(15975445006)(47736001)(79102001)(59766001)(97186001)(20776003)(97336001)(56816005)(63696002)(15202345003)(4396001)(83072002)(69226001)(74706001)(85852003)(81342001)(46102001)(81686001)(81816001)(76576001)(50986001)(33646001)(47976001)(76796001)(76786001)(83322001)(19580405001)(19580395003)(80976001)(74366001)(81542001)(47446002)(93136001)(74502001)(51856001)(80022001)(95416001)(86362001)(86612001)(93516002)(65816001)(95666003)(54356001)(87936001)(54316002)(53806001)(92566001)(74876001)(76482001)(2656002)(74316001)(74662001)(31966008)(94316002)(94946001)(56776001)(87266001)(85306002)(42262001)(24736002)(3826001); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR03MB004; H:BLUPR03MB309.namprd03.prod.outlook.com; FPR:B4E6C53E.2CDA8DEA.6DD3DFB.D0D1DCD9.20195; MLV:sfv; PTR:InfoNoRecords; A:1;  MX:1; LANG:en; 
received-spf: None (: microsoft.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/GkDj_-zpYEq-IUXT59BUkgZg7Pw
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 09:37:19 -0000

I'm not convinced that scope should be in core

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of torsten@lodderstedt.net
Sent: Thursday, March 6, 2014 12:38 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes

Hi,

regarding dynamic client registration: it has been suggested to merge core
and meta data, or at least move some elements (such as scopes) to the core
spec. Would you please add this?

regards,
Torsten.

On 05.03.2014 13:43, Hannes Tschofenig wrote:
> Hi all
>
> here are the notes from the OAuth f2f meeting this week:
> http://www.ietf.org/proceedings/89/minutes/minutes-89-oauth
>
> They are rather short! If someone took some more detailed notes please
> send us a mail.
>
> Ciao
> Hannes & Derek
>
>


From nobody Thu Mar  6 02:23:47 2014
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F3FA1A020D for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 02:23:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.912
X-Spam-Level: 
X-Spam-Status: No, score=-2.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3IrjVcLIe86q for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 02:23:44 -0800 (PST)
Received: from na3sys009aog111.obsmtp.com (na3sys009aog111.obsmtp.com [74.125.149.205]) by ietfa.amsl.com (Postfix) with ESMTP id 227931A01FE for <oauth@ietf.org>; Thu,  6 Mar 2014 02:23:44 -0800 (PST)
Received: from mail-ig0-f174.google.com ([209.85.213.174]) (using TLSv1) by na3sys009aob111.postini.com ([74.125.148.12]) with SMTP ID DSNKUxhMrG5vjuixc1TKSJtaZFdE1lcON4a0@postini.com; Thu, 06 Mar 2014 02:23:40 PST
Received: by mail-ig0-f174.google.com with SMTP id h18so15915752igc.1 for <oauth@ietf.org>; Thu, 06 Mar 2014 02:23:37 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=6V2ejZiJgjWPkInfRXSdapYcAs8ky2TvABwSUwKQWlo=; b=VF/AOAaNE6XtKUZQR1Jed/om95XMgVd0LaJ/Tj++vQ0HpEDu64MB+nnAMjkFqKDClg MMO+El8obuwRrykm8tAbKJ39pzo7jW2aaX9lreqtAS5EZfBx+02ZLGgNGtJAkK8frRAp Um7psWfYazCTyLz13F7A7F/HouO83gppQz97rf6vcRuuXF8sS1Vv9juscLpb2hTdf5zV sqsLM7GEMskdzE0NVCUk1xFky+6f/UJh01mM0wk2eS7uWvNiVa5S7lCTNj+AOm3Vrx6I +Xclwyii/pW0MBirobvYmRSQot/sJlMxnjziu8cQ7CDIHkovjp2winAXdfJXICgqy5Ds VIGA==
X-Gm-Message-State: ALoCoQmR471qD6m9DCpgylA/B0nsjfXmQYTbzKL1qJr1RM0yXzykyTGaeMtyRkoA71mgHcw2h/teeHwpYduv1IR3O/nVVzwmJzKX7RwIGvIGunI2EqUUlCD5/pO0vmRh1ROP/8tZUXGlHkwv7TQ5H7gpDWTMWPosSA==
X-Received: by 10.42.67.130 with SMTP id t2mr9418235ici.17.1394101417042; Thu, 06 Mar 2014 02:23:37 -0800 (PST)
X-Received: by 10.42.67.130 with SMTP id t2mr9418227ici.17.1394101416865; Thu, 06 Mar 2014 02:23:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.240.201 with HTTP; Thu, 6 Mar 2014 02:23:06 -0800 (PST)
In-Reply-To: <19fab520a70b4065b587a32a31f69470@BLUPR03MB309.namprd03.prod.outlook.com>
References: <531729EB.8050802@gmx.net> <346018d1df7534a815c267bfcc920cd8@lodderstedt.net> <19fab520a70b4065b587a32a31f69470@BLUPR03MB309.namprd03.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 6 Mar 2014 10:23:06 +0000
Message-ID: <CA+k3eCQJj4psse0=hdG60VM=DexnME4kERV8V7fkfJ1sxzac0w@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: multipart/alternative; boundary=20cf30334bfdbc0de404f3ed870a
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/iIqnWHUeF2EcPqys2NBcMHDCk9Y
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 10:23:46 -0000

--20cf30334bfdbc0de404f3ed870a
Content-Type: text/plain; charset=ISO-8859-1

While I'm sure we can and will discuss the organization of the documents
for some time, I wanted to reiterate that I believe the client credential
management part of this needs to be reevaluated (not just reorganized).


On Thu, Mar 6, 2014 at 9:37 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> I'm not convinced that scope should be in core
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of
> torsten@lodderstedt.net
> Sent: Thursday, March 6, 2014 12:38 AM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
>
> Hi,
>
> regarding dynamic client registration: it has been suggested to merge core
> and meta data, or at least move some elements (such as scopes) to the core
> spec. Would you please add this?
>
> regards,
> Torsten.
>
> On 05.03.2014 13:43, Hannes Tschofenig wrote:
> > Hi all
> >
> > here are the notes from the OAuth f2f meeting this week:
> > http://www.ietf.org/proceedings/89/minutes/minutes-89-oauth
> >
> > They are rather short! If someone took some more detailed notes please
> > send us a mail.
> >
> > Ciao
> > Hannes & Derek
> >
> >

--20cf30334bfdbc0de404f3ed870a--


From nobody Thu Mar  6 05:19:40 2014
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0884D1A027D for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 05:19:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y2Vm8wZutOMq for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 05:19:30 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0145.outbound.protection.outlook.com [207.46.163.145]) by ietfa.amsl.com (Postfix) with ESMTP id 69F7F1A023E for <oauth@ietf.org>; Thu,  6 Mar 2014 05:19:29 -0800 (PST)
Received: from CH1PR03CA012.namprd03.prod.outlook.com (10.255.156.157) by BLUPR03MB049.namprd03.prod.outlook.com (10.255.209.149) with Microsoft SMTP Server (TLS) id 15.0.893.10; Thu, 6 Mar 2014 13:19:24 +0000
Received: from BN1AFFO11FD050.protection.gbl (10.255.156.132) by CH1PR03CA012.outlook.office365.com (10.255.156.157) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Thu, 6 Mar 2014 13:19:23 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD050.mail.protection.outlook.com (10.58.53.65) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Thu, 6 Mar 2014 13:19:23 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.240]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.03.0174.002; Thu, 6 Mar 2014 13:18:42 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Anthony Nadalin <tonynad@microsoft.com>, "torsten@lodderstedt.net" <torsten@lodderstedt.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] IETF #89 OAuth Meeting Notes
Thread-Index: AQHPOHjg9rsM/+W1UUu+IUzUNNx6x5rTvd0AgAAQe4CAADz8YA==
Date: Thu, 6 Mar 2014 13:18:41 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0C3D8F@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <531729EB.8050802@gmx.net> <346018d1df7534a815c267bfcc920cd8@lodderstedt.net> <19fab520a70b4065b587a32a31f69470@BLUPR03MB309.namprd03.prod.outlook.com>
In-Reply-To: <19fab520a70b4065b587a32a31f69470@BLUPR03MB309.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.32]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:131.107.125.37; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(100?= =?us-ascii?Q?09001)(6009001)(438001)(199002)(189002)(51704005)(377454003)?= =?us-ascii?Q?(51856001)(53806001)(86362001)(93516002)(81542001)(66066001)?= =?us-ascii?Q?(76786001)(76796001)(80022001)(54356001)(49866001)(50986001)?= =?us-ascii?Q?(81816001)(94946001)(81342001)(47976001)(97186001)(92726001)?= =?us-ascii?Q?(97336001)(46406003)(2201001)(47736001)(95666003)(92566001)(?= =?us-ascii?Q?23726002)(86612001)(95416001)(33656001)(83072002)(74876001)(?= =?us-ascii?Q?46102001)(63696002)(4396001)(19580395003)(15975445006)(83322?= =?us-ascii?Q?001)(19580405001)(6806004)(85806002)(55846006)(69226001)(816?= =?us-ascii?Q?86001)(74366001)(85306002)(44976005)(31966008)(15202345003)(?= =?us-ascii?Q?56816005)(90146001)(47776003)(20776003)(76482001)(87936001)(?= =?us-ascii?Q?54316002)(65816001)(94316002)(77096001)(80976001)(85852003)(?= =?us-ascii?Q?56776001)(79102001)(47446002)(1511001)(74502001)(74662001)(5?= =?us-ascii?Q?0466002)(2656002)(87266001)(77982001)(74706001)(59766001)(93?= =?us-ascii?Q?136001);DIR:OUT;SFP:1101;SCL:1;SRVR:BLUPR03MB049;H:mail.micr?= =?us-ascii?Q?osoft.com;CLIP:131.107.125.37;FPR:B4E4F53E.A4DA8CE2.36EDBDFB?= =?us-ascii?Q?.D0D1CCD9.20208;MLV:sfv;PTR:InfoDomainNonexistent;A:1;MX:1;L?= =?us-ascii?Q?ANG:en;?=
X-O365ENT-EOP-Header: Message processed by -  O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0142F22657
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/v21YsYtpAJIHMBzbQWg2hS6M9Lg
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 13:19:37 -0000

I also disagree with moving "scope" into the core registration spec.  The
metadata values in the core spec are those that are essential to use to
achieve registration.  Those in the metadata spec are those that are useful
in some applications but not needed by some others.  "scope" is of the
second class.

				-- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Anthony Nadalin
Sent: Thursday, March 06, 2014 1:37 AM
To: torsten@lodderstedt.net; oauth@ietf.org
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes

I'm not convinced that scope should be in core

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of torsten@lodderstedt.net
Sent: Thursday, March 6, 2014 12:38 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes

Hi,

regarding dynamic client registration: it has been suggested to merge core
and meta data, or at least move some elements (such as scopes) to the core
spec. Would you please add this?

regards,
Torsten.

On 05.03.2014 13:43, Hannes Tschofenig wrote:
> Hi all
>
> here are the notes from the OAuth f2f meeting this week:
> http://www.ietf.org/proceedings/89/minutes/minutes-89-oauth
>
> They are rather short! If someone took some more detailed notes please
> send us a mail.
>
> Ciao
> Hannes & Derek
>
>


From nobody Thu Mar  6 05:20:52 2014
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A043E1A0118 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 05:20:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.747
X-Spam-Level: 
X-Spam-Status: No, score=-4.747 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SEt18gniZna3 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 05:20:42 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id B04CE1A01F3 for <oauth@ietf.org>; Thu,  6 Mar 2014 05:20:38 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id B495B1F0525; Thu,  6 Mar 2014 08:20:34 -0500 (EST)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 6615B1F0520; Thu,  6 Mar 2014 08:20:34 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.95]) by IMCCAS04.MITRE.ORG ([129.83.29.81]) with mapi id 14.03.0174.001; Thu, 6 Mar 2014 08:20:34 -0500
From: "Richer, Justin P." <jricher@mitre.org>
To: "torsten@lodderstedt.net" <torsten@lodderstedt.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] IETF #89 OAuth Meeting Notes
Thread-Index: AQHPOHjhAp1NkKSGd0KRBt4rD+vZjZrUEa4A///6cU0=
Date: Thu, 6 Mar 2014 13:20:33 +0000
Message-ID: <B33BFB58CCC8BE4998958016839DE27E4C180A41@IMCMBX01.MITRE.ORG>
References: <531729EB.8050802@gmx.net>, <346018d1df7534a815c267bfcc920cd8@lodderstedt.net>
In-Reply-To: <346018d1df7534a815c267bfcc920cd8@lodderstedt.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [129.83.31.52]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/2knHqptriu-c97eq_VkJMPMQ3iI
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 13:20:46 -0000

I would like everything from the metadata spec moved to core with the same
optionality that it has in the two documents, in order to facilitate
readability and ease of use for developers. I would be fine with having it
listed in two separate subsections.

Also, so it doesn't get lost, we should adopt the "jwks" metadata parameter
from OIDC as well, to go alongside of jwks_uri.

 -- Justin

________________________________________
From: OAuth [oauth-bounces@ietf.org] on behalf of torsten@lodderstedt.net [torsten@lodderstedt.net]
Sent: Thursday, March 06, 2014 3:38 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes

Hi,

regarding dynamic client registration: it has been suggested to merge
core and meta data, or at least move some elements (such as scopes) to
the core spec. Would you please add this?

regards,
Torsten.

On 05.03.2014 13:43, Hannes Tschofenig wrote:
> Hi all
>
> here are the notes from the OAuth f2f meeting this week:
> http://www.ietf.org/proceedings/89/minutes/minutes-89-oauth
>
> They are rather short! If someone took some more detailed notes please
> send us a mail.
>
> Ciao
> Hannes & Derek
>
>


From nobody Thu Mar  6 05:25:16 2014
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A70861A025E for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 05:25:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.748
X-Spam-Level: 
X-Spam-Status: No, score=-4.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N2_LGG_rH-OA for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 05:25:14 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 22D3C1A0073 for <oauth@ietf.org>; Thu,  6 Mar 2014 05:25:14 -0800 (PST)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s26DP9OZ019626 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 6 Mar 2014 13:25:09 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s26DP8cV023850 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Mar 2014 13:25:08 GMT
Received: from abhmp0014.oracle.com (abhmp0014.oracle.com [141.146.116.20]) by userz7022.oracle.com (8.14.5+Sun/8.14.4) with ESMTP id s26DP8ql016336; Thu, 6 Mar 2014 13:25:08 GMT
Received: from [31.133.163.210] (/31.133.163.210) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 06 Mar 2014 05:25:07 -0800
References: <531729EB.8050802@gmx.net> <346018d1df7534a815c267bfcc920cd8@lodderstedt.net> <19fab520a70b4065b587a32a31f69470@BLUPR03MB309.namprd03.prod.outlook.com> <4E1F6AAD24975D4BA5B16804296739439A0C3D8F@TK5EX14MBXC286.redmond.corp.microsoft.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A0C3D8F@TK5EX14MBXC286.redmond.corp.microsoft.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <5280BFA8-6619-4CAB-BAE6-3F5BB6F37352@oracle.com>
X-Mailer: iPhone Mail (11B651)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Thu, 6 Mar 2014 13:25:06 +0000
To: Mike Jones <Michael.Jones@microsoft.com>
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/XBUNsxGRAnogXJUgrp6sreXUFdQ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 13:25:15 -0000

If metadata is optional I don't see the issue with it being in core.

Then again I don't think metadata should be in a separate draft.

Phil

> On Mar 6, 2014, at 13:18, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> I also disagree with moving "scope" into the core registration spec.  The
> metadata values in the core spec are those that are essential to use to
> achieve registration.  Those in the metadata spec are those that are useful
> in some applications but not needed by some others.  "scope" is of the
> second class.
>
>                -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Anthony Nadalin
> Sent: Thursday, March 06, 2014 1:37 AM
> To: torsten@lodderstedt.net; oauth@ietf.org
> Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
>
> I'm not convinced that scope should be in core
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of torsten@lodderstedt.net
> Sent: Thursday, March 6, 2014 12:38 AM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
>
> Hi,
>
> regarding dynamic client registration: it has been suggested to merge core
> and meta data, or at least move some elements (such as scopes) to the core
> spec. Would you please add this?
>
> regards,
> Torsten.
>
> On 05.03.2014 13:43, Hannes Tschofenig wrote:
>> Hi all
>>
>> here are the notes from the OAuth f2f meeting this week:
>> http://www.ietf.org/proceedings/89/minutes/minutes-89-oauth
>>
>> They are rather short! If someone took some more detailed notes please
>> send us a mail.
>>
>> Ciao
>> Hannes & Derek
>>
>>


From nobody Thu Mar  6 05:55:31 2014
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAADA1A02A5 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 05:55:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0oCs0_5iXfLX for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 05:55:26 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0186.outbound.protection.outlook.com [207.46.163.186]) by ietfa.amsl.com (Postfix) with ESMTP id 13D271A01FE for <oauth@ietf.org>; Thu,  6 Mar 2014 05:55:25 -0800 (PST)
Received: from BLUPR03MB309.namprd03.prod.outlook.com (10.141.48.22) by BLUPR03MB590.namprd03.prod.outlook.com (10.255.124.36) with Microsoft SMTP Server (TLS) id 15.0.888.9; Thu, 6 Mar 2014 13:55:21 +0000
Received: from BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) by BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) with mapi id 15.00.0893.001; Thu, 6 Mar 2014 13:55:21 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "torsten@lodderstedt.net" <torsten@lodderstedt.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] IETF #89 OAuth Meeting Notes
Thread-Index: AQHPOHjfg/w3XOjCmEaFruDLCJBbtZrTvd0AgAAQTtCAAD4SgIAACgWw
Date: Thu, 6 Mar 2014 13:55:20 +0000
Message-ID: <b36ff76316f94f95ba387e2054888a95@BLUPR03MB309.namprd03.prod.outlook.com>
References: <531729EB.8050802@gmx.net> <346018d1df7534a815c267bfcc920cd8@lodderstedt.net> <19fab520a70b4065b587a32a31f69470@BLUPR03MB309.namprd03.prod.outlook.com> <4E1F6AAD24975D4BA5B16804296739439A0C3D8F@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A0C3D8F@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:67c:370:160:8d0b:249c:e590:9026]
x-forefront-prvs: 0142F22657
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(51704005)(199002)(377454003)(189002)(15202345003)(1511001)(49866001)(50986001)(95666003)(63696002)(59766001)(31966008)(77982001)(90146001)(33646001)(79102001)(74876001)(47446002)(74706001)(15975445006)(97186001)(4396001)(74502001)(74662001)(97336001)(47736001)(65816001)(51856001)(81686001)(83072002)(76482001)(87266001)(86362001)(19580405001)(74316001)(87936001)(74366001)(81816001)(69226001)(76796001)(85852003)(47976001)(46102001)(76786001)(76576001)(2201001)(81542001)(53806001)(92566001)(85306002)(80022001)(54316002)(93136001)(56776001)(81342001)(56816005)(54356001)(95416001)(2656002)(86612001)(94316002)(83322001)(80976001)(19580395003)(93516002)(94946001)(42262001)(24736002)(3826001); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR03MB590; H:BLUPR03MB309.namprd03.prod.outlook.com; CLIP:2001:67c:370:160:8d0b:249c:e590:9026; FPR:B4E4F536.A4DA8CE2.36E1B5FB.D2D1CDD9.2021B; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (: microsoft.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/HDNbU3uvEZyca1AtglKrKv0KAhY
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 13:55:29 -0000

+1  should not be merged

-----Original Message-----
From: Mike Jones
Sent: Thursday, March 6, 2014 5:19 AM
To: Anthony Nadalin; torsten@lodderstedt.net; oauth@ietf.org
Subject: RE: [OAUTH-WG] IETF #89 OAuth Meeting Notes

I also disagree with moving "scope" into the core registration spec.  The
metadata values in the core spec are those that are essential to use to
achieve registration.  Those in the metadata spec are those that are useful
in some applications but not needed by some others.  "scope" is of the
second class.

				-- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Anthony Nadalin
Sent: Thursday, March 06, 2014 1:37 AM
To: torsten@lodderstedt.net; oauth@ietf.org
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes

I'm not convinced that scope should be in core

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of torsten@lodderstedt.net
Sent: Thursday, March 6, 2014 12:38 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes

Hi,

regarding dynamic client registration: it has been suggested to merge core
and meta data, or at least move some elements (such as scopes) to the core
spec. Would you please add this?

regards,
Torsten.

Am 05.03.2014 13:43, schrieb Hannes Tschofenig:
> Hi all
>
> here are the notes from the OAuth f2f meeting this week:
> http://www.ietf.org/proceedings/89/minutes/minutes-89-oauth
>
> They are rather short! If someone took some more detailed notes please
> send us a mail.
>
> Ciao
> Hannes & Derek
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



From nobody Thu Mar  6 05:59:49 2014
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ABA61A0156 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 05:59:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.747
X-Spam-Level: 
X-Spam-Status: No, score=-4.747 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 45RajGI1pHlv for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 05:59:44 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 3C2D61A0078 for <oauth@ietf.org>; Thu,  6 Mar 2014 05:59:44 -0800 (PST)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s26Dxcmf010500 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 6 Mar 2014 13:59:39 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by ucsinet22.oracle.com (8.14.5+Sun/8.14.5) with ESMTP id s26Dxbeo010197 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Mar 2014 13:59:38 GMT
Received: from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s26Dxb7T022141; Thu, 6 Mar 2014 13:59:37 GMT
Received: from dhcp-a680.meeting.ietf.org (/31.133.166.128) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 06 Mar 2014 05:59:37 -0800
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <b36ff76316f94f95ba387e2054888a95@BLUPR03MB309.namprd03.prod.outlook.com>
Date: Thu, 6 Mar 2014 13:59:36 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <641CC82B-0599-49AB-9515-632EDCD9192F@oracle.com>
References: <531729EB.8050802@gmx.net> <346018d1df7534a815c267bfcc920cd8@lodderstedt.net> <19fab520a70b4065b587a32a31f69470@BLUPR03MB309.namprd03.prod.outlook.com> <4E1F6AAD24975D4BA5B16804296739439A0C3D8F@TK5EX14MBXC286.redmond.corp.microsoft.com> <b36ff76316f94f95ba387e2054888a95@BLUPR03MB309.namprd03.prod.outlook.com>
To: Anthony Nadalin <tonynad@microsoft.com>
X-Mailer: Apple Mail (2.1510)
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/dOCzhom97KjbZzmtzbKzgGdd8t0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 13:59:46 -0000

I'm getting the impression you don't want the particular meta data
that's been specified. Hence why you want the separate spec.

What's the issue?  Maybe we should change the metadata?

I'd rather not see people do similar things that are done different
ways. Whatever we do is already breaking for us, so now's the time to
change it.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2014-03-06, at 1:55 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> +1  should not be merged
>
> -----Original Message-----
> From: Mike Jones
> Sent: Thursday, March 6, 2014 5:19 AM
> To: Anthony Nadalin; torsten@lodderstedt.net; oauth@ietf.org
> Subject: RE: [OAUTH-WG] IETF #89 OAuth Meeting Notes
>
> I also disagree with moving "scope" into the core registration spec.  The
> metadata values in the core spec are those that are essential to use to
> achieve registration.  Those in the metadata spec are those that are
> useful in some applications but not needed by some others.  "scope" is of
> the second class.
>
> 				-- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Anthony Nadalin
> Sent: Thursday, March 06, 2014 1:37 AM
> To: torsten@lodderstedt.net; oauth@ietf.org
> Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
>
> I'm not convinced that scope should be in core
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of torsten@lodderstedt.net
> Sent: Thursday, March 6, 2014 12:38 AM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes
>
> Hi,
>
> regarding dynamic client registration: it has been suggested to merge
> core and meta data, or at least move some elements (such as scopes) to
> the core spec. Would you please add this?
>
> regards,
> Torsten.
>
> Am 05.03.2014 13:43, schrieb Hannes Tschofenig:
>> Hi all
>>
>> here are the notes from the OAuth f2f meeting this week:
>> http://www.ietf.org/proceedings/89/minutes/minutes-89-oauth
>>
>> They are rather short! If someone took some more detailed notes please
>> send us a mail.
>>
>> Ciao
>> Hannes & Derek
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Thu Mar  6 06:15:06 2014
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24CF61A036B for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 06:15:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level: 
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TSmRhrVebhc7 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 06:15:03 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) by ietfa.amsl.com (Postfix) with ESMTP id 196051A0361 for <oauth@ietf.org>; Thu,  6 Mar 2014 06:15:03 -0800 (PST)
Received: from [192.168.10.136] ([31.133.156.1]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0M1VlJ-1XANPX1StF-00tWpu for <oauth@ietf.org>; Thu, 06 Mar 2014 15:14:58 +0100
Message-ID: <531882E0.7010809@gmx.net>
Date: Thu, 06 Mar 2014 15:14:56 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: oauth@ietf.org
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="JWpJLRSftPpvDcQbvI68O5rvs1CN8KV7H"
X-Provags-ID: V03:K0:fLVu/rL+Xfy5n/yF/MdTAFc8QeE6V8/4JdQzizLUrfODvcLujIR WzUL2ca1xHMvsx33oqvywfoc/lStLibZfcRYY8xe0NVisAFvTklIDVAercna05FWxUEgNOG wKaaI54Wh6407cceo6i0+uKu63/xrerlqSg20jeVxyQnkFzumel2Bb4j9OMUZu6ZiuqrQG5 8zqtUJ0j6O/iQwEhi44VQ==
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/MnSFP3XmqA3Nn1pDilGKaZbJDTw
Subject: [OAUTH-WG] OAuth Dynamic Registration Management API: Our Lunch Chat Today
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 14:15:05 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--JWpJLRSftPpvDcQbvI68O5rvs1CN8KV7H
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi all,

several OAuth folks met today to talk about the next steps regarding the
OAuth dynamic client registration management API.

At the end of our short lunch chat I asked each participant individually
what they think should be done next. Here are the notes I took.

Phil: We need to document what events the client wants to notify the
server of. Phil volunteered to write a slide deck.

Justin: Document the deployment characteristics (for the different
client types). He also suggested to publish the current document as an
experimental draft and let people play around with it.

Tony: The work on the management API is not mature enough for
standardization

Mat: Decide what is in scope and what is out-of-scope.

Morteza: Investigate use cases further

Brian: Document use cases and assumptions

Mike: Focus on the dynamic registration and the meta-data work for now.
The management API is not mature enough.

John: We first need to figure out what we need the management API for.

Bill: Document what problem we are solving.

Kaoru: Document use cases and better understand the relationship with
the other specs.

As you can see the views are all over the map. It does, however, seem to
be useful to get a better understanding of the deployment and the use
cases.

Ciao
Hannes


--JWpJLRSftPpvDcQbvI68O5rvs1CN8KV7H--


From nobody Thu Mar  6 07:01:59 2014
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3143A1A00C6 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 07:01:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8cBB0nsDCahj for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 07:01:54 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0210.outbound.protection.outlook.com [207.46.163.210]) by ietfa.amsl.com (Postfix) with ESMTP id 861EF1A0063 for <oauth@ietf.org>; Thu,  6 Mar 2014 07:01:54 -0800 (PST)
Received: from BLUPR03MB309.namprd03.prod.outlook.com (10.141.48.22) by BLUPR03MB591.namprd03.prod.outlook.com (10.255.124.37) with Microsoft SMTP Server (TLS) id 15.0.888.9; Thu, 6 Mar 2014 15:01:42 +0000
Received: from BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) by BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) with mapi id 15.00.0893.001; Thu, 6 Mar 2014 15:01:42 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org list" <oauth@ietf.org>
Thread-Topic: Working Group Versions of Refactored OAuth Dynamic Client Registration Specs
Thread-Index: Ac8kNnz3PF/lDi5zTKOXOi6a7z33lwVFgm5Q
Date: Thu, 6 Mar 2014 15:01:42 +0000
Message-ID: <532782efb0bd4dd8b69e26905d5250a1@BLUPR03MB309.namprd03.prod.outlook.com>
References: <4E1F6AAD24975D4BA5B16804296739438B1882D3@TK5EX14MBXC288.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739438B1882D3@TK5EX14MBXC288.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:67c:1232:84:89c7:a001:3270:9ed0]
x-forefront-prvs: 0142F22657
received-spf: None (: microsoft.com does not designate permitted sender hosts)
Content-Type: multipart/alternative; boundary="_000_532782efb0bd4dd8b69e26905d5250a1BLUPR03MB309namprd03pro_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/-oCSl8YD0bc4wrACKVtz4wrizPY
Subject: Re: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 15:01:57 -0000

--_000_532782efb0bd4dd8b69e26905d5250a1BLUPR03MB309namprd03pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

So the current core makes the registration_access_token  required and there
are open registration endpoints, so this should be optional, there are also
cases where the client_id is signed and that becomes the right to the
registration endpoint

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Friday, February 7, 2014 10:58 AM
To: oauth@ietf.org list
Subject: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs

There are now OAuth working group<http://datatracker.ietf.org/wg/oauth/>
versions of the refactored OAuth Dynamic Client Registration specifications:

*         OAuth 2.0 Dynamic Client Registration Core Protocol

*         OAuth 2.0 Dynamic Client Registration Metadata

*         OAuth 2.0 Dynamic Client Registration Management Protocol

These versions address review comments by Phil Hunt and Tony Nadalin.  Phil
is now also an author.  The data structures and messages used are the same
as the previous versions<http://self-issued.info/?p=1171>.

The drafts are available at:

*         http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

*         http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00

*         http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-00

HTML formatted versions are also available at:

*         https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-16.html

*         https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-metadata-00.html

*         https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-management-00.html

                                                            -- Mike

P.S.  I also posted this notice at http://self-issued.info/?p=1180 and as
@selfissued.


--_000_532782efb0bd4dd8b69e26905d5250a1BLUPR03MB309namprd03pro_--


From nobody Thu Mar  6 08:01:13 2014
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E03641A0074 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 08:01:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FrNUa1nzCVrS for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 08:01:09 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0209.outbound.protection.outlook.com [207.46.163.209]) by ietfa.amsl.com (Postfix) with ESMTP id 012A71A0030 for <oauth@ietf.org>; Thu,  6 Mar 2014 08:01:08 -0800 (PST)
Received: from BLUPR03MB309.namprd03.prod.outlook.com (10.141.48.22) by BLUPR03MB309.namprd03.prod.outlook.com (10.141.48.22) with Microsoft SMTP Server (TLS) id 15.0.893.10; Thu, 6 Mar 2014 16:00:56 +0000
Received: from BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) by BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) with mapi id 15.00.0893.001; Thu, 6 Mar 2014 16:00:56 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Anthony Nadalin <tonynad@microsoft.com>, Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org list" <oauth@ietf.org>
Thread-Topic: Working Group Versions of Refactored OAuth Dynamic Client Registration Specs
Thread-Index: Ac8kNnz3PF/lDi5zTKOXOi6a7z33lwVFgm5QAAIciaA=
Date: Thu, 6 Mar 2014 16:00:56 +0000
Message-ID: <370d79ce16e24a4997ac444591829e35@BLUPR03MB309.namprd03.prod.outlook.com>
References: <4E1F6AAD24975D4BA5B16804296739438B1882D3@TK5EX14MBXC288.redmond.corp.microsoft.com> <532782efb0bd4dd8b69e26905d5250a1@BLUPR03MB309.namprd03.prod.outlook.com>
In-Reply-To: <532782efb0bd4dd8b69e26905d5250a1@BLUPR03MB309.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:67c:1232:84:89c7:a001:3270:9ed0]
x-forefront-prvs: 0142F22657
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(428001)(377454003)(189002)(199002)(1511001)(87936001)(86362001)(47446002)(46102001)(74662001)(54356001)(74706001)(81686001)(63696002)(79102001)(87266001)(59766001)(76482001)(65816001)(53806001)(94946001)(93136001)(31966008)(74502001)(74876001)(94316002)(97186001)(56776001)(51856001)(77982001)(97336001)(95416001)(81816001)(83322001)(2656002)(80022001)(86612001)(85306002)(19580395003)(19580405001)(85852003)(56816005)(76786001)(76796001)(33646001)(50986001)(19300405004)(80976001)(83072002)(74316001)(93516002)(16236675002)(92566001)(19609705001)(74366001)(76576001)(54316002)(4396001)(15202345003)(47976001)(47736001)(95666003)(49866001)(81542001)(15975445006)(90146001)(81342001)(69226001)(42262001)(3826001)(24736002)(6606295002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR03MB309; H:BLUPR03MB309.namprd03.prod.outlook.com; CLIP:2001:67c:1232:84:89c7:a001:3270:9ed0; FPR:BC84F8BD.8CF2AFC8.AEEC36E7.46D835D0.20224; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
received-spf: None (: microsoft.com does not designate permitted sender hosts)
Content-Type: multipart/alternative; boundary="_000_370d79ce16e24a4997ac444591829e35BLUPR03MB309namprd03pro_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/FLBjln46b42ZoELYOrWU3VaNm_0
Subject: Re: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 16:01:12 -0000

--_000_370d79ce16e24a4997ac444591829e35BLUPR03MB309namprd03pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Same is true for the registration_client_uri as I may not need/want this, should be optional

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Anthony Nadalin
Sent: Thursday, March 6, 2014 7:02 AM
To: Mike Jones; oauth@ietf.org list
Subject: Re: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs

So the current core makes the registration_access_token required and there are open registration endpoints, so this should be optional, there are also cases where the client_id is signed and that becomes the right to the registration endpoint

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Friday, February 7, 2014 10:58 AM
To: oauth@ietf.org<mailto:oauth@ietf.org> list
Subject: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs

There are now OAuth working group<http://datatracker.ietf.org/wg/oauth/> versions of the refactored OAuth Dynamic Client Registration specifications:

*         OAuth 2.0 Dynamic Client Registration Core Protocol

*         OAuth 2.0 Dynamic Client Registration Metadata

*         OAuth 2.0 Dynamic Client Registration Management Protocol

These versions address review comments by Phil Hunt and Tony Nadalin.  Phil is now also an author.  The data structures and messages used are the same as the previous versions<http://self-issued.info/?p=1171>.

The drafts are available at:

*         http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

*         http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00

*         http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-00

HTML formatted versions are also available at:

*         https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-16.html

*         https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-metadata-00.html

*         https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-management-00.html

                                                            -- Mike

P.S.  I also posted this notice at http://self-issued.info/?p=1180 and as @selfissued.


--_000_370d79ce16e24a4997ac444591829e35BLUPR03MB309namprd03pro_--
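
A client-side sketch of the optionality requested in the message above, added here as an illustration and not taken from the drafts or from any participant: it parses a registration response in which `registration_access_token` and `registration_client_uri` may each be absent. The class and function names, the three mode labels, the https requirement and the rejection of a token that arrives without a URI are assumptions of this example; the JSON bodies are constructed.

```python
import json
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


class RegistrationResponseError(ValueError):
    """The registration response cannot be used safely."""


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    # Credentials are excluded from repr() so they do not leak into logs.
    client_secret: Optional[str] = field(default=None, repr=False)
    registration_access_token: Optional[str] = field(default=None, repr=False)
    registration_client_uri: Optional[str] = None

    def management_mode(self) -> str:
        """Say whether, and how, this client can manage its registration."""
        if self.registration_client_uri is None:
            return "none"      # open registration: nothing to manage later
        if self.registration_access_token is None:
            return "uri-only"  # another credential applies, e.g. a signed client_id
        return "bearer"        # URI plus registration_access_token


def _optional_str(doc: dict, name: str) -> Optional[str]:
    """Return a member as a non-empty string, or None when it is absent."""
    value = doc.get(name)
    if value is None:
        return None
    if not isinstance(value, str) or not value:
        raise RegistrationResponseError(f"{name} must be a non-empty string")
    return value


def parse_registration_response(body: str) -> RegisteredClient:
    """Parse a registration response, treating both management members as optional."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise RegistrationResponseError("response is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise RegistrationResponseError("response must be a JSON object")

    client_id = _optional_str(doc, "client_id")
    if client_id is None:
        raise RegistrationResponseError("client_id is missing")

    token = _optional_str(doc, "registration_access_token")
    uri = _optional_str(doc, "registration_client_uri")

    if uri is not None:
        try:
            parts = urlsplit(uri)
        except ValueError as exc:
            raise RegistrationResponseError("registration_client_uri is malformed") from exc
        # Example policy: a bearer token must never be sent over plain http.
        if parts.scheme != "https" or not parts.hostname:
            raise RegistrationResponseError("registration_client_uri must be an https URL")
    elif token is not None:
        # Example policy: a token with no endpoint to present it to is refused
        # rather than stored and later sent to a guessed location.
        raise RegistrationResponseError(
            "registration_access_token without registration_client_uri")

    return RegisteredClient(
        client_id=client_id,
        client_secret=_optional_str(doc, "client_secret"),
        registration_access_token=token,
        registration_client_uri=uri,
    )


def is_rejected(body: str) -> bool:
    """True when the response is refused by parse_registration_response."""
    try:
        parse_registration_response(body)
    except RegistrationResponseError:
        return True
    return False


# Constructed sample responses (not captured from any server).
OPEN_RESPONSE = '{"client_id": "s6BhdRkqt3", "client_secret": "constructed-secret"}'
MANAGED_RESPONSE = json.dumps({
    "client_id": "s6BhdRkqt3",
    "registration_access_token": "constructed-reg-token",
    "registration_client_uri": "https://server.example.com/register/s6BhdRkqt3",
})
SIGNED_ID_RESPONSE = json.dumps({
    "client_id": "constructed.signed.client-id",
    "registration_client_uri": "https://server.example.com/register/self",
})
TOKEN_ONLY_RESPONSE = '{"client_id": "s6BhdRkqt3", "registration_access_token": "t"}'
PLAIN_HTTP_RESPONSE = json.dumps({
    "client_id": "s6BhdRkqt3",
    "registration_access_token": "constructed-reg-token",
    "registration_client_uri": "http://server.example.com/register/s6BhdRkqt3",
})

if __name__ == "__main__":
    for sample in (OPEN_RESPONSE, MANAGED_RESPONSE, SIGNED_ID_RESPONSE):
        client = parse_registration_response(sample)
        print(client.management_mode(), client)
```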


From nobody Thu Mar  6 08:25:11 2014
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 804891A0092 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 08:25:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.746
X-Spam-Level: 
X-Spam-Status: No, score=-4.746 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id krTOg6-Zhofm for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 08:25:06 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 55FA11A0051 for <oauth@ietf.org>; Thu,  6 Mar 2014 08:25:06 -0800 (PST)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s26GP1nW028023 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 6 Mar 2014 16:25:02 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s26GP1T6024525 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 6 Mar 2014 16:25:01 GMT
Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s26GP0mw024417; Thu, 6 Mar 2014 16:25:00 GMT
Received: from dhcp-a680.meeting.ietf.org (/31.133.166.128) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 06 Mar 2014 08:25:00 -0800
Content-Type: multipart/alternative; boundary="Apple-Mail=_01F377B2-1BE5-470F-9910-20084E328084"
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <370d79ce16e24a4997ac444591829e35@BLUPR03MB309.namprd03.prod.outlook.com>
Date: Thu, 6 Mar 2014 16:25:00 +0000
Message-Id: <99FD6D99-DB50-4DB8-AAA6-977742CE1A1E@oracle.com>
References: <4E1F6AAD24975D4BA5B16804296739438B1882D3@TK5EX14MBXC288.redmond.corp.microsoft.com> <532782efb0bd4dd8b69e26905d5250a1@BLUPR03MB309.namprd03.prod.outlook.com> <370d79ce16e24a4997ac444591829e35@BLUPR03MB309.namprd03.prod.outlook.com>
To: Anthony Nadalin <tonynad@microsoft.com>
X-Mailer: Apple Mail (2.1510)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/xCzDNbwZZftnskYdS-L-Dr87meE
Cc: "oauth@ietf.org list" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 16:25:08 -0000

--Apple-Mail=_01F377B2-1BE5-470F-9910-20084E328084
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

Where is registration_client_uri in the spec?

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2014-03-06, at 4:00 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> Same is true for the registration_client_uri as I may not need/want this, should be optional
>
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Anthony Nadalin
> Sent: Thursday, March 6, 2014 7:02 AM
> To: Mike Jones; oauth@ietf.org list
> Subject: Re: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs
>
> So the current core makes the registration_access_token required and there are open registration endpoints, so this should be optional, there are also cases where the client_id is signed and that becomes the right to the registration endpoint
>
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Friday, February 7, 2014 10:58 AM
> To: oauth@ietf.org list
> Subject: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs
>
> There are now OAuth working group versions of the refactored OAuth Dynamic Client Registration specifications:
> ·         OAuth 2.0 Dynamic Client Registration Core Protocol
> ·         OAuth 2.0 Dynamic Client Registration Metadata
> ·         OAuth 2.0 Dynamic Client Registration Management Protocol
>
> These versions address review comments by Phil Hunt and Tony Nadalin.  Phil is now also an author.  The data structures and messages used are the same as the previous versions.
>
> The drafts are available at:
> ·         http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16
> ·         http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00
> ·         http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-00
>
> HTML formatted versions are also available at:
> ·         https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-16.html
> ·         https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-metadata-00.html
> ·         https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-management-00.html
>
>                                                             -- Mike
>
> P.S.  I also posted this notice at http://self-issued.info/?p=1180 and as @selfissued.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--Apple-Mail=_01F377B2-1BE5-470F-9910-20084E328084
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=iso-8859-1

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Diso-8859-1"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Where =
is&nbsp;<span style=3D"color: rgb(31, 73, 125); font-family: Calibri, =
sans-serif; font-size: 15px; =
">registration_client_uri&nbsp;</span>&nbsp;in the spec?<div><br><div =
apple-content-edited=3D"true">
<div style=3D"color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-align: =
-webkit-auto; text-indent: 0px; text-transform: none; white-space: =
normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div =
style=3D"color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; =
font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-align: =
-webkit-auto; text-indent: 0px; text-transform: none; white-space: =
normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
border-spacing: 0px; "><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: =
normal; font-variant: normal; font-weight: normal; letter-spacing: =
normal; line-height: normal; orphans: 2; text-indent: 0px; =
text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; =
border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: medium; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; =
"><div>Phil</div><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com">www.independentid.com</a></div></div=
></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div></span>=
</div></span></div></span></div></div>
</div>
<br><div><div>On 2014-03-06, at 4:00 PM, Anthony Nadalin &lt;<a =
href=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><div lang=3D"EN-US" link=3D"blue" vlink=3D"purple" =
style=3D"font-family: Helvetica; font-size: medium; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
"><div class=3D"WordSection1" style=3D"page: WordSection1; "><div =
style=3D"margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: =
Calibri, sans-serif; "><span style=3D"color: rgb(31, 73, 125); ">Same is =
true for the registration_client_uri as I may not need/want this, should =
be optional<o:p></o:p></span></div><div style=3D"margin: 0in 0in =
0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><a =
name=3D"_MailEndCompose"><span style=3D"color: rgb(31, 73, 125); =
">&nbsp;</span></a></div><div><div style=3D"border-style: solid none =
none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); =
padding: 3pt 0in 0in; "><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif; "><b>From:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>OAuth [mailto:oauth-<a =
href=3D"mailto:bounces@ietf.org">bounces@ietf.org</a>]<span =
class=3D"Apple-converted-space">&nbsp;</span><b>On Behalf Of<span =
class=3D"Apple-converted-space">&nbsp;</span></b>Anthony =
Nadalin<br><b>Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Thursday, March 6, 2014 =
7:02 AM<br><b>To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Mike Jones; <a =
href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a> =
list<br><b>Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Re: [OAUTH-WG] Working =
Group Versions of Refactored OAuth Dynamic Client Registration =
Specs<o:p></o:p></div></div></div><div style=3D"margin: 0in 0in =
0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; =
"><o:p>&nbsp;</o:p></div><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif; "><span style=3D"color:=
 rgb(31, 73, 125); ">So the current core makes the =
registration_access_token&nbsp; required and there are open registration =
endpoints, so this should be optional, there are also cases where the =
client_id is signed and that becomes the right to the registration =
endpoint<o:p></o:p></span></div><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif; "><span style=3D"color:=
 rgb(31, 73, 125); ">&nbsp;</span></div><div><div style=3D"border-style: =
solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, =
225); padding: 3pt 0in 0in; "><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif; "><b>From:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>OAuth [<a =
href=3D"mailto:oauth-bounces@ietf.org" style=3D"color: purple; =
text-decoration: underline; ">mailto:oauth-bounces@ietf.org</a>]<span =
class=3D"Apple-converted-space">&nbsp;</span><b>On Behalf Of<span =
class=3D"Apple-converted-space">&nbsp;</span></b>Mike =
Jones<br><b>Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Friday, February 7, 2014 =
10:58 AM<br><b>To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span><a =
href=3D"mailto:oauth@ietf.org" style=3D"color: purple; text-decoration: =
underline; ">oauth@ietf.org</a><span =
class=3D"Apple-converted-space">&nbsp;</span>list<br><b>Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>[OAUTH-WG] Working Group =
Versions of Refactored OAuth Dynamic Client Registration =
Specs<o:p></o:p></div></div></div><div style=3D"margin: 0in 0in =
0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; =
"><o:p>&nbsp;</o:p></div><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif; ">There are now<span =
class=3D"Apple-converted-space">&nbsp;</span><a =
href=3D"http://datatracker.ietf.org/wg/oauth/" style=3D"color: purple; =
text-decoration: underline; ">OAuth working group</a><span =
class=3D"Apple-converted-space">&nbsp;</span>versions of the refactored =
OAuth Dynamic Client Registration specifications:<o:p></o:p></div><div =
style=3D"margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt; font-family: =
Calibri, sans-serif; text-indent: -0.25in; "><span style=3D"font-family: =
Symbol; "><span>=B7<span style=3D"font-style: normal; font-variant: =
normal; font-weight: normal; font-size: 7pt; line-height: normal; =
font-family: 'Times New Roman'; =
">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span></span></span>OAuth =
2.0 Dynamic Client Registration Core Protocol<o:p></o:p></div><div =
style=3D"margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt; font-family: =
Calibri, sans-serif; text-indent: -0.25in; "><span style=3D"font-family: =
Symbol; "><span>=B7<span style=3D"font-style: normal; font-variant: =
normal; font-weight: normal; font-size: 7pt; line-height: normal; =
font-family: 'Times New Roman'; =
">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span></span></span><span =
lang=3D"EN">OAuth 2.0 Dynamic Client Registration =
Metadata</span><o:p></o:p></div><div style=3D"margin: 0in 0in 0.0001pt =
0.5in; font-size: 11pt; font-family: Calibri, sans-serif; text-indent: =
-0.25in; "><span style=3D"font-family: Symbol; "><span>=B7<span =
style=3D"font-style: normal; font-variant: normal; font-weight: normal; =
font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; =
">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span></span></span>OAuth =
2.0 Dynamic Client Registration Management Protocol<o:p></o:p></div><div =
style=3D"margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: =
Calibri, sans-serif; "><o:p>&nbsp;</o:p></div><div style=3D"margin: 0in =
0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">These =
versions address review comments by Phil Hunt and Tony Nadalin.&nbsp; =
Phil is now also an author.&nbsp; The data structures and messages used =
are the same as the<span class=3D"Apple-converted-space">&nbsp;</span><a =
href=3D"http://self-issued.info/?p=3D1171" style=3D"color: purple; =
text-decoration: underline; ">previous =
versions</a>.<o:p></o:p></div><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif; =
"><o:p>&nbsp;</o:p></div><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif; ">The drafts are =
available at:<o:p></o:p></div><div style=3D"margin: 0in 0in 0.0001pt =
0.5in; font-size: 11pt; font-family: Calibri, sans-serif; text-indent: =
-0.25in; "><span style=3D"font-family: Symbol; "><span>=B7<span =
style=3D"font-style: normal; font-variant: normal; font-weight: normal; =
font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; =
">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span></span></span><a =
href=3D"http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16" =
style=3D"color: purple; text-decoration: underline; =
">http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16</a><o:p></o:p></d=
iv><div style=3D"margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt; =
font-family: Calibri, sans-serif; text-indent: -0.25in; "><span =
style=3D"font-family: Symbol; "><span>=B7<span style=3D"font-style: =
normal; font-variant: normal; font-weight: normal; font-size: 7pt; =
line-height: normal; font-family: 'Times New Roman'; =
">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span></span></span><a =
href=3D"http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00" =
style=3D"color: purple; text-decoration: underline; =
">http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00</a><o:p>=
</o:p></div><div style=3D"margin: 0in 0in 0.0001pt 0.5in; font-size: =
11pt; font-family: Calibri, sans-serif; text-indent: -0.25in; "><span =
style=3D"font-family: Symbol; "><span>=B7<span style=3D"font-style: =
normal; font-variant: normal; font-weight: normal; font-size: 7pt; =
line-height: normal; font-family: 'Times New Roman'; =
">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span></span></span><a =
href=3D"http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-00"=
 style=3D"color: purple; text-decoration: underline; =
">http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-00</a><o:=
p></o:p></div><div style=3D"margin: 0in 0in 0.0001pt; font-size: 11pt; =
font-family: Calibri, sans-serif; "><o:p>&nbsp;</o:p></div><div =
style=3D"margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: =
Calibri, sans-serif; ">HTML formatted versions are also available =
at:<o:p></o:p></div><div style=3D"margin: 0in 0in 0.0001pt 0.5in; =
font-size: 11pt; font-family: Calibri, sans-serif; text-indent: -0.25in; =
"><span style=3D"font-family: Symbol; "><span>=B7<span =
style=3D"font-style: normal; font-variant: normal; font-weight: normal; =
font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; =
">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span></span></span><a =
href=3D"https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-16.html" =
style=3D"color: purple; text-decoration: underline; =
">https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-16.html</a><o:p><=
/o:p></div><div style=3D"margin: 0in 0in 0.0001pt 0.5in; font-size: =
11pt; font-family: Calibri, sans-serif; text-indent: -0.25in; "><span =
style=3D"font-family: Symbol; "><span>=B7<span style=3D"font-style: =
normal; font-variant: normal; font-weight: normal; font-size: 7pt; =
line-height: normal; font-family: 'Times New Roman'; =
">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span></span></span><a =
href=3D"https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-metadata-00=
.html" style=3D"color: purple; text-decoration: underline; =
">https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-metadata-00.html<=
/a><o:p></o:p></div><div style=3D"margin: 0in 0in 0.0001pt 0.5in; =
font-size: 11pt; font-family: Calibri, sans-serif; text-indent: -0.25in; =
"><span style=3D"font-family: Symbol; "><span>=B7<span =
style=3D"font-style: normal; font-variant: normal; font-weight: normal; =
font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; =
">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span></span></span><a =
href=3D"https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-management-=
00.html" style=3D"color: purple; text-decoration: underline; =
">https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-management-00.htm=
l</a><o:p></o:p></div><div style=3D"margin: 0in 0in 0.0001pt; font-size: =
11pt; font-family: Calibri, sans-serif; "><o:p>&nbsp;</o:p></div><div =
style=3D"margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: =
Calibri, sans-serif; =
">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- =
Mike<o:p></o:p></div><div style=3D"margin: 0in 0in 0.0001pt; font-size: =
11pt; font-family: Calibri, sans-serif; "><o:p>&nbsp;</o:p></div><div =
style=3D"margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: =
Calibri, sans-serif; ">P.S.&nbsp; I also posted this notice at<span =
class=3D"Apple-converted-space">&nbsp;</span><a =
href=3D"http://self-issued.info/?p=3D1180" style=3D"color: purple; =
text-decoration: underline; ">http://self-issued.info/?p=3D1180</a><span =
class=3D"Apple-converted-space">&nbsp;</span>and as =
@selfissued.<o:p></o:p></div><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif; =
"><o:p>&nbsp;</o:p></div></div>___________________________________________=
____<br>OAuth mailing list<br><a =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>https://www.ietf.org/=
mailman/listinfo/oauth</div></blockquote></div><br></div></body></html>=

--Apple-Mail=_01F377B2-1BE5-470F-9910-20084E328084--


From nobody Thu Mar  6 10:47:16 2014
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFE5C1A0084 for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 10:47:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.746
X-Spam-Level: 
X-Spam-Status: No, score=-4.746 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i-8AApE4XjXI for <oauth@ietfa.amsl.com>; Thu,  6 Mar 2014 10:47:11 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id CC3561A00E3 for <oauth@ietf.org>; Thu,  6 Mar 2014 10:47:10 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 5F1381F05BE; Thu,  6 Mar 2014 13:47:06 -0500 (EST)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 4487C1F05B7; Thu,  6 Mar 2014 13:47:06 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.95]) by IMCCAS04.MITRE.ORG ([129.83.29.81]) with mapi id 14.03.0174.001; Thu, 6 Mar 2014 13:47:05 -0500
From: "Richer, Justin P." <jricher@mitre.org>
To: Anthony Nadalin <tonynad@microsoft.com>, Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org list" <oauth@ietf.org>
Thread-Topic: Working Group Versions of Refactored OAuth Dynamic Client Registration Specs
Thread-Index: Ac8kNnz3PF/lDi5zTKOXOi6a7z33lwVFgm5QAAIciaAABcin8Q==
Date: Thu, 6 Mar 2014 18:47:04 +0000
Message-ID: <B33BFB58CCC8BE4998958016839DE27E4C180B4F@IMCMBX01.MITRE.ORG>
References: <4E1F6AAD24975D4BA5B16804296739438B1882D3@TK5EX14MBXC288.redmond.corp.microsoft.com> <532782efb0bd4dd8b69e26905d5250a1@BLUPR03MB309.namprd03.prod.outlook.com>, <370d79ce16e24a4997ac444591829e35@BLUPR03MB309.namprd03.prod.outlook.com>
In-Reply-To: <370d79ce16e24a4997ac444591829e35@BLUPR03MB309.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [129.83.31.52]
Content-Type: multipart/alternative; boundary="_000_B33BFB58CCC8BE4998958016839DE27E4C180B4FIMCMBX01MITREOR_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/hvpJGAXC-OXKQhXFdPP2OG1rt4o
Subject: Re: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs
X-List-Received-Date: Thu, 06 Mar 2014 18:47:14 -0000

--_000_B33BFB58CCC8BE4998958016839DE27E4C180B4FIMCMBX01MITREOR_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Neither registration_access_token nor registration_client_uri are mentioned
in core-16. They're both required in the management draft, and it makes
sense there. If you're not implementing the management draft (or you've got
your own thing for that), then you don't return either of them.

 -- Justin

________________________________
From: OAuth [oauth-bounces@ietf.org] on behalf of Anthony Nadalin [tonynad@microsoft.com]
Sent: Thursday, March 06, 2014 11:00 AM
To: Anthony Nadalin; Mike Jones; oauth@ietf.org list
Subject: Re: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs

Same is true for the registration_client_uri as I may not need/want this,
should be optional

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Anthony Nadalin
Sent: Thursday, March 6, 2014 7:02 AM
To: Mike Jones; oauth@ietf.org list
Subject: Re: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs

So the current core makes the registration_access_token required and there
are open registration endpoints, so this should be optional, there are also
cases where the client_id is signed and that becomes the right to the
registration endpoint

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Friday, February 7, 2014 10:58 AM
To: oauth@ietf.org<mailto:oauth@ietf.org> list
Subject: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs

There are now OAuth working group<http://datatracker.ietf.org/wg/oauth/>
versions of the refactored OAuth Dynamic Client Registration specifications:

·  OAuth 2.0 Dynamic Client Registration Core Protocol

·  OAuth 2.0 Dynamic Client Registration Metadata

·  OAuth 2.0 Dynamic Client Registration Management Protocol

These versions address review comments by Phil Hunt and Tony Nadalin.  Phil
is now also an author.  The data structures and messages used are the same
as the previous versions<http://self-issued.info/?p=1171>.

The drafts are available at:

·  http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

·  http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00

·  http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-00

HTML formatted versions are also available at:

·  https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-16.html

·  https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-metadata-00.html

·  https://self-issued.info/docs/draft-ietf-oauth-dyn-reg-management-00.html

                                                            -- Mike

P.S.  I also posted this notice at http://self-issued.info/?p=1180 and as
@selfissued.


--_000_B33BFB58CCC8BE4998958016839DE27E4C180B4FIMCMBX01MITREOR_--


From takahiko.kawasaki@neovisionaries.com  Mon Mar  3 09:20:15 2014
Return-Path: <takahiko.kawasaki@neovisionaries.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A36AC1A0260 for <oauth@ietfa.amsl.com>; Mon,  3 Mar 2014 09:20:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level: 
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XgHvx-OUHy2h for <oauth@ietfa.amsl.com>; Mon,  3 Mar 2014 09:20:13 -0800 (PST)
Received: from mail-vc0-f176.google.com (mail-vc0-f176.google.com [209.85.220.176]) by ietfa.amsl.com (Postfix) with ESMTP id 39E8C1A0258 for <oauth@ietf.org>; Mon,  3 Mar 2014 09:20:13 -0800 (PST)
Received: by mail-vc0-f176.google.com with SMTP id la4so3840175vcb.21 for <oauth@ietf.org>; Mon, 03 Mar 2014 09:20:10 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=pM94xl0w/Bi+aFPI4m4A+9lHKQiaVcAhU6kavfTpMgk=; b=A1oidFLFvYtONXx8sqb9qjec2uvmWGxppgz/qEiqM8HwAKJ5WVK1iLa8e8Us3+JV61 53cXnFwjag7McE0cyeSNYIT3cXf0oe4qldm8FkPxHjT6i8ipdw4N9WG1as5mU3ndH09w fdCOpYCZxV5RVI6okK1ILkG9cJ86C3v+04ok1HcxwJi/jdj3TZDVTOPo2Rd5nNhxuZUX 5KIgswAjbcYDjIB0hL3sCJ/yjUUCMQ+9xzaVHu4fnN9NkI+RPHcLf9uUOlvTIdzgiGQS RQ579zaJ1AGFmxCb6UZZAmdLi7WHRasdTg7LArx3wxugmijuAfP4c4Fw/1zaqwWA29nq 00sQ==
X-Gm-Message-State: ALoCoQkS3Y3ctaQWoYo+YAWk4JLrjiytR9TMrdjj333IJCcauscdkMxiKNlQVblDVd3BcZaHCUMd
MIME-Version: 1.0
X-Received: by 10.58.238.35 with SMTP id vh3mr13013394vec.16.1393867209900; Mon, 03 Mar 2014 09:20:09 -0800 (PST)
Received: by 10.220.92.137 with HTTP; Mon, 3 Mar 2014 09:20:09 -0800 (PST)
X-Originating-IP: [58.87.202.217]
In-Reply-To: <20140301141431.C1F887FC396@rfc-editor.org>
References: <20140301141431.C1F887FC396@rfc-editor.org>
Date: Tue, 4 Mar 2014 02:20:09 +0900
Message-ID: <CACYGi5+LWYOaX_QbRo44xya+nYP99nByOwTbaXdv5U8Zyr=rAw@mail.gmail.com>
From: Kawasaki Takahiko <takahiko.kawasaki@neovisionaries.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: multipart/alternative; boundary=047d7bb04396e921b404f3b6ff69
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/H3vAlO0pTGAhuvlRKpLK5bKsuhw
X-Mailman-Approved-At: Mon, 10 Mar 2014 00:41:29 -0700
Cc: turners@ieca.com, derek@ihtfp.com, oauth@ietf.org
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (3904)

--047d7bb04396e921b404f3b6ff69
Content-Type: text/plain; charset=ISO-8859-1

Hello,

I made an errata report for RFC 6749 (The OAuth 2.0 Authorization
Framework).

  http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=3904

Is there any next action I should take? Is the errata reviewed without my
further action?

Best Regards,
Takahiko Kawasaki



2014-03-01 23:14 GMT+09:00 RFC Errata System <rfc-editor@rfc-editor.org>:

> The following errata report has been submitted for RFC6749,
> "The OAuth 2.0 Authorization Framework".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=3904
>
> --------------------------------------
> Type: Technical
> Reported by: Takahiko Kawasaki <takahiko.kawasaki@neovisionaries.com>
>
> Section: 11.2.2.
>
> Original Text
> -------------
>
>
> Corrected Text
> --------------
>    o  Parameter name: error
>    o  Parameter usage location: authorization response, token response
>    o  Change controller: IETF
>    o  Specification document(s): RFC 6749
>
>
> Notes
> -----
> "error" is missing and should be added to the list of Initial Registry
> Contents of OAuth Parameters Registry.
>
> Instructions:
> -------------
> This errata is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6749 (draft-ietf-oauth-v2-31)
> --------------------------------------
> Title               : The OAuth 2.0 Authorization Framework
> Publication Date    : October 2012
> Author(s)           : D. Hardt, Ed.
> Category            : PROPOSED STANDARD
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
>

--047d7bb04396e921b404f3b6ff69--


From nobody Tue Mar 11 07:13:56 2014
From: Antonio Sanso <asanso@adobe.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 11 Mar 2014 14:13:41 +0000
Message-ID: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com>
Content-Type: multipart/alternative; boundary="_000_3A1BC33F1AE2492FBCE9CCB9CF4C3C83adobecom_"
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/FWXA1-aLWmZcBYTUjBeetNNasB8
Subject: [OAUTH-WG] JSON Web Token (JWT) Profile

--_000_3A1BC33F1AE2492FBCE9CCB9CF4C3C83adobecom_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

hi *,

JSON Web Token (JWT) Profile section 3 [0] explicitly says


The JWT MUST contain a "sub" (subject) claim

Now IMHO there are cases where having the sub is either not needed or
redundant (since it might overlap with the issuer).

As far as I can see “even Google” currently violates this spec [1] (I
know that this doesn’t matter, just wanted to bring a real use case
scenario).

WDYT, might the “sub” be optional in some situations?

regards

antonio

[0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
[1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount

--_000_3A1BC33F1AE2492FBCE9CCB9CF4C3C83adobecom_--


From nobody Tue Mar 11 07:27:08 2014
From: "Manfred Steyer" <manfred.steyer@gmx.net>
To: <oauth@ietf.org>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com>
In-Reply-To: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com>
Date: Tue, 11 Mar 2014 15:26:54 +0100
Message-ID: <009501cf3d35$f4257410$dc705c30$@gmx.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0096_01CF3D3E.55EF3340"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/JSoVXvme6Yj9fSFfypkD_1GRo2o
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile

This is a multipart message in MIME format.

------=_NextPart_000_0096_01CF3D3E.55EF3340
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi Antonio,

some time ago, I wrote about the same issue, but – unfortunately – didn’t
get an answer. I place my thoughts about this at the end of this mail.

Wishes,
Manfred

8<-------------------------------

Hi,

the draft about the

    JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants [1]

says:

„The JWT MUST contain a "sub" (subject) claim identifying the principal that
is the subject of the JWT.  Two cases need to be differentiated:

        A.  For the authorization grant, the subject SHOULD identify an
            authorized accessor for whom the access token is being
            requested (typically the resource owner, or an authorized
            delegate).

        B.  For client authentication, the subject MUST be the
            "client_id" of the OAuth client.“

I’m not sure if this makes sense, because in a federation-scenario the
original jwt is issued in another security-domain and the auth-server in
question does not necessarily know the users in that domain. Furthermore,
it is very likely that the auth-server is not interested in the subject
claim, but just in other incoming claims in view of mapping them to outgoing
ones. IMHO, all the auth-server can do with the subject-claim is to create a
protocol entry that says that some action was performed for this subject.

Do I see that right?

Wishes,
Manfred

[1] https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07


From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Antonio Sanso
Sent: Tuesday, 11 March 2014 15:14
To: oauth@ietf.org
Subject: [OAUTH-WG] JSON Web Token (JWT) Profile

hi *,

JSON Web Token (JWT) Profile section 3 [0] explicitly says

The JWT MUST contain a "sub" (subject) claim

Now IMHO there are cases where having the sub is either not needed or
redundant (since it might overlap with the issuer).

As far as I can see “even Google” currently violates this spec [1] (I know
that this doesn’t matter, just wanted to bring a real use case scenario).

WDYT, might the “sub” be optional in some situations?

regards

antonio

[0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3

[1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount


------=_NextPart_000_0096_01CF3D3E.55EF3340--


From nobody Tue Mar 11 07:45:46 2014
Message-ID: <531F1F72.8010805@gmx.net>
Date: Tue, 11 Mar 2014 15:36:34 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Antonio Sanso <asanso@adobe.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com>
In-Reply-To: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="uIT25RUGIQ1GOD4afXOhX20j1pkTNTJr6"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/GwuyCRXYAxF5NgViBFPrrsu0Vek
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--uIT25RUGIQ1GOD4afXOhX20j1pkTNTJr6
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Hi Manfred, Hi Antonio,

Note that there are two documents that talk about the JWT and you guys
might be looking at the wrong document.

The main JWT document (see
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18) defines
the subject claim as optional (see Section 4.1.2).

The JWT bearer assertion document (see
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does indeed
define it as mandatory but that's intentional since the purpose of the
spec is to authenticate the client (or the resource owner for an
authorization grant).

The assertion documents are used for interworking with "legacy" identity
infrastructure (such as SAML federations).

So, are you sure you are indeed looking at the right document?

Ciao
Hannes


On 03/11/2014 03:13 PM, Antonio Sanso wrote:
> hi *,
>
> JSON Web Token (JWT) Profile section 3 [0] explicitly says
>
> The JWT MUST contain a "sub" (subject) claim
>
>
> Now IMHO there are cases where having the sub is either not needed or
> redundant (since it might overlap with the issuer).
>
> As far as I can see “even Google” currently violates this spec [1] (I
> know that this doesn’t matter, just wanted to bring a real use case
> scenario).
>
> WDYT, might the “sub” be optional in some situations?
>
> regards
>
> antonio
>
> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


--uIT25RUGIQ1GOD4afXOhX20j1pkTNTJr6--


From nobody Tue Mar 11 07:57:05 2014
Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 260D31A0744 for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 07:57:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ciQbISbJm7_g for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 07:57:01 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0188.outbound.protection.outlook.com [207.46.163.188]) by ietfa.amsl.com (Postfix) with ESMTP id 30FE31A044B for <oauth@ietf.org>; Tue, 11 Mar 2014 07:57:01 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by BL2PR02MB307.namprd02.prod.outlook.com (10.141.91.21) with Microsoft SMTP Server (TLS) id 15.0.893.10; Tue, 11 Mar 2014 14:56:54 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.29]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.185]) with mapi id 15.00.0893.001; Tue, 11 Mar 2014 14:56:53 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] JSON Web Token (JWT) Profile
Thread-Index: AQHPPTQaKxckAjMng0+5U95NRYKjsJrb9DEAgAAFrgA=
Date: Tue, 11 Mar 2014 14:56:52 +0000
Message-ID: <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net>
In-Reply-To: <531F1F72.8010805@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [193.104.215.11]
x-forefront-prvs: 0147E151B5
x-forefront-antispam-report: SFV:NSPM; SFS:(10019001)(6009001)(428001)(199002)(189002)(51704005)(51694002)(377454003)(479174003)(24454002)(2656002)(95666003)(92566001)(94316002)(74662001)(31966008)(15975445006)(81816001)(47446002)(81542001)(83716003)(97186001)(74876001)(63696002)(74502001)(87936001)(85306002)(95416001)(36756003)(97336001)(87266001)(94946001)(79102001)(56816005)(47976001)(90146001)(54316002)(82746002)(74366001)(47736001)(74706001)(83072002)(93516002)(66066001)(46102001)(65816001)(85852003)(93136001)(15202345003)(92726001)(59766001)(77982001)(80022001)(83322001)(86362001)(54356001)(81686001)(53806001)(51856001)(4396001)(19580395003)(33656001)(77096001)(49866001)(81342001)(76796001)(76786001)(76482001)(69226001)(56776001)(80976001)(50986001)(19580405001); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2PR02MB307; H:CO1PR02MB206.namprd02.prod.outlook.com; CLIP:193.104.215.11; FPR:AFFC75F5.ACFAD1C9.7CFF1DB3.C6EDB6E2.202CD; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (: adobe.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <56ACA17F11CDA94C9B9094C4222C2134@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/AxD9HPBbZLFv-a1GPr2vL4ZvYh0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 14:57:03 -0000

hi Hannes,

I am aware of the 2 documents,

I might be wrong but http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 is also about Authorization Grant Processing (this is the part I do use in my implementation) and not only Client Authentication Processing.

Just my 0.02 $ but this seems to be a place where different implementers have the same issue :)

regards

antonio



From nobody Tue Mar 11 08:02:34 2014
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C5801A0479 for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 08:02:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level: 
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1V9bGmzLnZvA for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 08:02:30 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) by ietfa.amsl.com (Postfix) with ESMTP id 132051A044B for <oauth@ietf.org>; Tue, 11 Mar 2014 08:02:30 -0700 (PDT)
Received: from [192.168.131.134] ([80.92.123.72]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MdoR7-1WX6Pe2PKn-00PcBB; Tue, 11 Mar 2014 16:02:19 +0100
Message-ID: <531F234E.90609@gmx.net>
Date: Tue, 11 Mar 2014 15:53:02 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Antonio Sanso <asanso@adobe.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com>
In-Reply-To: <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="cJrs67sA3ANt0b0BMO1Cfhep66A8kVWVF"
X-Provags-ID: V03:K0:x7LQv7y3J9LOaBA0jV9FO8uKsitzWmm6jla5xLR2vNS7xG7ZNXh /OMTY3WARCEQFvzZ/MYcQnoEChPyZsXZDjd88Tppg1hA6vPX3xHjx+ZXe9TCuigj1S7G01C sk0GLttxIX4wCoEeRlq+pDxtPTu6HyRNf/42bDHqzCbwHhHMKAFkeFsoMX6UAi7fg9h/c/w kOpQlN0UIeOX62tEfXk8A==
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/G6ncr9_N4i9uwCewatcQtOKS19o
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 15:02:32 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--cJrs67sA3ANt0b0BMO1Cfhep66A8kVWVF
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Thanks for clarifying.

I took a quick look at the Google API and it seems that in their use
case the client creates the JWT and consequently the subject and the
issue would actually be the same. I suspect that this is the reason why
they omitted the subject.

Could you explain why you would like to omit the subject claim in the JWT?

Ciao
Hannes

PS: Your feedback on the draft-ietf-oauth-jwt-bearer-07 spec is timely
since we are about to finish all three assertion specs.




--cJrs67sA3ANt0b0BMO1Cfhep66A8kVWVF
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--cJrs67sA3ANt0b0BMO1Cfhep66A8kVWVF--


From nobody Tue Mar 11 08:08:50 2014
Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E867E1A075E for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 08:08:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bivdPc8lgEqn for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 08:08:44 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0185.outbound.protection.outlook.com [207.46.163.185]) by ietfa.amsl.com (Postfix) with ESMTP id 934021A0479 for <oauth@ietf.org>; Tue, 11 Mar 2014 08:08:44 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by BLUPR02MB310.namprd02.prod.outlook.com (10.141.77.146) with Microsoft SMTP Server (TLS) id 15.0.893.10; Tue, 11 Mar 2014 15:08:38 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.29]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.185]) with mapi id 15.00.0893.001; Tue, 11 Mar 2014 15:08:37 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] JSON Web Token (JWT) Profile
Thread-Index: AQHPPTQaKxckAjMng0+5U95NRYKjsJrb9DEAgAAFrgD///7sAIAABF2A
Date: Tue, 11 Mar 2014 15:08:36 +0000
Message-ID: <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net>
In-Reply-To: <531F234E.90609@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [178.83.47.250]
x-forefront-prvs: 0147E151B5
x-forefront-antispam-report: SFV:NSPM; SFS:(10019001)(6009001)(428001)(51704005)(51694002)(377454003)(189002)(199002)(479174003)(24454002)(52604005)(81542001)(76796001)(76786001)(19580395003)(97186001)(31966008)(74662001)(83322001)(74502001)(80976001)(85306002)(81342001)(65816001)(47446002)(66066001)(19580405001)(74366001)(69226001)(36756003)(77096001)(80022001)(97336001)(49866001)(47736001)(4396001)(51856001)(59766001)(83072002)(82746002)(93136001)(92566001)(81816001)(74876001)(15975445006)(92726001)(2656002)(95666003)(85852003)(81686001)(95416001)(94316002)(54356001)(77982001)(87266001)(86362001)(47976001)(33656001)(46102001)(87936001)(83716003)(50986001)(93516002)(76482001)(53806001)(79102001)(56776001)(74706001)(54316002)(90146001)(94946001)(56816005)(63696002)(15202345003); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR02MB310; H:CO1PR02MB206.namprd02.prod.outlook.com; CLIP:178.83.47.250; FPR:EFFFF575.ACF2D1E9.78FF1DBF.46EDF662.2038F; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
received-spf: None (: adobe.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <197E279DFA89DE4F98A2C9FF551C79BB@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/NVgQDQDW6rFh_nqYmXxy242f8zE
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 15:08:47 -0000

On Mar 11, 2014, at 3:53 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Thanks for clarifying.
>
> I took a quick look at the Google API and it seems that in their use
> case the client creates the JWT and consequently the subject and the
> issue would actually be the same. I suspect that this is the reason why
> they omitted the subject.

agreed that is why in my mail I said the subject might overlap with the issuer.
The subject in the google case is still called with its obsolete name (prn) and it is actually listed as ‘additional claims’ hence not mandatory.

regards

antonio



From nobody Tue Mar 11 08:15:07 2014
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28B1A1A0746 for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 08:15:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level: 
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6xtRPetn5DbL for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 08:15:01 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) by ietfa.amsl.com (Postfix) with ESMTP id 86A361A0479 for <oauth@ietf.org>; Tue, 11 Mar 2014 08:15:01 -0700 (PDT)
Received: from [192.168.131.134] ([80.92.123.72]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0LoaCE-1Wpabc1Wfq-00gXsO; Tue, 11 Mar 2014 16:14:54 +0100
Message-ID: <531F2632.2090204@gmx.net>
Date: Tue, 11 Mar 2014 16:05:22 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Antonio Sanso <asanso@adobe.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net> <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com>
In-Reply-To: <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="o5LEDUoQamiQIhNtSlHP2nwcXNljVTU7U"
X-Provags-ID: V03:K0:rBeAAt5u52iB8tLaivXCYrtwtE94OoBXSweQ7zLeU1Jdv0vUom0 P9HBnrB66LcZ1ROMB2G2ToUrwLklUhnjx4Y9AbWlq7H7d6cdRJiaAmsik6nj97Gs8Z0Nrac UHDg+zrtc2CA5TG/B40nqFBBWs5CuDoPr1R8yzK504yDrFHsukiGGdoDSWna/OYZs1BiGrR peZ1MukH4jafEwf6zgSVw==
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/krBTtAe-ZNTHxITFJ8c7eU_KqpY
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 15:15:04 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--o5LEDUoQamiQIhNtSlHP2nwcXNljVTU7U
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Maintaining both information in the JWT is IMHO valuable since it gives
you some information about the security properties. Needless to say that
there is a substantial difference between a self-created JWT and a JWT
from a third party the relying party has some confidence in.

Why Google has an old implementation and whether they are planning to
update their code remains to be seen.

More importantly, however, is why you argue that the subject claim has
to be optional.

Ciao
Hannes

Ps: I also noticed in the examples that all URIs have their URI scheme
missing. While that might be OK I am not entirely sure...



--o5LEDUoQamiQIhNtSlHP2nwcXNljVTU7U
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--o5LEDUoQamiQIhNtSlHP2nwcXNljVTU7U--
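
The distinction discussed in the messages above ("sub" optional in the base JWT draft, mandatory in the jwt-bearer assertion profile, and "iss" compared with "sub" to tell a self-created JWT from a third-party one), as an added example that is not part of any message in this thread or of either draft. HS256, the key, the sample claim values and every function name are assumptions of the example; requiring "iss" and refusing "prn" as a stand-in for "sub" are the example's own policy, and audience and expiry checks are left out.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed sample secret, not from the thread


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    # Compact JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims, key=KEY):
    """Build a constructed HS256 JWT to use as sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verified_claims(token, key=KEY):
    """Return the claim set if the HS256 signature verifies, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # pin the algorithm; the token does not get to choose
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def check_assertion(claims, profile):
    """Apply claim rules to an already verified claim set.

    profile="jwt":        base JWT rules, where "sub" is optional.
    profile="jwt-bearer": assertion profile, where "sub" is mandatory.
    """
    if profile not in ("jwt", "jwt-bearer"):
        raise ValueError("unknown profile: %r" % profile)
    iss, sub = claims.get("iss"), claims.get("sub")
    if profile == "jwt-bearer":
        if not isinstance(sub, str) or not sub:
            # Example policy: the obsolete "prn" name does not satisfy the MUST.
            hint = " (legacy 'prn' is not a substitute)" if "prn" in claims else ""
            return {"accepted": False, "origin": "unknown",
                    "reason": "missing 'sub'" + hint}
        if not isinstance(iss, str) or not iss:
            return {"accepted": False, "origin": "unknown",
                    "reason": "missing 'iss'"}
    origin = "unknown"
    if isinstance(iss, str) and isinstance(sub, str):
        # With both claims present the receiver can tell who vouches for whom.
        origin = "self-issued" if iss == sub else "third-party"
    return {"accepted": True, "origin": origin, "reason": "ok"}


def evaluate(token, profile):
    claims = verified_claims(token)
    if claims is None:
        return {"accepted": False, "origin": "unknown",
                "reason": "bad signature or encoding"}
    return check_assertion(claims, profile)


# Constructed claim sets covering the three cases raised in the thread.
SAMPLES = {
    "third-party": {"iss": "https://idp.example", "sub": "alice@example.com"},
    "self-issued": {"iss": "client-123", "sub": "client-123"},
    "legacy-prn": {"iss": "client-123", "prn": "alice@example.com"},
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        token = make_token(sample)
        for profile in ("jwt", "jwt-bearer"):
            print(name, profile, evaluate(token, profile))
```
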


From nobody Tue Mar 11 08:25:29 2014
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D14EE1A03F7 for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 08:25:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HlB_8OXD-D2I for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 08:25:23 -0700 (PDT)
Received: from mail-yh0-f45.google.com (mail-yh0-f45.google.com [209.85.213.45]) by ietfa.amsl.com (Postfix) with ESMTP id 7F9051A074E for <oauth@ietf.org>; Tue, 11 Mar 2014 08:25:17 -0700 (PDT)
Received: by mail-yh0-f45.google.com with SMTP id a41so569410yho.4 for <oauth@ietf.org>; Tue, 11 Mar 2014 08:25:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=JBn5osmi8bFVmBtYW5d4fttL6n7utwuJDY6YXS3ypw0=; b=gINuXg55UtfoEmzdFrXbBdyzDB4OqxXvj0hUsTTL8+WZc7lHUygqFs0EMRu0NbLo2V oKdORXz7a39weV5+vG3Ny0+ZQWEz32em3Ip7k2NlNbqH/MuJnPgCJxd+ZNxRtwvfcAEo 36CjypyJ7WDxLC6K2A1NQUQZ8BqeueclKkMGe3ppeeSZ6KVp1P5hyWReH+7gq3MVXGeV Xi2PuKqzpv61D15ElSpm3otu9jJ4cT5DICBegNj3MKZaMbp2PE5XIyMfvMlpNE6qsXRi Gvkk/fYPA/Hwo5Va5upjwRCP6InE8g+MV5ELtbXEf02T5a9/+S10w/Hpleme56TlbHWq KbRA==
X-Gm-Message-State: ALoCoQn6LOZHfecYlYaF5MROsb8jNn4HyOejwg+5VwazN4DMPIZe7RepTqJVf0vlkRv+NFCC8Kpx
X-Received: by 10.236.93.208 with SMTP id l56mr3310052yhf.112.1394551511662; Tue, 11 Mar 2014 08:25:11 -0700 (PDT)
Received: from [192.168.0.200] ([201.188.147.185]) by mx.google.com with ESMTPSA id 23sm66205128yhj.5.2014.03.11.08.25.09 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 11 Mar 2014 08:25:10 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_8216894A-310A-453C-B8FB-4844F298B38C"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <531F2632.2090204@gmx.net>
Date: Tue, 11 Mar 2014 12:25:05 -0300
Message-Id: <DF99C8A6-DD40-40DE-8F01-399C4CB6FFDC@ve7jtb.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net> <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com> <531F2632.2090204@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/cKzKWylHmyzAhLwCZPE9Zm8USCk
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 15:25:26 -0000

--Apple-Mail=_8216894A-310A-453C-B8FB-4844F298B38C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

The missing scheme especially on JWT issued by google is something I understand they are working on but need to be careful about breaking existing code, so will possibly need new endpoints that are spec compliant.

While in this google case the subject and the issuer happen to be the same they may well not be even in the self signed case.   In WG discussions being consistent in providing the subject was considered to be better for interoperability than optimizing for the case where sub or issuer could be dropped.

John B.

On Mar 11, 2014, at 12:05 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Maintaining both information in the JWT is IMHO valuable since it gives
> you some information about the security properties. Needless to say that
> there is a substantial difference between a self-created JWT and a JWT
> from a third party the relying party has some confidence in.
>
> Why Google has an old implementation and whether they are planning to
> update their code remains to be seen.
>
> More importantly, however, is why you argue that the subject claim has
> to be optional.
>
> Ciao
> Hannes
>
> Ps: I also noticed in the examples that all URIs have their URI scheme
> missing. While that might be OK I am not entirely sure...
>
> On 03/11/2014 04:08 PM, Antonio Sanso wrote:
>>
>> On Mar 11, 2014, at 3:53 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>
>>> Thanks for clarifying.
>>>
>>> I took a quick look at the Google API and it seems that in their use
>>> case the client creates the JWT and consequently the subject and the
>>> issue would actually be the same. I suspect that this is the reason why
>>> they omitted the subject.
>>
>> agreed that is why in my mail I said the subject might overlap with the issuer.
>> The subject in the google case is still called with its obsolete name (prn) and it is actually listed as ‘additional claims’ hence not mandatory.
>>
>> regards
>>
>> antonio
>>
>>>
>>> Could you explain why you would like to omit the subject claim in the JWT?
>>>
>>> Ciao
>>> Hannes
>>>
>>> PS: Your feedback on the draft-ietf-oauth-jwt-bearer-07 spec is timely
>>> since we are about to finish all three assertion specs.
>>>
>>>
>>> On 03/11/2014 03:56 PM, Antonio Sanso wrote:
>>>> hi Hannes,
>>>>
>>>> I am aware of the 2 documents,
>>>>
>>>> I might be wrong but http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 is also about Authorization Grant Processing (this is the part I do use in my implementation ) and not only Client Authentication Processing.
>>>>
>>>> Just my 0.02 $ but this seems to be a place where different implementers have the same issue :)
>>>>
>>>> regards
>>>>
>>>> antonio
>>>>
>>>> On Mar 11, 2014, at 3:36 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>
>>>>> Hi Manfred, Hi Antonio,
>>>>>
>>>>> Note that there are two documents that talk about the JWT and you guys
>>>>> might be looking at the wrong document.
>>>>>
>>>>> The main JWT document (see
>>>>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18) defines
>>>>> the subject claim as optional (see Section 4.1.2).
>>>>>
>>>>> The JWT bearer assertion document (see
>>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does indeed
>>>>> define it as mandatory but that's intentional since the purpose of the
>>>>> spec is to authenticate the client (or the resource owner for an
>>>>> authorization grant).
>>>>>
>>>>> The assertion documents are used for interworking with "legacy" identity
>>>>> infrastructure (such as SAML federations).
>>>>>
>>>>> So, are you sure you are indeed looking at the right document?
>>>>>
>>>>> Ciao
>>>>> Hannes
>>>>>
>>>>>
>>>>> On 03/11/2014 03:13 PM, Antonio Sanso wrote:
>>>>>> hi *,
>>>>>>
>>>>>> JSON Web Token (JWT) Profile section 3 [0] explicitly says
>>>>>>
>>>>>> The JWT MUST contain a "sub" (subject) claim
>>>>>>
>>>>>>
>>>>>> Now IMHO there are cases where having the sub is either not needed or
>>>>>> redundant (since it might overlap with the issuer).
>>>>>>
>>>>>> As far as I can see “even Google” currently violates this spec [1] ( I
>>>>>> know that this doesn’t matter, just wanted to bring a real use case
>>>>>> scenario).
>>>>>>
>>>>>> WDYT might the “sub” be optional in some situation?
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> antonio
>>>>>>
>>>>>> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
>>>>>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>
>>>>
>>>
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_8216894A-310A-453C-B8FB-4844F298B38C
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail=_8216894A-310A-453C-B8FB-4844F298B38C--


From nobody Tue Mar 11 10:12:14 2014
Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69F171A076A for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 10:12:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T8GPKQcC13ts for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 10:12:08 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0141.outbound.protection.outlook.com [207.46.163.141]) by ietfa.amsl.com (Postfix) with ESMTP id D5AAA1A0767 for <oauth@ietf.org>; Tue, 11 Mar 2014 10:12:07 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by BY2PR02MB314.namprd02.prod.outlook.com (10.141.140.147) with Microsoft SMTP Server (TLS) id 15.0.893.10; Tue, 11 Mar 2014 17:12:00 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.29]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.185]) with mapi id 15.00.0893.001; Tue, 11 Mar 2014 17:11:59 +0000
From: Antonio Sanso <asanso@adobe.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] JSON Web Token (JWT) Profile
Thread-Index: AQHPPTQaKxckAjMng0+5U95NRYKjsJrb9DEAgAAFrgD///7sAIAABF2A////FQCAAAWCgIAAHd0A
Date: Tue, 11 Mar 2014 17:11:59 +0000
Message-ID: <F3EA5E97-BCC2-40E8-80FB-7170FD7D8BD4@adobe.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net> <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com> <531F2632.2090204@gmx.net> <DF99C8A6-DD40-40DE-8F01-399C4CB6FFDC@ve7jtb.com>
In-Reply-To: <DF99C8A6-DD40-40DE-8F01-399C4CB6FFDC@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [178.83.47.250]
received-spf: None (: adobe.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <66D3DF2994B6004F8F06CC881E76C8C6@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/_HnW3MISO8S8UzTS7I5Xpp9BmnY
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile

Ok this is my use case:

- I am John Doe and going to AS to register my app named app1
- I then either upload my public key or download a private key
- at this point I am ready to build my assertion, the issuer claim is going to be app1 and should suffice.

is the subject really needed in this use case?

regards

antonio


On Mar 11, 2014, at 4:25 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> The missing scheme especially on JWT issued by google is something I understand they are working on but need to be careful about breaking existing code, so will possibly need new endpoints that are spec compliant.
>
> While in this google case the subject and the issuer happen to be the same they may well not be even in the self signed case.   In WG discussions being consistent in providing the subject was considered to be better for interoperability than optimizing for the case where sub or issuer could be dropped.
>
> John B.
>
> On Mar 11, 2014, at 12:05 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
>> Maintaining both information in the JWT is IMHO valuable since it gives
>> you some information about the security properties. Needless to say that
>> there is a substantial difference between a self-created JWT and a JWT
>> from a third party the relying party has some confidence in.
>>
>> Why Google has an old implementation and whether they are planning to
>> update their code remains to be seen.
>>
>> More importantly, however, is why you argue that the subject claim has
>> to be optional.
>>
>> Ciao
>> Hannes
>>
>> Ps: I also noticed in the examples that all URIs have their URI scheme
>> missing. While that might be OK I am not entirely sure...
>>
>> On 03/11/2014 04:08 PM, Antonio Sanso wrote:
>>>
>>> On Mar 11, 2014, at 3:53 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>
>>>> Thanks for clarifying.
>>>>
>>>> I took a quick look at the Google API and it seems that in their use
>>>> case the client creates the JWT and consequently the subject and the
>>>> issue would actually be the same. I suspect that this is the reason why
>>>> they omitted the subject.
>>>
>>> agreed that is why in my mail I said the subject might overlap with the issuer.
>>> The subject in the google case is still called with its obsolete name (prn) and it is actually listed as ‘additional claims’ hence not mandatory.
>>>
>>> regards
>>>
>>> antonio
>>>
>>>>
>>>> Could you explain why you would like to omit the subject claim in the JWT?
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>> PS: Your feedback on the draft-ietf-oauth-jwt-bearer-07 spec is timely
>>>> since we are about to finish all three assertion specs.
>>>>
>>>>
>>>> On 03/11/2014 03:56 PM, Antonio Sanso wrote:
>>>>> hi Hannes,
>>>>>
>>>>> I am aware of the 2 documents,
>>>>>
>>>>> I might be wrong but http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 is also about Authorization Grant Processing (this is the part I do use in my implementation ) and not only Client Authentication Processing.
>>>>>
>>>>> Just my 0.02 $ but this seems to be a place where different implementers have the same issue :)
>>>>>
>>>>> regards
>>>>>
>>>>> antonio
>>>>>
>>>>> On Mar 11, 2014, at 3:36 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>>
>>>>>> Hi Manfred, Hi Antonio,
>>>>>>
>>>>>> Note that there are two documents that talk about the JWT and you guys
>>>>>> might be looking at the wrong document.
>>>>>>
>>>>>> The main JWT document (see
>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18) defines
>>>>>> the subject claim as optional (see Section 4.1.2).
>>>>>>
>>>>>> The JWT bearer assertion document (see
>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does indeed
>>>>>> define it as mandatory but that's intentional since the purpose of the
>>>>>> spec is to authenticate the client (or the resource owner for an
>>>>>> authorization grant).
>>>>>>
>>>>>> The assertion documents are used for interworking with "legacy" identity
>>>>>> infrastructure (such as SAML federations).
>>>>>>
>>>>>> So, are you sure you are indeed looking at the right document?
>>>>>>
>>>>>> Ciao
>>>>>> Hannes
>>>>>>
>>>>>>
>>>>>> On 03/11/2014 03:13 PM, Antonio Sanso wrote:
>>>>>>> hi *,
>>>>>>>
>>>>>>> JSON Web Token (JWT) Profile section 3 [0] explicitly says
>>>>>>>
>>>>>>> The JWT MUST contain a "sub" (subject) claim
>>>>>>>
>>>>>>>
>>>>>>> Now IMHO there are cases where having the sub is either not needed or
>>>>>>> redundant (since it might overlap with the issuer).
>>>>>>>
>>>>>>> As far as I can see “even Google” currently violates this spec [1] ( I
>>>>>>> know that this doesn’t matter, just wanted to bring a real use case
>>>>>>> scenario).
>>>>>>>
>>>>>>> WDYT might the “sub” be optional in some situation?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> antonio
>>>>>>>
>>>>>>> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
>>>>>>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
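
Added example, not part of any message in this thread: a claim check for a JWT bearer assertion that enforces the "sub" requirement quoted above, run on the self-issued case from this message (iss and sub both app1) and on an assertion that omits sub. The function names, the token endpoint URL, the registries and all sample claim values are constructed for illustration; the required-claim list is the one in section 3 of the JWT bearer profile, and the signature is assumed to have been verified before this check runs.

```python
import time

# Claims that section 3 of the JWT bearer profile requires in every assertion.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp")

# Constructed values for this example (assumptions, not from the thread).
TOKEN_ENDPOINT = "https://as.example.com/token"  # used here as the AS audience value
TRUSTED_ISSUERS = {"app1"}       # issuers whose verification key the AS holds
REGISTERED_CLIENTS = {"app1"}    # client_ids registered at the AS
NOW = 1394557919                 # fixed clock so the results are repeatable


class AssertionRejected(Exception):
    """The assertion's claims do not satisfy the profile."""


def _is_number(value):
    # bool is a subclass of int in Python; it is not a valid NumericDate.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_claims(claims, purpose, now=None, skew=60):
    """Check the claims of a JWT whose signature has ALREADY been verified.

    purpose is "client_auth" or "grant". Returns the subject the
    assertion speaks for, or raises AssertionRejected.
    """
    if purpose not in ("client_auth", "grant"):
        raise ValueError("purpose must be 'client_auth' or 'grant'")
    now = time.time() if now is None else now

    # One code path only: a missing sub is an error, never replaced by iss.
    missing = [name for name in REQUIRED_CLAIMS if name not in claims]
    if missing:
        raise AssertionRejected("missing required claim(s): " + ", ".join(missing))

    iss, sub = claims["iss"], claims["sub"]
    for name, value in (("iss", iss), ("sub", sub)):
        if not isinstance(value, str) or not value:
            raise AssertionRejected(name + " must be a non-empty string")
    if iss not in TRUSTED_ISSUERS:
        raise AssertionRejected("untrusted issuer")

    # aud may be a single string or an array of strings.
    aud = claims["aud"]
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, (list, tuple)):
        audiences = list(aud)
    else:
        raise AssertionRejected("aud must be a string or an array of strings")
    if TOKEN_ENDPOINT not in audiences:
        raise AssertionRejected("assertion is not addressed to this server")

    if not _is_number(claims["exp"]):
        raise AssertionRejected("exp must be a number")
    if now >= claims["exp"] + skew:
        raise AssertionRejected("assertion has expired")

    nbf = claims.get("nbf")  # optional claim
    if nbf is not None:
        if not _is_number(nbf):
            raise AssertionRejected("nbf must be a number")
        if now + skew < nbf:
            raise AssertionRejected("assertion is not valid yet")

    # For client authentication the subject has to be the client's client_id.
    if purpose == "client_auth" and sub not in REGISTERED_CLIENTS:
        raise AssertionRejected("sub is not a registered client_id")
    return sub


def check(claims, purpose):
    """Return ("accepted", sub) or ("rejected", reason) instead of raising."""
    try:
        return ("accepted", validate_claims(claims, purpose, now=NOW))
    except AssertionRejected as err:
        return ("rejected", str(err))


# Constructed claim sets.
SELF_ISSUED = {"iss": "app1", "sub": "app1",
               "aud": TOKEN_ENDPOINT, "exp": NOW + 300}
NO_SUBJECT = {"iss": "app1", "aud": TOKEN_ENDPOINT, "exp": NOW + 300}
ON_BEHALF = {"iss": "app1", "sub": "john.doe@example.com",
             "aud": [TOKEN_ENDPOINT], "exp": NOW + 300}

if __name__ == "__main__":
    for label, claims, purpose in (
        ("self-issued, client auth", SELF_ISSUED, "client_auth"),
        ("no sub, client auth", NO_SUBJECT, "client_auth"),
        ("issuer differs from subject, grant", ON_BEHALF, "grant"),
        ("issuer differs from subject, client auth", ON_BEHALF, "client_auth"),
    ):
        print(label, "->", check(claims, purpose))
```

The third claim set is the case where issuer and subject differ, which a validator could not distinguish from the self-issued one if sub were allowed to be absent.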


From nobody Tue Mar 11 12:00:14 2014
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A43D1A07FC for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 12:00:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level: 
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6GZj99qNPckm for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 12:00:10 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id 277E61A0800 for <oauth@ietf.org>; Tue, 11 Mar 2014 12:00:10 -0700 (PDT)
Received: from [192.168.131.134] ([80.92.123.72]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MKHik-1WLnTp1fYk-001i9j for <oauth@ietf.org>; Tue, 11 Mar 2014 20:00:03 +0100
Message-ID: <531F5A2A.2090109@gmx.net>
Date: Tue, 11 Mar 2014 19:47:06 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="BKAxrt9Ng0u1IvjKujAfNrAwxfiBIiRL9"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/2ZE0cPPUrg2FGEIkMEDmAQe9G60
Subject: [OAUTH-WG] Working Group Last Call on draft-ietf-oauth-jwt-bearer-07

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--BKAxrt9Ng0u1IvjKujAfNrAwxfiBIiRL9
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

This is a Last Call for comments on
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07

Please have your comments in no later than March 25th.

It is a fairly short document - have a look at it.

Thanks!
Hannes & Derek


--BKAxrt9Ng0u1IvjKujAfNrAwxfiBIiRL9
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--BKAxrt9Ng0u1IvjKujAfNrAwxfiBIiRL9--


From nobody Tue Mar 11 12:12:59 2014
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F5FB1A07BE for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 12:12:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.146
X-Spam-Level: 
X-Spam-Status: No, score=-0.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iTnSuIFWML5G for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 12:12:55 -0700 (PDT)
Received: from mail-yk0-f172.google.com (mail-yk0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 6B6151A07B8 for <oauth@ietf.org>; Tue, 11 Mar 2014 12:12:55 -0700 (PDT)
Received: by mail-yk0-f172.google.com with SMTP id 200so24228846ykr.3 for <oauth@ietf.org>; Tue, 11 Mar 2014 12:12:49 -0700 (PDT)
X-Received: by 10.236.92.115 with SMTP id i79mr53705976yhf.62.1394565169370; Tue, 11 Mar 2014 12:12:49 -0700 (PDT)
Received: from [192.168.0.200] ([201.188.147.185]) by mx.google.com with ESMTPSA id i62sm67668293yhm.26.2014.03.11.12.12.45 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 11 Mar 2014 12:12:47 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_919D8F02-9796-48B6-AC10-55BF2E23E8E7"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <F3EA5E97-BCC2-40E8-80FB-7170FD7D8BD4@adobe.com>
Date: Tue, 11 Mar 2014 16:12:42 -0300
Message-Id: <32BBE66D-883E-465C-91EB-CDB51333F08A@ve7jtb.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net> <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com> <531F2632.2090204@gmx.net> <DF99C8A6-DD40-40DE-8F01-399C4CB6FFDC@ve7jtb.com> <F3EA5E97-BCC2-40E8-80FB-7170FD7D8BD4@adobe.com>
To: Antonio Sanso <asanso@adobe.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/N79RE74bNeeUPksRIyXg-9X4cSs
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile

--Apple-Mail=_919D8F02-9796-48B6-AC10-55BF2E23E8E7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

The specification is intended to allow the interoperation of standard libraries.

In some cases the subject and the iss may be the same, however the underlying OAuth library may be a general one and always require a subject for security processing.

It is possible that all libraries could have a special rule for when sub is not present and use the value of iss as sub.  This will save some bytes in the JWT but it is probably not worth creating an extra code path in libraries for the size optimization.

I don't think you're saying there is no subject just that it is redundant with iss in some cases.

John B.

On Mar 11, 2014, at 2:11 PM, Antonio Sanso <asanso@adobe.com> wrote:

> Ok this is my use case:
>
> - I am John Doe and going to AS to register my app named app1
> - I then either upload my public key or download a private key
> - at this point I am ready to build my assertion, the issuer claim is going to be app1 and should suffice.
>
> is the subject really needed in this use case?
>
> regards
>
> antonio
>
>
> On Mar 11, 2014, at 4:25 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> The missing scheme especially on JWT issued by google is something I understand they are working on but need to be careful about breaking existing code, so will possibly need new endpoints that are spec compliant.
>>
>> While in this google case the subject and the issuer happen to be the same they may well not be even in the self signed case.   In WG discussions being consistent in providing the subject was considered to be better for interoperability than optimizing for the case where sub or issuer could be dropped.
>>
>> John B.
>>
>> On Mar 11, 2014, at 12:05 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>
>>> Maintaining both information in the JWT is IMHO valuable since it gives
>>> you some information about the security properties. Needless to say that
>>> there is a substantial difference between a self-created JWT and a JWT
>>> from a third party the relying party has some confidence in.
>>>
>>> Why Google has an old implementation and whether they are planning to
>>> update their code remains to be seen.
>>>
>>> More importantly, however, is why you argue that the subject claim has
>>> to be optional.
>>>
>>> Ciao
>>> Hannes
>>>
>>> Ps: I also noticed in the examples that all URIs have their URI scheme
>>> missing. While that might be OK I am not entirely sure...
>>>
>>> On 03/11/2014 04:08 PM, Antonio Sanso wrote:
>>>>
>>>> On Mar 11, 2014, at 3:53 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>
>>>>> Thanks for clarifying.
>>>>>
>>>>> I took a quick look at the Google API and it seems that in their use
>>>>> case the client creates the JWT and consequently the subject and the
>>>>> issue would actually be the same. I suspect that this is the reason why
>>>>> they omitted the subject.
>>>>
>>>> agreed that is why in my mail I said the subject might overlap with the issuer.
>>>> The subject in the google case is still called with its obsolete name (prn) and it is actually listed as ‘additional claims’ hence not mandatory.
>>>>
>>>> regards
>>>>
>>>> antonio
>>>>
>>>>>
>>>>> Could you explain why you would like to omit the subject claim in the JWT?
>>>>>
>>>>> Ciao
>>>>> Hannes
>>>>>
>>>>> PS: Your feedback on the draft-ietf-oauth-jwt-bearer-07 spec is timely
>>>>> since we are about to finish all three assertion specs.
>>>>>
>>>>>
>>>>> On 03/11/2014 03:56 PM, Antonio Sanso wrote:
>>>>>> hi Hannes,
>>>>>>
>>>>>> I am aware of the 2 documents,
>>>>>>
>>>>>> I might be wrong but http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 is also about Authorization Grant Processing (this is the part I do use in my implementation ) and not only Client Authentication Processing.
>>>>>>
>>>>>> Just my 0.02 $ but this seems to be a place where different implementers have the same issue :)
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> antonio
>>>>>>
>>>>>> On Mar 11, 2014, at 3:36 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>>>
>>>>>>> Hi Manfred, Hi Antonio,
>>>>>>>
>>>>>>> Note that there are two documents that talk about the JWT and you guys
>>>>>>> might be looking at the wrong document.
>>>>>>>
>>>>>>> The main JWT document (see
>>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18) defines
>>>>>>> the subject claim as optional (see Section 4.1.2).
>>>>>>>
>>>>>>> The JWT bearer assertion document (see
>>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does indeed
>>>>>>> define it as mandatory but that's intentional since the purpose of the
>>>>>>> spec is to authenticate the client (or the resource owner for an
>>>>>>> authorization grant).
>>>>>>>
>>>>>>> The assertion documents are used for interworking with "legacy" identity
>>>>>>> infrastructure (such as SAML federations).
>>>>>>>
>>>>>>> So, are you sure you are indeed looking at the right document?
>>>>>>>
>>>>>>> Ciao
>>>>>>> Hannes
>>>>>>>
>>>>>>>
>>>>>>> On 03/11/2014 03:13 PM, Antonio Sanso wrote:
>>>>>>>> hi *,
>>>>>>>>
>>>>>>>> JSON Web Token (JWT) Profile section 3 [0] explicitly says
>>>>>>>>
>>>>>>>> The JWT MUST contain a "sub" (subject) claim
>>>>>>>>
>>>>>>>>
>>>>>>>> Now IMHO there are cases where having the sub is either not needed or
>>>>>>>> redundant (since it might overlap with the issuer).
>>>>>>>>
>>>>>>>> As far as I can see “even Google” currently violates this spec [1] ( I
>>>>>>>> know that this doesn’t matter, just wanted to bring a real use case
>>>>>>>> scenario).
>>>>>>>>
>>>>>>>> WDYT might the “sub” be optional in some situation?
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> antonio
>>>>>>>>
>>>>>>>> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
>>>>>>>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>


--Apple-Mail=_919D8F02-9796-48B6-AC10-55BF2E23E8E7
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

cnQwIwYDVR0SBBwwGoYYaHR0cDovL3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEBBQUAA4IB
AQARx8Pg+Yetf5bfNo/8qxHiDAsAvRRNozPXhIieDpr0XeRvxkNtNSd5L25uCmp4lA/YgVzRTmBC
cndd4Ifqn0jzya+bU2opDDxa9+CVLRohLX29+lOBclI90g7Ykk9GpoG1d/fOR1cnByRf3900yssZ
4a9oVP19Q11B0dTgEjWlVSmAqvv3pPstNz8RF8fyIWnX4KZ1WQnpjaIl1ZSniHXteZvFshPQJ1Lh
JKT9VbwsWyf+ZXPqEHvdW2HCMawiS7nhanilG6rUpf6kBOdGTekdFrXPebEkyars4RcQ1wJWb5sC
fJSthtSKU1L1RVNhLz/d1WwqI26kFo5k7686AmpUMYIDbDCCA2gCAQEwgZMwgYwxCzAJBgNVBAYT
AklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0
aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJt
ZWRpYXRlIENsaWVudCBDQQICHlwwCQYFKw4DAhoFAKCCAa0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3
DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQwMzExMTkxMjQzWjAjBgkqhkiG9w0BCQQxFgQUxl5iNY7M
gkRda2lbqF6EZItsRNcwgaQGCSsGAQQBgjcQBDGBljCBkzCBjDELMAkGA1UEBhMCSUwxFjAUBgNV
BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNp
Z25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xp
ZW50IENBAgIeXDCBpgYLKoZIhvcNAQkQAgsxgZaggZMwgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQK
Ew1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWdu
aW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVu
dCBDQQICHlwwDQYJKoZIhvcNAQEBBQAEggEAdzcNEjexgAo8qLD0/LwapcDBrbjiaaIauL86S9ZP
llMlqZP0Y9aWfc5+IhRngTdV4jGbKYk4xRohmx9BI4bInnc2Uz5oWIG576syjuU/8jXYv4xR79UW
vZ1l7gBnuCf0GQsPA3CdU+VQ59+aBeMLUWLIV10pwqDPp8BP4Yt6OX0UtUiGWFHqs+6jlG6S+mRl
yZpvFAcmT2FDZ1nVWU7/G3gSL58FLqcO71DYjjbKdeyPFHvlkozMElRR5l19dwun4skYQ29cXRA0
s2MMNXGuElVkPmUDy8K0XrQwutjbFz9qo3thTU7WipyKxGPNDy6Tk+EHXgy400sdK1AyQFDZ6wAA
AAAAAA==

--Apple-Mail=_919D8F02-9796-48B6-AC10-55BF2E23E8E7--


From nobody Tue Mar 11 12:28:22 2014
Return-Path: <manfred.steyer@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C6391A052E for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 12:28:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level: 
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6AVQEErfCtzs for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 12:28:18 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id 912E21A04AB for <oauth@ietf.org>; Tue, 11 Mar 2014 12:28:18 -0700 (PDT)
Received: from IWINB07 ([178.191.195.241]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0MBVwM-1WUZcy43c6-00AYlF; Tue, 11 Mar 2014 20:28:11 +0100
From: "Manfred Steyer" <manfred.steyer@gmx.net>
To: "'Hannes Tschofenig'" <hannes.tschofenig@gmx.net>, "'Antonio Sanso'" <asanso@adobe.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net> <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com> <531F2632.2090204@gmx.net>
In-Reply-To: <531F2632.2090204@gmx.net>
Date: Tue, 11 Mar 2014 20:28:03 +0100
Message-ID: <003201cf3d60$09a4be20$1cee3a60$@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQMQvuGC6nCHESWBhgEiO0rGzvkC2gFy0GcIAOtUr0cCG1yEnQJJqlGNAoka7XaYDqTe4A==
Content-Language: de
X-Provags-ID: V03:K0:wypwKq2e1ns16o8aCEz2gQhdInxaOFJBAloU26YOlRHlR1dcpPk /hnnMpuUYnctnrYiHivTSwpnhDfSwJtgpQsgXD0dV8helHE/mMBAu6GxYbUETIl+BrF1TwZ 7KiE+1TDL7vndjdWoWiSlKBmiFnpZqdUTgj4hBMR5oOFSAv+RD2Ou/pcRrseQpSKHjqEU8M hQCYbbp8/1sAm5MHlHbfg==
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/M6cw4UKizHCVtla3JEAIz70vG-E
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 19:28:21 -0000

Hi,

perhaps you can show that I'm wrong, but I still think, that there are
cases, where the subject is unknown cause it's not relevant. Let's
consider the following federation-scenario:

1. Bob has a Token T1 that says, that he works for Company A on Project B.
The Subject of this token is "Bob".
2. Company X says, that everyone in Company A working for Project B gets
access to Accounting-Information.
3. Bob exchanges this Token T1 at Company X's AuthServer for another Token
T2. T2 contains a claim AccessLevel=Accounting. T2 could also get a copy of
the subj-claim, but Company X doesn't care about that, cause no one in
Company B knows Bob.

The only reason I can imagine, why the sub-claim should be copied into T2
is because of tracing and finding out, that there is a correlation between
T2 and T1. But this could be accomplished with other mechanisms too.

Did I overlook something? If there is another reason, why sub is mandatory,
I think, it would not hurt too much to copy the sub-claim from T1 to T2
(and from T2 to T3 etc.)...

Wishes
Manfred



-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Tuesday, 11 March 2014 16:05
To: Antonio Sanso
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile

Maintaining both information in the JWT is IMHO valuable since it gives you
some information about the security properties. Needless to say that there
is a substantial difference between a self-created JWT and a JWT from a
third party the relying party has some confidence in.

Why Google has an old implementation and whether they are planning to
update their code remains to be seen.

More importantly, however, is why you argue that the subject claim has to
be optional.

Ciao
Hannes

Ps: I also noticed in the examples that all URIs have their URI scheme
missing. While that might be OK I am not entirely sure...

On 03/11/2014 04:08 PM, Antonio Sanso wrote:
>
> On Mar 11, 2014, at 3:53 PM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net> wrote:
>
>> Thanks for clarifying.
>>
>> I took a quick look at the Google API and it seems that in their use
>> case the client creates the JWT and consequently the subject and the
>> issuer would actually be the same. I suspect that this is the reason
>> why they omitted the subject.
>
> agreed that is why in my mail I said the subject might overlap with the
> issuer.
> The subject in the google case is still called with its obsolete name
> (prn) and it is actually listed as ‘additional claims’ hence not
> mandatory.
>
> regards
>
> antonio
>
>>
>> Could you explain why you would like to omit the subject claim in the
>> JWT?
>>
>> Ciao
>> Hannes
>>
>> PS: Your feedback on the draft-ietf-oauth-jwt-bearer-07 spec is
>> timely since we are about to finish all three assertion specs.
>>
>>
>> On 03/11/2014 03:56 PM, Antonio Sanso wrote:
>>> hi Hannes,
>>>
>>> I am aware of the 2 documents,
>>>
>>> I might be wrong but
>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 is also about
>>> Authorization Grant Processing (this is the part I do use in my
>>> implementation) and not only Client Authentication Processing.
>>>
>>> Just my 0.02 $ but this seems to be a place where different
>>> implementers have the same issue :)
>>>
>>> regards
>>>
>>> antonio
>>>
>>> On Mar 11, 2014, at 3:36 PM, Hannes Tschofenig
>>> <hannes.tschofenig@gmx.net> wrote:
>>>
>>>> Hi Manfred, Hi Antonio,
>>>>
>>>> Note that there are two documents that talk about the JWT and you
>>>> guys might be looking at the wrong document.
>>>>
>>>> The main JWT document (see
>>>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18)
>>>> defines the subject claim as optional (see Section 4.1.2).
>>>>
>>>> The JWT bearer assertion document (see
>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does
>>>> indeed define it as mandatory but that's intentional since the
>>>> purpose of the spec is to authenticate the client (or the resource
>>>> owner for an authorization grant).
>>>>
>>>> The assertion documents are used for interworking with "legacy"
>>>> identity infrastructure (such as SAML federations).
>>>>
>>>> So, are you sure you are indeed looking at the right document?
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>>
>>>> On 03/11/2014 03:13 PM, Antonio Sanso wrote:
>>>>> hi *,
>>>>>
>>>>> JSON Web Token (JWT) Profile section 3 [0] explicitly says
>>>>>
>>>>> The JWT MUST contain a "sub" (subject) claim
>>>>>
>>>>>
>>>>> Now IMHO there are cases where having the sub is either not needed
>>>>> or redundant (since it might overlap with the issuer).
>>>>>
>>>>> As far as I can see “even Google” currently violates this spec [1]
>>>>> (I know that this doesn’t matter, just wanted to bring a real use
>>>>> case scenario).
>>>>>
>>>>> WDYT might the “sub” be optional in some situation?
>>>>>
>>>>> regards
>>>>>
>>>>> antonio
>>>>>
>>>>> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
>>>>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>
>>>
>>
>



From nobody Tue Mar 11 12:49:46 2014
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09A291A07CB for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 12:49:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qsi-3dxlbsaw for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 12:49:39 -0700 (PDT)
Received: from mail-yh0-f48.google.com (mail-yh0-f48.google.com [209.85.213.48]) by ietfa.amsl.com (Postfix) with ESMTP id 9AB2D1A07C1 for <oauth@ietf.org>; Tue, 11 Mar 2014 12:49:39 -0700 (PDT)
Received: by mail-yh0-f48.google.com with SMTP id z6so9166300yhz.35 for <oauth@ietf.org>; Tue, 11 Mar 2014 12:49:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=61D/Y/ozcHSN4FS8rdiFk8ugL3+2adXH3KAcONP3JgY=; b=TjEQIXR3lmkMW8PfRqYRDJ0Mt7mdI1b4LoP/TVWIPYHt3eErdG4L+o1On/fVNn57Yp YMVKl8Bcsose11HuUCx3ZkMIkBHOWRgQFpcxMSPN83T8GXgDdkIpDuNWkeJJRoSiJoHO sXHMCegGN+auSaEi1etob45ZgQF/Uaq7ZNWscCNUcLS3fWuYVKkfh3zjRBP84jYN1WE+ cXy5zSmu4nLYFqSopkyWAewfaXdBXSuprHboCkoK2bGtFg3u0T73/Szj4zkYomCWXgvK xRgP8aiU7D5WX6v0bxNaKcls08RAR76MBm3KzccqjIZ5W0wyC836Qdkjksc0vLXShONR k4tQ==
X-Gm-Message-State: ALoCoQnX1vtsb3piuYPebCjjdhKr/JhPKLBwqhyNRp1hAPRVGveEpAExW00OXc53ESNhaV8eJJUY
X-Received: by 10.236.121.15 with SMTP id q15mr8315556yhh.26.1394567373431; Tue, 11 Mar 2014 12:49:33 -0700 (PDT)
Received: from [192.168.0.200] ([201.188.147.185]) by mx.google.com with ESMTPSA id z24sm67863339yhk.21.2014.03.11.12.49.31 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 11 Mar 2014 12:49:32 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_3995F21E-2FD3-4C6D-9F09-E48A94914582"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <003201cf3d60$09a4be20$1cee3a60$@gmx.net>
Date: Tue, 11 Mar 2014 16:49:27 -0300
Message-Id: <8523B6DF-C085-42F0-A02A-51F2A9AF0FFB@ve7jtb.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net> <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com> <531F2632.2090204@gmx.net> <003201cf3d60$09a4be20$1cee3a60$@gmx.net>
To: Manfred Steyer <manfred.steyer@gmx.net>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/-rfbL_swibu9Dlnzw0i5IDoPt3c
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 19:49:43 -0000

--Apple-Mail=_3995F21E-2FD3-4C6D-9F09-E48A94914582
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Company X will likely care about the subject being asserted by company A
for auditing and possible revocation.

It may be that the extension claim accessLevel=Accounting is sufficient to
grant the access token.

By Policy A could make sub itself, or an identifier for the user of the
client in its namespace.

Yes there are some cases where it may be redundant or not disclosed for a
privacy reason, but the current decision is to keep the library consistent
and push that decision to the application logic.

You can make the case the decision was wrong.

The other reason for it is that the JWT and SAML assertions are parallel
and in SAML subject is required.  That was the other consistency reason
for making it mandatory.

John B.




--Apple-Mail=_3995F21E-2FD3-4C6D-9F09-E48A94914582--
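
Added example, not part of any message in this thread and not code from the drafts or from any OAuth library: a strict claim check of the kind John Bradley describes, where a missing "sub" is rejected on one code path instead of being replaced by "iss" or the obsolete "prn", and a self-created assertion is simply one whose "sub" equals its "iss". Assumptions: the required set iss/sub/aud/exp, the audience URL and the keys are constructed for this example, and HMAC-SHA256 stands in for the public-key signature of Antonio's use case so that it runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json

REQUIRED = ("iss", "sub", "aud", "exp")  # assumed required set; the thread quotes only "sub"
TOKEN_ENDPOINT = "https://as.example.com/token"  # hypothetical audience value


class AssertionRejected(Exception):
    """Raised when a bearer assertion fails a signature or claim check."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS; used here only to construct sample assertions."""
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode("utf-8")) for p in parts
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def validate_assertion(token: str, keys_by_issuer: dict, now: int) -> dict:
    """Return the authenticated issuer and subject, or raise AssertionRejected."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, UTF-8 or JSON
        raise AssertionRejected("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise AssertionRejected("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        raise AssertionRejected("unexpected alg")

    # The issuer selects the verification key, so an unknown issuer fails first.
    iss = claims.get("iss")
    key = keys_by_issuer.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise AssertionRejected("unknown issuer")
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AssertionRejected("bad signature")

    # Single code path: a missing "sub" is an error, never a cue to substitute
    # "iss" or the obsolete "prn" claim.
    for name in REQUIRED:
        if name not in claims:
            legacy = name == "sub" and "prn" in claims
            hint = " (obsolete 'prn' is not accepted instead)" if legacy else ""
            raise AssertionRejected(f"missing required claim '{name}'{hint}")
    sub = claims["sub"]
    if not isinstance(sub, str) or not sub:
        raise AssertionRejected("'sub' must be a non-empty string")
    aud = claims["aud"]
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise AssertionRejected("assertion not intended for this server")
    exp = claims["exp"]
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        raise AssertionRejected("expired or invalid 'exp'")

    # iss == sub marks a self-created assertion; otherwise a third party vouches for sub.
    return {"iss": iss, "sub": sub, "self_issued": iss == sub}


def rejection_reason(token: str, keys_by_issuer: dict, now: int):
    """Return the rejection message, or None when the assertion is accepted."""
    try:
        validate_assertion(token, keys_by_issuer, now)
    except AssertionRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample data: one registered app and one federated issuer.
    keys = {"app1": b"constructed-key-app1", "https://idp.company-a.example": b"constructed-key-a"}
    now = 1394567000
    base = {"aud": TOKEN_ENDPOINT, "exp": now + 300}
    samples = {
        "self-created, sub == iss": sign_hs256({**base, "iss": "app1", "sub": "app1"}, keys["app1"]),
        "issuer only, no sub": sign_hs256({**base, "iss": "app1"}, keys["app1"]),
        "third party asserting bob": sign_hs256(
            {**base, "iss": "https://idp.company-a.example", "sub": "bob"},
            keys["https://idp.company-a.example"],
        ),
    }
    for label, token in samples.items():
        print(label, "->", rejection_reason(token, keys, now) or "accepted")
```
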


From nobody Tue Mar 11 13:44:07 2014
Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 784581A072D for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 13:44:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.146
X-Spam-Level: 
X-Spam-Status: No, score=-0.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bVNbGdeBgvfd for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 13:44:04 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0240.outbound.protection.outlook.com [207.46.163.240]) by ietfa.amsl.com (Postfix) with ESMTP id 1EFE21A072C for <oauth@ietf.org>; Tue, 11 Mar 2014 13:44:03 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by DM2PR02MB318.namprd02.prod.outlook.com (10.141.83.142) with Microsoft SMTP Server (TLS) id 15.0.888.9; Tue, 11 Mar 2014 20:43:56 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.29]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.185]) with mapi id 15.00.0893.001; Tue, 11 Mar 2014 20:43:55 +0000
From: Antonio Sanso <asanso@adobe.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] JSON Web Token (JWT) Profile
Thread-Index: AQHPPTQaKxckAjMng0+5U95NRYKjsJrb9DEAgAAFrgD///7sAIAABF2A////FQCAAAWCgIAAHd0AgAAhvACAABl8gA==
Date: Tue, 11 Mar 2014 20:43:54 +0000
Message-ID: <CC77962D-E341-4358-B320-E4C4D09FD17A@adobe.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net> <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com> <531F2632.2090204@gmx.net> <DF99C8A6-DD40-40DE-8F01-399C4CB6FFDC@ve7jtb.com> <F3EA5E97-BCC2-40E8-80FB-7170FD7D8BD4@adobe.com> <32BBE66D-883E-465C-91EB-CDB51333F08A@ve7jtb.com>
In-Reply-To: <32BBE66D-883E-465C-91EB-CDB51333F08A@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [178.83.47.250]
x-forefront-prvs: 0147E151B5
x-forefront-antispam-report: SFV:NSPM; SFS:(10019001)(6009001)(428001)(189002)(199002)(51704005)(24454002)(479174003)(377454003)(52604005)(51694002)(47446002)(15202345003)(74706001)(59766001)(19580395003)(19580405001)(51856001)(54316002)(79102001)(77096001)(56776001)(83322001)(81542001)(76796001)(46102001)(76786001)(53806001)(50986001)(95666003)(69226001)(49866001)(74502001)(74662001)(94316002)(31966008)(47736001)(94946001)(81686001)(54356001)(80976001)(85306002)(36756003)(76482001)(97186001)(92726001)(63696002)(93516002)(83716003)(82746002)(81342001)(33656001)(92566001)(95416001)(77982001)(47976001)(87936001)(83072002)(74876001)(74366001)(15975445006)(85852003)(2656002)(87266001)(97336001)(90146001)(56816005)(86362001)(65816001)(93136001)(81816001)(80022001)(4396001)(66066001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR02MB318; H:CO1PR02MB206.namprd02.prod.outlook.com; CLIP:178.83.47.250; FPR:ECCFF175.AFF2D1D1.387F113B.86E4F772.205E8; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
received-spf: None (: adobe.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <0D64FDBDCCFAFB4F8323AB34109F5D5B@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/RyryptfTUJosiFG5JpQ-oHUXTSM
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 20:44:06 -0000

agree, but in some cases the subject is not only same as the issuer but
simply it doesn’t matter.

In my example below all it matters is that the assertion signed by app1 is
valid….

Continue in my probably not relevant “Google example” if I set the prn
same as the issuer it would not work (keeping only the issuer without any
subject gives me back a correct access token instead).

Again this is not relevant spec wise. AFAIU there is consensus in the
working group to keep the subject mandatory. Would it make sense at least
to add a little note that in some situations the issuer and the subject
are the same?
This might clarify at least something to people that do wonder...

regards

antonio

On Mar 11, 2014, at 8:12 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> The specification is intended to allow the interoperation of standard
> libraries.
>
> In some cases the subject and the iss may be the same, however the
> underlying OAuth library may be a general one and always require a
> subject for security processing.
>
> It is possible that all libraries could have a special rule for when sub
> is not present and use the value of iss as sub.  This will save some
> bytes in the JWT but it is probably not worth creating an extra code
> path in libraries for the size optimization.
>
> I don't think you're saying there is no subject just that it is
> redundant with iss in some cases.
>
> John B.
>
> On Mar 11, 2014, at 2:11 PM, Antonio Sanso <asanso@adobe.com> wrote:
>
>> Ok this is my use case:
>>
>> - I am John Doe and going to AS to register my app named app1
>> - I then either upload my public key or download a private key
>> - at this point I am ready to build my assertion, the issuer claim is
>>   going to be app1 and should suffice.
>>
>> is the subject really needed in this use case?
>>
>> regards
>>
>> antonio
>>
>>
>> On Mar 11, 2014, at 4:25 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>>> The missing scheme especially on JWT issued by google is something I
>>> understand they are working on but need to be careful about breaking
>>> existing code, so will possibly need new endpoints that are spec
>>> compliant.
>>>
>>> While in this google case the subject and the issuer happen to be the
>>> same they may well not be even in the self signed case.  In WG
>>> discussions being consistent in providing the subject was considered to
>>> be better for interoperability than optimizing for the case where sub
>>> or issuer could be dropped.
>>>
>>> John B.
>>>
>>> On Mar 11, 2014, at 12:05 PM, Hannes Tschofenig
>>> <hannes.tschofenig@gmx.net> wrote:
>>>
>>>> Maintaining both information in the JWT is IMHO valuable since it gives
>>>> you some information about the security properties. Needless to say that
>>>> there is a substantial difference between a self-created JWT and a JWT
>>>> from a third party the relying party has some confidence in.
>>>>
>>>> Why Google has an old implementation and whether they are planning to
>>>> update their code remains to be seen.
>>>>
>>>> More importantly, however, is why you argue that the subject claim has
>>>> to be optional.
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>> Ps: I also noticed in the examples that all URIs have their URI scheme
>>>> missing. While that might be OK I am not entirely sure...
>>>>
>>>> On 03/11/2014 04:08 PM, Antonio Sanso wrote:
>>>>>
>>>>> On Mar 11, 2014, at 3:53 PM, Hannes Tschofenig
>>>>> <hannes.tschofenig@gmx.net> wrote:
>>>>>
>>>>>> Thanks for clarifying.
>>>>>>
>>>>>> I took a quick look at the Google API and it seems that in their use
>>>>>> case the client creates the JWT and consequently the subject and the
>>>>>> issuer would actually be the same. I suspect that this is the reason
>>>>>> why they omitted the subject.
>>>>>
>>>>> agreed that is why in my mail I said the subject might overlap with
>>>>> the issuer.
>>>>> The subject in the google case is still called with its obsolete name
>>>>> (prn) and it is actually listed as ‘additional claims’ hence not
>>>>> mandatory.
>>>>>
>>>>> regards
>>>>>
>>>>> antonio
>>>>>
>>>>>>
>>>>>> Could you explain why you would like to omit the subject claim in
>>>>>> the JWT?
>>>>>>
>>>>>> Ciao
>>>>>> Hannes
>>>>>>
>>>>>> PS: Your feedback on the draft-ietf-oauth-jwt-bearer-07 spec is timely
>>>>>> since we are about to finish all three assertion specs.
>>>>>>
>>>>>>
>>>>>> On 03/11/2014 03:56 PM, Antonio Sanso wrote:
>>>>>>> hi Hannes,
>>>>>>>
>>>>>>> I am aware of the 2 documents,
>>>>>>>
>>>>>>> I might be wrong but
>>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 is also
>>>>>>> about Authorization Grant Processing (this is the part I do use in my
>>>>>>> implementation) and not only Client Authentication Processing.
>>>>>>>
>>>>>>> Just my 0.02 $ but this seems to be a place where different
>>>>>>> implementers have the same issue :)
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> antonio
>>>>>>>
>>>>>>> On Mar 11, 2014, at 3:36 PM, Hannes Tschofenig
>>>>>>> <hannes.tschofenig@gmx.net> wrote:
>>>>>>>
>>>>>>>> Hi Manfred, Hi Antonio,
>>>>>>>>
>>>>>>>> Note that there are two documents that talk about the JWT and you
>>>>>>>> guys might be looking at the wrong document.
>>>>>>>>
>>>>>>>> The main JWT document (see
>>>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18)
>>>>>>>> defines the subject claim as optional (see Section 4.1.2).
>>>>>>>>
>>>>>>>> The JWT bearer assertion document (see
>>>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does
>>>>>>>> indeed define it as mandatory but that's intentional since the
>>>>>>>> purpose of the spec is to authenticate the client (or the resource
>>>>>>>> owner for an authorization grant).
>>>>>>>>
>>>>>>>> The assertion documents are used for interworking with "legacy"
>>>>>>>> identity infrastructure (such as SAML federations).
>>>>>>>>
>>>>>>>> So, are you sure you are indeed looking at the right document?
>>>>>>>>
>>>>>>>> Ciao
>>>>>>>> Hannes
>>>>>>>>
>>>>>>>>
>>>>>>>> On 03/11/2014 03:13 PM, Antonio Sanso wrote:
>>>>>>>>> hi *,
>>>>>>>>>
>>>>>>>>> JSON Web Token (JWT) Profile section 3 [0] explicitly says
>>>>>>>>>
>>>>>>>>> The JWT MUST contain a "sub" (subject) claim
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Now IMHO there are cases where having the sub is either not needed
>>>>>>>>> or redundant (since it might overlap with the issuer).
>>>>>>>>>
>>>>>>>>> As far as I can see “even Google” currently violates this spec [1]
>>>>>>>>> (I know that this doesn’t matter, just wanted to bring a real use
>>>>>>>>> case scenario).
>>>>>>>>>
>>>>>>>>> WDYT might the “sub” be optional in some situation?
>>>>>>>>>
>>>>>>>>> regards
>>>>>>>>>
>>>>>>>>> antonio
>>>>>>>>>
>>>>>>>>> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
>>>>>>>>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> OAuth mailing list
>>>>>>>>> OAuth@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>=20
>>>>>>>>=20
>>>>>>>=20
>>>>>>=20
>>>>>=20
>>>>=20
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>=20
>>=20
>=20


From nobody Tue Mar 11 15:06:10 2014
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 304B91A0811 for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 15:06:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.293
X-Spam-Level: 
X-Spam-Status: No, score=-2.293 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SfyJdQxXtALM for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 15:06:06 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 0428B1A0800 for <oauth@ietf.org>; Tue, 11 Mar 2014 15:06:05 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s2BM4RkB025857 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 11 Mar 2014 22:04:27 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s2BM4QSO012122 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 11 Mar 2014 22:04:26 GMT
Received: from abhmp0012.oracle.com (abhmp0012.oracle.com [141.146.116.18]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s2BM4Qu4024262; Tue, 11 Mar 2014 22:04:26 GMT
Received: from [192.168.1.186] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 11 Mar 2014 15:04:26 -0700
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <CC77962D-E341-4358-B320-E4C4D09FD17A@adobe.com>
Date: Tue, 11 Mar 2014 15:04:15 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <974419E4-29B9-4EC3-BCA3-91F577495EB8@oracle.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net> <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com> <531F2632.2090204@gmx.net> <DF99C8A6-DD40-40DE-8F01-399C4CB6FFDC@ve7jtb.com> <F3EA5E97-BCC2-40E8-80FB-7170FD7D8BD4@adobe.com> <32BBE66D-883E-465C-91EB-CDB51333F08A@ve7jtb.com> <CC77962D-E341-4358-B320-E4C4D09FD17A@adobe.com>
To: Antonio Sanso <asanso@adobe.com>
X-Mailer: Apple Mail (2.1510)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/tOcSzOCho0bgK1e_nYcXV5eF3hc
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-List-Received-Date: Tue, 11 Mar 2014 22:06:09 -0000

I think that's the wrong perspective. If you intend the issuer to be the subject, you need to declare it.

I wouldn't worry that it duplicates issuer. The fields have different meaning.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2014-03-11, at 1:43 PM, Antonio Sanso <asanso@adobe.com> wrote:

> agree, but in some cases the subject is not only same as the issuer but simply it doesn’t matter.
>
> In my example below all it matters is that the assertion signed by app1 is valid….
>
> Continue in my probably not relevant “Google example” if I set the prn same as the issuer it would not work (keeping only the issuer without any subject gives me back a correct access token instead).
>
> Again this is not relevant spec wise. AFAIU there is consensus in the working group to keep the subject mandatory. Would it make sense at least to add a little note that in some situations the issuer and the subject are the same?
> This might clarify at least something to people that do wonder...
>
> regards
>
> antonio
>
> On Mar 11, 2014, at 8:12 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> The specification is intended to allow the interoperation of standard libraries.
>>
>> In some cases the subject and the iss may be the same, however the underlying OAuth library may be a general one and always require a subject for security processing.
>>
>> It is possible that all libraries could have a special rule for when sub is not present and use the value of iss as sub.  This will save some bytes in the JWT but it is probably not worth creating an extra code path in libraries for the size optimization.
>>
>> I don't think you're saying there is no subject just that it is redundant with iss in some cases.
>>
>> John B.
>>
>> On Mar 11, 2014, at 2:11 PM, Antonio Sanso <asanso@adobe.com> wrote:
>>
>>> Ok this is my use case:
>>>
>>> - I am John Doe and going to AS to register my app named app1
>>> - I then either upload my public key or download a private key
>>> - at this point I am ready to build my assertion, the issuer claim is going to be app1 and should suffice.
>>>
>>> is the subject really needed in this use case?
>>>
>>> regards
>>>
>>> antonio
>>>
>>>
>>> On Mar 11, 2014, at 4:25 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>
>>>> The missing scheme especially on JWT issued by google is something I understand they are working on but need to be careful about breaking existing code, so will possibly need new endpoints that are spec compliant.
>>>>
>>>> While in this google case the subject and the issuer happen to be the same they may well not be even in the self signed case.   In WG discussions being consistent in providing the subject was considered to be better for interoperability than optimizing for the case where sub or issuer could be dropped.
>>>>
>>>> John B.
>>>>
>>>> On Mar 11, 2014, at 12:05 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>
>>>>> Maintaining both information in the JWT is IMHO valuable since it gives
>>>>> you some information about the security properties. Needless to say that
>>>>> there is a substantial difference between a self-created JWT and a JWT
>>>>> from a third party the relying party has some confidence in.
>>>>>
>>>>> Why Google has an old implementation and whether they are planning to
>>>>> update their code remains to be seen.
>>>>>
>>>>> More importantly, however, is why you argue that the subject claim has
>>>>> to be optional.
>>>>>
>>>>> Ciao
>>>>> Hannes
>>>>>
>>>>> Ps: I also noticed in the examples that all URIs have their URI scheme
>>>>> missing. While that might be OK I am not entirely sure...
>>>>> On 03/11/2014 04:08 PM, Antonio Sanso wrote:
>>>>>>=20
>>>>>> On Mar 11, 2014, at 3:53 PM, Hannes Tschofenig =
<hannes.tschofenig@gmx.net> wrote:
>>>>>>=20
>>>>>>> Thanks for clarifying.
>>>>>>>=20
>>>>>>> I took a quick look at the Google API and it seems that in their =
use
>>>>>>> case the client creates the JWT and consequently the subject and =
the
>>>>>>> issue would actually be the same. I suspect that this is the =
reason why
>>>>>>> they omitted the subject.
>>>>>>=20
>>>>>> agreed that is why in my mail I said the subject might overlap =
with the issuer.
>>>>>> The subject in the google case is still called with its obsolete =
name (prn) and it is actually listed as =91additional claims=92 hence =
not mandatory.
>>>>>>=20
>>>>>> regards
>>>>>>=20
>>>>>> antonio
>>>>>>=20
>>>>>>>=20
>>>>>>> Could you explain why you would like to omit the subject claim =
in the JWT?
>>>>>>>=20
>>>>>>> Ciao
>>>>>>> Hannes
>>>>>>>=20
>>>>>>> PS: Your feedback on the  draft-ietf-oauth-jwt-bearer-07 spec is =
timely
>>>>>>> since we are about to finish all three assertion specs.
>>>>>>>=20
>>>>>>>=20
>>>>>>> On 03/11/2014 03:56 PM, Antonio Sanso wrote:
>>>>>>>> hi Hannes,
>>>>>>>>=20
>>>>>>>> I am aware of the 2 documents,
>>>>>>>>=20
>>>>>>>> I might be wrong but =
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 is also about =
Authorization Grant Processing (this is the part I do use in my =
implementation ) and not only Client Authentication Processing.
>>>>>>>>=20
>>>>>>>> Just my 0.02 $ but this seems to be a place where different =
implementer have the same issue :)
>>>>>>>>=20
>>>>>>>> regards
>>>>>>>>=20
>>>>>>>> antonio
>>>>>>>>=20
>>>>>>>> On Mar 11, 2014, at 3:36 PM, Hannes Tschofenig =
<hannes.tschofenig@gmx.net> wrote:
>>>>>>>>=20
>>>>>>>>> Hi Manfred, Hi Antonio,
>>>>>>>>>=20
>>>>>>>>> Note that there are two documents that talk about the JWT and =
you guys
>>>>>>>>> might be looking at the wrong document.
>>>>>>>>>=20
>>>>>>>>> The main JWT document (see
>>>>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18) =
defines
>>>>>>>>> the subject claim as optional (see Section 4.1.2).
>>>>>>>>>=20
>>>>>>>>> The JWT bearer assertion document (see
>>>>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) =
does indeed
>>>>>>>>> define it as mandatory but that's intentional since the =
purpose of the
>>>>>>>>> spec is to authenticate the client (or the resource owner for =
an
>>>>>>>>> authorization grant).
>>>>>>>>>=20
>>>>>>>>> The assertion documents are used for interworking with =
"legacy" identity
>>>>>>>>> infrastructure (such as SAML federations).
>>>>>>>>>=20
>>>>>>>>> So, are you sure you are indeed looking at the right document?
>>>>>>>>>=20
>>>>>>>>> Ciao
>>>>>>>>> Hannes
>>>>>>>>>=20
>>>>>>>>>=20
>>>>>>>>> On 03/11/2014 03:13 PM, Antonio Sanso wrote:
>>>>>>>>>> hi *,
>>>>>>>>>>=20
>>>>>>>>>> JSON Web Token (JWT) Profile section 3 [0] explicitely says=20=

>>>>>>>>>>=20
>>>>>>>>>> The JWT MUST contain a "sub" (subject) claim=20
>>>>>>>>>>=20
>>>>>>>>>>=20
>>>>>>>>>> Now IMHO there are cases where having the sub is either not =
needed or
>>>>>>>>>> redundant (since it might overlap with the issuer).\
>>>>>>>>>>=20
>>>>>>>>>> As far as I can see =93even Google=94 currently violates this =
spec [1] ( I
>>>>>>>>>> know that this doesn=92t matter, just wanted to bring a real =
use case
>>>>>>>>>> scenario).
>>>>>>>>>>=20
>>>>>>>>>> WDYT might the =93sub=94 be optional in some situation?
>>>>>>>>>>=20
>>>>>>>>>> regards
>>>>>>>>>>=20
>>>>>>>>>> antonio=20
>>>>>>>>>>=20
>>>>>>>>>> [0] =
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
>>>>>>>>>> [1] =
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>>>>>>>>>>=20
>>>>>>>>>>=20
>>>>>>>>>> _______________________________________________
>>>>>>>>>> OAuth mailing list
>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>>=20
>>>>>>>>>=20
>>>>>>>>=20
>>>>>>>=20
>>>>>>=20
>>>>>=20
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>=20
>>>=20
>>=20
>=20
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
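
The strict check argued for above ("If you intend the issuer to be the subject, you need to declare it") next to the iss-as-sub special rule John Bradley describes, as an added example that is not part of any message in this thread or of any OAuth library. The issuer names, keys, token endpoint URL and the `iss_as_sub_fallback` switch are constructed; HS256 with a shared secret stands in for the registered public key of the app1 use case, and the `aud`/`exp` checks are assumptions added so the validator is usable.

```python
import base64
import hashlib
import hmac
import json
import time


class InvalidAssertion(ValueError):
    """Raised when a JWT bearer assertion fails validation."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_assertion(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (stand-in for the client's real signing key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_assertion(token, issuer_keys, audience, now=None, iss_as_sub_fallback=False):
    """Return the authenticated principal, or raise InvalidAssertion.

    iss_as_sub_fallback=True is the hypothetical "special rule" from the
    thread: when sub is absent, silently use iss. The default is strict.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise InvalidAssertion("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidAssertion("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        raise InvalidAssertion("unexpected alg")

    # The issuer selects the verification key, so it is checked first.
    iss = claims.get("iss")
    key = issuer_keys.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise InvalidAssertion("unknown or missing iss")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidAssertion("bad signature")

    # The subject names who the token will act for; iss only names who signed.
    sub = claims.get("sub")
    if sub is None and iss_as_sub_fallback:
        sub = iss
    if not isinstance(sub, str) or not sub:
        raise InvalidAssertion("missing sub claim")

    # Assumed checks (not discussed in the thread): audience and expiry.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidAssertion("wrong aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise InvalidAssertion("missing or expired exp")
    return {"issuer": iss, "subject": sub, "self_issued": sub == iss}


# Constructed sample data: app1 signs its own assertions, the STS signs for users.
AS_TOKEN_ENDPOINT = "https://as.example.com/token"
STS = "https://sts.example.com"
ISSUER_KEYS = {"app1": b"constructed-app1-key", STS: b"constructed-sts-key"}
NOW = 1394575455  # fixed clock so the results are reproducible


def demo():
    def run(claims, **options):
        full = {"aud": AS_TOKEN_ENDPOINT, "exp": NOW + 300, **claims}
        token = sign_assertion(full, ISSUER_KEYS[claims["iss"]])
        try:
            return validate_assertion(token, ISSUER_KEYS, AS_TOKEN_ENDPOINT, now=NOW, **options)
        except InvalidAssertion as exc:
            return f"rejected: {exc}"

    return {
        "self_issued_declared": run({"iss": "app1", "sub": "app1"}),
        "sub_omitted_strict": run({"iss": "app1"}),
        "sub_omitted_fallback": run({"iss": "app1"}, iss_as_sub_fallback=True),
        "third_party": run({"iss": STS, "sub": "alice@example.com"}),
        # With the fallback, an STS token that lost its sub acts as the STS itself.
        "third_party_sub_lost_fallback": run({"iss": STS}, iss_as_sub_fallback=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last case is the one the extra code path makes possible: the same missing claim that is harmless for app1 changes the principal when the issuer is a third party.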


From nobody Tue Mar 11 15:44:51 2014
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD4AB1A086D for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 15:44:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cBxhJ2SD59Qr for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 15:44:40 -0700 (PDT)
Received: from mail-la0-x22c.google.com (mail-la0-x22c.google.com [IPv6:2a00:1450:4010:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 371C51A088D for <oauth@ietf.org>; Tue, 11 Mar 2014 15:44:39 -0700 (PDT)
Received: by mail-la0-f44.google.com with SMTP id hr13so6107475lab.17 for <oauth@ietf.org>; Tue, 11 Mar 2014 15:44:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4XjJaCOZ3eoeZxsrZmq8m1uUEKKnmIJKKnE7BGRiK7k=; b=wQNy0RSKbZYFPj5bS7YfvRmqqZd+god1Bwog778NFNctp8hkL4l4NGeG4iriwnw6nT xYgc3kng6m83bLq1hef/GTNeNqdGjCnA4ZRdMLJl83SH6oTJvJuEsu7ijGLsQQpIJRZv CUxib8VgBlXI+Yoew/P2gnk6AtDID20hABL2m5fBaveFiE/cl1I0owlDm1ZcJRIiM+nc u+W8hMvo0TENxXnUHU6OF5mMtizqb4eoBCWJjIm7gA+IPPOJ9Jb1a4tTKLuDc5xo0M3r 74z8Az5vCfZqn3h1YIXttXUZQwvhe9cS3MH6TsoGhjmyAeycI88Dbyd2tPFUDRlnZxkJ Wq4w==
MIME-Version: 1.0
X-Received: by 10.152.37.99 with SMTP id x3mr10345189laj.7.1394577872709; Tue, 11 Mar 2014 15:44:32 -0700 (PDT)
Received: by 10.112.145.226 with HTTP; Tue, 11 Mar 2014 15:44:32 -0700 (PDT)
In-Reply-To: <974419E4-29B9-4EC3-BCA3-91F577495EB8@oracle.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net> <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com> <531F2632.2090204@gmx.net> <DF99C8A6-DD40-40DE-8F01-399C4CB6FFDC@ve7jtb.com> <F3EA5E97-BCC2-40E8-80FB-7170FD7D8BD4@adobe.com> <32BBE66D-883E-465C-91EB-CDB51333F08A@ve7jtb.com> <CC77962D-E341-4358-B320-E4C4D09FD17A@adobe.com> <974419E4-29B9-4EC3-BCA3-91F577495EB8@oracle.com>
Date: Wed, 12 Mar 2014 07:44:32 +0900
Message-ID: <CABzCy2AwyMa96t9onZ7xOrNsE99m8GFSnKv20QZpepdYfAdc-g@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary=089e0158b87cb6eb2204f45c76ef
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/QPHnnU3_Rj7hu2DmEAet2z3EksM
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-List-Received-Date: Tue, 11 Mar 2014 22:44:45 -0000

--089e0158b87cb6eb2204f45c76ef
Content-Type: text/plain; charset=ISO-8859-1

+1. Saving a few bytes in exchange for a possible interoperability and
security downgrade does not seem to be a good strategy to me.

Nat


2014-03-12 7:04 GMT+09:00 Phil Hunt <phil.hunt@oracle.com>:

> I think that's the wrong perspective. If you intend the issuer to be the
> subject, you need to declare it.
>
> I wouldn't worry that it duplicates issuer. The fields have different
> meaning.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

--089e0158b87cb6eb2204f45c76ef
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">+1. Saving a few bytes in exchange to interoperability and=
 security possible downgrade does not seem to be a good strategy for me.&nb=
sp;<div><br></div><div>Nat</div></div><div class=3D"gmail_extra"><br><br><d=
iv class=3D"gmail_quote">
2014-03-12 7:04 GMT+09:00 Phil Hunt <span dir=3D"ltr">&lt;<a href=3D"mailto=
:phil.hunt@oracle.com" target=3D"_blank">phil.hunt@oracle.com</a>&gt;</span=
>:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-l=
eft:1px #ccc solid;padding-left:1ex">
I think that&#39;s the wrong perspective. If you intend the issuer to be th=
e subject, you need to declare it.<br>
<br>
I wouldn&#39;t worry that it duplicates issuer. The fields have different m=
eaning.<br>
<br>
Phil<br>
<br>
@independentid<br>
<a href=3D"http://www.independentid.com" target=3D"_blank">www.independenti=
d.com</a><br>
<a href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a><br>
<div class=3D"HOEnZb"><div class=3D"h5"><br>
On 2014-03-11, at 1:43 PM, Antonio Sanso &lt;<a href=3D"mailto:asanso@adobe=
.com">asanso@adobe.com</a>&gt; wrote:<br>
<br>
&gt; agree, but in some cases the subject is not only same as the issuer bu=
t simply it doesn&rsquo;t matter.<br>
&gt;<br>
&gt; In my example below all it matters is that the assertion signed by app=
1 is valid&hellip;.<br>
&gt;<br>
&gt; Continue in my probably not relevant &ldquo;Google example&rdquo; if I=
 set the prn same as the issuer it would not work (keeping only the issuer =
without any subject gives me back a correct access token instead).<br>
&gt;<br>
&gt; Again this is not relevant spec wise. AFIU there is consensus in the w=
orking group to keep the subject mandatory. Would it make sense at least to=
 add a little not that in some situations the issuer and the subject are th=
e same?<br>

&gt; This might clarify at least something to people that do wonder...<br>
&gt;<br>
&gt; regards<br>
&gt;<br>
&gt; antonio<br>
&gt;<br>
&gt; On Mar 11, 2014, at 8:12 PM, John Bradley &lt;<a href=3D"mailto:ve7jtb=
@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt; wrote:<br>
&gt;<br>
&gt;&gt; The specification is intended to allow the interoperation of stand=
ard libraries.<br>
&gt;&gt;<br>
&gt;&gt; In some cases the subject and the iss may be the same, however the=
 underlying OAuth library may be a general one and always require a subject=
 for security processing.<br>
&gt;&gt;<br>
&gt;&gt; It is possible that all libraries could have a special rule for wh=
en sub is not present and use the value of iss as sub. &nbsp;This will save=
 some bytes in the JWT but it is probably not worth creating an extra code =
path in libraries for the size optimization.<br>

&gt;&gt;<br>
&gt;&gt; I don&#39;t think your saying there is no subject just that it is =
redundant with iss in some cases.<br>
&gt;&gt;<br>
&gt;&gt; John B.<br>
&gt;&gt;<br>
&gt;&gt; On Mar 11, 2014, at 2:11 PM, Antonio Sanso &lt;<a href=3D"mailto:a=
sanso@adobe.com">asanso@adobe.com</a>&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt;&gt; Ok this is my use case:<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; - I &nbsp;am John Doe and going to AS to register my app named=
 app1<br>
&gt;&gt;&gt; - I then either upload my public key or download a private key=
<br>
&gt;&gt;&gt; - at this point I am ready to build my assertion, the issuer c=
laim is going to be app1 and should suffice.<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; is the subject really needed in this use case?<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; regards<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; antonio<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; On Mar 11, 2014, at 4:25 PM, John Bradley &lt;<a href=3D"mailt=
o:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt; wrote:<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt; The missing scheme especially on JWT issued by google is s=
omething I understand they are working on but need to be careful about brea=
king existing code, so will possibly need new endpoints that are spec compl=
iant.<br>

&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt; While in this google case the subject and the issuer happe=
n to be the same they may well not be even in the self signed case. &nbsp; =
In WG discussions being consistent in providing the subject was considered =
to be better for interoperability than optimizing for the case where sub or=
 issuer could be dropped.<br>

&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt; John B.<br>
&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt; On Mar 11, 2014, at 12:05 PM, Hannes Tschofenig &lt;<a hre=
f=3D"mailto:hannes.tschofenig@gmx.net">hannes.tschofenig@gmx.net</a>&gt; wr=
ote:<br>
&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt; Maintaining both information in the JWT is IMHO valuab=
le since it gives<br>
&gt;&gt;&gt;&gt;&gt; you some information about the security properties. Ne=
edless to say that<br>
&gt;&gt;&gt;&gt;&gt; there is a substantial difference between a self-creat=
ed JWT and a JWT<br>
&gt;&gt;&gt;&gt;&gt; from a third party the relying party has some confiden=
ce in.<br>
&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt; Why Google has an old implementation and whether they =
are planning to<br>
&gt;&gt;&gt;&gt;&gt; update their code remains to be seen.<br>
&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt; More importantly, however, is why you argue that the s=
ubject claim has<br>
&gt;&gt;&gt;&gt;&gt; to be optional.<br>
&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt; Ciao<br>
&gt;&gt;&gt;&gt;&gt; Hannes<br>
&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt; Ps: I also noticed in the examples that all URIs have =
their URI scheme<br>
&gt;&gt;&gt;&gt;&gt; missing. While that might be OK I am not entirely sure=
...<br>
&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt; On 03/11/2014 04:08 PM, Antonio Sanso wrote:<br>
&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt; On Mar 11, 2014, at 3:53 PM, Hannes Tschofenig &lt=
;<a href=3D"mailto:hannes.tschofenig@gmx.net">hannes.tschofenig@gmx.net</a>=
&gt; wrote:<br>
&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt; Thanks for clarifying.<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt; I took a quick look at the Google API and it s=
eems that in their use<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt; case the client creates the JWT and consequent=
ly the subject and the<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt; issue would actually be the same. I suspect th=
at this is the reason why<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt; they omitted the subject.<br>
&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt; agreed that is why in my mail I said the subject m=
ight overlap with the issuer.<br>
&gt;&gt;&gt;&gt;&gt;&gt; The subject in the google case is still called wit=
h its obsolete name (prn) and it is actually listed as &lsquo;additional cl=
aims&rsquo; hence not mandatory.<br>
&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt; regards<br>
&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt; antonio<br>
&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt; Could you explain why you would like to omit t=
he subject claim in the JWT?<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt; Ciao<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt; Hannes<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt; PS: Your feedback on the &nbsp;draft-ietf-oaut=
h-jwt-bearer-07 spec is timely<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt; since we are about to finish all three asserti=
on specs.<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt; On 03/11/2014 03:56 PM, Antonio Sanso wrote:<b=
r>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; hi Hannes,<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; I am aware of the 2 documents,<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; I might be wrong but <a href=3D"http://too=
ls.ietf.org/html/draft-ietf-oauth-jwt-bearer-07" target=3D"_blank">http://t=
ools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07</a> is also about Authori=
zation Grant Processing (this is the part I do use in my implementation ) a=
nd not only Client Authentication Processing.<br>

&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; Just my 0.02 $ but this seems to be a plac=
e where different implementer have the same issue :)<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; regards<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; antonio<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; On Mar 11, 2014, at 3:36 PM, Hannes Tschof=
enig &lt;<a href=3D"mailto:hannes.tschofenig@gmx.net">hannes.tschofenig@gmx=
.net</a>&gt; wrote:<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; Hi Manfred, Hi Antonio,<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; Note that there are two documents that=
 talk about the JWT and you guys<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; might be looking at the wrong document=
.<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; The main JWT document (see<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; <a href=3D"http://tools.ietf.org/html/=
draft-ietf-oauth-json-web-token-18" target=3D"_blank">http://tools.ietf.org=
/html/draft-ietf-oauth-json-web-token-18</a>) defines<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; the subject claim as optional (see Sec=
tion 4.1.2).<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; The JWT bearer assertion document (see=
<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; <a href=3D"http://tools.ietf.org/html/=
draft-ietf-oauth-jwt-bearer-07" target=3D"_blank">http://tools.ietf.org/htm=
l/draft-ietf-oauth-jwt-bearer-07</a>) does indeed<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; define it as mandatory but that&#39;s =
intentional since the purpose of the<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; spec is to authenticate the client (or=
 the resource owner for an<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; authorization grant).<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; The assertion documents are used for i=
nterworking with &quot;legacy&quot; identity<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; infrastructure (such as SAML federatio=
ns).<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; So, are you sure you are indeed lookin=
g at the right document?<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; Ciao<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; Hannes<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; On 03/11/2014 03:13 PM, Antonio Sanso =
wrote:<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; hi *,<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; JSON Web Token (JWT) Profile secti=
on 3 [0] explicitly says<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; The JWT MUST contain a &quot;sub&q=
uot; (subject) claim<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; Now IMHO there are cases where hav=
ing the sub is either not needed or<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; redundant (since it might overlap =
with the issuer).\<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; As far as I can see &ldquo;even Go=
ogle&rdquo; currently violates this spec [1] ( I<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; know that this doesn&rsquo;t matte=
r, just wanted to bring a real use case<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; scenario).<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; WDYT might the &ldquo;sub&rdquo; b=
e optional in some situation?<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; regards<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; antonio<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; [0] <a href=3D"http://tools.ietf.o=
rg/html/draft-ietf-oauth-jwt-bearer-07#section-3" target=3D"_blank">http://=
tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3</a><br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; [1] <a href=3D"https://developers.=
google.com/accounts/docs/OAuth2ServiceAccount" target=3D"_blank">https://de=
velopers.google.com/accounts/docs/OAuth2ServiceAccount</a><br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; __________________________________=
_____________<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; OAuth mailing list<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; <a href=3D"mailto:OAuth@ietf.org">=
OAuth@ietf.org</a><br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; <a href=3D"https://www.ietf.org/ma=
ilman/listinfo/oauth" target=3D"_blank">https://www.ietf.org/mailman/listin=
fo/oauth</a><br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;<br>
&gt;&gt;<br>
&gt;<br>
<br>
</div></div></blockquote></div><br><br clear=3D"all"><div><br></div>-- <br>=
Nat Sakimura (=3Dnat)<div>Chairman, OpenID Foundation<br><a href=3D"http://=
nat.sakimura.org/" target=3D"_blank">http://nat.sakimura.org/</a><br>@_nat_=
en</div>

</div>

--089e0158b87cb6eb2204f45c76ef--
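
The rule debated in this thread (a bearer assertion must carry "sub", even when it equals "iss", and the legacy "prn" name does not stand in for it), as an added example that is not code from the draft, from Google or from any poster. HS256 with a shared key, the function names and every sample value are assumptions made for illustration; the iss/aud/exp requirements are taken from RFC 7523 section 3, the published form of the draft, while the thread itself quotes only the "sub" requirement.

```python
import base64
import hashlib
import hmac
import json
import time

# Claims a JWT bearer assertion must carry (RFC 7523 section 3).
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp")


def b64url_encode(raw):
    """Unpadded base64url, as used by the JWS compact serialization."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Decode unpadded base64url; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims, key):
    """Build a constructed HS256 sample token (fixture for this example)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signing_input = header + "." + body
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def _fail(result, message):
    result["errors"].append(message)
    return result


def check_assertion(token, key, expected_aud, now=None):
    """Verify the signature first, then enforce the claim rules.

    self_issued is True when iss == sub (the client minted its own
    assertion), False for a third-party issuer, None if it cannot be told.
    """
    now = time.time() if now is None else now
    result = {"accepted": False, "errors": [], "notes": [], "self_issued": None}
    parts = token.split(".")
    if len(parts) != 3:
        return _fail(result, "not a three-part compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError:
        return _fail(result, "malformed header or signature")
    # Pin the algorithm: anything else, including "none", is refused.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return _fail(result, "unsupported alg")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return _fail(result, "bad signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return _fail(result, "malformed claims")
    if not isinstance(claims, dict):
        return _fail(result, "claims are not a JSON object")

    for name in REQUIRED_CLAIMS:
        if name not in claims:
            result["errors"].append("missing required claim: " + name)
    if "sub" not in claims and "prn" in claims:
        result["notes"].append('legacy "prn" present; it does not satisfy "sub"')
    if "aud" in claims:
        aud = claims["aud"]
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_aud not in audiences:
            result["errors"].append("audience mismatch")
    if "exp" in claims:
        exp = claims["exp"]
        if isinstance(exp, bool) or not isinstance(exp, (int, float)):
            result["errors"].append("exp is not a number")
        elif exp <= now:
            result["errors"].append("assertion expired")
    if "iss" in claims and "sub" in claims:
        result["self_issued"] = claims["iss"] == claims["sub"]
    result["accepted"] = not result["errors"]
    return result


if __name__ == "__main__":
    key, aud, now = b"constructed-demo-key", "https://as.example.com/token", 1394550000
    samples = {  # constructed sample claim sets
        "self-issued": {"iss": "client-123", "sub": "client-123"},
        "third-party": {"iss": "https://idp.example.com", "sub": "bob"},
        "legacy prn": {"iss": "client-123", "prn": "bob"},
    }
    for label, claims in samples.items():
        claims.update({"aud": aud, "exp": now + 300})
        print(label, check_assertion(make_assertion(claims, key), key, aud, now))
```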


From nobody Tue Mar 11 22:42:24 2014
Return-Path: <James.H.Manger@team.telstra.com>
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org WG" <oauth@ietf.org>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Wed, 12 Mar 2014 16:42:07 +1100
Thread-Topic: [OAUTH-WG] WGLC on JSON Web Token (JWT)
Message-ID: <255B9BB34FB7D647A506DC292726F6E11540251D0A@WSMSG3153V.srv.dir.telstra.com>
References: <5202113B.1020505@gmx.net> <255B9BB34FB7D647A506DC292726F6E1152869AC01@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B16804296739439A0A9521@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A0A9521@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E11540251D0AWSMSG3153Vsrv_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/t78BHTu4Lww-LNzGZsjbe7CdNEU
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)

--_000_255B9BB34FB7D647A506DC292726F6E11540251D0AWSMSG3153Vsrv_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64


--_000_255B9BB34FB7D647A506DC292726F6E11540251D0AWSMSG3153Vsrv_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_255B9BB34FB7D647A506DC292726F6E11540251D0AWSMSG3153Vsrv_--


From nobody Wed Mar 12 00:09:13 2014
Return-Path: <manfred.steyer@gmx.net>
From: "Manfred Steyer" <manfred.steyer@gmx.net>
To: <oauth@ietf.org>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net> <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com> <531F2632.2090204@gmx.net> <003201cf3d60$09a4be20$1cee3a60$@gmx.net> <8523B6DF-C085-42F0-A02A-51F2A9AF0FFB@ve7jtb.com>
In-Reply-To: <8523B6DF-C085-42F0-A02A-51F2A9AF0FFB@ve7jtb.com>
Date: Wed, 12 Mar 2014 08:08:59 +0100
Message-ID: <006a01cf3dc1$f1333080$d3999180$@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Language: de
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/lk9GmfiHJkIV3YaHHWcdZ5a39Dc
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile

Hi John,

thx for this explanation. It helps me to see, why this decision has been
made.

Wishes,
Manfred


-----Original Message-----
From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Tuesday, 11 March 2014 20:49
To: Manfred Steyer
Cc: Hannes Tschofenig; Antonio Sanso; oauth@ietf.org
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile

Company X will likely care about the subject being asserted by company A for
auditing and possible revocation.

It may be that the extension claim accessLevel=Accounting is sufficient to
grant the access token.

By Policy A could make sub itself, or an identifier for the user of the
client in its namespace.

Yes there are some cases where it may be redundant or not disclosed for a
privacy reason, but the current decision is to keep the library consistent
and push that decision to the application logic.

You can make the case the decision was wrong.

The other reason for it is that the JWT and SAML assertions are parallel and
in SAML subject is required. That was the other consistency reason for
making it mandatory.

John B.


On Mar 11, 2014, at 4:28 PM, Manfred Steyer <manfred.steyer@gmx.net> wrote:

> Hi,
>
> perhaps you can show that I'm wrong, but I still think, that there are
> cases, where the subject is unknown cause it's not relevant. Let's consider
> the following federation-scenario:
>
> 1. Bob has a Token T1 that says, that he works for Company A on Project B.
> The Subject of this token is "Bob".
> 2. Company X says, that everyone in Company A working for Project B gets
> access to Accounting-Information.
> 3. Bob exchanges this Token T1 at Company X's AuthServer for another Token
> T2. T2 contains a claim AccessLevel=Accounting. T2 could also get a copy of
> the subj-claim, but Company X doesn't care about that, cause no one in
> Company B knows Bob.
>
> The only reason I can imagine, why the sub-claim should be copied into T2 is
> because of tracing and finding out, that there is a correlation between T2
> and T1. But this could be accomplished with other mechanisms too.
>
> Did I oversee something? If there is another reason, why sub is mandatory, I
> think, it would not hurt too much to copy the sub-claim from T1 to T2 (and
> from T2 to T3 etc.)...
>
> Wishes
> Manfred
>
>
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Tuesday, 11 March 2014 16:05
> To: Antonio Sanso
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
>
> Maintaining both information in the JWT is IMHO valuable since it gives you
> some information about the security properties. Needless to say that there
> is a substantial difference between a self-created JWT and a JWT from a
> third party the relying party has some confidence in.
>
> Why Google has an old implementation and whether they are planning to update
> their code remains to be seen.
>
> More importantly, however, is why you argue that the subject claim has to be
> optional.
>
> Ciao
> Hannes
>
> Ps: I also noticed in the examples that all URIs have their URI scheme
> missing. While that might be OK I am not entirely sure...
>
> On 03/11/2014 04:08 PM, Antonio Sanso wrote:
>>
>> On Mar 11, 2014, at 3:53 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>
>>> Thanks for clarifying.
>>>
>>> I took a quick look at the Google API and it seems that in their use
>>> case the client creates the JWT and consequently the subject and the
>>> issue would actually be the same. I suspect that this is the reason
>>> why they omitted the subject.
>>
>> agreed that is why in my mail I said the subject might overlap with the issuer.
>> The subject in the google case is still called with its obsolete name
>> (prn) and it is actually listed as 'additional claims' hence not mandatory.
>>
>> regards
>>
>> antonio
>>
>>>
>>> Could you explain why you would like to omit the subject claim in the JWT?
>>>
>>> Ciao
>>> Hannes
>>>
>>> PS: Your feedback on the draft-ietf-oauth-jwt-bearer-07 spec is
>>> timely since we are about to finish all three assertion specs.
>>>
>>>
>>> On 03/11/2014 03:56 PM, Antonio Sanso wrote:
>>>> hi Hannes,
>>>>
>>>> I am aware of the 2 documents,
>>>>
>>>> I might be wrong but
>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 is also about
>>>> Authorization Grant Processing (this is the part I do use in my
>>>> implementation) and not only Client Authentication Processing.
>>>>
>>>> Just my 0.02 $ but this seems to be a place where different
>>>> implementers have the same issue :)
>>>>
>>>> regards
>>>>
>>>> antonio
>>>>
>>>> On Mar 11, 2014, at 3:36 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>
>>>>> Hi Manfred, Hi Antonio,
>>>>>
>>>>> Note that there are two documents that talk about the JWT and you
>>>>> guys might be looking at the wrong document.
>>>>>
>>>>> The main JWT document (see
>>>>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18)
>>>>> defines the subject claim as optional (see Section 4.1.2).
>>>>>
>>>>> The JWT bearer assertion document (see
>>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does
>>>>> indeed define it as mandatory but that's intentional since the
>>>>> purpose of the spec is to authenticate the client (or the resource
>>>>> owner for an authorization grant).
>>>>>
>>>>> The assertion documents are used for interworking with "legacy"
>>>>> identity infrastructure (such as SAML federations).
>>>>>
>>>>> So, are you sure you are indeed looking at the right document?
>>>>>
>>>>> Ciao
>>>>> Hannes
>>>>>
>>>>>
>>>>> On 03/11/2014 03:13 PM, Antonio Sanso wrote:
>>>>>> hi *,
>>>>>>
>>>>>> JSON Web Token (JWT) Profile section 3 [0] explicitly says
>>>>>>
>>>>>> The JWT MUST contain a "sub" (subject) claim
>>>>>>
>>>>>>
>>>>>> Now IMHO there are cases where having the sub is either not needed
>>>>>> or redundant (since it might overlap with the issuer).
>>>>>>
>>>>>> As far as I can see "even Google" currently violates this spec [1]
>>>>>> (I know that this doesn't matter, just wanted to bring a real use
>>>>>> case scenario).
>>>>>>
>>>>>> WDYT might the "sub" be optional in some situation?
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> antonio
>>>>>>
>>>>>> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
>>>>>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>
>>>>
>>>
>>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
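
The exchange discussed in this thread, as an added example that is not part of any poster's message or of the drafts: Company X's authorization server validates T1, insists on "sub", and keys audit and revocation on the (issuer, subject) pair. The issuer URL, endpoint, key, the "project" and "accessLevel" claim names, the HS256 signing and the iss/aud/exp checks are assumptions made for the illustration.

```python
"""Added illustration: Company X's token endpoint handling a JWT bearer assertion."""
import base64
import hashlib
import hmac
import json

# Constructed values: issuer, endpoint URL, key and claim names are assumptions.
ISSUER_KEYS = {"https://idp.company-a.example": b"constructed-demo-key"}
TOKEN_ENDPOINT = "https://as.company-x.example/token"


class AssertionRejected(Exception):
    """Raised when the assertion fails a signature or claim check."""


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key):
    """Build a compact HS256 JWT (used here only to construct sample tokens)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"


def exchange(assertion, now, revoked, audit):
    """Validate T1 and return the claims for T2, or raise AssertionRejected."""
    try:
        head64, body64, sig64 = assertion.split(".")
        header = json.loads(b64url_decode(head64))
        claims = json.loads(b64url_decode(body64))
        sig = b64url_decode(sig64)
    except ValueError:
        raise AssertionRejected("malformed JWT") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise AssertionRejected("malformed JWT")
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        raise AssertionRejected("unexpected alg")
    iss = claims.get("iss")
    key = ISSUER_KEYS.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise AssertionRejected("unknown issuer")
    expected = hmac.new(key, f"{head64}.{body64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise AssertionRejected("bad signature")
    # The requirement debated in the thread: the assertion must name a subject.
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise AssertionRejected("missing sub")
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise AssertionRejected("wrong audience")
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        raise AssertionRejected("expired or missing exp")
    # Revocation and audit both depend on knowing who the issuer vouched for.
    if (iss, sub) in revoked:
        raise AssertionRejected("subject revoked")
    if claims.get("project") != "B":
        raise AssertionRejected("no matching policy")
    audit.append((now, iss, sub, "Accounting"))
    # T2 keeps the subject, namespaced by the issuer that asserted it.
    return {"iss": TOKEN_ENDPOINT, "sub": f"{iss}#{sub}", "accessLevel": "Accounting"}


def demo():
    """Run the scenario on constructed tokens and return each outcome."""
    now = 1394568000  # constructed clock value
    iss = "https://idp.company-a.example"
    key = ISSUER_KEYS[iss]
    base = {"iss": iss, "aud": TOKEN_ENDPOINT, "exp": now + 300, "project": "B"}
    t1_bob = sign_hs256({**base, "sub": "bob"}, key)
    t1_no_sub = sign_hs256(base, key)
    t1_self = sign_hs256({**base, "sub": iss}, key)  # subject overlaps with issuer
    revoked, audit, out = set(), [], {}

    def attempt(name, token):
        try:
            out[name] = exchange(token, now, revoked, audit)
        except AssertionRejected as err:
            out[name] = str(err)

    attempt("bob", t1_bob)
    attempt("no_sub", t1_no_sub)
    attempt("self_issued", t1_self)
    revoked.add((iss, "bob"))
    attempt("bob_after_revocation", t1_bob)
    out["audited_subjects"] = [entry[2] for entry in audit]
    return out


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```
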



From nobody Wed Mar 12 02:44:45 2014
Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7029E1A0932 for <oauth@ietfa.amsl.com>; Wed, 12 Mar 2014 02:44:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4PjonGClBSH5 for <oauth@ietfa.amsl.com>; Wed, 12 Mar 2014 02:44:39 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0239.outbound.protection.outlook.com [207.46.163.239]) by ietfa.amsl.com (Postfix) with ESMTP id 729AA1A0930 for <oauth@ietf.org>; Wed, 12 Mar 2014 02:44:39 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by BL2PR02MB306.namprd02.prod.outlook.com (10.141.91.19) with Microsoft SMTP Server (TLS) id 15.0.893.10; Wed, 12 Mar 2014 09:44:31 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.29]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.185]) with mapi id 15.00.0893.001; Wed, 12 Mar 2014 09:44:30 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Manfred Steyer <manfred.steyer@gmx.net>
Thread-Topic: [OAUTH-WG] JSON Web Token (JWT) Profile
Thread-Index: AQHPPTQaKxckAjMng0+5U95NRYKjsJrb9DEAgAAFrgD///7sAIAABF2A////FQCAAEllgIAABfqAgAC93ICAACt1gA==
Date: Wed, 12 Mar 2014 09:44:29 +0000
Message-ID: <C7EE63D7-16D6-4607-AE7E-640D6E82B179@adobe.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net> <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com> <531F2632.2090204@gmx.net> <003201cf3d60$09a4be20$1cee3a60$@gmx.net> <8523B6DF-C085-42F0-A02A-51F2A9AF0FFB@ve7jtb.com> <006a01cf3dc1$f1333080$d3999180$@gmx.net>
In-Reply-To: <006a01cf3dc1$f1333080$d3999180$@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [193.104.215.11]
received-spf: None (: adobe.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <32DB87F74D9D724597C1E8CA372FC91C@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/H2IwBOFrXu0YuOtmViav446zetY
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Mar 2014 09:44:44 -0000

+1

thanks

antonio

On Mar 12, 2014, at 8:08 AM, Manfred Steyer <manfred.steyer@gmx.net> wrote:

> Hi John,
>
> thx for this explanation. It helps me to see, why this decision has been
> made.
>
> Wishes,
> Manfred
>


From nobody Mon Mar 17 11:04:24 2014
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E70E91A0449 for <oauth@ietfa.amsl.com>; Mon, 17 Mar 2014 11:04:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.901
X-Spam-Level: 
X-Spam-Status: No, score=-3.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hr9ZgXX7F2TW for <oauth@ietfa.amsl.com>; Mon, 17 Mar 2014 11:04:14 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0140.outbound.protection.outlook.com [207.46.163.140]) by ietfa.amsl.com (Postfix) with ESMTP id 351AD1A02F2 for <oauth@ietf.org>; Mon, 17 Mar 2014 11:04:12 -0700 (PDT)
Received: from BL2PR03CA020.namprd03.prod.outlook.com (10.141.66.28) by BL2PR03MB163.namprd03.prod.outlook.com (10.255.230.147) with Microsoft SMTP Server (TLS) id 15.0.898.11; Mon, 17 Mar 2014 18:04:03 +0000
Received: from BN1AFFO11FD043.protection.gbl (2a01:111:f400:7c10::158) by BL2PR03CA020.outlook.office365.com (2a01:111:e400:c1b::28) with Microsoft SMTP Server (TLS) id 15.0.898.11 via Frontend Transport; Mon, 17 Mar 2014 18:04:03 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD043.mail.protection.outlook.com (10.58.52.190) with Microsoft SMTP Server (TLS) id 15.0.898.8 via Frontend Transport; Mon, 17 Mar 2014 18:04:02 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.240]) by TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id 14.03.0181.007; Mon, 17 Mar 2014 18:03:17 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>, "oauth@ietf.org WG" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] WGLC on JSON Web Token (JWT)
Thread-Index: AQHOk09MPVTXxCf600aHih1/kI1D/ZmLZ98AgUVpnFCADWIk8IAIrL4w
Date: Mon, 17 Mar 2014 18:03:16 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0EEC5E@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <5202113B.1020505@gmx.net> <255B9BB34FB7D647A506DC292726F6E1152869AC01@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B16804296739439A0A9521@TK5EX14MBXC286.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E11540251D0A@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11540251D0A@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.35]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0EEC5ETK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/OFIHPmhN7_FfdmlDx0ueX2hTgdw
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Mar 2014 18:04:20 -0000

--_000_4E1F6AAD24975D4BA5B16804296739439A0EEC5ETK5EX14MBXC286r_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_4E1F6AAD24975D4BA5B16804296739439A0EEC5ETK5EX14MBXC286r_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_4E1F6AAD24975D4BA5B16804296739439A0EEC5ETK5EX14MBXC286r_--


From nobody Mon Mar 17 20:06:25 2014
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61A6E1A04F8 for <oauth@ietfa.amsl.com>; Mon, 17 Mar 2014 20:06:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.201
X-Spam-Level: 
X-Spam-Status: No, score=-2.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RELAY_IS_203=0.994] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f_dYynAnX_ob for <oauth@ietfa.amsl.com>; Mon, 17 Mar 2014 20:06:13 -0700 (PDT)
Received: from ipxano.tcif.telstra.com.au (ipxano.tcif.telstra.com.au [203.35.82.200]) by ietfa.amsl.com (Postfix) with ESMTP id 26AC71A036C for <oauth@ietf.org>; Mon, 17 Mar 2014 20:06:09 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.97,674,1389704400";  d="scan'208,217";a="192725479"
Received: from unknown (HELO ipcbni.tcif.telstra.com.au) ([10.97.216.204]) by ipoani.tcif.telstra.com.au with ESMTP; 18 Mar 2014 14:06:00 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,7380"; a="208011113"
Received: from wsmsg3707.srv.dir.telstra.com ([172.49.40.81]) by ipcbni.tcif.telstra.com.au with ESMTP; 18 Mar 2014 14:06:00 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3707.srv.dir.telstra.com ([172.49.40.81]) with mapi; Tue, 18 Mar 2014 14:05:59 +1100
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org WG" <oauth@ietf.org>
Date: Tue, 18 Mar 2014 14:05:58 +1100
Thread-Topic: [OAUTH-WG] WGLC on JSON Web Token (JWT)
Thread-Index: AQHOk09MPVTXxCf600aHih1/kI1D/ZmLZ98AgUVpnFCADWIk8IAIrL4wgABonJA=
Message-ID: <255B9BB34FB7D647A506DC292726F6E11540596326@WSMSG3153V.srv.dir.telstra.com>
References: <5202113B.1020505@gmx.net> <255B9BB34FB7D647A506DC292726F6E1152869AC01@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B16804296739439A0A9521@TK5EX14MBXC286.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E11540251D0A@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B16804296739439A0EEC5E@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A0EEC5E@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E11540596326WSMSG3153Vsrv_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/2QWzGn-0_-BpdUG62NToCFfzoX4
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 03:06:21 -0000

--_000_255B9BB34FB7D647A506DC292726F6E11540596326WSMSG3153Vsrv_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_255B9BB34FB7D647A506DC292726F6E11540596326WSMSG3153Vsrv_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

bG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29Ob3Jt
YWw+PHNwYW4gc3R5bGU9J2NvbG9yOiMxRjQ5N0QnPlRoZSBhbnN3ZXJzIHNob3VsZCBiZSBOby48
bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxzcGFuIHN0eWxlPSdjb2xv
cjojMUY0OTdEJz5KV1Qgd291bGQgbm90IGJlIGEgZ29vZCBleGFtcGxlIHRvIGVtdWxhdGUuPG86
cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBzdHlsZT0nY29sb3I6
IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48
c3BhbiBzdHlsZT0nY29sb3I6IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxw
IGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBsYW5nPUVO
LVVTIHN0eWxlPSdjb2xvcjojMUY0OTdEJz4mZ3Q7IFlvdSBtYXkgbm90IGxvdmUgdGhlIHRleHQg
YWJvdXQgY29sbGlzaW9uLXJlc2lzdGFudCBuYW1lcywgYnV0IHRoZSBhbHRlcm5hdGl2ZXMgd291
bGQgYmUgd29yc2UgaW4gcHJhY3RpY2Ug4oCTIGZvciBpbnN0YW5jZSwgcmVxdWlyaW5nIHRoYXQg
YWxsIG5vbi1yZWdpc3RlcmVkIG5hbWVzIGNvbWUgZnJvbSBhIHNpbmdsZSBzcGVjaWZpYyBjb2xs
aXNpb24tcmVzaXN0YW50IG5hbWVzcGFjZSwgc3VjaCBhcyBPSURTLCBVUkxzLCBVUk5zLCBHVUlE
cywgSVAgYWRkcmVzc2VzLCBldGMuJm5ic3A7IFllcywgdGhlcmXigJlzIGEgdGhlb3JldGljYWwg
cG9zc2liaWxpdHkgb2YgYSBjb2xsaXNpb24gYmV0d2VlbiBhIG5hbWUgdGhhdOKAmXMgYW4gT0lE
IHdpdGggZm91ciBudW1iZXJzIGFuZCBhIG51bWVyaWMgSVB2NCBhZGRyZXNzIHJlcHJlc2VudGF0
aW9uLCBidXQgaXMgdGhhdCBhY3R1YWxseSBhIHJlYWwgaXNzdWU/Jm5ic3A7IERvIHlvdSByZWFs
bHkgZXhwZWN0IHBlb3BsZSB0byB1c2UgYm90aCBudW1lcmljIElQdjQgYWRkcmVzc2VzIGFuZCBP
SURzIGluIHRoZSBzYW1lIGFwcGxpY2F0aW9uIGNvbnRleHQ/Jm5ic3A7IFRoZXNlIHNwZWNzIGhh
dmUgdHJpZWQgdG8gdGFrZSBhIHByYWdtYXRpYyBhbmQgcHJhY3RpY2FsIGFwcHJvYWNoIHRocm91
Z2hvdXQsIGFuZCBhbGxvd2luZyB0aGUgdXNlIG9mIGFwcGxpY2F0aW9uLWNob3NlbiBjb2xsaXNp
b24tcmVzaXN0YW50IG5hbWVzIHdpdGhvdXQgcmVnaXN0cmF0aW9uIGlzIG9uZSBzdWNoIGNhc2Uu
PG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBsYW5nPUVOLVVT
IHN0eWxlPSdjb2xvcjojMUY0OTdEJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+PHAgY2xh
c3M9TXNvTm9ybWFsPjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2NvbG9yOiMxRjQ5N0QnPkl0IHNv
dW5kcyBsaWtlIHlvdSB3YW50IHRvIGdpdmUgcGVvcGxlIG1heGltdW0gZmxleGliaWxpdHkgdG8g
Y2hvb3NlIGNsYWltIG5hbWVzIGFzIHRoZXkgd2lzaCwgYnV0IHRvIG1pbmltaXplIHRoZSBjaGFu
Y2Ugb2YgYW1iaWd1aXR5IHlvdSB3YW50IHRvIHByb3ZpZGUgYSByZWdpc3RyeSAocGFydGljdWxh
cmx5IGZvciBzaG9ydCBuYW1lcykgYW5kIGVuY291cmFnZSBuYW1lcyB0aGF0IGFyZSBsaWtlbHkg
dG8gYmUgdW5hbWJpZ3VvdXMgaW4gcHJhY3RpY2UuIEdyZWF0LjxvOnA+PC9vOnA+PC9zcGFuPjwv
cD48cCBjbGFzcz1Nc29Ob3JtYWw+PHNwYW4gbGFuZz1FTi1VUyBzdHlsZT0nY29sb3I6IzFGNDk3
RCc+TXkgb2JqZWN0aW9uIHdpdGggdGhlIHRleHQgaXMgdGhhdCBpdCBkb2VzbuKAmXQgc2ltcGx5
IHN0YXRlIHRoaXMgcHJhZ21hdGljIGFuZCBwcmFjdGljYWwgYXBwcm9hY2guIEluc3RlYWQsIGl0
IGludmVudHMgdGhlIHRlcm1zIOKAnFJlZ2lzdGVyZWQgQ2xhaW0gTmFtZeKAnSwg4oCcUHVibGlj
IENsYWltIE5hbWXigJ0sIOKAnFByaXZhdGUgQ2xhaW0gTmFtZeKAnSwg4oCcQ29sbGlzaW9uLVJl
c2lzdGFudCBOYW1l4oCdLiBUaGUgdGV4dCBhZGRzIGFsbCB0aGlzIGZvcm1hbGlzbSB0aGF0IGlz
IG1lcmVseSBhIHNtb2tlLXNjcmVlbiBvdmVyIHRoZSBmYWN0IHRoYXQgaXQgbWVyZWx5IHNheWlu
ZyDigJxwbGVhc2UgYmUgc2Vuc2libGUgaW4gY2hvb3NpbmcgbmFtZXMgc28gdGhleSBhcmUgdW5s
aWtlbHkgdG8gY2xhc2jigJ0uIEl0IG1ha2UgaXQgbG9vayBsaWtlIHRoZSBhdXRob3JzIChXRy9J
RVRGKSBmYWlsZWQgdG8gYXBwcmVjaWF0ZSB0aGF0IGNvbWJpbmluZyBuYW1lcyBmcm9tIGFyYml0
cmFyeSBuYW1lc3BhY2VzIGNvdWxkIGNhdXNlIGNvbGxpc2lvbnMgKGV2ZW4gaWYgaXQgaXMgdW5s
aWtlbHkpLCBhbmQgaGVuY2UgZmFpbGVkIHRvIGNvbnNpZGVyIGlmIHRoYXQgY291bGQgYmUgYSBz
ZWN1cml0eSBvciBpbnRlcm9wIHByb2JsZW0uPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNz
PU1zb05vcm1hbD48c3BhbiBzdHlsZT0nY29sb3I6IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48
L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBzdHlsZT0nY29sb3I6IzFGNDk3RCc+
PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBzdHls
ZT0nY29sb3I6IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1z
b05vcm1hbD48c3BhbiBzdHlsZT0nY29sb3I6IzFGNDk3RCc+UC5TLiBNaWtlLCB5b3Ugd2VyZSB0
b28gcXVpY2sgaW4gdXBkYXRpbmcgdGhlIEpTT04gcmVmZXJlbmNlcyBpbiBKV1QgJmFtcDsgSk9T
RSB0byBSRkMgNzE1OC4gVGhlIG5ldyBKU09OIHNwZWMgaXMgYWN0dWFsbHkgUkZDIDcxNTkuIFJG
QyA3MTU4IHdhcyBvYnNvbGV0ZSB0aGUgZGF5IGFmdGVyIGl0IHdhcyBwdWJsaXNoZWQgZHVlIHRv
IGEgdHlwby48bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxzcGFuIHN0
eWxlPSdjb2xvcjojMUY0OTdEJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+PGRpdj48cCBj
bGFzcz1Nc29Ob3JtYWw+PHNwYW4gc3R5bGU9J2NvbG9yOiMxRjQ5N0QnPi0tPG86cD48L286cD48
L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBzdHlsZT0nY29sb3I6IzFGNDk3RCc+
SmFtZXMgTWFuZ2VyPG86cD48L286cD48L3NwYW4+PC9wPjwvZGl2PjxwIGNsYXNzPU1zb05vcm1h
bD48c3BhbiBzdHlsZT0nY29sb3I6IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9w
PjxkaXY+PGRpdiBzdHlsZT0nYm9yZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEu
MHB0O3BhZGRpbmc6My4wcHQgMGNtIDBjbSAwY20nPjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0n
bWFyZ2luLWxlZnQ6MzYuMHB0Jz48Yj48c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdmb250LXNpemU6
MTAuMHB0O2ZvbnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIic+RnJvbTo8L3NwYW4+PC9i
PjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IlRh
aG9tYSIsInNhbnMtc2VyaWYiJz4gTWlrZSBKb25lcyBbbWFpbHRvOk1pY2hhZWwuSm9uZXNAbWlj
cm9zb2Z0LmNvbV0gPGJyPjxiPlNlbnQ6PC9iPiBUdWVzZGF5LCAxOCBNYXJjaCAyMDE0IDU6MDMg
QU08YnI+PGI+VG86PC9iPiBNYW5nZXIsIEphbWVzOyBvYXV0aEBpZXRmLm9yZyBXRzxicj48Yj5T
dWJqZWN0OjwvYj4gUkU6IFtPQVVUSC1XR10gV0dMQyBvbiBKU09OIFdlYiBUb2tlbiAoSldUKTxv
OnA+PC9vOnA+PC9zcGFuPjwvcD48L2Rpdj48L2Rpdj48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9
J21hcmdpbi1sZWZ0OjM2LjBwdCc+PG86cD4mbmJzcDs8L286cD48L3A+PHAgY2xhc3M9TXNvTm9y
bWFsIHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2Nv
bG9yOiMxRjQ5N0QnPkhpIEphbWVzLDxvOnA+PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29O
b3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gbGFuZz1FTi1VUyBzdHlsZT0n
Y29sb3I6IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05v
cm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdj
b2xvcjojMUY0OTdEJz5QZXIgeW91ciBwb2ludCAxIGJlbG93LCBhY3R1YWxseSwgdGhlIEpPU0Ug
ZG9jcyBhbHJlYWR5ICo8Yj5kbzwvYj4qIHNwZWNpZnkgdGhhdCBKT1NFIG9iamVjdHMgY2FuIGJl
IGVpdGhlciBKV1NzIG9yIEpXRXMgYW5kIHNheSBob3cgdG8gZGlzdGluZ3Vpc2ggdGhlbSDigJMg
c2VlIDxhIGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtam9zZS1q
c29uLXdlYi1lbmNyeXB0aW9uLTIzI3NlY3Rpb24tOSI+aHR0cDovL3Rvb2xzLmlldGYub3JnL2h0
bWwvZHJhZnQtaWV0Zi1qb3NlLWpzb24td2ViLWVuY3J5cHRpb24tMjMjc2VjdGlvbi05PC9hPiBv
biBEaXN0aW5ndWlzaGluZyBiZXR3ZWVuIEpXUyBhbmQgSldFIE9iamVjdHMuPG86cD48L286cD48
L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48
c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdjb2xvcjojMUY0OTdEJz48bzpwPiZuYnNwOzwvbzpwPjwv
c3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxz
cGFuIGxhbmc9RU4tVVMgc3R5bGU9J2NvbG9yOiMxRjQ5N0QnPlBlciB5b3VyIHBvaW50IDIsIEpP
U0UgKjxiPmRvZXM8L2I+KiBkZWZpbmUgdGhlIOKAnGN0eeKAnSAoY29udGVudCB0eXBlKSBoZWFk
ZXIgcGFyYW1ldGVyIHRvIGVuYWJsZSBkZXNjcmliaW5nIHRoZSB0eXBlIG9mIHRoZSBwYXlsb2Fk
IG9mIGEgSk9TRSBvYmplY3QuJm5ic3A7IE5lc3RpbmcgaXMgc2ltcGx5IGEgc3BlY2lhbCBjYXNl
IG9mIHRoaXMgbW9yZSBnZW5lcmFsIGNhcGFiaWxpdHkgdG8gZGVzY3JpYmUgdGhlIGNvbnRlbnQg
dHlwZSBvZiB0aGUgcGF5bG9hZC4mbmJzcDsgVGhlIEpXVCBzcGVjIGRlZmluZXMgYSBzcGVjaWZp
YyBjb250ZW50IHR5cGUgdmFsdWUgdG8gYmUgdXNlZCB0byBpbmRpY2F0ZSB0aGF0IHRoZSBwYXls
b2FkIGlzIGEgSldULCB3aGljaCBpcyB1c2VkIGFzIHRoZSDigJxjdHnigJ0gdmFsdWUgaW4gdGhp
cyBjYXNlLiZuYnNwOyBPdGhlciBhcHBsaWNhdGlvbnMgd291bGQgc2ltaWxhcmx5IHVzZSBvdGhl
ciBhcHBsaWNhdGlvbi1zcGVjaWZpYyBjb250ZW50IHR5cGVzIHRvIGluZGljYXRlIHRoYXQgdGhh
dCBhcHBsaWNhdGlvbuKAmXMgZGF0YSBpcyB0aGUgSk9TRSBwYXlsb2FkLjxvOnA+PC9vOnA+PC9z
cGFuPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNw
YW4gbGFuZz1FTi1VUyBzdHlsZT0nY29sb3I6IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3Nw
YW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3Bh
biBsYW5nPUVOLVVTIHN0eWxlPSdjb2xvcjojMUY0OTdEJz5Zb3VyIHBvaW50IGFib3V0IHdoZXRo
ZXIgbmVzdGluZyBpcyBtYW5kYXRvcnktdG8taW1wbGVtZW50IGlzIHdlbGwgdGFrZW4uJm5ic3A7
IChJIGRvbuKAmXQgdGhpbmsgdGhhdCBoYWQgYmVlbiBwb2ludGVkIG91dCBiZWZvcmUuKSZuYnNw
OyBJIGNhbiBhZGQgYSBzdGF0ZW1lbnQgc2F5aW5nIHRoYXQgaXQgaXMgYXBwbGljYXRpb24tZGVw
ZW5kZW50IHdoZXRoZXIgc3VwcG9ydCBmb3IgbmVzdGluZyBpcyByZXF1aXJlZCBvciBub3QuJm5i
c3A7IChKdXN0IGxpa2UgZW5jcnlwdGlvbiBzdXBwb3J0IGlzIGFscmVhZHkgZXhwbGljaXRseSBv
cHRpb25hbCwgaXQgc2hvdWxkIG1hZGUgY2xlYXIgdGhhdCBzdXBwb3J0IGZvciBuZXN0aW5nIGlz
IG9wdGlvbmFsLCB1bmxlc3MgdGhlIGFwcGxpY2F0aW9uIHNwZWNpZmllcyBvdGhlcndpc2UuKTxv
OnA+PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0
OjM2LjBwdCc+PHNwYW4gbGFuZz1FTi1VUyBzdHlsZT0nY29sb3I6IzFGNDk3RCc+PG86cD4mbmJz
cDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6
MzYuMHB0Jz48c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdjb2xvcjojMUY0OTdEJz5Zb3UgbWF5IG5v
dCBsb3ZlIHRoZSB0ZXh0IGFib3V0IGNvbGxpc2lvbi1yZXNpc3RhbnQgbmFtZXMsIGJ1dCB0aGUg
YWx0ZXJuYXRpdmVzIHdvdWxkIGJlIHdvcnNlIGluIHByYWN0aWNlIOKAkyBmb3IgaW5zdGFuY2Us
IHJlcXVpcmluZyB0aGF0IGFsbCBub24tcmVnaXN0ZXJlZCBuYW1lcyBjb21lIGZyb20gYSBzaW5n
bGUgc3BlY2lmaWMgY29sbGlzaW9uLXJlc2lzdGFudCBuYW1lc3BhY2UsIHN1Y2ggYXMgT0lEUywg
VVJMcywgVVJOcywgR1VJRHMsIElQIGFkZHJlc3NlcywgZXRjLiZuYnNwOyBZZXMsIHRoZXJl4oCZ
cyBhIHRoZW9yZXRpY2FsIHBvc3NpYmlsaXR5IG9mIGEgY29sbGlzaW9uIGJldHdlZW4gYSBuYW1l
IHRoYXTigJlzIGFuIE9JRCB3aXRoIGZvdXIgbnVtYmVycyBhbmQgYSBudW1lcmljIElQdjQgYWRk
cmVzcyByZXByZXNlbnRhdGlvbiwgYnV0IGlzIHRoYXQgYWN0dWFsbHkgYSByZWFsIGlzc3VlPyZu
YnNwOyBEbyB5b3UgcmVhbGx5IGV4cGVjdCBwZW9wbGUgdG8gdXNlIGJvdGggbnVtZXJpYyBJUHY0
IGFkZHJlc3NlcyBhbmQgT0lEcyBpbiB0aGUgc2FtZSBhcHBsaWNhdGlvbiBjb250ZXh0PyZuYnNw
OyBUaGVzZSBzcGVjcyBoYXZlIHRyaWVkIHRvIHRha2UgYSBwcmFnbWF0aWMgYW5kIHByYWN0aWNh
bCBhcHByb2FjaCB0aHJvdWdob3V0LCBhbmQgYWxsb3dpbmcgdGhlIHVzZSBvZiBhcHBsaWNhdGlv
bi1jaG9zZW4gY29sbGlzaW9uLXJlc2lzdGFudCBuYW1lcyB3aXRob3V0IHJlZ2lzdHJhdGlvbiBp
cyBvbmUgc3VjaCBjYXNlLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWwg
c3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gbGFuZz1FTi1VUyBzdHlsZT0nY29sb3I6
IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbCBz
dHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdjb2xvcjoj
MUY0OTdEJz4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsgLS0gTWlrZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFz
cz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gbGFuZz1FTi1VUyBz
dHlsZT0nY29sb3I6IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxkaXY+PGRp
diBzdHlsZT0nYm9yZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEuMHB0O3BhZGRp
bmc6My4wcHQgMGNtIDBjbSAwY20nPjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxl
ZnQ6MzYuMHB0Jz48Yj48c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2Zv
bnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIic+RnJvbTo8L3NwYW4+PC9iPjxzcGFuIGxh
bmc9RU4tVVMgc3R5bGU9J2ZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6IlRhaG9tYSIsInNh
bnMtc2VyaWYiJz4gTWFuZ2VyLCBKYW1lcyBbbWFpbHRvOkphbWVzLkguTWFuZ2VyQHRlYW0udGVs
c3RyYS5jb21dIDxicj48Yj5TZW50OjwvYj4gVHVlc2RheSwgTWFyY2ggMTEsIDIwMTQgMTA6NDIg
UE08YnI+PGI+VG86PC9iPiBNaWtlIEpvbmVzOyBvYXV0aEBpZXRmLm9yZyBXRzsgSGFubmVzIFRz
Y2hvZmVuaWc8YnI+PGI+U3ViamVjdDo8L2I+IFJFOiBbT0FVVEgtV0ddIFdHTEMgb24gSlNPTiBX
ZWIgVG9rZW4gKEpXVCk8bzpwPjwvbzpwPjwvc3Bhbj48L3A+PC9kaXY+PC9kaXY+PHAgY2xhc3M9
TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxzcGFuIGxhbmc9RU4tVVM+PG86
cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2lu
LWxlZnQ6MzYuMHB0Jz48c3BhbiBzdHlsZT0nY29sb3I6IzFGNDk3RCc+VGhhbmtzIGZvciB0YWxr
aW5nIHRoZSB0aW1lIHRvIHJlcGx5IHRvIHRoZSBpbmRpdmlkdWFsIGNvbW1lbnRzLCBNaWtlLjxv
OnA+PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0
OjM2LjBwdCc+PHNwYW4gc3R5bGU9J2NvbG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9z
cGFuPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNw
YW4gc3R5bGU9J2NvbG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48cCBj
bGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gc3R5bGU9J2Nv
bG9yOiMxRjQ5N0QnPlRoZSBzdHJ1Y3R1cmUgb2YgdGhlIEpXVCBkb2MgaXMgc3RpbGwgZmxhd2Vk
LiBUaGUgcm9vdCBjYXVzZSBpcyB0aGF0IEpXVCB0cmllcyB0byBkbyB0aHJlZSB0YXNrczo8bzpw
PjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTGlzdFBhcmFncmFwaCBzdHlsZT0nbWFyZ2lu
LWxlZnQ6NzIuMHB0O3RleHQtaW5kZW50Oi0xOC4wcHQ7bXNvLWxpc3Q6bDAgbGV2ZWwxIGxmbzIn
PjwhW2lmICFzdXBwb3J0TGlzdHNdPjxzcGFuIHN0eWxlPSdjb2xvcjojMUY0OTdEJz48c3BhbiBz
dHlsZT0nbXNvLWxpc3Q6SWdub3JlJz4xLjxzcGFuIHN0eWxlPSdmb250OjcuMHB0ICJUaW1lcyBO
ZXcgUm9tYW4iJz4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgPC9zcGFuPjwv
c3Bhbj48L3NwYW4+PCFbZW5kaWZdPjxzcGFuIHN0eWxlPSdjb2xvcjojMUY0OTdEJz5EZXNjcmli
ZSBob3cgYSBKT1NFIG1lc3NhZ2UgY2FuIGJlIGEgSldFIG9yIGEgSldTLjxvOnA+PC9vOnA+PC9z
cGFuPjwvcD48cCBjbGFzcz1Nc29MaXN0UGFyYWdyYXBoIHN0eWxlPSdtYXJnaW4tbGVmdDo3Mi4w
cHQ7dGV4dC1pbmRlbnQ6LTE4LjBwdDttc28tbGlzdDpsMCBsZXZlbDEgbGZvMic+PCFbaWYgIXN1
cHBvcnRMaXN0c10+PHNwYW4gc3R5bGU9J2NvbG9yOiMxRjQ5N0QnPjxzcGFuIHN0eWxlPSdtc28t
bGlzdDpJZ25vcmUnPjIuPHNwYW4gc3R5bGU9J2ZvbnQ6Ny4wcHQgIlRpbWVzIE5ldyBSb21hbiIn
PiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyA8L3NwYW4+PC9zcGFuPjwvc3Bh
bj48IVtlbmRpZl0+PHNwYW4gc3R5bGU9J2NvbG9yOiMxRjQ5N0QnPkRlc2NyaWJlIGhvdyBKT1NF
IG1lc3NhZ2VzIGNhbiBuZXN0IChlZyBKV1MgaW4gYSBKV0U7IEpXRSBpbiBhIEpXUzsgSldTIGlu
IGEgSldFIGluIGEgSldTIGluIGEgSldFKS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9
TXNvTGlzdFBhcmFncmFwaCBzdHlsZT0nbWFyZ2luLWxlZnQ6NzIuMHB0O3RleHQtaW5kZW50Oi0x
OC4wcHQ7bXNvLWxpc3Q6bDAgbGV2ZWwxIGxmbzInPjwhW2lmICFzdXBwb3J0TGlzdHNdPjxzcGFu
IHN0eWxlPSdjb2xvcjojMUY0OTdEJz48c3BhbiBzdHlsZT0nbXNvLWxpc3Q6SWdub3JlJz4zLjxz
cGFuIHN0eWxlPSdmb250OjcuMHB0ICJUaW1lcyBOZXcgUm9tYW4iJz4mbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsgPC9zcGFuPjwvc3Bhbj48L3NwYW4+PCFbZW5kaWZdPjxzcGFu
IHN0eWxlPSdjb2xvcjojMUY0OTdEJz5EZXNjcmliZSBhIEpTT04gb2JqZWN0IHJlcHJlc2VudGlu
ZyBhIGNvbGxlY3Rpb24gb2YgY2xhaW1zOyBpbmNsdWRpbmcgaXNzLCBzdWIsIGF1ZCwgZXhwLCBu
YmYsIGlhdCwganRpIG1lbWJlcnMuPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05v
cm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBzdHlsZT0nY29sb3I6IzFGNDk3
RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0n
bWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBzdHlsZT0nY29sb3I6IzFGNDk3RCc+IzEgYW5kICMy
IGFyZSBub3Qgc3BlY2lmaWMgdG8gSldULiBUaGV5IHNob3VsZG7igJl0IGJlIHNwZWNpZmllZCBp
biBKV1Q7IHRoZXkgY2VydGFpbmx5IHNob3VsZG7igJl0IHVzZSBhIEpXVC1zcGVjaWZpYyB2YWx1
ZSAoJnF1b3Q7Y3R5JnF1b3Q7OiZxdW90O0pXVCZxdW90OykgdG8gaW5kaWNhdGUgd2hlbiBuZXN0
aW5nIGlzIG9jY3VycmluZzsgYW5kIHRoZXkgc2hvdWxkbuKAmXQgcmVxdWlyZSBpbnRyb2R1Y2lu
ZyBKV1Qtc3BlY2lmaWMgdGVybWlub2xvZ3kgKGVnIOKAnEpXVCBIZWFkZXLigJ0pLjxvOnA+PC9v
OnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBw
dCc+PHNwYW4gc3R5bGU9J2NvbG9yOiMxRjQ5N0QnPlRoZSBKV1QgZG9jIGhhcyB0aGlzIHByb2Js
ZW0gYmVjYXVzZSB0aGUgSk9TRSBzcGVjcyBkb27igJl0IGRlZmluZSBhIEpPU0UgbWVzc2FnZSwg
dGhleSBvbmx5IHNwZWNpZnkgSldTIGFuZCBKV0Ugc2VwYXJhdGVseS4gVGhhdCBKT1NFIG9taXNz
aW9uIGhhcyBwcm9wYWdhdGVkIHVwIHRoZSBzdGFjayB0byBzdWJzdGFudGlhbGx5IGNvbXBsaWNh
dGUgdGhlIEpXVCBkb2MsIGFuZCBwcmVzdW1hYmx5IHRoYXQgY29tcGxpY2F0aW9uIGhhcyB0byBi
ZSByZXBlYXRlZCBmb3IgZXZlcnkgb3RoZXIgc3BlY2lmaWNhdGlvbiBvZiBhbiBhcHBsaWNhdGlv
biBsaWtlIEpXVCB0aGF0IHdhbnQgdG8gdXNlIEpPU0UgbWVzc2FnZXMuPG86cD48L286cD48L3Nw
YW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3Bh
biBzdHlsZT0nY29sb3I6IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNs
YXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBzdHlsZT0nY29s
b3I6IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1h
bCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBzdHlsZT0nY29sb3I6IzFGNDk3RCc+
Q3VyaW91c2x5LCBmb3IgYWxsIHRoZSB0ZXh0IGFib3V0IG5lc3RlZCBKT1NFIG1lc3NhZ2VzLCB0
aGUgSldUIGRvYyBzdGlsbCBpc27igJl0IHNwZWNpZmljIGFib3V0IHdoYXQgY29tYmluYXRpb25z
IE1VU1QgYmUgc3VwcG9ydGVkIGZvciBpbnRlcm9wZXJhYmlsaXR5LiBJIHdvdWxkbuKAmXQgZXhw
ZWN0IG1hbnkgSldULWNvbXBsaWFudCByZWNlaXZlcnMgdG8gYWNjZXB0IGNsYWltcy1pbi1hLUpX
Uy1pbi1hLUpXRS1pbi1hbm90aGVyLUpXRS1pbi1hbm90aGVyLUpXUywgYnV0IEkgY2Fubm90IHRl
bGwgd2hpY2ggbmVzdGluZyB3aWxsIG9yIHdpbGwgbm90IHdvcmsgd2lkZWx5LjxvOnA+PC9vOnA+
PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+
PHNwYW4gc3R5bGU9J2NvbG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48
cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gc3R5bGU9
J2NvbG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29O
b3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gc3R5bGU9J2NvbG9yOiMxRjQ5
N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9
J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gc3R5bGU9J2NvbG9yOiMxRjQ5N0QnPlRoZSB0ZXh0
IGFib3V0IGNvbGxpc2lvbi1yZXNpc3RhbnQgbmFtZXMgaXMgc3RpbGwgc2lsbHkgc2luY2UgeW91
IGxvc2UgdGhlIGNvbGxpc2lvbi1yZXNpc3RhbmNlIHdoZW4geW91IGNvbWJpbmUgbXVsdGlwbGUg
bmFtZXNwYWNlcyAoZG9tYWluIG5hbWVzLCBPSURzLCBldGMpLjxvOnA+PC9vOnA+PC9zcGFuPjwv
cD48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gc3R5
bGU9J2NvbG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48ZGl2PjxwIGNs
YXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBzdHlsZT0nY29s
b3I6IzFGNDk3RCc+LS08bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsIHN0
eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxzcGFuIHN0eWxlPSdjb2xvcjojMUY0OTdEJz5KYW1l
cyBNYW5nZXI8bzpwPjwvbzpwPjwvc3Bhbj48L3A+PC9kaXY+PHAgY2xhc3M9TXNvTm9ybWFsIHN0
eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxzcGFuIHN0eWxlPSdjb2xvcjojMUY0OTdEJz48bzpw
PiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+PGRpdiBzdHlsZT0nYm9yZGVyOm5vbmU7Ym9yZGVyLWxl
ZnQ6c29saWQgYmx1ZSAxLjVwdDtwYWRkaW5nOjBjbSAwY20gMGNtIDQuMHB0Jz48ZGl2PjxkaXYg
c3R5bGU9J2JvcmRlcjpub25lO2JvcmRlci10b3A6c29saWQgI0I1QzRERiAxLjBwdDtwYWRkaW5n
OjMuMHB0IDBjbSAwY20gMGNtJz48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0
OjM2LjBwdCc+PGI+PHNwYW4gbGFuZz1FTi1VUyBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250
LWZhbWlseToiVGFob21hIiwic2Fucy1zZXJpZiInPkZyb206PC9zcGFuPjwvYj48c3BhbiBsYW5n
PUVOLVVTIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5z
LXNlcmlmIic+IE1pa2UgSm9uZXMgWzxhIGhyZWY9Im1haWx0bzpNaWNoYWVsLkpvbmVzQG1pY3Jv
c29mdC5jb20iPm1haWx0bzpNaWNoYWVsLkpvbmVzQG1pY3Jvc29mdC5jb208L2E+XSA8YnI+PGI+
U2VudDo8L2I+IFR1ZXNkYXksIDQgTWFyY2ggMjAxNCA5OjIyIEFNPGJyPjxiPlRvOjwvYj4gTWFu
Z2VyLCBKYW1lczsgPGEgaHJlZj0ibWFpbHRvOm9hdXRoQGlldGYub3JnIj5vYXV0aEBpZXRmLm9y
ZzwvYT4gV0c8YnI+PGI+U3ViamVjdDo8L2I+IFJFOiBbT0FVVEgtV0ddIFdHTEMgb24gSlNPTiBX
ZWIgVG9rZW4gKEpXVCk8bzpwPjwvbzpwPjwvc3Bhbj48L3A+PC9kaXY+PC9kaXY+PHAgY2xhc3M9
TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxvOnA+Jm5ic3A7PC9vOnA+PC9w
PjxwIGNsYXNzPU1zb1BsYWluVGV4dCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBs
YW5nPUVOLVVTIHN0eWxlPSdjb2xvcjojMDA3MEMwJz5UaGFua3MgZm9yIHRha2luZyB0aGUgdGlt
ZSB0byBzZW5kIGluIHRoZSBjb21tZW50cywgSmFtZXMuJm5ic3A7IEkgYW0gc2VuZGluZyB5b3Ug
dGhpcyB0byBkZXNjcmliZSB0aGUgY2hhbmdlcyB0aGF0IHdlcmUgbWFkZSBpbiByZXNwb25zZSB0
byB5b3VyIGNvbW1lbnRzIChtb3N0bHkgaW4gLTEzIGJ1dCBhbHNvIGEgZmV3IGluIC0xOCkuJm5i
c3A7IFNlZSBpbmRpdmlkdWFsIHJlc3BvbnNlcyBpbmxpbmUuPG86cD48L286cD48L3NwYW4+PC9w
PjxwIGNsYXNzPU1zb1BsYWluVGV4dCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBs
YW5nPUVOLVVTIHN0eWxlPSdjb2xvcjojMDA3MEMwJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48
L3A+PHAgY2xhc3M9TXNvUGxhaW5UZXh0IHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxzcGFu
IGxhbmc9RU4tVVMgc3R5bGU9J2NvbG9yOiMwMDcwQzAnPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAtLSBNaWtlPG86
cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb1BsYWluVGV4dCBzdHlsZT0nbWFyZ2luLWxl
ZnQ6MzYuMHB0Jz48c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdjb2xvcjojMDA3MEMwJz48bzpwPiZu
YnNwOzwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvUGxhaW5UZXh0IHN0eWxlPSdtYXJnaW4t
bGVmdDozNi4wcHQnPjxzcGFuIGxhbmc9RU4tVVM+LS0tLS1PcmlnaW5hbCBNZXNzYWdlLS0tLS08
YnI+RnJvbTogPGEgaHJlZj0ibWFpbHRvOm9hdXRoLWJvdW5jZXNAaWV0Zi5vcmciPm9hdXRoLWJv
dW5jZXNAaWV0Zi5vcmc8L2E+IFs8YSBocmVmPSJtYWlsdG86b2F1dGgtYm91bmNlc0BpZXRmLm9y
ZyI+bWFpbHRvOm9hdXRoLWJvdW5jZXNAaWV0Zi5vcmc8L2E+XSBPbiBCZWhhbGYgT2YgTWFuZ2Vy
LCBKYW1lcyBIPGJyPlNlbnQ6IFRodXJzZGF5LCBBdWd1c3QgMDgsIDIwMTMgNzo1NSBBTTxicj5U
bzogPGEgaHJlZj0ibWFpbHRvOm9hdXRoQGlldGYub3JnIj5vYXV0aEBpZXRmLm9yZzwvYT4gV0c8
YnI+U3ViamVjdDogUmU6IFtPQVVUSC1XR10gV0dMQyBvbiBKU09OIFdlYiBUb2tlbiAoSldUKTxv
OnA+PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29QbGFpblRleHQgc3R5bGU9J21hcmdpbi1s
ZWZ0OjM2LjBwdCc+PHNwYW4gbGFuZz1FTi1VUz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+
PHAgY2xhc3M9TXNvUGxhaW5UZXh0IHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxzcGFuIGxh
bmc9RU4tVVM+Q29tbWVudHMgb24gZHJhZnQtaWV0Zi1vYXV0aC1qc29uLXdlYi10b2tlbi0xMTo8
bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvUGxhaW5UZXh0IHN0eWxlPSdtYXJnaW4t
bGVmdDozNi4wcHQnPjxzcGFuIGxhbmc9RU4tVVM+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9w
PjxwIGNsYXNzPU1zb1BsYWluVGV4dCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBs
YW5nPUVOLVVTPjEuIFNob3VsZCBKV1QgcmVhbGx5IGdvIHRvIFdHTEMgYmVmb3JlIHRoZSBKT1NF
IGRvY3MgdGhhdCBpdCBkZXBlbmRzIG9uIHNvIGhlYXZpbHkgKEpXUy9KV0UvLi4uKT8gRXZlbiBp
ZiB0aGUgJnF1b3Q7Ynl0ZXMtb24tdGhlLXdpcmUmcXVvdDsgYXJlIGZhaXJseSBzdGFibGUsIEpX
VCByZXBlYXRzIGEgbG90IG9mIHRleHQgZnJvbSBKV1MvSldFIHNvbWUgb2Ygd2hpY2ggaXMgbGlr
ZWx5IHRvIGNoYW5nZS4gRmluaXNoaW5nIFdHTEMgbm93IGFuZCBxdWV1aW5nIHRoZSBkb2MgdG8g
YmUgYXV0by1wdWJsaXNoZWQgd2hlbiBKV1MvSldFIGFyZSBwdWJsaXNoZWQgd291bGQgYmUgYmFk
ICh1bmxlc3MgdGhlIGR1cGxpY2F0ZSB0ZXh0IGlzIHJlbW92ZWQpLjxvOnA+PC9vOnA+PC9zcGFu
PjwvcD48cCBjbGFzcz1Nc29QbGFpblRleHQgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNw
YW4gbGFuZz1FTi1VUyBzdHlsZT0nY29sb3I6IzAwNzBDMCc+PG86cD4mbmJzcDs8L286cD48L3Nw
YW4+PC9wPjxwIGNsYXNzPU1zb1BsYWluVGV4dCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48
c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdjb2xvcjojMDA3MEMwJz5JbiBwcmFjdGljZSwgaXQgc2Vl
bXMgdGhhdCBKV1QgaGFzIHdhaXRlZCBmb3IgSk9TRSAoYW5kIEnigJl2ZSBrZXB0IHRoZW0gZnVs
bHkgaW4gc3luYykuJm5ic3A7IEF0IHRoaXMgcG9pbnQsIEkgZXhwZWN0IHRoZW0gcHJvY2VlZCB0
aHJvdWdoIHRoZSByZXN0IG9mIHRoZSBhcHByb3ZhbCBzdGVwcyBpbiBwYXJhbGxlbC48bzpwPjwv
bzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvUGxhaW5UZXh0IHN0eWxlPSdtYXJnaW4tbGVmdDoz
Ni4wcHQnPjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2NvbG9yOiMwMDcwQzAnPjxvOnA+Jm5ic3A7
PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29QbGFpblRleHQgc3R5bGU9J21hcmdpbi1sZWZ0
OjM2LjBwdCc+PHNwYW4gbGFuZz1FTi1VUz4yLiBUaGUgSldUIGRvYyB3b3VsZCBiZSBzbyBtdWNo
IG1vcmUgcmVhZGFibGUgaWYgaXQgY291bGQgcmVmZXIgdG8gYSAmcXVvdDtKT1NFIG1lc3NhZ2Um
cXVvdDssICZxdW90O0pPU0UgaGVhZGVyJnF1b3Q7LCBhbmQgJnF1b3Q7Sk9TRSBjb21wYWN0IHNl
cmlhbGl6YXRpb24mcXVvdDs7IGluc3RlYWQgb2YgaGF2aW5nIHRvIGV4cGxpY2l0bHkgdGFsayBh
Ym91dCBKV1MgYW5kIEpXRSBldmVyeSB0aW1lIGV2ZW4gd2hlbiB0YWxraW5nIGFib3V0IGFzcGVj
dHMgY29tbW9uIHRvIGJvdGguIEl0IHdvdWxkIGFsc28gYXZvaWQgaW50cm9kdWNpbmcgJnF1b3Q7
SldUIEhlYWRlciZxdW90OywgJnF1b3Q7RW5jb2RlZCBKV1QgSGVhZGVyJnF1b3Q7LCAmcXVvdDtO
ZXN0ZWQgSldUJnF1b3Q7LCAmcXVvdDtQbGFpbnRleHQgSldUJnF1b3Q7IGV0YyBhcyB0aG91Z2gg
dGhlc2UgYXJlIG5ldyBpdGVtcywgd2hlbiBpbiBmYWN0IHRoZXkgYXJlIGp1c3QgYWRkaXRpb25h
bCBuYW1lcyBmb3IgSk9TRSBpdGVtcy4gRm9yIGluc3RhbmNlLCAmcXVvdDtKV1QgSGVhZGVyJnF1
b3Q7IGlzIGVmZmVjdGl2ZWx5IHNob3J0aGFuZCBmb3IgJnF1b3Q7SldTIG9yIEpXRSBoZWFkZXIm
cXVvdDsgYnV0IGl0IGlzIHByZXNlbnRlZCBhcyBhIEpXVC1zcGVjaWZpYyB0aGluZy48bzpwPjwv
bzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvUGxhaW5UZXh0IHN0eWxlPSdtYXJnaW4tbGVmdDoz
Ni4wcHQnPjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2NvbG9yOiMwMDcwQzAnPjxvOnA+Jm5ic3A7
PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29QbGFpblRleHQgc3R5bGU9J21hcmdpbi1sZWZ0
OjM2LjBwdCc+PHNwYW4gbGFuZz1FTi1VUyBzdHlsZT0nY29sb3I6IzAwNzBDMCc+SSB0aGluayB0
aGlzIHJlYWxseSBvbmx5IHNob3dzIHVwIGluIGEgZmV3IHBsYWNlcyDigJMgcHJpbWFyaWx5IHdo
ZW4gZGlzY3Vzc2luZyB0aGF0IHRoZSBKV1QgSGVhZGVyIGlzIGVpdGhlciBhIEpXUyBIZWFkZXIg
b3IgYSBKV0UgaGVhZGVyLiZuYnNwOyBHaXZlbiB0aGF0IHRoZXNlIGFyZSBhY3R1YWxseSBkaXN0
aW5jdCBidXQgcmVsYXRlZCBkYXRhIHN0cnVjdHVyZXMsIG1ha2luZyBpdCBldmlkZW50IHRoYXQg
dGhleSBhcmUgZGlmZmVyZW50IGlzIGFyZ3VhYmx5IGEgZ29vZCB0aGluZy48bzpwPjwvbzpwPjwv
c3Bhbj48L3A+PHAgY2xhc3M9TXNvUGxhaW5UZXh0IHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQn
PjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2NvbG9yOiMwMDcwQzAnPjxvOnA+Jm5ic3A7PC9vOnA+
PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29QbGFpblRleHQgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBw
dCc+PHNwYW4gbGFuZz1FTi1VUz4zLiBUaGUgZG9jIHNob3VsZCBub3QgcmVwZWF0IGRlZmluaXRp
b25zIGZyb20gSldTIGFuZCBKV0UuPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb1Bs
YWluVGV4dCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBsYW5nPUVOLVVTIHN0eWxl
PSdjb2xvcjojMDA3MEMwJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNv
UGxhaW5UZXh0IHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxzcGFuIGxhbmc9RU4tVVMgc3R5
bGU9J2NvbG9yOiMwMDcwQzAnPlRoZSBkdXBsaWNhdGlvbiBoYXMgYmVlbiBzdWJzdGFudGlhbGx5
IHJlZHVjZWQsIGJvdGggd2l0aGluIHRoZSBKT1NFIGRvY3MsIGFuZCB3aXRoaW4gdGhpcyBkb2Mu
Jm5ic3A7IFRoYXQgYmVpbmcgc2FpZCwgdGhlcmXigJlzIGEgc3R5bGlzdGljIHRlbnNpb24gYmV0
d2VlbiBzYXlpbmcgdGhpbmdzIGluIGV4YWN0bHkgb25lIHBsYWNlIGFuZCBtYWtpbmcgZWFjaCBk
b2N1bWVudCBlYXNpZXIgdG8gcmVhZCB3aXRob3V0IGNvbnN0YW50bHkgaGF2aW5nIHRvIGZsaXAg
YmFjayBhbmQgZm9ydGggYmV0d2VlbiB0aGVtLiZuYnNwOyBJbiB0aGlzIGNhc2UsIEkgYmVsaWV2
ZSB0aGF0IHRoZSBzbWFsbCBhbW91bnQgb2YgZHVwbGljYXRpb24gYWlkcyBkZXZlbG9wZXJzIHdo
byBtaWdodCBub3QgcmVjdXJzaXZlbHkgcmVhZCBldmVyeXRoaW5nIHJlZmVyZW5jZWQgaW4gZnVs
bCBkZXRhaWwuPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb1BsYWluVGV4dCBzdHls
ZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdjb2xvcjojMDA3
MEMwJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvUGxhaW5UZXh0IHN0
eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxzcGFuIGxhbmc9RU4tVVM+Rm9yIGluc3RhbmNlLCB0
aGUgd2hvbGUgZmlyc3QgcGFyYWdyYXBoIG9mIHNlY3Rpb24gNSAmcXVvdDtKV1QgSGVhZGVyJnF1
b3Q7IChKU09OIG9iamVjdDsgZGVzY3JpYmVzIGNyeXB0byBvcHM7IHVuaXF1ZSBuYW1lczsgcmVq
ZWN0IGR1cGxpY2F0ZXMgb3IgdXNlIGxhc3QpIGlzIGFuIGFsbW9zdCBpZGVudGljYWwgY29weSBv
ZiBwYXJhZ3JhcGhzIGZyb20gSldTIGFuZCBKV0UuIFRoZSBkdXBsaWNhdGlvbiAob2Z0ZW4gdHJp
cGxpY2F0aW9uKSBhZGRzIGNvbmZ1c2lvbiAoZWcgd2hhdCBpcyB0aGUgZGlmZmVyZW5jZSBiZXR3
ZWVuIGEgSldUIEhlYWRlciBhbmQgSldTIEhlYWRlcj8pIGFuZCBnZXRzIHN1YnRseSBvdXQgb2Yg
c3luYyAoZWcgJnF1b3Q7Y3R5JnF1b3Q7IGVpdGhlciAmcXVvdDtkZWNsYXJlcyBzdHJ1Y3R1cmFs
IGluZm9ybWF0aW9uIGFib3V0IHRoZSBKV1QmcXVvdDsgb3IgJnF1b3Q7ZGVjbGFyZXMgdGhlIHR5
cGUgb2YgdGhlIHNlY3VyZWQvZW5jcnlwdGVkIGNvbnRlbnQgKHRoZSBwYXlsb2FkL1BsYWludGV4
dCkgaW4gYW4gYXBwbGljYXRpb24tc3BlY2lmaWMgbWFubmVyJnF1b3Q7KS4gPG86cD48L286cD48
L3NwYW4+PC9wPjxwIGNsYXNzPU1zb1BsYWluVGV4dCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0
Jz48c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdjb2xvcjojMDA3MEMwJz48bzpwPiZuYnNwOzwvbzpw
Pjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvUGxhaW5UZXh0IHN0eWxlPSdtYXJnaW4tbGVmdDozNi4w
cHQnPjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2NvbG9yOiMwMDcwQzAnPlRoZSBkZXNjcmlwdGlv
biBvZiBKV1TigJlzIHVzZSBvZiDigJxjdHnigJ0gaXMgbm90IG91dCBvZiBzeW5jIOKAkyBpdCBp
cyBpbnRlbnRpb25hbGx5IG1vcmUgc3BlY2lmaWMgdGhhbiB0aGUgZnVsbHkgZ2VuZXJhbCwgYXBw
bGljYXRpb24taW5kZXBlbmRlbnQgZGVzY3JpcHRpb25zIGluIEpXUyBhbmQgSldFLiZuYnNwOyBJ
biB0aGlzIGNhc2UsIEpXVCBpcyB0aGUgYXBwbGljYXRpb24gb2YgSldTIGFuZCBKV0UsIGFuZCBu
ZWVkcyB0byBzcGVjaWZ5IGl0cyByZXF1aXJlbWVudHMgYWJvdXQgaG93IGl0IHVzZXMgdGhpcyBo
ZWFkZXIgcGFyYW1ldGVyLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29QbGFpblRl
eHQgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gbGFuZz1FTi1VUyBzdHlsZT0nY29s
b3I6IzAwNzBDMCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb1BsYWlu
VGV4dCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBsYW5nPUVOLVVTPk90aGVyIGV4
YW1wbGVzIG9mIHVubmVjZXNzYXJpbHkgZHVwbGljYXRlZCB0ZXh0IGluY2x1ZGU6IHNlY3Rpb24g
NyBzdGVwcyAzICZhbXA7IDQgKGNyZWF0aW5nKSBhbmQgc3RlcHMgMS04ICh2YWxpZGF0aW5nKTsg
c2VjdGlvbiA3LjEgdGV4dCBhYm91dCBjb21wYXJpbmcgJnF1b3Q7YWxnJnF1b3Q7IHZhbHVlczsg
cGFydHMgb2YgdGhlIGxhc3QgMiBwYXJhZ3JhcGhzIG9mIHNlY3Rpb24gMyAmcXVvdDtKV1Qgb3Zl
cnZpZXcmcXVvdDs7IDFzdCBhbmQgM3JkIHBhcmFncmFwaHMgb2Ygc2VjdGlvbiA1LjIgJnF1b3Q7
Y3R5JnF1b3Q7OyAxc3QsIDJuZCwgYW5kIDR0aCBzZW50ZW5jZSBvZiBzZWN0aW9uIDUuMSAmcXVv
dDt0eXAmcXVvdDsuPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb1BsYWluVGV4dCBz
dHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdjb2xvcjoj
MDA3MEMwJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvUGxhaW5UZXh0
IHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2NvbG9y
OiMwMDcwQzAnPlN0ZXAgNCBvZiBjcmVhdGlvbiB3YXMgcmVtb3ZlZCBiZWNhdXNlIGl0IHRydWx5
IHdhcyBhIGR1cGxpY2F0ZS4mbmJzcDsgKDMgaXMgbW9yZSBzcGVjaWZpYyB0aGFuIHRoZSBjb3Jy
ZXNwb25kaW5nIEpXUyBhbmQgSldFIHN0ZXBzLCBhbmQgc28gd2FzIG5vdCByZW1vdmVkLikgPG86

--_000_255B9BB34FB7D647A506DC292726F6E11540596326WSMSG3153Vsrv_--


From nobody Tue Mar 18 07:00:52 2014
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 152A31A043E for <oauth@ietfa.amsl.com>; Tue, 18 Mar 2014 07:00:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gUDtnzpUmXyT for <oauth@ietfa.amsl.com>; Tue, 18 Mar 2014 07:00:48 -0700 (PDT)
Received: from mail-wi0-x236.google.com (mail-wi0-x236.google.com [IPv6:2a00:1450:400c:c05::236]) by ietfa.amsl.com (Postfix) with ESMTP id CE1BD1A040A for <oauth@ietf.org>; Tue, 18 Mar 2014 07:00:47 -0700 (PDT)
Received: by mail-wi0-f182.google.com with SMTP id d1so3721347wiv.9 for <oauth@ietf.org>; Tue, 18 Mar 2014 07:00:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=UvNWTKD08gqAVWWJG9tRoOGRXE3Pgwd38rvE7A2m12M=; b=V84WHrvi0tMZk7VVzNFVPAObAzM0tkzVUBsXdzJxwu+TsR1AYaQH4S9NMVJ5LUFNMq L8X5+2W6SbytZkYEXNLksS5YTaNhwI2FB7SbOr5rjPKwdJYMzFCsyefyO/ErIdENkKBW bIpNH6zQ4UObYN3bViK2gx+PAsF46YlQjDZon2J3c9973g/Nb4dZ4M9+bb2k66NfYC4Q dIfzudiL+Z5VhZ07bQKiVNhu8iUq15WopnnSDErYv60PNNjt5a1oTGIj+nx/OjuJCNI9 Mgz49zA1tuZ0DiLisaOheFNoHn6qERd9XNMRScU49vn6c2JCJLbmdOnYKpd7CcHlaSZv kifQ==
X-Received: by 10.180.19.138 with SMTP id f10mr14542253wie.11.1395151237877; Tue, 18 Mar 2014 07:00:37 -0700 (PDT)
Received: from [10.36.226.2] ([80.169.137.42]) by mx.google.com with ESMTPSA id ga10sm47492392wjb.23.2014.03.18.07.00.36 for <oauth@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 18 Mar 2014 07:00:36 -0700 (PDT)
Message-ID: <53285183.6010406@gmail.com>
Date: Tue, 18 Mar 2014 14:00:35 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: "<oauth@ietf.org>" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Y237hDnmw650F_fp2vTwPb7xZi4
Subject: [OAUTH-WG] Signature calculation in JWS JSON Serialization
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 14:00:50 -0000

Hi

It's not clear to me how a signature is calculated in [1].
Specifically, given Protected and Unprotected headers, the text 
recommends that the union of the values referred to as JWS Header is 
signed:

"The Header Parameter values used when creating or validating individual 
signature or MAC values are the union of the two sets of Header 
Parameter values that may be present".

but if so why differentiate between Protected and Unprotected headers in 
a given signature element?

How do the unprotected header values affect the signature/MAC calculation?

Thanks, Sergey

[1] 
http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-23#section-7.2
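
An added example, not part of the message above or of the draft it cites: in the JWS JSON Serialization as published in RFC 7515, the signing input is BASE64URL(protected header) || '.' || BASE64URL(payload), so the "union" governs which parameter values are used, not which bytes are signed. The HS256 key, payload, header values and the policy of requiring "alg" in the protected header are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for the demonstration (not from the thread).
SAMPLE_KEY = b"constructed-demo-key-32-bytes-long!!"
SAMPLE_PAYLOAD = b'{"iss":"joe","exp":1300819380}'


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url(); restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_input(protected_b64: str, payload_b64: str) -> bytes:
    """Only the protected header and the payload are covered by the MAC."""
    return f"{protected_b64}.{payload_b64}".encode("ascii")


def sign_json(payload: bytes, protected: dict, unprotected: dict, key: bytes) -> dict:
    """Build a general JWS JSON Serialization object with one HS256 MAC."""
    if protected.keys() & unprotected.keys():
        raise ValueError("a header parameter name appears in both sets")
    if protected.get("alg") != "HS256":
        raise ValueError("this sketch only implements a protected alg of HS256")
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode("utf-8"))
    payload_b64 = b64url(payload)
    mac = hmac.new(key, signing_input(protected_b64, payload_b64), hashlib.sha256).digest()
    return {
        "payload": payload_b64,
        "signatures": [
            {"protected": protected_b64, "header": unprotected, "signature": b64url(mac)}
        ],
    }


def verify_json(jws: dict, key: bytes):
    """Verify the first signature entry.

    Returns (payload, protected, unprotected) so the caller can tell which
    header parameters were covered by the MAC and which were not.
    """
    entry = jws["signatures"][0]
    protected = json.loads(b64url_decode(entry["protected"]))
    unprotected = entry.get("header", {})
    if protected.keys() & unprotected.keys():
        raise ValueError("a header parameter name appears in both sets")
    # Added policy for this sketch: the algorithm is pinned and must come
    # from the integrity-protected set, never from the unprotected one.
    if protected.get("alg") != "HS256":
        raise ValueError("alg must be protected and equal to the pinned value")
    expected = hmac.new(
        key, signing_input(entry["protected"], jws["payload"]), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(entry["signature"])):
        raise ValueError("MAC check failed")
    return b64url_decode(jws["payload"]), protected, unprotected
```

Because a changed unprotected value still verifies, a recipient should treat anything returned in the third element as an unauthenticated hint.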


From nobody Tue Mar 18 18:12:55 2014
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8230F1A0335; Tue, 18 Mar 2014 18:12:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QI1pUMMbOOsV; Tue, 18 Mar 2014 18:12:49 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 920261A04C1; Tue, 18 Mar 2014 18:12:47 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.1.0p1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140319011247.13641.37519.idtracker@ietfa.amsl.com>
Date: Tue, 18 Mar 2014 18:12:47 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/GgfwmkJnhZvOT2FyCcp-l6gr7No
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-json-web-token-19.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 01:12:50 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol Working Group of the IETF.

        Title           : JSON Web Token (JWT)
        Authors         : Michael B. Jones
                          John Bradley
                          Nat Sakimura
        Filename        : draft-ietf-oauth-json-web-token-19.txt
        Pages           : 31
        Date            : 2014-03-18

Abstract:
   JSON Web Token (JWT) is a compact URL-safe means of representing
   claims to be transferred between two parties.  The claims in a JWT
   are encoded as a JavaScript Object Notation (JSON) object that is
   used as the payload of a JSON Web Signature (JWS) structure or as the
   plaintext of a JSON Web Encryption (JWE) structure, enabling the
   claims to be digitally signed or MACed and/or encrypted.

   The suggested pronunciation of JWT is the same as the English word
   "jot".


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-json-web-token-19


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Tue Mar 18 18:18:07 2014
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 101EB1A0535; Tue, 18 Mar 2014 18:18:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UGfbdqf-HYEn; Tue, 18 Mar 2014 18:18:04 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0182.outbound.protection.outlook.com [207.46.163.182]) by ietfa.amsl.com (Postfix) with ESMTP id 8E9071A04B7; Tue, 18 Mar 2014 18:18:03 -0700 (PDT)
Received: from BY2PR03CA038.namprd03.prod.outlook.com (10.141.249.11) by BY2PR03MB174.namprd03.prod.outlook.com (10.242.36.142) with Microsoft SMTP Server (TLS) id 15.0.898.11; Wed, 19 Mar 2014 01:17:53 +0000
Received: from BN1AFFO11FD031.protection.gbl (2a01:111:f400:7c10::156) by BY2PR03CA038.outlook.office365.com (2a01:111:e400:2c5d::11) with Microsoft SMTP Server (TLS) id 15.0.898.11 via Frontend Transport; Wed, 19 Mar 2014 01:17:53 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD031.mail.protection.outlook.com (10.58.52.185) with Microsoft SMTP Server (TLS) id 15.0.898.8 via Frontend Transport; Wed, 19 Mar 2014 01:17:52 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.240]) by TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id 14.03.0181.007; Wed, 19 Mar 2014 01:17:11 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "jose@ietf.org" <jose@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: JOSE -24 and JWT -19 drafts fixing errors found in examples
Thread-Index: Ac9DEPLImJHxvELlTQOI1yIvpcdFfA==
Date: Wed, 19 Mar 2014 01:17:10 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0F5527@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.71]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0F5527TK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:131.107.125.37; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(100?= =?us-ascii?Q?09001)(438001)(189002)(199002)(20776003)(81542001)(63696002)?= =?us-ascii?Q?(19300405004)(33656001)(84326002)(85306002)(97736001)(747060?= =?us-ascii?Q?01)(94946001)(77982001)(59766001)(74876001)(49866001)(477360?= =?us-ascii?Q?01)(97186001)(85806002)(81686001)(84676001)(97336001)(818160?= =?us-ascii?Q?01)(79102001)(55846006)(31966008)(74662001)(76786001)(764820?= =?us-ascii?Q?01)(83072002)(76176001)(16236675002)(74366001)(69226001)(567?= =?us-ascii?Q?76001)(4396001)(56816005)(92566001)(66066001)(47446002)(5431?= =?us-ascii?Q?6002)(90146001)(80022001)(46102001)(15202345003)(93516002)(7?= =?us-ascii?Q?6796001)(81342001)(93136001)(15975445006)(92726001)(95666003?= =?us-ascii?Q?)(87266001)(94316002)(95416001)(50986001)(77096001)(6806004)?= =?us-ascii?Q?(47976001)(71186001)(74502001)(65816001)(512954002)(44976005?= =?us-ascii?Q?)(86612001)(87936001)(86362001)(2656002)(51856001)(195803950?= =?us-ascii?Q?03)(80976001)(53806001)(54356001)(85852003)(83322001)(660629?= =?us-ascii?Q?5002);DIR:OUT;SFP:1101;SCL:1;SRVR:BY2PR03MB174;H:mail.micros?= =?us-ascii?Q?oft.com;FPR:B60598BE.8031CCD1.20F4377A.44EC25D0.20111;MLV:sf?= =?us-ascii?Q?v;PTR:InfoDomainNonexistent;MX:1;A:1;LANG:en;?=
X-O365ENT-EOP-Header: Message processed by -  O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 01559F388D
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/-jhcP01kcTy5g9B88f4-8OsSYEE
Subject: [OAUTH-WG] JOSE -24 and JWT -19 drafts fixing errors found in examples
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 01:18:06 -0000

--_000_4E1F6AAD24975D4BA5B16804296739439A0F5527TK5EX14MBXC286r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

JOSE -24 drafts have been released that fix two errors found in example
values.  The JWT -19 draft clarifies that support for Nested JWTs is
optional.  The JSON reference was also updated to RFC 7159 in all drafts.

The specifications are available at:

*         http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-24

*         http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24

*         http://tools.ietf.org/html/draft-ietf-jose-json-web-key-24

*         http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-24

*         http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19

HTML formatted versions are also available at:

*         http://self-issued.info/docs/draft-ietf-jose-json-web-signature-24.html

*         http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-24.html

*         http://self-issued.info/docs/draft-ietf-jose-json-web-key-24.html

*         http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-24.html

*         http://self-issued.info/docs/draft-ietf-oauth-json-web-token-19.html

Thanks to Edmund Jay and Hideki Nara for finding the bugs in the examples.

                                                                -- Mike


--_000_4E1F6AAD24975D4BA5B16804296739439A0F5527TK5EX14MBXC286r_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal">JOSE -24 drafts have been released that fix two
errors found in example values. The JWT -19 draft clarifies that support
for Nested JWTs is optional. The JSON reference was also updated to
RFC 7159 in all drafts.</p>
<p class=3D"MsoNormal">The specifications are available at:</p>
<ul>
<li><a href=3D"http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-24">http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-24</a></li>
<li><a href=3D"http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24">http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24</a></li>
<li><a href=3D"http://tools.ietf.org/html/draft-ietf-jose-json-web-key-24">http://tools.ietf.org/html/draft-ietf-jose-json-web-key-24</a></li>
<li><a href=3D"http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-24">http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-24</a></li>
<li><a href=3D"http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19">http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19</a></li>
</ul>
<p class=3D"MsoNormal">HTML formatted versions are also available at:</p>
<ul>
<li><a href=3D"http://self-issued.info/docs/draft-ietf-jose-json-web-signature-24.html">http://self-issued.info/docs/draft-ietf-jose-json-web-signature-24.html</a></li>
<li><a href=3D"http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-24.html">http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-24.html</a></li>
<li><a href=3D"http://self-issued.info/docs/draft-ietf-jose-json-web-key-24.html">http://self-issued.info/docs/draft-ietf-jose-json-web-key-24.html</a></li>
<li><a href=3D"http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-24.html">http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-24.html</a></li>
<li><a href=3D"http://self-issued.info/docs/draft-ietf-oauth-json-web-token-19.html">http://self-issued.info/docs/draft-ietf-oauth-json-web-token-19.html</a></li>
</ul>
<p class=3D"MsoNormal">Thanks to Edmund Jay and Hideki Nara for finding the
bugs in the examples.</p>
<p class=3D"MsoNormal">-- Mike</p>
</div>
</body>
</html>

--_000_4E1F6AAD24975D4BA5B16804296739439A0F5527TK5EX14MBXC286r_--


From nobody Wed Mar 19 16:43:32 2014
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66EC81A0803; Wed, 19 Mar 2014 16:43:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 17IgDRVMANMo; Wed, 19 Mar 2014 16:43:23 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 96BF01A0811; Wed, 19 Mar 2014 16:43:22 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.1.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140319234322.15545.29794.idtracker@ietfa.amsl.com>
Date: Wed, 19 Mar 2014 16:43:22 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/snL6nv7LB8ap5JhBkmANjY3L2qA
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-assertions-15.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 23:43:26 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Web Authorization Protocol Working Group of the IETF.

        Title           : Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
        Authors         : Brian Campbell
                          Chuck Mortimore
                          Michael B. Jones
                          Yaron Y. Goland
        Filename        : draft-ietf-oauth-assertions-15.txt
        Pages           : 24
        Date            : 2014-03-19

Abstract:
   This specification provides a framework for the use of assertions
   with OAuth 2.0 in the form of a new client authentication mechanism
   and a new authorization grant type.  Mechanisms are specified for
   transporting assertions during interactions with a token endpoint, as
   well as general processing rules.

   The intent of this specification is to provide a common framework for
   OAuth 2.0 to interwork with other identity systems using assertions,
   and to provide alternative client authentication mechanisms.

   Note that this specification only defines abstract message flows and
   processing rules.  In order to be implementable, companion
   specifications are necessary to provide the corresponding concrete
   instantiations.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-assertions-15

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-assertions-15


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Wed Mar 19 16:59:12 2014
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 489B51A0811; Wed, 19 Mar 2014 16:59:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q8xpGIEv6TCO; Wed, 19 Mar 2014 16:59:04 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 308491A0818; Wed, 19 Mar 2014 16:59:03 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.1.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140319235903.23889.34028.idtracker@ietfa.amsl.com>
Date: Wed, 19 Mar 2014 16:59:03 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/dAcdYOqOITMCjwp71NOL4ZQbur0
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-saml2-bearer-19.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 23:59:06 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Web Authorization Protocol Working Group of the IETF.

        Title           : SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
        Authors         : Brian Campbell
                          Chuck Mortimore
                          Michael B. Jones
        Filename        : draft-ietf-oauth-saml2-bearer-19.txt
        Pages           : 20
        Date            : 2014-03-19

Abstract:
   This specification defines the use of a SAML 2.0 Bearer Assertion as
   a means for requesting an OAuth 2.0 access token as well as for use
   as a means of client authentication.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-19

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-saml2-bearer-19


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Wed Mar 19 17:00:28 2014
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 567411A0817; Wed, 19 Mar 2014 17:00:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SrLty4NxxkVY; Wed, 19 Mar 2014 17:00:22 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 47A3B1A0827; Wed, 19 Mar 2014 17:00:21 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.1.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140320000021.14927.53897.idtracker@ietfa.amsl.com>
Date: Wed, 19 Mar 2014 17:00:21 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/EniDmNRgcPuqJFGdMFDrTeQMCzU
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-bearer-08.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Mar 2014 00:00:24 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Web Authorization Protocol Working Group of the IETF.

        Title           : JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
        Authors         : Michael B. Jones
                          Brian Campbell
                          Chuck Mortimore
        Filename        : draft-ietf-oauth-jwt-bearer-08.txt
        Pages           : 14
        Date            : 2014-03-19

Abstract:
   This specification defines the use of a JSON Web Token (JWT) Bearer
   Token as a means for requesting an OAuth 2.0 access token as well as
   for use as a means of client authentication.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bearer/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwt-bearer-08


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Wed Mar 19 17:07:46 2014
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 196291A0827 for <oauth@ietfa.amsl.com>; Wed, 19 Mar 2014 17:07:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mgKIFUEBo0ov for <oauth@ietfa.amsl.com>; Wed, 19 Mar 2014 17:07:39 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0235.outbound.protection.outlook.com [207.46.163.235]) by ietfa.amsl.com (Postfix) with ESMTP id ABF491A0821 for <oauth@ietf.org>; Wed, 19 Mar 2014 17:07:39 -0700 (PDT)
Received: from DM2PR03CA008.namprd03.prod.outlook.com (10.141.52.156) by BN1PR03MB169.namprd03.prod.outlook.com (10.255.200.142) with Microsoft SMTP Server (TLS) id 15.0.898.11; Thu, 20 Mar 2014 00:07:30 +0000
Received: from BN1BFFO11FD048.protection.gbl (2a01:111:f400:7c10::1:171) by DM2PR03CA008.outlook.office365.com (2a01:111:e400:2414::28) with Microsoft SMTP Server (TLS) id 15.0.898.11 via Frontend Transport; Thu, 20 Mar 2014 00:07:29 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD048.mail.protection.outlook.com (10.58.145.3) with Microsoft SMTP Server (TLS) id 15.0.898.8 via Frontend Transport; Thu, 20 Mar 2014 00:07:29 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.240]) by TK5EX14HUBC104.redmond.corp.microsoft.com ([157.54.80.25]) with mapi id 14.03.0181.007; Thu, 20 Mar 2014 00:06:50 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: OAuth Assertions drafts updating spec references
Thread-Index: Ac9D0EjtcajgPrQjQPOq9bzfsAXzzQ==
Date: Thu, 20 Mar 2014 00:06:49 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A0F71FB@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.71]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0F71FBTK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-O365ENT-EOP-Header: Message processed by -  O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 01565FED4C
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/b41VykQY6mBbNMSuwTzD4sYfRgA
Subject: [OAUTH-WG] OAuth Assertions drafts updating spec references
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Mar 2014 00:07:44 -0000

--_000_4E1F6AAD24975D4BA5B16804296739439A0F71FBTK5EX14MBXC286r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I've released updated versions of the OAuth Assertions, OAuth SAML
Assertion Profile, and OAuth JWT Assertion Profile specs that use current
citations for the other specs they reference, including the JSON, JWT,
OAuth Dynamic Registration, and OpenID Connect specs.  I also improved the
formatting of hanging lists.  There were no content changes.

The specifications are available at:

*         http://tools.ietf.org/html/draft-ietf-oauth-assertions-15

*         http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-19

*         http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08

HTML formatted versions are also available at:

*         http://self-issued.info/docs/draft-ietf-oauth-assertions-15.html

*         http://self-issued.info/docs/draft-ietf-oauth-saml2-bearer-19.html

*         http://self-issued.info/docs/draft-ietf-oauth-jwt-bearer-08.html

                                                                -- Mike


--_000_4E1F6AAD24975D4BA5B16804296739439A0F71FBTK5EX14MBXC286r_--


From nobody Mon Mar 24 12:34:10 2014
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 688AC1A0293 for <oauth@ietfa.amsl.com>; Mon, 24 Mar 2014 12:34:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YzVnxcxxr1Vn for <oauth@ietfa.amsl.com>; Mon, 24 Mar 2014 12:34:05 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 693DD1A02D4 for <oauth@ietf.org>; Mon, 24 Mar 2014 12:34:04 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 6133CBE57 for <oauth@ietf.org>; Mon, 24 Mar 2014 19:34:03 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EwtjmkBhUE3Z for <oauth@ietf.org>; Mon, 24 Mar 2014 19:34:03 +0000 (GMT)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 3B9B7BE49 for <oauth@ietf.org>; Mon, 24 Mar 2014 19:34:03 +0000 (GMT)
Message-ID: <533088AB.203@cs.tcd.ie>
Date: Mon, 24 Mar 2014 19:34:03 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
References: <53308872.9030305@cs.tcd.ie>
In-Reply-To: <53308872.9030305@cs.tcd.ie>
X-Enigmail-Version: 1.6
X-Forwarded-Message-Id: <53308872.9030305@cs.tcd.ie>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/xPGARvWL16qns0-m6E8TlWXNlCQ
Subject: [OAUTH-WG] Fwd: [kitten] [IANA #731918] SASL mechanism not listed
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Mar 2014 19:34:08 -0000

See below. I think (not quite sure) that this is better
discussed on the kitten list.

Ta,
S.


-------- Original Message --------
Subject: [kitten] [IANA #731918] SASL mechanism not listed
Date: Mon, 24 Mar 2014 19:33:06 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: kitten@ietf.org <kitten@ietf.org>
CC: iana-questions@iana.org <iana-questions@iana.org>


Hiya,

IANA were asked the following question a while back, but I
dropped the ball;-)

I'd appreciate your thoughts on the matter. I'm not quite
sure which registries are meant exactly though.

(I'll also forward to the oauth WG, but not cross-post)

Thanks,
S.

<start>

The following draft describes a SASL mechanism that is in use on
GMail and should not therefore be allocated to another scheme unless
we want bad things to happen.

http://tools.ietf.org/id/draft-murchison-sasl-login-00.txt

The strings XOAUTH and XOAUTH2 are also being used for a preliminary
version of the OAUTH spec as well.

The reason Google is using this particular mechanism rather than
PLAIN is that it is the one that has the widest client support:

http://www.fehcom.de/qmail/smtpauth.html

So it would be a real disaster if this particular code point was re-issued.

It would probably be a good idea if every registry had a list of 'dirty'
code points that must not be reused because there are existing applications.

<end>

_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten





From nobody Mon Mar 24 13:06:59 2014
Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3A361A02EE for <oauth@ietfa.amsl.com>; Mon, 24 Mar 2014 13:06:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.508
X-Spam-Level: 
X-Spam-Status: No, score=-1.508 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hlYbiyDxkQ9f for <oauth@ietfa.amsl.com>; Mon, 24 Mar 2014 13:06:54 -0700 (PDT)
Received: from nm47-vm7.bullet.mail.bf1.yahoo.com (nm47-vm7.bullet.mail.bf1.yahoo.com [216.109.115.142]) by ietfa.amsl.com (Postfix) with ESMTP id 598151A02EB for <oauth@ietf.org>; Mon, 24 Mar 2014 13:06:54 -0700 (PDT)
Received: from [98.139.212.153] by nm47.bullet.mail.bf1.yahoo.com with NNFMP;  24 Mar 2014 20:06:53 -0000
Received: from [98.139.212.241] by tm10.bullet.mail.bf1.yahoo.com with NNFMP;  24 Mar 2014 20:06:53 -0000
Received: from [127.0.0.1] by omp1050.mail.bf1.yahoo.com with NNFMP; 24 Mar 2014 20:06:53 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 379690.6690.bm@omp1050.mail.bf1.yahoo.com
Received: (qmail 12795 invoked by uid 60001); 24 Mar 2014 20:06:53 -0000
Received: from [66.228.162.52] by web142803.mail.bf1.yahoo.com via HTTP; Mon, 24 Mar 2014 13:06:53 PDT
X-Mailer: YahooMailWebService/0.8.181.645
References: <53308872.9030305@cs.tcd.ie> <533088AB.203@cs.tcd.ie>
Message-ID: <1395691613.66133.YahooMailNeo@web142803.mail.bf1.yahoo.com>
Date: Mon, 24 Mar 2014 13:06:53 -0700 (PDT)
From: Bill Mills <wmills_92105@yahoo.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "oauth@ietf.org" <oauth@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "iana-questions@ietf.corg" <iana-questions@ietf.corg>
In-Reply-To: <533088AB.203@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="905790552-1643390876-1395691613=:66133"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/D12wQ8LViwhLV8o6H0H9z-hA0SY
Subject: Re: [OAUTH-WG] Fwd: [kitten] [IANA #731918] SASL mechanism not listed
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Mar 2014 20:06:56 -0000

--905790552-1643390876-1395691613=:66133
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Google used XOAUTH for its original OAuth 1.0a based mechanism.  They
used XOAUTH2 to specifically not conflict with whatever name we
standardized on for the mechanism as standardized.

They plan, according to Ryan who's been participating on list, to
implement the standardized mechanism definition under the OAUTHBEARER
mechanism name so there should be no conflict.

Regards,

-bill


On Monday, March 24, 2014 12:34 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

See below. I think (not quite sure) that this is better
discussed on the kitten list.

Ta,
S.


-------- Original Message --------
Subject: [kitten] [IANA #731918] SASL mechanism not listed
Date: Mon, 24 Mar 2014 19:33:06 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: kitten@ietf.org <kitten@ietf.org>
CC: iana-questions@iana.org <iana-questions@iana.org>


Hiya,

IANA were asked the following question a while back, but I
dropped the ball;-)

I'd appreciate your thoughts on the matter. I'm not quite
sure which registries are meant exactly though.

(I'll also forward to the oauth WG, but not cross-post)

Thanks,
S.

<start>

The following draft describes a SASL mechanism that is in use on
GMail and should not therefore be allocated to another scheme unless
we want bad things to happen.

http://tools.ietf.org/id/draft-murchison-sasl-login-00.txt

The strings XOAUTH and XOAUTH2 are also being used for a preliminary
version of the OAUTH spec as well.

The reason Google is using this particular mechanism rather than
PLAIN is that it is the one that has the widest client support:

http://www.fehcom.de/qmail/smtpauth.html

So it would be a real disaster if this particular code point was re-issued.

It would probably be a good idea if every registry had a list of 'dirty'
code points that must not be reused because there are existing applications.

<end>

_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--905790552-1643390876-1395691613=:66133--


From nobody Tue Mar 25 10:18:59 2014
Return-Path: <nicolson@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 008391A01F8 for <oauth@ietfa.amsl.com>; Tue, 25 Mar 2014 10:18:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.088
X-Spam-Level: 
X-Spam-Status: No, score=-1.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CsQIUA0aqgsX for <oauth@ietfa.amsl.com>; Tue, 25 Mar 2014 10:18:37 -0700 (PDT)
Received: from mail-ve0-x22e.google.com (mail-ve0-x22e.google.com [IPv6:2607:f8b0:400c:c01::22e]) by ietfa.amsl.com (Postfix) with ESMTP id AD9CA1A0201 for <oauth@ietf.org>; Tue, 25 Mar 2014 10:18:32 -0700 (PDT)
Received: by mail-ve0-f174.google.com with SMTP id oz11so897443veb.19 for <oauth@ietf.org>; Tue, 25 Mar 2014 10:18:31 -0700 (PDT)
X-Received: by 10.220.88.204 with SMTP id b12mr55724373vcm.3.1395767911287; Tue, 25 Mar 2014 10:18:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.74.168 with HTTP; Tue, 25 Mar 2014 10:18:00 -0700 (PDT)
In-Reply-To: <1395691613.66133.YahooMailNeo@web142803.mail.bf1.yahoo.com>
References: <53308872.9030305@cs.tcd.ie> <533088AB.203@cs.tcd.ie> <1395691613.66133.YahooMailNeo@web142803.mail.bf1.yahoo.com>
From: =?UTF-8?B?SmFtaWUgTmljb2xzb24gKOWAquW/l+aYjik=?= <nicolson@google.com>
Date: Tue, 25 Mar 2014 10:18:00 -0700
Message-ID: <CACU8CfT9yZFNVWKizMPe_tNp-9gyimCQ08tyr+k0nGR0etY-6w@mail.gmail.com>
To: Bill Mills <wmills_92105@yahoo.com>
Content-Type: multipart/alternative; boundary=047d7b3a92ee8ab34304f5718a57
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/uCaVWT48LXxY5TiPujwB9KvdDr4
Cc: "kitten@ietf.org" <kitten@ietf.org>, "iana-questions@ietf.corg" <iana-questions@ietf.corg>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [kitten] Fwd: [IANA #731918] SASL mechanism not listed
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Mar 2014 17:18:39 -0000

--047d7b3a92ee8ab34304f5718a57
Content-Type: text/plain; charset=UTF-8

To be clear, Google will continue to support XOAUTH and XOAUTH2 for some
time, along with OAUTHBEARER, in order to support existing clients.


On Mon, Mar 24, 2014 at 1:06 PM, Bill Mills <wmills_92105@yahoo.com> wrote:

> Google used XOAUTH for its original OAuth 1.0a based mechanism.  They
> used XOAUTH2 to specifically not conflict with whatever name we
> standardized on for the mechanism as standardized.
>
> They plan, according to Ryan who's been participating on list, to
> implement the standardized mechanism definition under the OAUTHBEARER
> mechanism name so there should be no conflict.
>
> Regards,
>
> -bill
>
>
>   On Monday, March 24, 2014 12:34 PM, Stephen Farrell <
> stephen.farrell@cs.tcd.ie> wrote:
>
> See below. I think (not quite sure) that this is better
> discussed on the kitten list.
>
> Ta,
> S.
>
>
>
> -------- Original Message --------
> Subject: [kitten] [IANA #731918] SASL mechanism not listed
> Date: Mon, 24 Mar 2014 19:33:06 +0000
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> To: kitten@ietf.org <kitten@ietf.org>
> CC: iana-questions@iana.org <iana-questions@iana.org>
>
>
> Hiya,
>
> IANA were asked the following question a while back, but I
> dropped the ball;-)
>
> I'd appreciate your thoughts on the matter. I'm not quite
> sure which registries are meant exactly though.
>
> (I'll also forward to the oauth WG, but not cross-post)
>
> Thanks,
> S.
>
> <start>
>
> The following draft describes a SASL mechanism that is in use on
> GMail and should not therefore be allocated to another scheme unless
> we want bad things to happen.
>
> http://tools.ietf.org/id/draft-murchison-sasl-login-00.txt
>
> The strings XOAUTH and XOAUTH2 are also being used for a preliminary
> version of the OAUTH spec as well.
>
> The reason Google is using this particular mechanism rather than
> PLAIN is that it is the one that has the widest client support:
>
> http://www.fehcom.de/qmail/smtpauth.html
>
> So it would be a real disaster if this particular code point was re-issued.
>
> It would probably be a good idea if every registry had a list of 'dirty'
> code points that must not be reused because there are existing
> applications.
>
> <end>
>
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten
>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten
>
>

--047d7b3a92ee8ab34304f5718a57--


From nobody Tue Mar 25 13:04:59 2014
Return-Path: <pranamcs@sg.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F0BE1A00ED for <oauth@ietfa.amsl.com>; Tue, 25 Mar 2014 13:04:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.51
X-Spam-Level: 
X-Spam-Status: No, score=-1.51 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T99DRii-N0Mr for <oauth@ietfa.amsl.com>; Tue, 25 Mar 2014 13:04:38 -0700 (PDT)
Received: from e23smtp03.au.ibm.com (e23smtp03.au.ibm.com [202.81.31.145]) by ietfa.amsl.com (Postfix) with ESMTP id DB8271A00BE for <oauth@ietf.org>; Tue, 25 Mar 2014 13:04:37 -0700 (PDT)
Received: from /spool/local by e23smtp03.au.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <oauth@ietf.org> from <pranamcs@sg.ibm.com>; Wed, 26 Mar 2014 06:04:34 +1000
Received: from d23dlp02.au.ibm.com (202.81.31.213) by e23smtp03.au.ibm.com (202.81.31.209) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;  Wed, 26 Mar 2014 06:04:32 +1000
Received: from d23relay05.au.ibm.com (d23relay05.au.ibm.com [9.190.235.152]) by d23dlp02.au.ibm.com (Postfix) with ESMTP id 950902BB004A for <oauth@ietf.org>; Wed, 26 Mar 2014 07:04:32 +1100 (EST)
Received: from d23av02.au.ibm.com (d23av02.au.ibm.com [9.190.235.138]) by d23relay05.au.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id s2PJi4Qa6619504 for <oauth@ietf.org>; Wed, 26 Mar 2014 06:44:05 +1100
Received: from d23av02.au.ibm.com (localhost [127.0.0.1]) by d23av02.au.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id s2PK4VdV005633 for <oauth@ietf.org>; Wed, 26 Mar 2014 07:04:31 +1100
Received: from d23ml125.sg.ibm.com (d23ml125.sg.ibm.com [9.127.37.179]) by d23av02.au.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with ESMTP id s2PK4Uj4005627 for <oauth@ietf.org>; Wed, 26 Mar 2014 07:04:31 +1100
Auto-Submitted: auto-generated
From: Codur Sreedhar Pranam <pranamcs@sg.ibm.com>
To: oauth@ietf.org
Message-ID: <OFEFB75A58.410C549D-ON48257CA6.006DF7CF-48257CA6.006DF7CF@sg.ibm.com>
Date: Wed, 26 Mar 2014 04:01:08 +0800
X-MIMETrack: Serialize by Router on d23ml125/23/M/IBM(Release 8.5.3FP2HF29 | July 24, 2012) at 03/26/2014 04:01:10
MIME-Version: 1.0
Content-type: multipart/alternative;  Boundary="0__=C7BBF635DFFE715F8f9e8a93df938690918cC7BBF635DFFE715F"
Content-Disposition: inline
X-TM-AS-MML: disable
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 14032520-6102-0000-0000-000005324B6B
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/saqIsp4U2N10y-oRdrPAjtI24w4
Subject: [OAUTH-WG] AUTO: Codur Sreedhar Pranam is out of the office (returning 03/26/2014)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Mar 2014 20:04:40 -0000

--0__=C7BBF635DFFE715F8f9e8a93df938690918cC7BBF635DFFE715F
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: quoted-printable



I am out of the office until 03/26/2014.




Note: This is an automated response to your message  "OAuth Digest, Vol 65,
Issue 27" sent on 03/26/2014 1:18:54.

This is the only notification you will receive while this person is away.

--0__=C7BBF635DFFE715F8f9e8a93df938690918cC7BBF635DFFE715F--


From nobody Thu Mar 27 06:07:16 2014
Return-Path: <Adam.Lewis@motorolasolutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE0F71A06D2 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 06:07:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.348
X-Spam-Level: 
X-Spam-Status: No, score=-1.348 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNRESOLVED_TEMPLATE=1.252] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dciTViN78R2b for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 06:07:11 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe003.messaging.microsoft.com [216.32.181.183]) by ietfa.amsl.com (Postfix) with ESMTP id A8A121A06E5 for <oauth@ietf.org>; Thu, 27 Mar 2014 06:07:10 -0700 (PDT)
Received: from mail122-ch1-R.bigfish.com (10.43.68.241) by CH1EHSOBE007.bigfish.com (10.43.70.57) with Microsoft SMTP Server id 14.1.225.22; Thu, 27 Mar 2014 13:07:07 +0000
Received: from mail122-ch1 (localhost [127.0.0.1])	by mail122-ch1-R.bigfish.com (Postfix) with ESMTP id CC4B14801EE	for <oauth@ietf.org>; Thu, 27 Mar 2014 13:07:07 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:192.160.210.20; KIP:(null); UIP:(null); IPV:NLI; H:ct11msg01.am.mot-solutions.com; RD:ct11msg01.mot-solutions.com; EFVD:NLI
X-SpamScore: 2
X-BigFish: VPS2(zzc85fhzz1f42h2148h208ch1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hzz1d7338h17326ah8275bh8275dh18c673h1c8fb4h1de097h186068hz2fh109h2a8h683h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1b0ah1bceh224fh1d07h1d0ch1d2eh1d3fh1dc1h1de9h1dfeh1dffh1fe8h1ff5h20f0h2216h22d0h2336h2461h2487h24d7h2516h2545h255eh25f6h2605h268bh9a9j1155h)
Received-SPF: pass (mail122-ch1: domain of motorolasolutions.com designates 192.160.210.20 as permitted sender) client-ip=192.160.210.20; envelope-from=Adam.Lewis@motorolasolutions.com; helo=ct11msg01.am.mot-solutions.com ; olutions.com ; 
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.85; KIP:(null); UIP:(null); (null); H:BL2PRD0410HT004.namprd04.prod.outlook.com; R:internal; EFV:INT
Received: from mail122-ch1 (localhost.localdomain [127.0.0.1]) by mail122-ch1 (MessageSwitch) id 1395925626611890_2982; Thu, 27 Mar 2014 13:07:06 +0000 (UTC)
Received: from CH1EHSMHS040.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.252])	by mail122-ch1.bigfish.com (Postfix) with ESMTP id 870372A00D8	for <oauth@ietf.org>; Thu, 27 Mar 2014 13:07:06 +0000 (UTC)
Received: from ct11msg01.am.mot-solutions.com (192.160.210.20) by CH1EHSMHS040.bigfish.com (10.43.69.249) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 27 Mar 2014 13:07:02 +0000
Received: from ct11msg01.am.mot-solutions.com (ct11vts02.am.mot.com [10.177.16.160])	by ct11msg01.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id s2RD71Dp026490	for <oauth@ietf.org>; Thu, 27 Mar 2014 08:07:01 -0500 (CDT)
Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe005.messaging.microsoft.com [65.55.88.15])	by ct11msg01.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id s2RD71fY026487 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL)	for <oauth@ietf.org>; Thu, 27 Mar 2014 08:07:01 -0500 (CDT)
Received: from mail92-tx2-R.bigfish.com (10.9.14.253) by TX2EHSOBE003.bigfish.com (10.9.40.23) with Microsoft SMTP Server id 14.1.225.22; Thu, 27 Mar 2014 13:07:00 +0000
Received: from mail92-tx2 (localhost [127.0.0.1])	by mail92-tx2-R.bigfish.com (Postfix) with ESMTP id 926601A0081	for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 27 Mar 2014 13:07:00 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(6009001)(428001)(199002)(189002)(53806001)(46102001)(74366001)(87266001)(94946001)(54356001)(85306002)(81542001)(86362001)(54316002)(56776001)(18717965001)(87936001)(2656002)(74876001)(51856001)(33646001)(94316002)(74706001)(15975445006)(97336001)(69226001)(81342001)(93136001)(81816001)(93516002)(95416001)(76482001)(76576001)(19609705001)(63696002)(76786001)(76796001)(79102001)(83072002)(74502001)(47446002)(92566001)(50986001)(47976001)(49866001)(47736001)(4396001)(74662001)(90146001)(31966008)(98676001)(81686001)(74316001)(16236675002)(15202345003)(20776003)(77982001)(66066001)(19300405004)(95666003)(80022001)(97186001)(56816005)(85852003)(76176001)(80976001)(65816001)(59766001)(83322001)(19580395003)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM2PR04MB733; H:DM2PR04MB735.namprd04.prod.outlook.com; FPR:AC047219.95269403.B2F37DBB.46E0B871.2035B; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
Received: from mail92-tx2 (localhost.localdomain [127.0.0.1]) by mail92-tx2 (MessageSwitch) id 139592561875401_18726; Thu, 27 Mar 2014 13:06:58 +0000 (UTC)
Received: from TX2EHSMHS035.bigfish.com (unknown [10.9.14.235])	by mail92-tx2.bigfish.com (Postfix) with ESMTP id 0C14CC0075	for <oauth@ietf.org>; Thu, 27 Mar 2014 13:06:58 +0000 (UTC)
Received: from BL2PRD0410HT004.namprd04.prod.outlook.com (157.56.240.85) by TX2EHSMHS035.bigfish.com (10.9.99.135) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 27 Mar 2014 13:06:56 +0000
Received: from DM2PR04MB733.namprd04.prod.outlook.com (10.141.177.14) by BL2PRD0410HT004.namprd04.prod.outlook.com (10.255.99.39) with Microsoft SMTP Server (TLS) id 14.16.423.0; Thu, 27 Mar 2014 13:06:48 +0000
Received: from DM2PR04MB735.namprd04.prod.outlook.com (10.141.177.17) by DM2PR04MB733.namprd04.prod.outlook.com (10.141.177.14) with Microsoft SMTP Server (TLS) id 15.0.898.11; Thu, 27 Mar 2014 13:06:46 +0000
Received: from DM2PR04MB735.namprd04.prod.outlook.com ([10.141.177.17]) by DM2PR04MB735.namprd04.prod.outlook.com ([10.141.177.17]) with mapi id 15.00.0898.005; Thu, 27 Mar 2014 13:06:46 +0000
From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: OAuth & Enteprise federation ... 5 years from now
Thread-Index: Ac9JvWeAW+r7N2YsS96k1esZSJ97mA==
Date: Thu, 27 Mar 2014 13:06:45 +0000
Message-ID: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [50.179.150.36]
x-forefront-prvs: 01630974C0
Content-Type: multipart/alternative; boundary="_000_c174791bb42e462d813b62a952ded267DM2PR04MB735namprd04pro_"
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%IETF.ORG$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-CFilter-Loop: Reflected
X-OriginatorOrg: motorolasolutions.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/V4a3DbArh-hAjX89VBl0khiUzRE
Subject: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 13:07:15 -0000

--_000_c174791bb42e462d813b62a952ded267DM2PR04MB735namprd04pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I am curious to ping the thoughts of others on the list of how OAuth is
going to continue to mature, especially with respect to enterprise
federation scenarios.  This is something that I spend a whole lot of time
thinking about.  Specifically, consider the following use case:

An end user in domain 1 downloads a native application to access an API
exposed by domain 2, to access a protected resource in domain 2, under the
administrative control of the domain 2 enterprise.

There are in my mind three basic means by which OAuth can federate, which
I know I have discussed with some of you in the past:

1. First option ... End user in domain 1 requests a JWT-structured
   access_token from the OAuth provider in domain 1, and sends it in the
   HTTP header directly to the RS in domain 2.  The JWT access_token looks
   a whole lot like an OIDC id_token (maybe it even is one?).  The RS in
   domain 2 is able to make attribute-based access control decisions based
   on the contents of the JWT.  This is architecturally the simplest
   approach, but enterprises aren't exactly setting up OAuth providers
   these days for the intent of accessing protected resources in foreign
   domains.  Anybody think this might be the case 5 years from now?

2. Second option ... similar to the first, but the JWT-structured
   access_token from domain 1 is sent to the OAuth provider in domain 2,
   ala the JWT assertion profile.  Domain 1 access token is exchanged for
   a domain 2 access token, and the native client uses the domain 2 access
   token to send to the protected resource in domain 2.  I like this
   slightly more than the first option, because the resource servers in
   domain 2 only need to understand the token format of their own AS.  But
   it still suffers from the same basic challenge of option 1, that
   enterprises don't set up OAuth providers today for the purpose of
   federating, the way they set up SAML providers for WebSSO.

3. Third option.  Native client contacts the OAuth provider in domain 2
   directly.  The authorization endpoint is federation enabled (NASCAR or
   other) and the user in domain 1 selects their home IdP (SAML or OIDC)
   and does WebSSO to federate into the domain 2 OAuth provider.  I
   believe this is the model that Salesforce supports today, and it is the
   most tactical, since enterprises that want to federate today run out
   and buy a SAML provider.

So option 3 is the most obvious approach today.  Does anybody foresee
enterprises setting up an STS in the future to federate to foreign RS's
(the way they set up SAML providers today)?  Anybody think we will see
options 1 or 2 in the future?

adam

--_000_c174791bb42e462d813b62a952ded267DM2PR04MB735namprd04pro_--
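
Option 2 in the message above, seen from the domain 2 token endpoint, as an added example that is not part of the original message or of any product named in the thread: the checks the domain 2 authorization server makes before exchanging a domain 1 JWT for its own access token under the JWT bearer assertion grant. Host names, the key and the claim values are constructed; HS256 with a pre-shared key stands in for the asymmetric signature a cross-domain deployment would normally use, and requiring `jti` is this example's own policy.

```python
import base64, hashlib, hmac, json, secrets

GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
AS1 = "https://as.domain1.example"               # constructed: domain 1 issuer
AS2_TOKEN = "https://as.domain2.example/token"   # constructed: domain 2 token endpoint

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_jwt(claims: dict, key: bytes) -> str:
    """Domain 1 side: build a compact JWT (HS256 is a stand-in, see lead-in)."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    return f"{head}.{body}.{b64u(mac(key, head + '.' + body))}"

class ExchangeError(Exception):
    """Carries the OAuth error the token endpoint would return."""

class Domain2AS:
    def __init__(self, trusted_issuers: dict):
        self.trusted = trusted_issuers   # iss -> key agreed with that domain
        self.seen = set()                # (iss, jti) pairs already redeemed
        self.issued = {}                 # local access token -> who it is for

    def token_endpoint(self, form: dict, now: int) -> dict:
        if form.get("grant_type") != GRANT:
            raise ExchangeError("unsupported_grant_type")
        try:
            head_b64, body_b64, sig_b64 = form["assertion"].split(".")
            header = json.loads(b64u_dec(head_b64))
            claims = json.loads(b64u_dec(body_b64))
            sig = b64u_dec(sig_b64)
        except (KeyError, ValueError):
            raise ExchangeError("invalid_grant: malformed assertion") from None
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ExchangeError("invalid_grant: malformed assertion")
        # Pin the algorithm; never let the token choose it (rules out "none").
        if header.get("alg") != "HS256":
            raise ExchangeError("invalid_grant: unexpected alg")
        iss = claims.get("iss")
        key = self.trusted.get(iss) if isinstance(iss, str) else None
        if key is None:
            raise ExchangeError("invalid_grant: untrusted issuer")
        if not hmac.compare_digest(sig, mac(key, head_b64 + "." + body_b64)):
            raise ExchangeError("invalid_grant: bad signature")
        # The assertion must be addressed to this AS, not to some other party.
        aud = claims.get("aud")
        if AS2_TOKEN not in (aud if isinstance(aud, list) else [aud]):
            raise ExchangeError("invalid_grant: wrong audience")
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            raise ExchangeError("invalid_grant: expired")
        sub, jti = claims.get("sub"), claims.get("jti")
        if not isinstance(sub, str) or not isinstance(jti, str):
            raise ExchangeError("invalid_grant: missing sub or jti")
        if (iss, jti) in self.seen:
            raise ExchangeError("invalid_grant: replayed jti")
        self.seen.add((iss, jti))
        # Only now mint a token in domain 2's own format for its own RSs.
        token = secrets.token_urlsafe(32)
        self.issued[token] = {"sub": sub, "home_issuer": iss, "exp": now + 600}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 600}

def demo() -> dict:
    now = 1_700_000_000                          # fixed clock, constructed
    key = b"constructed-key-shared-by-as1-and-as2"
    as2 = Domain2AS({AS1: key})
    base = {"iss": AS1, "sub": "alice@domain1.example", "aud": AS2_TOKEN,
            "iat": now, "exp": now + 300}
    good = sign_jwt({**base, "jti": "a1"}, key)
    head, _, sig = sign_jwt({**base, "jti": "a5"}, key).split(".")
    altered = b64u(json.dumps({**base, "jti": "a5", "sub": "root"}).encode())
    cases = {  # constructed assertions, processed in insertion order
        "valid": good,
        "replayed": good,
        "wrong_audience": sign_jwt({**base, "jti": "a2", "aud": "https://rs.other.example"}, key),
        "expired": sign_jwt({**base, "jti": "a3", "exp": now - 1}, key),
        "untrusted_issuer": sign_jwt({**base, "jti": "a4", "iss": "https://as.unknown.example"}, key),
        "altered_claims": f"{head}.{altered}.{sig}",
    }
    outcome = {}
    for name, assertion in cases.items():
        try:
            as2.token_endpoint({"grant_type": GRANT, "assertion": assertion}, now)
            outcome[name] = "ok"
        except ExchangeError as err:
            outcome[name] = str(err)
    return outcome

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The resource servers in domain 2 never see the domain 1 JWT; they only ever validate the token recorded in `issued`, which is the property the message gives for preferring option 2 over option 1.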


From nobody Thu Mar 27 06:29:59 2014
Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D92741A00F8 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 06:29:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q1G_NquW_jqm for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 06:29:53 -0700 (PDT)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) by ietfa.amsl.com (Postfix) with ESMTP id CF9D51A00B4 for <oauth@ietf.org>; Thu, 27 Mar 2014 06:29:52 -0700 (PDT)
Received: by mail-ig0-f170.google.com with SMTP id uq10so1457731igb.3 for <oauth@ietf.org>; Thu, 27 Mar 2014 06:29:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=kVjWvD1aM6Dj0/JziMamIsMhh9CU0TOsnjzZggqnYx8=; b=I7StJCjknzTALhnmJfeqEiv/qicd6k4VDUgynkHozYcQAYGOgy+CivKv35i8ZL395w vMvnq1VmQa9LOGBfo4P/4SFR92+XhoxPCQ9lO/olYkaeapMdjFHEOFwxUHLGCkiCCuoZ VcQi3kAlduNjTI89DuKGzxyneu5nLCWraldyBbyIMt4mMMW26UeZc6t5G+wQXpfP4tc8 nudbu/h2Csp9v0zmYSP4cYCaPnpSi0dpm4o7kxHlYgC0Qx6HSEfpEbJMqhcLJYIsJQSh QFmYiqlaJSpBHUyOFRzPEG5H5lqTvxk/7M9535oUrCQKe6sfhm3kQuPnT4zI2/ySXX5F sDCA==
X-Received: by 10.43.61.206 with SMTP id wx14mr1853342icb.43.1395926990921; Thu, 27 Mar 2014 06:29:50 -0700 (PDT)
Received: from [192.168.0.191] (CPE0022b0cb82b4-CMbc1401e98fa0.cpe.net.cable.rogers.com. [99.224.82.58]) by mx.google.com with ESMTPSA id bf7sm5307107igb.9.2014.03.27.06.29.48 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 27 Mar 2014 06:29:50 -0700 (PDT)
Message-ID: <533427CC.90800@gmail.com>
Date: Thu, 27 Mar 2014 09:29:48 -0400
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>,  "oauth@ietf.org" <oauth@ietf.org>
References: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com>
In-Reply-To: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------070002090302070101080009"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/zceqPUrKRpJparDmZfOhvSgFTHY
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 13:29:56 -0000

This is a multi-part message in MIME format.
--------------070002090302070101080009
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hi Adam, we are confronting this issue in the NAPPS effort and are 
exploring a model that resembles your Option 2

The Token Agent (TA) obtains an id-token from the first AS1, this 
targeted at the second AS2 (the one local to the target RS). The TA 
then exchanges that id_token at AS2 for an access token that the RS will 
be able to validate

Option 3 is indeed today's default for layering federation onto OAuth

paul

On 3/27/14, 9:06 AM, Lewis Adam-CAL022 wrote:
>
> I am curious to ping the thoughts of others on the list of how OAuth 
> is going to continue to mature, especially with respect to enterprise 
> federation scenarios. This is something that I spend a whole lot of 
> time thinking about.  Specifically, consider the following use case:
>
> An end user in domain 1 downloads a native application to access an 
> API exposed by domain 2, to access a protected resource in domain 2, 
> under the administrative control of the domain 2 enterprise.
>
> There are in my mind three basic means by which OAuth can federate, 
> which I know I have discussed with some of you in the past:
>
> 1. First option ... End user in domain 1 requests a JWT-structured 
> access_token from the OAuth provider in domain 1, and sends it in the 
> HTTP header directly to the RS in domain 2.   The JWT access_token 
> looks a whole lot like an OIDC id_token (maybe it even is one?).  The 
> RS in domain 2 is able to make attribute-based access control 
> decisions based on the contents of the JWT.  This is architecturally 
> the simplest approach, but enterprises aren't exactly setting up OAuth 
> providers these days for the intent of accessing protected resources 
> in foreign domains.  Anybody think this might be the case 5 years from 
> now?
>
> 2. Second option ... similar to the first, but the JWT-structured 
> access_token from domain 1 is sent to the OAuth provider in domain 2, 
> ala the JWT assertion profile.  Domain 1 access token is exchanged for 
> a domain 2 access token, and the native client uses the domain 2 
> access token to send to the protected resource in domain 2.  I like 
> this slightly more than the first option, because the resource 
> servers in domain 2 only need to understand the token format of their 
> own AS.  But it still suffers from the same basic challenge of option 
> 1, that enterprises don't set up OAuth providers today for the purpose 
> of federating, the way they set up SAML providers for WebSSO.
>
> 3. Third option.  Native client contacts the OAuth provider in domain 2 
> directly.  The authorization endpoint is federation enabled (NASCAR or 
> other) and the user in domain 1 selects their home IdP (SAML or OIDC) 
> and does WebSSO to federate into the domain 2 OAuth provider.  I 
> believe this is the model that Salesforce supports today, and it is the 
> most tactical, since enterprises that want to federate today run out 
> and buy a SAML provider.
>
> So option 3 is the most obvious approach today.  Does anybody foresee 
> enterprises setting up an STS in the future to federate to foreign 
> RS's (the way they set up SAML providers today)?  Anybody think we will 
> see options 1 or 2 in the future?
>
> adam


--------------070002090302070101080009
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Arial">Hi Adam, we are confronting this issue in the
      NAPPS effort and are exploring a model that resembles your Option
      2<br>
      <br>
      The Token Agent (TA) obtains an id-token from the first AS1, this
      targetted at the second AS2 (the one local to the target RS). The
      TA then exchanges that id_token at AS2 for an access token that
      the RS will be able to validate <br>
      <br>
      Option 3 is indeed today's default for layering federation onto
      OAuth<br>
      <br>
      paul<br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 3/27/14, 9:06 AM, Lewis Adam-CAL022
      wrote:<br>
    </div>
    <blockquote
cite="mid:c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <meta name="Generator" content="Microsoft Word 12 (filtered
        medium)">
      <div class="WordSection1">
        <p class="MsoNormal">I am curious to ping the thoughts of others
          on the list of how OAuth is going to continue to mature,
          especially with respect to enterprise federation scenarios.&nbsp;
          This is something that I spend a whole lot of time thinking
          about.&nbsp; Specifically, consider the following use case:<o:p></o:p></p>
        <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        <p class="MsoNormal">An end user in domain 1 downloads a native
          application to access an API exposed by domain 2, to access a
          protected resource in domain 2, under the administrative
          control of the domain 2 enterprise.<o:p></o:p></p>
        <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        <p class="MsoNormal">There are in my mind three basic means by
          which OAuth can federate, which I know I have discussed with
          some of you in the past:<br>
          <br>
          <o:p></o:p></p>
        <p class="MsoListParagraph"
          style="text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span
            style="mso-list:Ignore">1.<span style="font:7.0pt
              &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            </span></span><!--[endif]-->First option &#8230; End user in
          domain 1 requests a JWT-structured access_token from the OAuth
          provider in domain 1, and sends it in the HTTP header directly
          to the RS in domain 2.&nbsp;&nbsp; The JWT access_token looks a whole
          lot like an OIDC id_token (maybe it even is one?).&nbsp; The RS in
          domain 2 is able to make attribute-based access control
          decisions based on the contents of the JWT.&nbsp; This is
          architecturally the simplest approach, but enterprises aren&#8217;t
          exactly setting up OAuth providers these days for the intent
          of accessing protected resources in foreign domains.&nbsp; Anybody
          think this might be the case 5 years from now?<br>
          <br>
          <o:p></o:p></p>
        <p class="MsoListParagraph"
          style="text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span
            style="mso-list:Ignore">2.<span style="font:7.0pt
              &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            </span></span><!--[endif]-->Second option &#8230; similar to the
          first, but the JWT-structured access_token from domain 1 is
          sent to the OAuth provider in domain 2, ala the JWT assertion
          profile.&nbsp; Domain 1 access token is exchanged for a domain 2
          access token, and the native client uses the domain 2 access
          token to send to the protected resource in domain 2.&nbsp; I like
          this slightly more than the first option, because the
          resource servers in domain 2 only need to understand the
          token format of their own AS.&nbsp; But it still suffers from the
          same basic challenge of option 1, that enterprises don&#8217;t
          set up OAuth providers today for the purpose of federating, the
          way they set up SAML providers for WebSSO.<br>
          <br>
          <o:p></o:p></p>
        <p class="MsoListParagraph"
          style="text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span
            style="mso-list:Ignore">3.<span style="font:7.0pt
              &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
            </span></span><!--[endif]-->Third option.&nbsp; Native client
          contacts the OAuth provider in domain 2 directly.&nbsp; The
          authorization endpoint is federation enabled (NASCAR or other)
          and the user in domain 1 selects their home IdP (SAML or OIDC)
          and does WebSSO to federate into the domain 2 OAuth
          provider.&nbsp; I believe this is the model that Salesforce
          supports today, and it is the most tactical, since enterprises
          that want to federate today run out and buy a SAML provider.<o:p></o:p></p>
        <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        <p class="MsoNormal">So option 3 is the most obvious approach
          today.&nbsp; Does anybody foresee enterprises setting up an STS in
          the future to federate to foreign RS&#8217;s (the way they set up
          SAML providers today)?&nbsp; Anybody think we will see options 1 or
          2 in the future?<o:p></o:p></p>
        <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        <p class="MsoNormal">adam<o:p></o:p></p>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>

--------------070002090302070101080009--
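
The exchange described in the reply above (a token issued by AS1 and targeted at AS2, swapped at AS2 for an access token the local RS can validate), as an added example that is not part of the thread or any participant's code. The issuer URL, endpoint URL, key and helper names are constructed, and HS256 with a shared key is an assumption standing in for the asymmetric signature a real AS1 would use.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Everything named here (URLs, key, helper names) is constructed for illustration.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
AS2_TOKEN_ENDPOINT = "https://as2.example/token"
# Federation partners AS2 accepts assertions from. Assumption: HS256 with a
# shared key stands in for the asymmetric signature a real AS1 would use.
TRUSTED_ISSUERS = {"https://as1.example": b"constructed-as1-as2-key"}

ISSUED = {}       # AS2's token store: access_token -> grant, consulted by the RS
SEEN_JTI = set()  # assertion ids already redeemed (replay protection)


class Rejected(Exception):
    """Raised when AS2 refuses an assertion."""


def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key, alg="HS256"):
    """AS1 side: mint a compact JWS. `alg` only sets the header value."""
    head = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(mac)}"


def verify_assertion(assertion, now):
    """AS2 side: every check that must pass before the claims are trusted."""
    try:
        head_b64, body_b64, sig_b64 = assertion.split(".")
        header = json.loads(b64u_dec(head_b64))
        claims = json.loads(b64u_dec(body_b64))
        sig = b64u_dec(sig_b64)
    except (ValueError, TypeError, AttributeError) as exc:
        raise Rejected("malformed assertion") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise Rejected("malformed assertion")
    if header.get("alg") != "HS256":  # pin the algorithm, never honour "none"
        raise Rejected("unexpected alg")
    iss = claims.get("iss")
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise Rejected("issuer is not a federation partner")
    signed = f"{head_b64}.{body_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise Rejected("bad signature")
    aud = claims.get("aud")
    if AS2_TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        # A token AS1 minted for some other party must not be redeemable here.
        raise Rejected("assertion is not targeted at this AS")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise Rejected("assertion expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise Rejected("no subject")
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in SEEN_JTI:
        raise Rejected("assertion already redeemed")
    SEEN_JTI.add(jti)
    return claims


def exchange(grant_type, assertion, now):
    """AS2 token endpoint: swap a domain 1 assertion for a domain 2 token."""
    if grant_type != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        claims = verify_assertion(assertion, now)
    except Rejected as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    token = secrets.token_urlsafe(32)
    ISSUED[token] = {"sub": claims["sub"], "idp": claims["iss"], "exp": now + 300}
    return {"access_token": token, "token_type": "Bearer", "expires_in": 300}


def rs_validate(token, now):
    """Domain 2 RS: only tokens AS2 issued resolve; AS1's format never reaches it."""
    grant = ISSUED.get(token)
    return grant if grant and grant["exp"] > now else None
```

The audience check is what separates this from option 1: an AS1 token minted for any other party fails at AS2, and the RS in domain 2 only ever sees tokens from its own AS.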


From nobody Thu Mar 27 07:10:40 2014
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 756081A0716 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 07:10:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U1GBLjf9JVzn for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 07:10:30 -0700 (PDT)
Received: from mail-qc0-f182.google.com (mail-qc0-f182.google.com [209.85.216.182]) by ietfa.amsl.com (Postfix) with ESMTP id 7DC1C1A070A for <oauth@ietf.org>; Thu, 27 Mar 2014 07:10:30 -0700 (PDT)
Received: by mail-qc0-f182.google.com with SMTP id e16so4338159qcx.13 for <oauth@ietf.org>; Thu, 27 Mar 2014 07:10:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=DTePdMbwQApSOus9C2IOp+TikkSo21jkpUkppHbPqr4=; b=GQUKplMyaS248b8mmFWHlv+e4DSVFZ04jc8shzhcDJj0WvCqQAuvdFslURnNrOiXYY orw3EooP3dad8Te96xlDRHNEOZzbT6aTdNN9ayF3WzdI6y7M+RdHuBY7mOLbCHQaSByT t6yS5AdQ6CTcsgnH1KiWL7vm6SYG9Vz+tl8drA42KaAUO9GdooPFwbidCxGwVvsPNlBx VSNPoNUpFog/PUpj+UlcLt5mb26EGCTfxlf1/uW19RPSyh5AQHEjHWOWs+semOLJcKVW Nh4CP591eOvyxXNb7No2GwRALz00YRKfAAutb41VqqYBsXI5JhwykQMW1jzNMteh6mUI oCjQ==
X-Gm-Message-State: ALoCoQls4QSRR112siNyt+5mf+DTpe7FrDcZqI3uG6akZ+lYURQFBAjn0/37e7fjzsLfn0zlonte
X-Received: by 10.224.128.138 with SMTP id k10mr2387241qas.68.1395929428356; Thu, 27 Mar 2014 07:10:28 -0700 (PDT)
Received: from [192.168.1.216] (190-20-12-213.baf.movistar.cl. [190.20.12.213]) by mx.google.com with ESMTPSA id a7sm4058147qay.29.2014.03.27.07.10.16 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 27 Mar 2014 07:10:27 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_3B9DB8BE-509B-4E33-854A-8209A71856D2"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com>
Date: Thu, 27 Mar 2014 11:06:48 -0300
Message-Id: <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com>
References: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com>
To: Adam Lewis <Adam.Lewis@motorolasolutions.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/2OXjcsJjKS-G39cRrNNpovnnoRg
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 14:10:37 -0000

--Apple-Mail=_3B9DB8BE-509B-4E33-854A-8209A71856D2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Hi Adam,

3 is the most common today.  In the Salesforce case it has the =
additional benefit that when Domain 1 is federating to SalesForce via =
OpenID Connect it can provide access tokens for its API to sales force =
scoped for that user for use in the SalesForce custom logic.

1 and 2 are similar and likely it is more of a deployment choice between =
them.
We do see examples of this currently with the Android play store =
providing third-party id_tokens/JWT assertions to OAuth clients.

The reason for doing 1 or 2 vs 3 probably comes down to convenience and =
security if  there is an agent for the user's  IdP on the device that =
can act as a confidential client to the IdP for security and provide a =
more consistent UI for the user.   That is what we are working on in the =
NAPPS WG at OIDF.

We have examples of 1/2 now, the problem is that they are not as =
universally applicable as 3 but hopefully with standardization for =
developers we will see more in the next year or so.

John B.

On Mar 27, 2014, at 10:06 AM, Lewis Adam-CAL022 =
<Adam.Lewis@motorolasolutions.com> wrote:

> I am curious to ping the thoughts of others on the list of how OAuth =
is going to continue to mature, especially with respect to enterprise =
federation scenarios.  This is something that I spend a whole lot of =
time thinking about.  Specifically, consider the following use case:
> =20
> An end user in domain 1 downloads a native application to access an =
API exposed by domain 2, to access a protected resource in domain 2, =
under the administrative control of the domain 2 enterprise.
> =20
> =20
> There are in my mind three basic means by which OAuth can federate, =
which I know I have discussed with some of you in the past:
>=20
> 1.       First option =85 End user in domain 1 requests a =
JWT-structured access_token from the OAuth provider in domain 1, and =
sends it in the HTTP header directly to the RS in domain 2.   The JWT =
access_token looks a whole lot like an OIDC id_token (maybe it even is =
one?).  The RS in domain 2 is able to make attribute-based access =
control decisions based on the contents of the JWT.  This is =
architecturally the simplest approach, but enterprises aren=92t exactly =
setting up OAuth providers these days for the intent of accessing =
protected resources in foreign domains.  Anybody think this might be the =
case 5 years from now?
>=20
> 2.       Second option =85 similar to the first, but the =
JWT-structured access_token from domain 1 is sent to the OAuth provider =
in domain 2, ala the JWT assertion profile.  Domain 1 access token is =
exchanged for a domain 2 access token, and the native client uses the =
domain 2 access token to send to the protected resource in domain 2.  I =
like this slightly more than the first option, because the resource =
servers in domain 2 only need to understand the token format of their =
own AS.  But it still suffers from the same basic challenge of option 1, =
that enterprises don=92t set up OAuth providers today for the purpose =
of federating, the way they set up SAML providers for WebSSO.
>=20
> 3.       Third option.  Native client contacts the OAuth provider in =
domain 2 directly.  The authorization endpoint is federation enabled =
(NASCAR or other) and the user in domain 1 selects their home IdP (SAML =
or OIDC) and does WebSSO to federate into the domain 2 OAuth provider.  =
I believe this is the model that Salesforce supports today, and it is the =
most tactical, since enterprises that want to federate today run out and =
buy a SAML provider.
> =20
> So option 3 is the most obvious approach today.  Does anybody foresee =
enterprises setting up an STS in the future to federate to foreign RS=92s =
(the way they set up SAML providers today)?  Anybody think we will see =
options 1 or 2 in the future?
> =20
> =20
> adam
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_3B9DB8BE-509B-4E33-854A-8209A71856D2--


From nobody Thu Mar 27 07:15:04 2014
Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC45A1A0715 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 07:15:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xvALuVdm8mZI for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 07:14:58 -0700 (PDT)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 77C551A032B for <oauth@ietf.org>; Thu, 27 Mar 2014 07:14:58 -0700 (PDT)
Received: by mail-ig0-f170.google.com with SMTP id uq10so1510855igb.3 for <oauth@ietf.org>; Thu, 27 Mar 2014 07:14:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=I05jpVTlJhRlk2kPDXJnEyAKFyfQG+KeqzPhSrJJHRQ=; b=sw1TZ8yWkCFiya+IGSRdMMTDFgdrIuRSZKqX8ESsIdlooWdJVkuyVoYnkVDVkdBaOs nnL/wQjg5pw5g/Kueuc+lA1XEzg4+gGW70SDLU9tZItKT+wfNf9we3CeN/TaCliGqxH1 rB2ltbgfsavCb7OyI4CMJLnQ+viUhaNblpLT8mvna1PfPDrxtyNsPsq8dOOT3j3aLxLQ ub3on4FUE3chHkTi6kWgoXc9U7m42AN1hkQv8MTlqrzb5v32gh2Gq1To37OiTei99e21 BgefekNWKWghYKzW/EWMruTgUWPl0h2cprISBWLEpVpLAJTSIkNZT+f2St2RNZReKQ7a ckqQ==
X-Received: by 10.50.143.34 with SMTP id sb2mr4683379igb.11.1395929695581; Thu, 27 Mar 2014 07:14:55 -0700 (PDT)
Received: from [192.168.0.191] (CPE0022b0cb82b4-CMbc1401e98fa0.cpe.net.cable.rogers.com. [99.224.82.58]) by mx.google.com with ESMTPSA id b8sm5194471igx.3.2014.03.27.07.14.54 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 27 Mar 2014 07:14:55 -0700 (PDT)
Message-ID: <53343260.3030009@gmail.com>
Date: Thu, 27 Mar 2014 10:14:56 -0400
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: John Bradley <ve7jtb@ve7jtb.com>,  Adam Lewis <Adam.Lewis@motorolasolutions.com>
References: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com> <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com>
In-Reply-To: <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------010104050901040008030807"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/QWo6OuwrMi3HjhP1Duf2IY9tjXQ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 14:15:02 -0000

This is a multi-part message in MIME format.
--------------010104050901040008030807
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

a variant I've seen proposed is to have

1) the native app obtain tokens from AS1
2) the RS only accept tokens from AS2
3) have AS1 request tokens of AS2 on back-channel to meet reqs of #1 & #2

lots of ways to 'close the loop'

paul

On 3/27/14, 10:06 AM, John Bradley wrote:
> Hi Adam,
>
> 3 is the most common today.  In the Salesforce case it has the 
> additional benefit that when Domain 1 is federating to SalesForce via 
> OpenID Connect it can provide access tokens for its API to sales 
> force scoped for that user for use in the SalesForce custom logic.
>
> 1 and 2 are similar and likely it is more of a deployment choice 
> between them.
> We do see examples of this currently with the Android play store 
> providing third-party id_tokens/JWT assertions to OAuth clients.
>
> The reason for doing 1 or 2 vs 3 probably comes down to convenience and 
> security if  there is an agent for the user's  IdP on the device that 
> can act as a confidential client to the IdP for security and provide a 
> more consistent UI for the user.   That is what we are working on in 
> the NAPPS WG at OIDF.
>
> We have examples of 1/2 now, the problem is that they are not as 
> universally applicable as 3 but hopefully with standardization for 
> developers we will see more in the next year or so.
>
> John B.
>
> On Mar 27, 2014, at 10:06 AM, Lewis Adam-CAL022 
> <Adam.Lewis@motorolasolutions.com 
> <mailto:Adam.Lewis@motorolasolutions.com>> wrote:
>
>> I am curious to ping the thoughts of others on the list of how OAuth 
>> is going to continue to mature, especially with respect to enterprise 
>> federation scenarios.  This is something that I spend a whole lot of 
>> time thinking about.  Specifically, consider the following use case:
>> An end user in domain 1 downloads a native application to access an 
>> API exposed by domain 2, to access a protected resource in domain 2, 
>> under the administrative control of the domain 2 enterprise.
>> There are in my mind three basic means by which OAuth can federate, 
>> which I know I have discussed with some of you in the past:
>>
>> 1.First option ... End user in domain 1 requests a JWT-structured 
>> access_token from the OAuth provider in domain 1, and sends it in the 
>> HTTP header directly to the RS in domain 2.   The JWT access_token 
>> looks a whole lot like an OIDC id_token (maybe it even is one?).  The 
>> RS in domain 2 is able to make attribute-based access control 
>> decisions based on the contents of the JWT.  This is architecturally 
>> the simplest approach, but enterprises aren't exactly setting up 
>> OAuth providers these days for the intent of accessing protected 
>> resources in foreign domains. Anybody think this might be the case 5 
>> years from now?
>>
>> 2.Second option ... similar to the first, but the JWT-structured 
>> access_token from domain 1 is sent to the OAuth provider in domain 2, 
>> ala the JWT assertion profile. Domain 1 access token is exchanged for 
>> a domain 2 access token, and the native client uses the domain 2 
>> access token to send to the protected resource in domain 2.  I like 
>> this slightly more than the first option, because the resource 
>> servers in domain 2 only need to understand the token format of their 
>> own AS. But it still suffers from the same basic challenge of option 
>> 1, that enterprises don't set up OAuth providers today for the 
>> purpose of federating, the way they set up SAML providers for WebSSO.
>>
>> 3.Third option.  Native client contacts the OAuth provider in domain 
>> 2 directly.  The authorization endpoint is federation enabled (NASCAR 
>> or other) and the user in domain 1 selects their home IdP (SAML or 
>> OIDC) and does WebSSO to federate into the domain 2 OAuth provider.  
>> I believe this is the model that Salesforce supports today, and it 
>> is the most tactical, since enterprises that want to federate today run 
>> out and buy a SAML provider.
>> So option 3 is the most obvious approach today.  Does anybody foresee 
>> enterprises setting up an STS in the future to federate to foreign 
>> RS's (the way they set up SAML providers today)?  Anybody think we 
>> will see options 1 or 2 in the future?
>> adam
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--------------010104050901040008030807
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Arial">a variant I've seen proposed is to have <br>
      <br>
      1) the native app obtain tokens from AS1<br>
      2) the RS only accept tokens from AS2<br>
      3) have AS1 request tokens of AS2 on back-channel to meet reqs of
      #1 &amp; #2<br>
      <br>
      lots of ways to 'close the loop'<br>
      <br>
      paul<br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 3/27/14, 10:06 AM, John Bradley
      wrote:<br>
    </div>
    <blockquote
      cite="mid:F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      Hi Adam,
      <div><br>
      </div>
      <div>3 is the most common today. &nbsp;In the Salesforce case it has
        the additional benefit that when Domain 1 is federating to
        SalesForce via OpenID Connect it can provide access tokens for
        its API to sales force scoped for that user for use in the
        SalesForce custom logic.</div>
      <div><br>
      </div>
      <div>1 and 2 are similar and likely it is more of a deployment
        choice between them.</div>
      <div>We do see examples of this currently with the Android play
        store providing third-party id_tokens/JWT assertions to OAuth
        clients.</div>
      <div><br>
      </div>
      <div>The reason for doing 1 or 2 vs 3 probably comes down to
        convenience and security if &nbsp;there is an agent for the user's
        &nbsp;IdP on the device that can act as a confidential client to the
        IdP for security and provide a more consistent UI for the user.
        &nbsp; That is what we are working on in the NAPPS WG at OIDF.</div>
      <div><br>
      </div>
      <div>We have examples of 1/2 now, the problem is that they are not
        as universally applicable as 3 but hopefully with
        standardization for developers we will see more in the next year
        or so.</div>
      <div><br>
      </div>
      <div>John B.</div>
      <div><br>
      </div>
      <div>On Mar 27, 2014, at 10:06 AM, Lewis Adam-CAL022 &lt;<a
          moz-do-not-send="true"
          href="mailto:Adam.Lewis@motorolasolutions.com">Adam.Lewis@motorolasolutions.com</a>&gt;
        wrote:</div>
      <div>
        <div><br class="Apple-interchange-newline">
          <blockquote type="cite">
            <div link="blue" vlink="purple" style="font-family:
              Helvetica; font-size: 12px; font-style: normal;
              font-variant: normal; font-weight: normal; letter-spacing:
              normal; line-height: normal; orphans: auto; text-align:
              start; text-indent: 0px; text-transform: none;
              white-space: normal; widows: auto; word-spacing: 0px;
              -webkit-text-stroke-width: 0px;" lang="EN-US">
              <div class="WordSection1" style="page: WordSection1;">
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;">I am curious it
                  ping the thoughts of others on the list of how OAuth
                  is going to continue to mature, especially with
                  respect to enterprise federation scenarios.&nbsp; This is
                  something that I spend a whole lot of time thinking
                  about.&nbsp; Specifically, consider the following use case:<o:p></o:p></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><o:p>&nbsp;</o:p></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;">An end user in
                  domain 1 downloads a native application to access an
                  API exposed by domain 2, to access a protected
                  resource in domain 2, under the administrative control
                  of the domain 2 enterprise.<o:p></o:p></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><o:p>&nbsp;</o:p></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><o:p>&nbsp;</o:p></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;">There are in my
                  mind three basic means by which OAuth can federate,
                  which I know I have discussed with some of you in the
                  past:<br>
                  <br>
                  <o:p></o:p></div>
                <div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
                  11pt; font-family: Calibri, sans-serif; text-indent:
                  -0.25in;"><span>1.<span style="font-style: normal;
                      font-variant: normal; font-weight: normal;
                      font-size: 7pt; line-height: normal; font-family:
                      'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span
                        class="Apple-converted-space">&nbsp;</span></span></span>First
                  option &#8230; End user in domain 1 requests a
                  JWT-structured access_token from the OAuth provider in
                  domain 1, and sends it in the HTTP header directly to
                  the RS in domain 2.&nbsp;&nbsp; The JWT access_token looks a
                  whole lot like a OIDC id_token (maybe it even is
                  one?).&nbsp; The RS in domain 2 is able to make
                  attributed-based access control decisions based on the
                  contents of the JWT.&nbsp; This is architecturally the
                  simplest approach, but enterprises aren&#8217;t exactly
                  setting up OAuth providers these days for the intent
                  of accessing protected resources in foreign domains.&nbsp;
                  Anybody think this might be the case 5 years from now?<br>
                  <br>
                  <o:p></o:p></div>
                <div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
                  11pt; font-family: Calibri, sans-serif; text-indent:
                  -0.25in;"><span>2.<span style="font-style: normal;
                      font-variant: normal; font-weight: normal;
                      font-size: 7pt; line-height: normal; font-family:
                      'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span
                        class="Apple-converted-space">&nbsp;</span></span></span>Second
                  option &#8230; similar to the first, but the JWT-structured
                  access_token from domain 1 is sent to the OAuth
                  provider in domain 2, ala the JWT assertion profile.&nbsp;
                  Domain 1 access token is exchanged for a domain 2
                  access token, and the native client uses the domain 2
                  access token to send to the protected resource in
                  domain 2.&nbsp; I like this slightly more than the first
                  option, because the resources servers in domain 2 only
                  need to understand the token format of their own AS.&nbsp;
                  But it still suffers from the same basic challenge of
                  option 1, that enterprises don&#8217;t&#8217; setup OAuth
                  providers today for the purpose of federating, the way
                  that setup SAML providers for WebSSO.<br>
                  <br>
                  <o:p></o:p></div>
                <div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
                  11pt; font-family: Calibri, sans-serif; text-indent:
                  -0.25in;"><span>3.<span style="font-style: normal;
                      font-variant: normal; font-weight: normal;
                      font-size: 7pt; line-height: normal; font-family:
                      'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span
                        class="Apple-converted-space">&nbsp;</span></span></span>Third
                  option.&nbsp; Native client contacts the OAuth provider in
                  domain 2 directly.&nbsp; The authorization endpoint is
                  federation enabled (NASCAR or other) and the user in
                  domain 1 selects their home IdP (SAML or OIDC) and
                  does WebSSO to federated into the domain 2 OAuth
                  provider.&nbsp; I believe this is the model that Salesforce
                  supports today, and it the most tactical, since
                  enterprise that want to federate today run out and buy
                  a SAML provider.<o:p></o:p></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><o:p>&nbsp;</o:p></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;">So option 3 is the
                  most obvious approach today.&nbsp; Does anybody foresee
                  enterprises setting up an STS in the future to
                  federate to foreign RS&#8217;s (the way they setup SAML
                  providers today)?&nbsp; Anybody think we will see options 1
                  or 2 in the future?<o:p></o:p></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><o:p>&nbsp;</o:p></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;"><o:p>&nbsp;</o:p></div>
                <div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                  font-family: Calibri, sans-serif;">adam<o:p></o:p></div>
              </div>
              _______________________________________________<br>
              OAuth mailing list<br>
              <a moz-do-not-send="true" href="mailto:OAuth@ietf.org"
                style="color: purple; text-decoration: underline;">OAuth@ietf.org</a><br>
              <a moz-do-not-send="true"
                href="https://www.ietf.org/mailman/listinfo/oauth"
                style="color: purple; text-decoration: underline;">https://www.ietf.org/mailman/listinfo/oauth</a></div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>

--------------010104050901040008030807--


From nobody Thu Mar 27 08:53:09 2014
Message-ID: <53344407.1050802@redhat.com>
Date: Thu, 27 Mar 2014 11:30:15 -0400
From: Bill Burke <bburke@redhat.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/14wlRfkjMBATfbdoOrQ0zeKNka8
Subject: [OAUTH-WG] CORS and public vs. confidential clients

I'm still trying to wrap my head around the differences between public 
and confidential clients.  In our IDP impl, we check redirect uris and 
associate a lot of private metadata to the access code to ensure there 
is no client_id swapping.  My understanding was that confidential 
clients made sure that only an authenticated client could obtain an 
access token.

What if you throw CORS in the mix where your browser needs the access 
token (and the ability to refresh it) to make cross-domain requests? 
Doesn't this remove a large benefit of confidential clients?

Anybody know a good document that describes the difference and pros/cons 
of public vs. confidential clients beyond the actual OAUTH spec itself?

Thanks

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
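
The checks described in the message above (codes bound to client_id and redirect URI, client authentication only for confidential clients), as an added example that is not part of the original post and not the poster's IDP code. All class, client and URL names are hypothetical, and the 60-second code lifetime is an assumption.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple


class TokenError(Exception):
    """Token-endpoint failure carrying an RFC 6749 section 5.2 error code."""

    def __init__(self, code: str):
        super().__init__(code)
        self.code = code


@dataclass
class Client:
    client_id: str
    redirect_uris: Tuple[str, ...]
    secret: Optional[str] = None  # None means a public client


@dataclass
class CodeRecord:
    client_id: str
    redirect_uri: str
    user: str
    expires_at: float
    used: bool = False


class AuthorizationServer:
    CODE_TTL = 60  # seconds; assumption for this sketch

    def __init__(self, clients, clock=time.time):
        self.clients = {c.client_id: c for c in clients}
        self.codes = {}
        self.clock = clock

    def issue_code(self, client_id, redirect_uri, user):
        client = self.clients.get(client_id)
        # Exact-match check against the registered redirect URIs.
        if client is None or redirect_uri not in client.redirect_uris:
            raise TokenError("invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = CodeRecord(client_id, redirect_uri, user,
                                      self.clock() + self.CODE_TTL)
        return code

    def redeem_code(self, code, client_id, redirect_uri, client_secret=None):
        client = self.clients.get(client_id)
        if client is None:
            raise TokenError("invalid_client")
        # Confidential client: authenticate before looking at the grant.
        if client.secret is not None:
            offered = (client_secret or "").encode()
            if not hmac.compare_digest(client.secret.encode(), offered):
                raise TokenError("invalid_client")
        rec = self.codes.get(code)
        if rec is None or rec.used or self.clock() > rec.expires_at:
            raise TokenError("invalid_grant")
        # The binding that stops client_id swapping and redirect changes.
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            raise TokenError("invalid_grant")
        rec.used = True  # single use
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "sub": rec.user}


def attempt(server, *args, **kwargs):
    """Return 'ok' or the error code, so outcomes are easy to compare."""
    try:
        server.redeem_code(*args, **kwargs)
        return "ok"
    except TokenError as err:
        return err.code


def demo():
    # Constructed sample registrations, URLs and secret.
    now = [1000.0]
    web_cb, spa_cb, pw = "https://app.example/cb", "https://spa.example/cb", "constructed-secret"
    srv = AuthorizationServer(
        [Client("web-app", (web_cb,), secret=pw), Client("browser-app", (spa_cb,))],
        clock=lambda: now[0])
    out = {}
    code = srv.issue_code("web-app", web_cb, "alice")
    out["swapped_client_id"] = attempt(srv, code, "browser-app", spa_cb)
    out["missing_secret"] = attempt(srv, code, "web-app", web_cb)
    out["changed_redirect"] = attempt(srv, code, "web-app",
                                      "https://app.example/other", client_secret=pw)
    out["authenticated"] = attempt(srv, code, "web-app", web_cb, client_secret=pw)
    out["replayed"] = attempt(srv, code, "web-app", web_cb, client_secret=pw)
    # Public client: the code binding is the only check, nothing is authenticated.
    pub = srv.issue_code("browser-app", spa_cb, "alice")
    out["public_no_secret"] = attempt(srv, pub, "browser-app", spa_cb)
    late = srv.issue_code("browser-app", spa_cb, "alice")
    now[0] += AuthorizationServer.CODE_TTL + 1
    out["expired"] = attempt(srv, late, "browser-app", spa_cb)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```
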


From nobody Thu Mar 27 10:47:11 2014
From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Date: Thu, 27 Mar 2014 17:46:29 +0000
Message-ID: <4fa46e94eca54ce0940162f8ef4101dd@DM2PR04MB735.namprd04.prod.outlook.com>
References: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com> <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com>
In-Reply-To: <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com>
Content-Type: multipart/alternative; boundary="_000_4fa46e94eca54ce0940162f8ef4101ddDM2PR04MB735namprd04pro_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/78deayAO5VpEsFdsYIbnWURGnis
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now

--_000_4fa46e94eca54ce0940162f8ef4101ddDM2PR04MB735namprd04pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi John,

With respect to Google Play handing out id_tokens, are there any known
instances of that being used?  Either to kick off an assertion flow with
another (non-Google) AS, or to present directly to a non-Google RS?

adam

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Thursday, March 27, 2014 9:07 AM
To: Lewis Adam-CAL022
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now

Hi Adam,

3 is the most common today.  In the Salesforce case it has the additional
benefit that when Domain 1 is federating to Salesforce via OpenID Connect
it can provide access tokens for its API to Salesforce scoped for that
user for use in the Salesforce custom logic.

1 and 2 are similar and likely it is more of a deployment choice between
them.
We do see examples of this currently with the Android play store providing
third-party id_tokens/JWT assertions to OAuth clients.

The reason for doing 1 or 2 vs 3 probably comes down to convenience and
security if there is an agent for the user's IdP on the device that can
act as a confidential client to the IdP for security and provide a more
consistent UI for the user.  That is what we are working on in the NAPPS
WG at OIDF.

We have examples of 1/2 now, the problem is that they are not as
universally applicable as 3 but hopefully with standardization for
developers we will see more in the next year or so.

John B.

On Mar 27, 2014, at 10:06 AM, Lewis Adam-CAL022
<Adam.Lewis@motorolasolutions.com> wrote:


I am curious to ping the thoughts of others on the list of how OAuth is
going to continue to mature, especially with respect to enterprise
federation scenarios.  This is something that I spend a whole lot of time
thinking about.  Specifically, consider the following use case:

An end user in domain 1 downloads a native application to access an API
exposed by domain 2, to access a protected resource in domain 2, under the
administrative control of the domain 2 enterprise.


There are in my mind three basic means by which OAuth can federate, which
I know I have discussed with some of you in the past:


1.  First option ... End user in domain 1 requests a JWT-structured
    access_token from the OAuth provider in domain 1, and sends it in the
    HTTP header directly to the RS in domain 2.  The JWT access_token
    looks a whole lot like an OIDC id_token (maybe it even is one?).  The
    RS in domain 2 is able to make attribute-based access control
    decisions based on the contents of the JWT.  This is architecturally
    the simplest approach, but enterprises aren't exactly setting up OAuth
    providers these days for the intent of accessing protected resources
    in foreign domains.  Anybody think this might be the case 5 years from
    now?


2.  Second option ... similar to the first, but the JWT-structured
    access_token from domain 1 is sent to the OAuth provider in domain 2,
    ala the JWT assertion profile.  Domain 1 access token is exchanged for
    a domain 2 access token, and the native client uses the domain 2
    access token to send to the protected resource in domain 2.  I like
    this slightly more than the first option, because the resource
    servers in domain 2 only need to understand the token format of their
    own AS.  But it still suffers from the same basic challenge of option
    1, that enterprises don't set up OAuth providers today for the purpose
    of federating, the way they set up SAML providers for WebSSO.


3.  Third option.  Native client contacts the OAuth provider in domain 2
    directly.  The authorization endpoint is federation enabled (NASCAR or
    other) and the user in domain 1 selects their home IdP (SAML or OIDC)
    and does WebSSO to federate into the domain 2 OAuth provider.  I
    believe this is the model that Salesforce supports today, and it is
    the most tactical, since enterprises that want to federate today run
    out and buy a SAML provider.

So option 3 is the most obvious approach today.  Does anybody foresee
enterprises setting up an STS in the future to federate to foreign RS's
(the way they set up SAML providers today)?  Anybody think we will see
options 1 or 2 in the future?


adam


--_000_4fa46e94eca54ce0940162f8ef4101ddDM2PR04MB735namprd04pro_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<div>
<div>
<p class=3D"MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;">I am curious it ping the thoughts of ot=
hers on the list of how OAuth is going to continue to mature, especially wi=
th respect to enterprise federation scenarios.&nbsp; This is
 something that I spend a whole lot of time thinking about.&nbsp; Specifica=
lly, consider the following use case:<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;">&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;">An end user in domain 1 downloads a nat=
ive application to access an API exposed by domain 2, to access a protected=
 resource in domain 2, under the administrative control
 of the domain 2 enterprise.<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;">&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;">&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;">There are in my mind three basic means =
by which OAuth can federate, which I know I have discussed with some of you=
 in the past:<br>
<br>
<br>
<o:p></o:p></span></p>
</div>
<div style=3D"margin-left:.5in">
<p class=3D"MsoNormal" style=3D"text-indent:-.25in"><span style=3D"font-siz=
e:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">1.</span><=
span style=3D"font-size:7.0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span cl=
ass=3D"apple-converted-space">&nbsp;</span></span><span style=3D"font-size:=
11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">First
 option &#8230; End user in domain 1 requests a JWT-structured access_token=
 from the OAuth provider in domain 1, and sends it in the HTTP header direc=
tly to the RS in domain 2.&nbsp;&nbsp; The JWT access_token looks a whole l=
ot like an OIDC id_token (maybe it even is one?).&nbsp;
 The RS in domain 2 is able to make attribute-based access control decisio=
ns based on the contents of the JWT.&nbsp; This is architecturally the simp=
lest approach, but enterprises aren&#8217;t exactly setting up OAuth provid=
ers these days for the intent of accessing
 protected resources in foreign domains.&nbsp; Anybody think this might be =
the case 5 years from now?<br>
<br>
<br>
<o:p></o:p></span></p>
</div>
<div style=3D"margin-left:.5in">
<p class=3D"MsoNormal" style=3D"text-indent:-.25in"><span style=3D"font-siz=
e:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">2.</span><=
span style=3D"font-size:7.0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span cl=
ass=3D"apple-converted-space">&nbsp;</span></span><span style=3D"font-size:=
11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Second
 option &#8230; similar to the first, but the JWT-structured access_token f=
rom domain 1 is sent to the OAuth provider in domain 2, ala the JWT asserti=
on profile.&nbsp; Domain 1 access token is exchanged for a domain 2 access =
token, and the native client uses the domain
 2 access token to send to the protected resource in domain 2.&nbsp; I like=
 this slightly more than the first option, because the resource servers in=
 domain 2 only need to understand the token format of their own AS.&nbsp; B=
ut it still suffers from the same basic challenge
 of option 1, that enterprises don&#8217;t set up OAuth providers tod=
ay for the purpose of federating, the way they set up SAML providers for We=
bSSO.<br>
<br>
<br>
<o:p></o:p></span></p>
</div>
<div style=3D"margin-left:.5in">
<p class=3D"MsoNormal" style=3D"text-indent:-.25in"><span style=3D"font-siz=
e:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">3.</span><=
span style=3D"font-size:7.0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span cl=
ass=3D"apple-converted-space">&nbsp;</span></span><span style=3D"font-size:=
11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Third
 option.&nbsp; Native client contacts the OAuth provider in domain 2 direct=
ly.&nbsp; The authorization endpoint is federation enabled (NASCAR or other=
) and the user in domain 1 selects their home IdP (SAML or OIDC) and does W=
ebSSO to federate into the domain 2 OAuth
 provider.&nbsp; I believe this is the model that Salesforce supports today=
, and it is the most tactical, since enterprises that want to federate toda=
y run out and buy a SAML provider.<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;">&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;">So option 3 is the most obvious approac=
h today.&nbsp; Does anybody foresee enterprises setting up an STS in the fu=
ture to federate to foreign RS&#8217;s (the way they set up SAML providers
 today)?&nbsp; Anybody think we will see options 1 or 2 in the future?<o:p>=
</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;">&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;">&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;">adam<o:p></o:p></span></p>
</div>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</div>
</body>
</html>

--_000_4fa46e94eca54ce0940162f8ef4101ddDM2PR04MB735namprd04pro_--


From nobody Thu Mar 27 11:08:18 2014
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Content-Type: multipart/alternative; boundary="Apple-Mail=_6C6CBC36-8027-4B34-A906-9D028AD7CBAF"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4fa46e94eca54ce0940162f8ef4101dd@DM2PR04MB735.namprd04.prod.outlook.com>
Date: Thu, 27 Mar 2014 15:07:10 -0300
Message-Id: <C300A03E-CDCB-48BF-B2A2-E519E017669E@ve7jtb.com>
References: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com> <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com> <4fa46e94eca54ce0940162f8ef4101dd@DM2PR04MB735.namprd04.prod.outlook.com>
To: Adam Lewis <Adam.Lewis@motorolasolutions.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/e2JkWCrv7Unw5AFE9UXtJgTi4eQ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now

--Apple-Mail=_6C6CBC36-8027-4B34-A906-9D028AD7CBAF
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Handing out an id_token with a 3rd party AS or RS as the audience is the standard way that Android apps that rely on Google as the source of identity work on Android using the Google Play Services.

This describes the API http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html

On Mar 27, 2014, at 2:46 PM, Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> wrote:

> Hi John,
>
> With respect to Google Play handing out id_tokens, are there any known instances of that being used?  Either to kick off an assertion flow with another (non-Google) AS, or to present directly to a non-Google RS?
>
> adam
>
> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> Sent: Thursday, March 27, 2014 9:07 AM
> To: Lewis Adam-CAL022
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
>
> Hi Adam,
>
> 3 is the most common today.  In the Salesforce case it has the additional benefit that when Domain 1 is federating to SalesForce via OpenID Connect it can provide access tokens for its API to Salesforce scoped for that user for use in the SalesForce custom logic.
>
> 1 and 2 are similar and likely it is more of a deployment choice between them.
> We do see examples of this currently with the Android play store providing third-party id_tokens/JWT assertions to OAuth clients.
>
> The reason for doing 1 or 2 vs 3 probably comes down to convenience and security if there is an agent for the user's IdP on the device that can act as a confidential client to the IdP for security and provide a more consistent UI for the user.  That is what we are working on in the NAPPS WG at OIDF.
>
> We have examples of 1/2 now, the problem is that they are not as universally applicable as 3 but hopefully with standardization for developers we will see more in the next year or so.
>
> John B.
>
> On Mar 27, 2014, at 10:06 AM, Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> wrote:
>
>
> I am curious to ping the thoughts of others on the list of how OAuth is going to continue to mature, especially with respect to enterprise federation scenarios.  This is something that I spend a whole lot of time thinking about.  Specifically, consider the following use case:
>
> An end user in domain 1 downloads a native application to access an API exposed by domain 2, to access a protected resource in domain 2, under the administrative control of the domain 2 enterprise.
>
>
> There are in my mind three basic means by which OAuth can federate, which I know I have discussed with some of you in the past:
>
>
> 1.       First option … End user in domain 1 requests a JWT-structured access_token from the OAuth provider in domain 1, and sends it in the HTTP header directly to the RS in domain 2.   The JWT access_token looks a whole lot like an OIDC id_token (maybe it even is one?).  The RS in domain 2 is able to make attribute-based access control decisions based on the contents of the JWT.  This is architecturally the simplest approach, but enterprises aren’t exactly setting up OAuth providers these days for the intent of accessing protected resources in foreign domains.  Anybody think this might be the case 5 years from now?
>
>
> 2.       Second option … similar to the first, but the JWT-structured access_token from domain 1 is sent to the OAuth provider in domain 2, ala the JWT assertion profile.  Domain 1 access token is exchanged for a domain 2 access token, and the native client uses the domain 2 access token to send to the protected resource in domain 2.  I like this slightly more than the first option, because the resource servers in domain 2 only need to understand the token format of their own AS.  But it still suffers from the same basic challenge of option 1, that enterprises don’t set up OAuth providers today for the purpose of federating, the way they set up SAML providers for WebSSO.
>
>
> 3.       Third option.  Native client contacts the OAuth provider in domain 2 directly.  The authorization endpoint is federation enabled (NASCAR or other) and the user in domain 1 selects their home IdP (SAML or OIDC) and does WebSSO to federate into the domain 2 OAuth provider.  I believe this is the model that Salesforce supports today, and it is the most tactical, since enterprises that want to federate today run out and buy a SAML provider.
>
> So option 3 is the most obvious approach today.  Does anybody foresee enterprises setting up an STS in the future to federate to foreign RS’s (the way they set up SAML providers today)?  Anybody think we will see options 1 or 2 in the future?
>
>
> adam
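
The audience restriction in the reply above and the option 2 exchange from the quoted message, sketched as an added example that is not part of the thread or of any product named in it. The issuer URL, token endpoint and key are assumed names, and HS256 with a constructed shared key stands in for verifying the domain 1 issuer's public-key signature.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed names for illustration; none of them come from the thread.
DOMAIN1_ISSUER = "https://idp.domain1.example"
DOMAIN2_TOKEN_ENDPOINT = "https://as.domain2.example/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Trust store of the domain 2 AS: issuer -> verification key. HS256 with a
# constructed shared key stands in for the issuer's published public key.
TRUSTED_ISSUERS = {DOMAIN1_ISSUER: b"constructed-demo-key-not-a-secret"}
ISSUED_TOKENS = {}  # domain 2 access token -> federated identity


class AssertionRejected(Exception):
    """The presented JWT must not be exchanged for a domain 2 token."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key):
    """Domain 1 side: build a compact HS256 JWT (used for constructed samples)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"


def validate_assertion(jwt, expected_audience, now=None):
    """Return the claims only if the JWT was issued for *this* audience."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = jwt.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError, AttributeError) as exc:
        raise AssertionRejected("malformed JWT") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise AssertionRejected("malformed JWT")
    # Pin the algorithm; the token must not choose "none" or a weaker one.
    if header.get("alg") != "HS256":
        raise AssertionRejected("unexpected alg")
    issuer = claims.get("iss")
    key = TRUSTED_ISSUERS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise AssertionRejected("untrusted issuer")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise AssertionRejected("bad signature")
    # A validly signed token minted for some other AS or RS is refused here,
    # so a token leaked by one relying party cannot be replayed at another.
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise AssertionRejected("audience mismatch")
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        raise AssertionRejected("expired or missing exp")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise AssertionRejected("missing sub")
    return claims


def token_endpoint(form, now=None):
    """Domain 2 AS: exchange a domain 1 JWT for a domain 2 access token."""
    if form.get("grant_type") != JWT_BEARER_GRANT:
        return 400, {"error": "unsupported_grant_type"}
    try:
        claims = validate_assertion(
            form.get("assertion", ""), DOMAIN2_TOKEN_ENDPOINT, now
        )
    except AssertionRejected as exc:
        return 400, {"error": "invalid_grant", "error_description": str(exc)}
    # Domain 2 RSs only ever see tokens in their own AS's format.
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = {"iss": claims["iss"], "sub": claims["sub"]}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 300}


if __name__ == "__main__":
    base = {"iss": DOMAIN1_ISSUER, "sub": "alice@domain1.example",
            "exp": int(time.time()) + 300}
    key = TRUSTED_ISSUERS[DOMAIN1_ISSUER]
    for aud in (DOMAIN2_TOKEN_ENDPOINT, "https://api.other.example"):
        jwt = mint_jwt(dict(base, aud=aud), key)
        print(aud, "->", token_endpoint({"grant_type": JWT_BEARER_GRANT,
                                         "assertion": jwt}))
```

The same validate_assertion call, with the resource server's own identifier as expected_audience, covers option 1, where the RS consumes the domain 1 JWT directly.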



--Apple-Mail=_6C6CBC36-8027-4B34-A906-9D028AD7CBAF--


From nobody Thu Mar 27 11:36:43 2014
Return-Path: <Adam.Lewis@motorolasolutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
Thread-Index: Ac9JvWeAW+r7N2YsS96k1esZSJ97mAACGN8AAAeYdsAAAMyVAAAA2Z3g
Date: Thu, 27 Mar 2014 18:36:13 +0000
Message-ID: <2a2d0cadd4d445a9b148c8a2a6e06dc3@DM2PR04MB735.namprd04.prod.outlook.com>
References: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com> <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com> <4fa46e94eca54ce0940162f8ef4101dd@DM2PR04MB735.namprd04.prod.outlook.com> <C300A03E-CDCB-48BF-B2A2-E519E017669E@ve7jtb.com>
In-Reply-To: <C300A03E-CDCB-48BF-B2A2-E519E017669E@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [50.179.150.36]
x-forefront-prvs: 01630974C0
Content-Type: multipart/alternative; boundary="_000_2a2d0cadd4d445a9b148c8a2a6e06dc3DM2PR04MB735namprd04pro_"
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%IETF.ORG$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%VE7JTB.COM$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-CFilter-Loop: Reflected
X-OriginatorOrg: motorolasolutions.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/64zly9gtB713GjR2W4rrriJvCh0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 18:36:38 -0000

--_000_2a2d0cadd4d445a9b148c8a2a6e06dc3DM2PR04MB735namprd04pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I get the idea, but I'm trying to get a feel for whether or not this model is being built upon and to what extent.

So if I rephrase ... are there known 3rd party AS's out there in the wild that are consuming the Google id_token?

Or any examples of a 3rd-party RS that is directly consuming it?

Looking for actual examples in the wild to point to.

adam

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Thursday, March 27, 2014 1:07 PM
To: Lewis Adam-CAL022
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now

Handing out an id_token with a 3rd party AS or RS as the audience is the standard way that Android apps that rely on Google as the source of identity work on Android using the Google Play Services.

This describes the API http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html

On Mar 27, 2014, at 2:46 PM, Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> wrote:


Hi John,

With respect to Google Play handing out id_tokens, are there any known instances of that being used?  Either to kick off an assertion flow with another (non-Google) AS, or to present directly to a non-Google RS?

adam

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Thursday, March 27, 2014 9:07 AM
To: Lewis Adam-CAL022
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now

Hi Adam,

3 is the most common today.  In the Salesforce case it has the additional benefit that when Domain 1 is federating to Salesforce via OpenID Connect it can provide access tokens for its API to Salesforce scoped for that user for use in the Salesforce custom logic.

1 and 2 are similar and likely it is more of a deployment choice between them.
We do see examples of this currently with the Android play store providing third-party id_tokens/JWT assertions to OAuth clients.

The reason for doing 1 or 2 vs 3 probably comes down to convenience and security if there is an agent for the user's IdP on the device that can act as a confidential client to the IdP for security and provide a more consistent UI for the user.  That is what we are working on in the NAPPS WG at OIDF.

We have examples of 1/2 now, the problem is that they are not as universally applicable as 3 but hopefully with standardization for developers we will see more in the next year or so.

John B.

On Mar 27, 2014, at 10:06 AM, Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> wrote:



I am curious to ping the thoughts of others on the list of how OAuth is going to continue to mature, especially with respect to enterprise federation scenarios.  This is something that I spend a whole lot of time thinking about.  Specifically, consider the following use case:

An end user in domain 1 downloads a native application to access an API exposed by domain 2, to access a protected resource in domain 2, under the administrative control of the domain 2 enterprise.

There are in my mind three basic means by which OAuth can federate, which I know I have discussed with some of you in the past:

1. First option ... End user in domain 1 requests a JWT-structured access_token from the OAuth provider in domain 1, and sends it in the HTTP header directly to the RS in domain 2.  The JWT access_token looks a whole lot like an OIDC id_token (maybe it even is one?).  The RS in domain 2 is able to make attribute-based access control decisions based on the contents of the JWT.  This is architecturally the simplest approach, but enterprises aren't exactly setting up OAuth providers these days for the intent of accessing protected resources in foreign domains.  Anybody think this might be the case 5 years from now?

2. Second option ... similar to the first, but the JWT-structured access_token from domain 1 is sent to the OAuth provider in domain 2, a la the JWT assertion profile.  Domain 1 access token is exchanged for a domain 2 access token, and the native client uses the domain 2 access token to send to the protected resource in domain 2.  I like this slightly more than the first option, because the resource servers in domain 2 only need to understand the token format of their own AS.  But it still suffers from the same basic challenge of option 1, that enterprises don't set up OAuth providers today for the purpose of federating, the way they set up SAML providers for WebSSO.

3. Third option.  Native client contacts the OAuth provider in domain 2 directly.  The authorization endpoint is federation enabled (NASCAR or other) and the user in domain 1 selects their home IdP (SAML or OIDC) and does WebSSO to federate into the domain 2 OAuth provider.  I believe this is the model that Salesforce supports today, and it is the most tactical, since enterprises that want to federate today run out and buy a SAML provider.

So option 3 is the most obvious approach today.  Does anybody foresee enterprises setting up an STS in the future to federate to foreign RS's (the way they set up SAML providers today)?  Anybody think we will see options 1 or 2 in the future?


adam
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--_000_2a2d0cadd4d445a9b148c8a2a6e06dc3DM2PR04MB735namprd04pro_--
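
The exchange described above as option 2 (a domain 1 JWT presented to the domain 2 AS under the JWT assertion profile), seen from the domain 2 token endpoint, as an added example that is not code from any poster or product in this thread. The issuer and endpoint URLs and the key are constructed, and HS256 with a demo key is an assumption standing in for the asymmetric signature a cross-domain deployment would verify.

```python
import base64
import hashlib
import hmac
import json
import secrets

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Constructed values for illustration; none of them appear in the thread.
DOMAIN1_ISSUER = "https://as.domain1.example"
DOMAIN2_TOKEN_ENDPOINT = "https://as.domain2.example/token"
# Assumption: HS256 with a demo key stands in for domain 1's signing key. A
# cross-domain deployment would verify an asymmetric signature instead.
TRUSTED_ISSUERS = {DOMAIN1_ISSUER: b"constructed-demo-key"}
CLOCK_SKEW = 60  # seconds of tolerated clock drift
ISSUED = {}  # domain 2 access token -> (issuer, subject)


class InvalidGrant(Exception):
    """The assertion must not be exchanged for a domain 2 token."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_assertion(claims, key, alg="HS256"):
    """Domain 1 side, used here only to construct sample input."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def validate_assertion(assertion, now):
    """Domain 2 AS side: return the verified claims or raise InvalidGrant."""
    try:
        header_b64, payload_b64, sig_b64 = assertion.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError, AttributeError) as exc:
        raise InvalidGrant("malformed assertion") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidGrant("malformed assertion")
    # Pin the algorithm; the token must not choose "none" or another alg.
    if header.get("alg") != "HS256":
        raise InvalidGrant("unexpected alg")
    issuer = claims.get("iss")
    if not isinstance(issuer, str) or issuer not in TRUSTED_ISSUERS:
        raise InvalidGrant("untrusted issuer")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(TRUSTED_ISSUERS[issuer], signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidGrant("bad signature")
    # Audience check: a token minted for some other AS or RS is refused.
    aud = claims.get("aud")
    if DOMAIN2_TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidGrant("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + CLOCK_SKEW:
        raise InvalidGrant("expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise InvalidGrant("missing subject")
    return claims


def exchange(form, now):
    """Domain 2 token endpoint handling the JWT bearer grant."""
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        claims = validate_assertion(form.get("assertion"), now)
    except InvalidGrant as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    # Domain 2 mints its own token, so its resource servers only ever see
    # the local format and the federated identity stays server-side.
    token = secrets.token_urlsafe(32)
    ISSUED[token] = (claims["iss"], claims["sub"])
    return {"access_token": token, "token_type": "Bearer", "expires_in": 300}


def sample_form(now, **overrides):
    """Constructed request: alice at domain 1 asking domain 2 for a token."""
    claims = {"iss": DOMAIN1_ISSUER, "sub": "alice",
              "aud": DOMAIN2_TOKEN_ENDPOINT, "exp": now + 300}
    claims.update(overrides)
    key = TRUSTED_ISSUERS[DOMAIN1_ISSUER]
    return {"grant_type": JWT_BEARER, "assertion": sign_assertion(claims, key)}


if __name__ == "__main__":
    now = 1_395_945_000  # fixed constructed timestamp
    print(exchange(sample_form(now), now))
    print(exchange(sample_form(now, aud="https://rs.other.example"), now))
```

The same `validate_assertion` checks, with the audience set to the resource server's own identifier, are what an RS would run in option 1, where the domain 1 token is presented to it directly.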


From nobody Thu Mar 27 12:00:31 2014
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02AA21A06F0 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 12:00:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id azo-INKSMRCd for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 12:00:24 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 7EB8E1A0303 for <oauth@ietf.org>; Thu, 27 Mar 2014 12:00:24 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s2RJ0LPO008231 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 27 Mar 2014 19:00:22 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s2RJ0Llf002082 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 27 Mar 2014 19:00:21 GMT
Received: from abhmp0006.oracle.com (abhmp0006.oracle.com [141.146.116.12]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s2RJ0Lvb002074; Thu, 27 Mar 2014 19:00:21 GMT
Received: from [192.168.1.186] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 27 Mar 2014 12:00:21 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <53344407.1050802@redhat.com>
Date: Thu, 27 Mar 2014 12:00:22 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <42ECC1E1-69A9-4D20-8613-1854D9E6D94B@oracle.com>
References: <53344407.1050802@redhat.com>
To: Bill Burke <bburke@redhat.com>
X-Mailer: Apple Mail (2.1510)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/ubDeOdn3zosgu71L2GFRdXggYnQ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] CORS and public vs. confidential clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 19:00:27 -0000

Bill,

I can't comment to how effective your use of "private metadata" is to supporting effective authentication of clients. If you feel it is sufficient then you could classify them as "confidential" since you are authenticating based on the metadata.

I also can't comment on CORS as I am not familiar with it.

I would take a look at the Threat Model (RFC 6819) in addition to 6749 and 6750 to get a better idea of the many issues - particularly with browsers that are faced.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2014-03-27, at 8:30 AM, Bill Burke <bburke@redhat.com> wrote:

> I'm still trying to wrap my head around the differences between public and confidential clients.  In our IDP impl, we check redirect uris and associate a lot of private metadata to the access code to ensure there is no client_id swapping.  My understanding was that confidential clients made sure that only an authenticated client could obtain an access token.
>
> What if you throw CORS in the mix where your browser needs the access token (and the ability to refresh it) to make cross-domain requests? Doesn't this remove a large benefit of confidential clients?
>
> Anybody know a good document that describes the difference and pros/cons of public vs. confidential clients beyond the actual OAUTH spec itself?
>
> Thanks
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
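
The code binding raised in the quoted question (redirect URI checks plus server-side metadata tied to the code), and what client authentication adds on top of it, as an added example that is not code from any poster's IdP. The client ids, redirect URIs and secret are constructed, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 60  # seconds an authorization code stays redeemable
# Constructed client registry; ids, URIs and the secret are hypothetical.
CLIENTS = {
    "web-portal": {  # confidential: the server-side app holds a secret
        "redirect_uris": {"https://portal.example/cb"},
        "secret_sha256": hashlib.sha256(b"portal-demo-secret").hexdigest(),
    },
    "spa-app": {  # public: browser code cannot keep a secret
        "redirect_uris": {"https://spa.example/cb"},
        "secret_sha256": None,
    },
}
CODES = {}  # code -> metadata the AS keeps server-side for that code


def authorize(client_id, redirect_uri, user, now):
    """Authorization endpoint: issue a code bound to client and redirect URI."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        raise ValueError("unregistered client_id or redirect_uri")
    code = secrets.token_urlsafe(24)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "user": user, "exp": now + CODE_TTL}
    return code


def redeem(code, client_id, redirect_uri, now, client_secret=None):
    """Token endpoint: exchange a code for an access token."""
    client = CLIENTS.get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    # Confidential clients must authenticate; public clients cannot.
    if client["secret_sha256"] is not None:
        offered = hashlib.sha256((client_secret or "").encode()).hexdigest()
        if not hmac.compare_digest(offered, client["secret_sha256"]):
            return {"error": "invalid_client"}
    # Single use: the code is consumed even if the checks below fail.
    meta = CODES.pop(code, None)
    if meta is None or now >= meta["exp"]:
        return {"error": "invalid_grant"}
    # The binding that stops client_id swapping: both values must match
    # what was recorded when the code was issued.
    if meta["client_id"] != client_id or meta["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def redeem_without_secret(client_id, redirect_uri, now):
    """What a party holding only the code and public values gets back."""
    code = authorize(client_id, redirect_uri, "alice", now)
    return redeem(code, client_id, redirect_uri, now)


if __name__ == "__main__":
    now = 1_000  # constructed clock value
    print(redeem_without_secret("spa-app", "https://spa.example/cb", now))
    print(redeem_without_secret("web-portal", "https://portal.example/cb", now))
```

For the public client the binding is the only control, so possession of the code is enough; for the confidential client the same request fails until the secret is presented.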


From nobody Thu Mar 27 12:37:49 2014
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE6C01A0354 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 12:37:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level: 
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8n-tK_fwwgid for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 12:37:39 -0700 (PDT)
Received: from omr-d08.mx.aol.com (omr-d08.mx.aol.com [205.188.109.207]) by ietfa.amsl.com (Postfix) with ESMTP id 88DE11A0345 for <oauth@ietf.org>; Thu, 27 Mar 2014 12:37:38 -0700 (PDT)
Received: from mtaout-mcd01.mx.aol.com (mtaout-mcd01.mx.aol.com [172.26.223.205]) by omr-d08.mx.aol.com (Outbound Mail Relay) with ESMTP id 73620700443FF; Thu, 27 Mar 2014 15:37:36 -0400 (EDT)
Received: from [10.181.176.36] (unknown [10.181.176.36]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-mcd01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 25D573800009F; Thu, 27 Mar 2014 15:37:36 -0400 (EDT)
Message-ID: <53347E00.2080201@aol.com>
Date: Thu, 27 Mar 2014 15:37:36 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>,  John Bradley <ve7jtb@ve7jtb.com>
References: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com> <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com> <4fa46e94eca54ce0940162f8ef4101dd@DM2PR04MB735.namprd04.prod.outlook.com> <C300A03E-CDCB-48BF-B2A2-E519E017669E@ve7jtb.com> <2a2d0cadd4d445a9b148c8a2a6e06dc3@DM2PR04MB735.namprd04.prod.outlook.com>
In-Reply-To: <2a2d0cadd4d445a9b148c8a2a6e06dc3@DM2PR04MB735.namprd04.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------040301030405000807060303"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/fncZlRxdUprIq7irv2iYG720R2o
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now

This is a multi-part message in MIME format.
--------------040301030405000807060303
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hi Adam,

Don't know if it qualifies, but we use option 1 with a partner and our 
Instant Message service. The client obtains a token from the partner AS 
and presents it to the IM RS which validates it and provides access to 
the service. This process is not restricted to that partner in any way, 
but the JWS is unique to our implementation.

Thanks,
George

On 3/27/14, 2:36 PM, Lewis Adam-CAL022 wrote:
>
> I get the idea, but I'm trying to get a feel for whether or not this 
> model is being built upon and to what extent.
>
> So if I rephrase ... are there known 3rd party AS's out there in the 
> wild that are consuming the Google id_token?
>
> Or any examples of a 3rd-party RS that is directly consuming it?
>
> Looking for actual examples in the wild to point to.
>
> adam
>
> *From:*John Bradley [mailto:ve7jtb@ve7jtb.com]
> *Sent:* Thursday, March 27, 2014 1:07 PM
> *To:* Lewis Adam-CAL022
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years 
> from now
>
> Handing out a id_token with a 3rd party AS or RS as the audience is 
> the standard way that Android apps that rely on Google as the source 
> of identity work on Android using the Google Play Services.
>
> This describes the API 
> http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html
>
> On Mar 27, 2014, at 2:46 PM, Lewis Adam-CAL022 
> <Adam.Lewis@motorolasolutions.com 
> <mailto:Adam.Lewis@motorolasolutions.com>> wrote:
>
>
>
> Hi John,
>
> With respect to Google Play handing out id_tokens, are there any 
> known instances of that being used? Either to kick off an assertion 
> flow with another (non-Google) AS, or to present directly to a 
> non-Google RS?
>
> adam
>
> *From:*John Bradley [mailto:ve7jtb@ve7jtb.com]
> *Sent:*Thursday, March 27, 2014 9:07 AM
> *To:*Lewis Adam-CAL022
> *Cc:*oauth@ietf.org <mailto:oauth@ietf.org>
> *Subject:*Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
>
> Hi Adam,
>
> 3 is the most common today.  In the Salesforce case it has the 
> additional benefit that when Domain 1 is federating to SalesForce via 
> OpenID Connect it can provide access tokens for its API to sales 
> force scoped for that user for use in the SalesForce custom logic.
>
> 1 and 2 are similar and likely it is more of a deployment choice 
> between them.
>
> We do see examples of this currently with the Android play store 
> providing third-party id_tokens/JWT assertions to OAuth clients.
>
> The reason for doing 1 or 2 vs 3 probably comes down to convenience and 
> security if  there is an agent for the user's  IdP on the device that 
> can act as a confidential client to the IdP for security and provide a 
> more consistent UI for the user.   That is what we are working on in 
> the NAPPS WG at OIDF.
>
> We have examples of 1/2 now, the problem is that they are not as 
> universally applicable as 3 but hopefully with standardization for 
> developers we will see more in the next year or so.
>
> John B.
>
> On Mar 27, 2014, at 10:06 AM, Lewis Adam-CAL022 
> <Adam.Lewis@motorolasolutions.com 
> <mailto:Adam.Lewis@motorolasolutions.com>> wrote:
>
>
>
>
> I am curious to ping the thoughts of others on the list of how OAuth 
> is going to continue to mature, especially with respect to enterprise 
> federation scenarios.  This is something that I spend a whole lot of 
> time thinking about. Specifically, consider the following use case:
>
> An end user in domain 1 downloads a native application to access an 
> API exposed by domain 2, to access a protected resource in domain 2, 
> under the administrative control of the domain 2 enterprise.
>
> There are in my mind three basic means by which OAuth can federate, 
> which I know I have discussed with some of you in the past:
>
>
>
> 1. First option ... End user in domain 1 requests a JWT-structured 
> access_token from the OAuth provider in domain 1, and sends it in the 
> HTTP header directly to the RS in domain 2.   The JWT access_token 
> looks a whole lot like an OIDC id_token (maybe it even is one?).  The 
> RS in domain 2 is able to make attribute-based access control 
> decisions based on the contents of the JWT.  This is architecturally 
> the simplest approach, but enterprises aren't exactly setting up OAuth 
> providers these days for the intent of accessing protected resources 
> in foreign domains.  Anybody think this might be the case 5 years from 
> now?
>
>
>
> 2. Second option ... similar to the first, but the JWT-structured 
> access_token from domain 1 is sent to the OAuth provider in domain 2, 
> ala the JWT assertion profile.  Domain 1 access token is exchanged for 
> a domain 2 access token, and the native client uses the domain 2 
> access token to send to the protected resource in domain 2.  I like 
> this slightly more than the first option, because the resources 
> servers in domain 2 only need to understand the token format of their 
> own AS.  But it still suffers from the same basic challenge of option 
> 1, that enterprises don't set up OAuth providers today for the purpose 
> of federating, the way they set up SAML providers for WebSSO.
>
>
>
> 3. Third option.  Native client contacts the OAuth provider in domain 2 
> directly.  The authorization endpoint is federation enabled (NASCAR or 
> other) and the user in domain 1 selects their home IdP (SAML or OIDC) 
> and does WebSSO to federate into the domain 2 OAuth provider.  I 
> believe this is the model that Salesforce supports today, and it is the 
> most tactical, since enterprises that want to federate today run out 
> and buy a SAML provider.
>
> So option 3 is the most obvious approach today. Does anybody foresee 
> enterprises setting up an STS in the future to federate to foreign 
> RS's (the way they setup SAML providers today)? Anybody think we will 
> see options 1 or 2 in the future?
>
> adam
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
George Fletcher <http://connect.me/gffletch>
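
The checks a domain 2 RS needs before it accepts a JWT issued by a foreign AS (option 1 in the thread), as an added example that is not code from any participant or from their deployments. It assumes an HS256 JWS with one pinned key per trusted issuer; the issuer URL, audience URL, key and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust configuration for the RS in "domain 2". Assumption: each
# trusted foreign AS is pinned to exactly one algorithm and one key.
TRUSTED_ISSUERS = {
    "https://as.domain1.example": {
        "alg": "HS256",
        "key": b"constructed-demo-key-domain1",
    },
}
RS_AUDIENCE = "https://api.domain2.example"  # how this RS is named in "aud"
CLOCK_SKEW = 60  # seconds of tolerated clock drift between the domains


class TokenRejected(Exception):
    pass


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims, key, header=None):
    """Stand-in for the domain 1 AS; only used to build sample input."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_foreign_jwt(token: str, now: int) -> dict:
    """Return the claims if the token is acceptable, else raise TokenRejected."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        signature = b64url_decode(s_b64)
    except (ValueError, TypeError) as exc:
        raise TokenRejected("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenRejected("malformed token")

    # The still-unverified "iss" is used only to select which pinned key to try.
    iss = claims.get("iss")
    trust = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if trust is None:
        raise TokenRejected("issuer not trusted")

    # The algorithm comes from local configuration, never from the token,
    # so a header of "none" or a downgraded algorithm is refused here.
    if header.get("alg") != trust["alg"]:
        raise TokenRejected("unexpected algorithm")

    signing_input = f"{h_b64}.{c_b64}".encode("ascii")
    expected = hmac.new(trust["key"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")

    # A token minted for a different relying party must not be replayable here.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if RS_AUDIENCE not in audiences:
        raise TokenRejected("audience mismatch")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + CLOCK_SKEW:
        raise TokenRejected("expired or missing exp")
    return claims


def rejection_reason(token: str, now: int):
    """Return None when the token is accepted, else the rejection reason."""
    try:
        validate_foreign_jwt(token, now)
    except TokenRejected as exc:
        return str(exc)
    return None
```

The audience check is what stops a token the same AS issued for some other service from being accepted by this RS.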

--------------040301030405000807060303
Content-Type: multipart/related;
 boundary="------------040107090706080202060100"


--------------040107090706080202060100
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">Hi Adam,<br>
      <br>
      Don't know if it qualifies, but we use option 1 with a partner and
      our Instant Message service. The client obtains a token from the
      partner AS and presents it to the IM RS which validates it and
      provides access to the service. This process is not restricted to
      that partner in anyway, but the JWS is unique to our
      implementation.<br>
      <br>
      Thanks,<br>
      George<br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 3/27/14, 2:36 PM, Lewis Adam-CAL022
      wrote:<br>
    </div>
    <blockquote
cite="mid:2a2d0cadd4d445a9b148c8a2a6e06dc3@DM2PR04MB735.namprd04.prod.outlook.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <meta name="Generator" content="Microsoft Word 12 (filtered
        medium)">
      <style><!--
/* Font Definitions */
@font-face
	{font-family:Helvetica;
	panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
	{mso-style-priority:99;
	mso-style-link:"Balloon Text Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:8.0pt;
	font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
	{mso-style-priority:34;
	margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.5in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
span.apple-converted-space
	{mso-style-name:apple-converted-space;}
span.BalloonTextChar
	{mso-style-name:"Balloon Text Char";
	mso-style-priority:99;
	mso-style-link:"Balloon Text";
	font-family:"Tahoma","sans-serif";}
span.EmailStyle20
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">I
            get the idea, but I&#8217;m trying to get a feel for whether or
            not this model is being built upon and to what extent.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">So
            if I rephrase &#8230; are there known 3rd party AS&#8217;s out there in
            the wild that are consuming the Google id_token?&nbsp;
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Or
            any examples of a 3<sup>rd</sup>-party RS that is directly
            consuming it?&nbsp;
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Looking
            for actual examples in the wild to point to.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">adam<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">
                John Bradley [<a class="moz-txt-link-freetext" href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
                <br>
                <b>Sent:</b> Thursday, March 27, 2014 1:07 PM<br>
                <b>To:</b> Lewis Adam-CAL022<br>
                <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:oauth@ietf.org">oauth@ietf.org</a><br>
                <b>Subject:</b> Re: [OAUTH-WG] OAuth &amp; Enteprise
                federation ... 5 years from now<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        <p class="MsoNormal">Handing out a id_token with a 3rd party AS
          or RS as the audience is the standard way that Android apps
          that rely on Google as the source of identity work on Android
          using the Google Play Services.<o:p></o:p></p>
        <div>
          <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        </div>
        <div>
          <p class="MsoNormal">This describes the API&nbsp;<a
              moz-do-not-send="true"
href="http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html">http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html</a><o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal">&nbsp;<o:p></o:p></p>
        </div>
        <div>
          <div>
            <div>
              <p class="MsoNormal">On Mar 27, 2014, at 2:46 PM, Lewis
                Adam-CAL022 &lt;<a moz-do-not-send="true"
                  href="mailto:Adam.Lewis@motorolasolutions.com">Adam.Lewis@motorolasolutions.com</a>&gt;
                wrote:<o:p></o:p></p>
            </div>
            <p class="MsoNormal"><br>
              <br>
              <o:p></o:p></p>
            <div>
              <div>
                <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Hi
                    John,</span><o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">With
                    respect to Google Play handing out id_tokens, are
                    any there any known instances of that being used?&nbsp;
                    Either to kick of an assertion flow with another
                    (non-Google) AS, or to present directly to a
                    non-Google RS?</span><o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">adam</span><o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
              </div>
              <div>
                <div style="border:none;border-top:solid #B5C4DF
                  1.0pt;padding:3.0pt 0in 0in 0in">
                  <div>
                    <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span
                        class="apple-converted-space"><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">&nbsp;</span></span><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">John

                        Bradley [<a moz-do-not-send="true"
                          href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]<span
                          class="apple-converted-space">&nbsp;</span><br>
                        <b>Sent:</b><span class="apple-converted-space">&nbsp;</span>Thursday,
                        March 27, 2014 9:07 AM<br>
                        <b>To:</b><span class="apple-converted-space">&nbsp;</span>Lewis
                        Adam-CAL022<br>
                        <b>Cc:</b><span class="apple-converted-space">&nbsp;</span><a
                          moz-do-not-send="true"
                          href="mailto:oauth@ietf.org">oauth@ietf.org</a><br>
                        <b>Subject:</b><span
                          class="apple-converted-space">&nbsp;</span>Re:
                        [OAUTH-WG] OAuth &amp; Enteprise federation ...
                        5 years from now</span><o:p></o:p></p>
                  </div>
                </div>
              </div>
              <div>
                <p class="MsoNormal">&nbsp;<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal">Hi Adam,<o:p></o:p></p>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">&nbsp;<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">3 is the most common today. &nbsp;In
                    the Salesforce case it has the additional benefit
                    that when Domain 1 is federating to SalesForce via
                    OpenID Connect it can provide access tokens for it's
                    API to sales force scoped for that user for use in
                    the SalesForce custom logic.<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">&nbsp;<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">1 and 2 are similar and likely it
                    is more of a deployment choice between them.<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">We do see examples of this
                    currently with the Android play store providing
                    third-party id_tokens/JWT assertions to OAuth
                    clients.<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">&nbsp;<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">The reason for doing 1 or 2 vs 3
                    probably comes down to connivence and security if
                    &nbsp;there is an agent for the user's &nbsp;IdP on the device
                    that can act as a confidential client to the IdP for
                    security and provide a more consistent UI for the
                    user. &nbsp; That is what we are working on in the NAPPS
                    WG at OIDF.<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">&nbsp;<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">We have examples of 1/2 now, the
                    problem is that they are not as universally
                    applicable as 3 but hopefully with standardization
                    for developers we will se more in the next year or
                    so.<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">&nbsp;<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">John B.<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">&nbsp;<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal">On Mar 27, 2014, at 10:06 AM,
                    Lewis Adam-CAL022 &lt;<a moz-do-not-send="true"
                      href="mailto:Adam.Lewis@motorolasolutions.com"><span
                        style="color:purple">Adam.Lewis@motorolasolutions.com</span></a>&gt;
                    wrote:<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <p class="MsoNormal"><br>
                    <br>
                    <br>
                    <o:p></o:p></p>
                </div>
                <div>
                  <div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">I
                          am curious it ping the thoughts of others on
                          the list of how OAuth is going to continue to
                          mature, especially with respect to enterprise
                          federation scenarios.&nbsp; This is something that
                          I spend a whole lot of time thinking about.&nbsp;
                          Specifically, consider the following use case:</span><o:p></o:p></p>
                    </div>
                  </div>
                  <div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;</span><o:p></o:p></p>
                    </div>
                  </div>
                  <div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">An
                          end user in domain 1 downloads a native
                          application to access an API exposed by domain
                          2, to access a protected resource in domain 2,
                          under the administrative control of the domain
                          2 enterprise.</span><o:p></o:p></p>
                    </div>
                  </div>
                  <div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;</span><o:p></o:p></p>
                    </div>
                  </div>
                  <div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;</span><o:p></o:p></p>
                    </div>
                  </div>
                  <div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">There
                          are in my mind three basic means by which
                          OAuth can federate, which I know I have
                          discussed with some of you in the past:<br>
                          <br>
                          <br>
                          <br>
                        </span><o:p></o:p></p>
                    </div>
                  </div>
                  <div style="margin-left:.5in">
                    <div>
                      <p class="MsoNormal" style="text-indent:-.25in"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">1.</span><span
                          style="font-size:7.0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span
                            class="apple-converted-space">&nbsp;</span></span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">First

                          option &#8230; End user in domain 1 requests a
                          JWT-structured access_token from the OAuth
                          provider in domain 1, and sends it in the HTTP
                          header directly to the RS in domain 2.&nbsp;&nbsp; The
                          JWT access_token looks a whole lot like a OIDC
                          id_token (maybe it even is one?).&nbsp; The RS in
                          domain 2 is able to make attributed-based
                          access control decisions based on the contents
                          of the JWT.&nbsp; This is architecturally the
                          simplest approach, but enterprises aren&#8217;t
                          exactly setting up OAuth providers these days
                          for the intent of accessing protected
                          resources in foreign domains.&nbsp; Anybody think
                          this might be the case 5 years from now?<br>
                          <br>
                          <br>
                          <br>
                        </span><o:p></o:p></p>
                    </div>
                  </div>
                  <div style="margin-left:.5in">
                    <div>
                      <p class="MsoNormal" style="text-indent:-.25in"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">2.</span><span
                          style="font-size:7.0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span
                            class="apple-converted-space">&nbsp;</span></span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Second

                          option &#8230; similar to the first, but the
                          JWT-structured access_token from domain 1 is
                          sent to the OAuth provider in domain 2, ala
                          the JWT assertion profile.&nbsp; Domain 1 access
                          token is exchanged for a domain 2 access
                          token, and the native client uses the domain 2
                          access token to send to the protected resource
                          in domain 2.&nbsp; I like this slightly more than
                          the first option, because the resources
                          servers in domain 2 only need to understand
                          the token format of their own AS.&nbsp; But it
                          still suffers from the same basic challenge of
                          option 1, that enterprises don&#8217;t&#8217; setup OAuth
                          providers today for the purpose of federating,
                          the way that setup SAML providers for WebSSO.<br>
                          <br>
                          <br>
                          <br>
                        </span><o:p></o:p></p>
                    </div>
                  </div>
                  <div style="margin-left:.5in">
                    <div>
                      <p class="MsoNormal" style="text-indent:-.25in"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">3.</span><span
                          style="font-size:7.0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span
                            class="apple-converted-space">&nbsp;</span></span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Third

                          option.&nbsp; Native client contacts the OAuth
                          provider in domain 2 directly.&nbsp; The
                          authorization endpoint is federation enabled
                          (NASCAR or other) and the user in domain 1
                          selects their home IdP (SAML or OIDC) and does
                          WebSSO to federated into the domain 2 OAuth
                          provider.&nbsp; I believe this is the model that
                          Salesforce supports today, and it the most
                          tactical, since enterprise that want to
                          federate today run out and buy a SAML
                          provider.</span><o:p></o:p></p>
                    </div>
                  </div>
                  <div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;</span><o:p></o:p></p>
                    </div>
                  </div>
                  <div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">So
                          option 3 is the most obvious approach today.&nbsp;
                          Does anybody foresee enterprises setting up an
                          STS in the future to federate to foreign RS&#8217;s
                          (the way they setup SAML providers today)?&nbsp;
                          Anybody think we will see options 1 or 2 in
                          the future?</span><o:p></o:p></p>
                    </div>
                  </div>
                  <div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;</span><o:p></o:p></p>
                    </div>
                  </div>
                  <div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;</span><o:p></o:p></p>
                    </div>
                  </div>
                  <div>
                    <div>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">adam</span><o:p></o:p></p>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
          <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me"><img src="cid:part8.03020007.02070907@aol.com"
          alt="George Fletcher" height="113" width="359"></a></div>
  </body>
</html>

--------------040107090706080202060100--

--------------040301030405000807060303--


From nobody Thu Mar 27 14:41:54 2014
Content-Type: multipart/alternative; boundary="Apple-Mail=_99FAD786-228D-4CC9-A216-4D262C7D0F83"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <2a2d0cadd4d445a9b148c8a2a6e06dc3@DM2PR04MB735.namprd04.prod.outlook.com>
Date: Thu, 27 Mar 2014 18:40:43 -0300
Message-Id: <C082266B-009B-481D-9224-7B1A05F2397F@ve7jtb.com>
References: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com> <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com> <4fa46e94eca54ce0940162f8ef4101dd@DM2PR04MB735.namprd04.prod.outlook.com> <C300A03E-CDCB-48BF-B2A2-E519E017669E@ve7jtb.com> <2a2d0cadd4d445a9b148c8a2a6e06dc3@DM2PR04MB735.namprd04.prod.outlook.com>
To: Adam Lewis <Adam.Lewis@motorolasolutions.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/598MXmETzbqFiyx82uylQ15QNXY
Cc: Tim Bray <tbray@textuality.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now

--Apple-Mail=_99FAD786-228D-4CC9-A216-4D262C7D0F83
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

I don't know what clients are using the play API to get 3rd party
tokens.

Perhaps Tim Bray can comment on scale of use if not specific clients.

John B.

On Mar 27, 2014, at 3:36 PM, Lewis Adam-CAL022
<Adam.Lewis@motorolasolutions.com> wrote:

> I get the idea, but I’m trying to get a feel for whether or not this
> model is being built upon and to what extent.
>
> So if I rephrase … are there known 3rd party AS’s out there in the
> wild that are consuming the Google id_token?
>
> Or any examples of a 3rd-party RS that is directly consuming it?
>
> Looking for actual examples in the wild to point to.
>
> adam
>
> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> Sent: Thursday, March 27, 2014 1:07 PM
> To: Lewis Adam-CAL022
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
>
> Handing out an id_token with a 3rd party AS or RS as the audience is
> the standard way that Android apps that rely on Google as the source of
> identity work on Android using the Google Play Services.
>
> This describes the API
> http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html
>
> On Mar 27, 2014, at 2:46 PM, Lewis Adam-CAL022
> <Adam.Lewis@motorolasolutions.com> wrote:
>
> Hi John,
>
> With respect to Google Play handing out id_tokens, are there any known
> instances of that being used?  Either to kick off an assertion flow
> with another (non-Google) AS, or to present directly to a non-Google RS?
>
> adam
>
> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> Sent: Thursday, March 27, 2014 9:07 AM
> To: Lewis Adam-CAL022
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
>
> Hi Adam,
>
> 3 is the most common today.  In the Salesforce case it has the
> additional benefit that when Domain 1 is federating to Salesforce via
> OpenID Connect it can provide access tokens for its API to Salesforce
> scoped for that user for use in the Salesforce custom logic.
>
> 1 and 2 are similar and likely it is more of a deployment choice
> between them.
> We do see examples of this currently with the Android play store
> providing third-party id_tokens/JWT assertions to OAuth clients.
>
> The reason for doing 1 or 2 vs 3 probably comes down to convenience and
> security if there is an agent for the user's IdP on the device that
> can act as a confidential client to the IdP for security and provide a
> more consistent UI for the user.  That is what we are working on in the
> NAPPS WG at OIDF.
>
> We have examples of 1/2 now, the problem is that they are not as
> universally applicable as 3 but hopefully with standardization for
> developers we will see more in the next year or so.
>
> John B.
>
> On Mar 27, 2014, at 10:06 AM, Lewis Adam-CAL022
> <Adam.Lewis@motorolasolutions.com> wrote:
>
> I am curious to ping the thoughts of others on the list of how OAuth
> is going to continue to mature, especially with respect to enterprise
> federation scenarios.  This is something that I spend a whole lot of
> time thinking about.  Specifically, consider the following use case:
>
> An end user in domain 1 downloads a native application to access an
> API exposed by domain 2, to access a protected resource in domain 2,
> under the administrative control of the domain 2 enterprise.
>
> There are in my mind three basic means by which OAuth can federate,
> which I know I have discussed with some of you in the past:
>
> 1. First option … End user in domain 1 requests a JWT-structured
>    access_token from the OAuth provider in domain 1, and sends it in
>    the HTTP header directly to the RS in domain 2.  The JWT
>    access_token looks a whole lot like an OIDC id_token (maybe it even
>    is one?).  The RS in domain 2 is able to make attribute-based
>    access control decisions based on the contents of the JWT.  This is
>    architecturally the simplest approach, but enterprises aren’t
>    exactly setting up OAuth providers these days for the intent of
>    accessing protected resources in foreign domains.  Anybody think
>    this might be the case 5 years from now?
>
> 2. Second option … similar to the first, but the JWT-structured
>    access_token from domain 1 is sent to the OAuth provider in domain
>    2, à la the JWT assertion profile.  Domain 1 access token is
>    exchanged for a domain 2 access token, and the native client uses
>    the domain 2 access token to send to the protected resource in
>    domain 2.  I like this slightly more than the first option, because
>    the resource servers in domain 2 only need to understand the token
>    format of their own AS.  But it still suffers from the same basic
>    challenge of option 1, that enterprises don’t set up OAuth
>    providers today for the purpose of federating, the way they set up
>    SAML providers for WebSSO.
>
> 3. Third option.  Native client contacts the OAuth provider in domain
>    2 directly.  The authorization endpoint is federation enabled
>    (NASCAR or other) and the user in domain 1 selects their home IdP
>    (SAML or OIDC) and does WebSSO to federate into the domain 2 OAuth
>    provider.  I believe this is the model that Salesforce supports
>    today, and it is the most tactical, since enterprises that want to
>    federate today run out and buy a SAML provider.
>
> So option 3 is the most obvious approach today.  Does anybody foresee
> enterprises setting up an STS in the future to federate to foreign RS’s
> (the way they set up SAML providers today)?  Anybody think we will see
> options 1 or 2 in the future?
>
> adam


--Apple-Mail=_99FAD786-228D-4CC9-A216-4D262C7D0F83--
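
Option 2 in the thread above (a domain 1 JWT exchanged at the domain 2 AS under the JWT assertion profile), together with the audience-restricted token John Bradley describes, seen from the domain 2 AS as an added example; it is not code from any participant, Google or Salesforce. The issuer URL, endpoint URL and key are hypothetical, and HS256 with a shared key stands in for the asymmetric signature a cross-domain IdP would normally use, so the block needs only the standard library.

```python
import base64
import hashlib
import hmac
import json
import secrets

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Constructed trust configuration of the domain 2 AS (hypothetical names and key).
AS2_TOKEN_ENDPOINT = "https://as.domain2.example/token"
TRUSTED_ISSUERS = {"https://idp.domain1.example": b"constructed-demo-key-domain1"}
ISSUED_TOKENS = {}  # domain 2 access token -> federated identity behind it
NOW = 1395956400    # constructed fixed clock, keeps the example deterministic


class AssertionRejected(Exception):
    """Raised with the reason an inbound assertion was refused."""


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(issuer, key, subject, audience, exp, alg="HS256"):
    """Domain 1 side: issue a compact JWT that names its intended audience."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = b64url(json.dumps(
        {"iss": issuer, "sub": subject, "aud": audience, "exp": exp}).encode())
    signing_input = f"{header}.{claims}"
    sig = b"" if alg == "none" else hmac.new(
        key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def validate_assertion(assertion, now):
    """Domain 2 AS: accept only a JWT minted by a trusted issuer for this AS."""
    try:
        h64, c64, s64 = assertion.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        signature = b64url_decode(s64)
    except ValueError as exc:
        raise AssertionRejected("malformed assertion") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise AssertionRejected("malformed assertion")
    # Pin the algorithm; the token never gets to choose (rejects "alg": "none").
    if header.get("alg") != "HS256":
        raise AssertionRejected("unexpected alg")
    issuer = claims.get("iss")
    key = TRUSTED_ISSUERS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise AssertionRejected("untrusted issuer")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AssertionRejected("bad signature")
    # Audience restriction: a JWT minted for some other AS or RS is useless here.
    aud = claims.get("aud")
    if AS2_TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise AssertionRejected("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AssertionRejected("expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise AssertionRejected("missing subject")
    return claims


def token_endpoint(form, now):
    """Domain 2 AS: swap a valid domain 1 assertion for a domain 2 access token."""
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        claims = validate_assertion(form.get("assertion", ""), now)
    except AssertionRejected as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    token = secrets.token_urlsafe(32)  # opaque; domain 2 RSs only see this format
    ISSUED_TOKENS[token] = {"iss": claims["iss"], "sub": claims["sub"]}
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def demo():
    """Run constructed assertions through the endpoint; returns name -> response."""
    iss, key = next(iter(TRUSTED_ISSUERS.items()))
    good = mint_assertion(iss, key, "alice", AS2_TOKEN_ENDPOINT, NOW + 300)
    h64, _, s64 = good.split(".")
    forged = b64url(json.dumps(
        {"iss": iss, "sub": "admin", "aud": AS2_TOKEN_ENDPOINT, "exp": NOW + 300}).encode())
    cases = {
        "valid": good,
        "other_audience": mint_assertion(iss, key, "alice", "https://rs.other.example", NOW + 300),
        "expired": mint_assertion(iss, key, "alice", AS2_TOKEN_ENDPOINT, NOW - 1),
        "alg_none": mint_assertion(iss, key, "alice", AS2_TOKEN_ENDPOINT, NOW + 300, alg="none"),
        "tampered": f"{h64}.{forged}.{s64}",
    }
    return {name: token_endpoint({"grant_type": JWT_BEARER, "assertion": a}, NOW)
            for name, a in cases.items()}
```

Calling `demo()` returns the token endpoint's response for each constructed assertion; only the one signed by the trusted issuer, addressed to this AS and still unexpired is exchanged for a domain 2 token.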


From nobody Thu Mar 27 14:48:12 2014
MIME-Version: 1.0
Received: by 10.220.98.73 with HTTP; Thu, 27 Mar 2014 14:47:45 -0700 (PDT)
X-Originating-IP: [96.49.81.176]
In-Reply-To: <C082266B-009B-481D-9224-7B1A05F2397F@ve7jtb.com>
References: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com> <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com> <4fa46e94eca54ce0940162f8ef4101dd@DM2PR04MB735.namprd04.prod.outlook.com> <C300A03E-CDCB-48BF-B2A2-E519E017669E@ve7jtb.com> <2a2d0cadd4d445a9b148c8a2a6e06dc3@DM2PR04MB735.namprd04.prod.outlook.com> <C082266B-009B-481D-9224-7B1A05F2397F@ve7jtb.com>
From: Tim Bray <tbray@textuality.com>
Date: Thu, 27 Mar 2014 14:47:45 -0700
Message-ID: <CAHBU6itVGTZoCqJ2F4ezwcTcxzAwMdBBTOzJ5LgcjDYrLpU0nw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary=047d7b66fce74841ba04f59d8a0e
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/RBSq2SVEL9lhhyXJD1hy4baR3qA
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 21:48:11 -0000

--047d7b66fce74841ba04f59d8a0e
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

I can’t give names or numbers but yeah, it’s happening. Especially for
Android apps, it’s easy & straightforward to get an ID token, and cheap to
validate on the server side.  Obviously, it only works for Google accounts.


On Thu, Mar 27, 2014 at 2:40 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> I don't know what clients are using the play API to get 3rd party tokens.
>
> Perhaps Tim Bray can comment on scale of use if not specific clients.
>
> John B.
>
> On Mar 27, 2014, at 3:36 PM, Lewis Adam-CAL022 <
> Adam.Lewis@motorolasolutions.com> wrote:
>
> I get the idea, but I’m trying to get a feel for whether or not this model
> is being built upon and to what extent.
>
> So if I rephrase … are there known 3rd party AS’s out there in the wild
> that are consuming the Google id_token?
>
> Or any examples of a 3rd-party RS that is directly consuming it?
>
> Looking for actual examples in the wild to point to.
>
> adam
>
> *From:* John Bradley [mailto:ve7jtb@ve7jtb.com <ve7jtb@ve7jtb.com>]
> *Sent:* Thursday, March 27, 2014 1:07 PM
> *To:* Lewis Adam-CAL022
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from
> now
>
> Handing out a id_token with a 3rd party AS or RS as the audience is the
> standard way that Android apps that rely on Google as the source of
> identity work on Android using the Google Play Services.
>
> This describes the API
> http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html
>
> On Mar 27, 2014, at 2:46 PM, Lewis Adam-CAL022 <
> Adam.Lewis@motorolasolutions.com> wrote:
>
>
>  Hi John,
>
> With respect to Google Play handing out id_tokens, are there any known
> instances of that being used?  Either to kick off an assertion flow with
> another (non-Google) AS, or to present directly to a non-Google RS?
>
> adam
>
> *From:* John Bradley [mailto:ve7jtb@ve7jtb.com <ve7jtb@ve7jtb.com>]
> *Sent:* Thursday, March 27, 2014 9:07 AM
> *To:* Lewis Adam-CAL022
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from
> now
>
> Hi Adam,
>
> 3 is the most common today.  In the Salesforce case it has the additional
> benefit that when Domain 1 is federating to Salesforce via OpenID Connect
> it can provide access tokens for its API to Salesforce scoped for that
> user for use in the Salesforce custom logic.
>
> 1 and 2 are similar and likely it is more of a deployment choice between
> them.
> We do see examples of this currently with the Android play store providing
> third-party id_tokens/JWT assertions to OAuth clients.
>
> The reason for doing 1 or 2 vs 3 probably comes down to convenience and
> security if there is an agent for the user's IdP on the device that can
> act as a confidential client to the IdP for security and provide a more
> consistent UI for the user.   That is what we are working on in the NAPPS
> WG at OIDF.
>
> We have examples of 1/2 now, the problem is that they are not as
> universally applicable as 3 but hopefully with standardization for
> developers we will see more in the next year or so.
>
> John B.
>
> On Mar 27, 2014, at 10:06 AM, Lewis Adam-CAL022 <
> Adam.Lewis@motorolasolutions.com> wrote:
>
>
>
>  I am curious to ping the thoughts of others on the list of how OAuth is
> going to continue to mature, especially with respect to enterprise
> federation scenarios.  This is something that I spend a whole lot of time
> thinking about.  Specifically, consider the following use case:
>
> An end user in domain 1 downloads a native application to access an API
> exposed by domain 2, to access a protected resource in domain 2, under the
> administrative control of the domain 2 enterprise.
>
>
> There are in my mind three basic means by which OAuth can federate, which
> I know I have discussed with some of you in the past:
>
>
>
> 1.       First option … End user in domain 1 requests a JWT-structured
> access_token from the OAuth provider in domain 1, and sends it in the HTTP
> header directly to the RS in domain 2.   The JWT access_token looks a whole
> lot like an OIDC id_token (maybe it even is one?).  The RS in domain 2 is
> able to make attribute-based access control decisions based on the
> contents of the JWT.  This is architecturally the simplest approach, but
> enterprises aren’t exactly setting up OAuth providers these days for the
> intent of accessing protected resources in foreign domains.  Anybody think
> this might be the case 5 years from now?
>
>
>
> 2.       Second option … similar to the first, but the JWT-structured
> access_token from domain 1 is sent to the OAuth provider in domain 2, ala
> the JWT assertion profile.  Domain 1 access token is exchanged for a domain
> 2 access token, and the native client uses the domain 2 access token to
> send to the protected resource in domain 2.  I like this slightly more than
> the first option, because the resource servers in domain 2 only need to
> understand the token format of their own AS.  But it still suffers from the
> same basic challenge of option 1, that enterprises don’t set up OAuth
> providers today for the purpose of federating, the way they set up SAML
> providers for WebSSO.
>
>
>
> 3.       Third option.  Native client contacts the OAuth provider in
> domain 2 directly.  The authorization endpoint is federation enabled
> (NASCAR or other) and the user in domain 1 selects their home IdP (SAML or
> OIDC) and does WebSSO to federate into the domain 2 OAuth provider.  I
> believe this is the model that Salesforce supports today, and it is the most
> tactical, since enterprises that want to federate today run out and buy a
> SAML provider.
>
> So option 3 is the most obvious approach today.  Does anybody foresee
> enterprises setting up an STS in the future to federate to foreign RS’s
> (the way they set up SAML providers today)?  Anybody think we will see
> options 1 or 2 in the future?
>
>
> adam
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

--047d7b66fce74841ba04f59d8a0e--
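
Added example, not part of any message in this thread: the checks a domain 2 RS or AS would apply to a JWT issued in domain 1 with itself as the audience (options 1 and 2 above, and the server-side ID token validation mentioned in the reply). HS256 with a constructed shared key stands in here for the issuer's public-key signature so the sketch runs on the standard library alone; the issuer, audience and key values and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (assumptions, not taken from the thread).
SAMPLE_ISS = "https://idp.domain1.example"
SAMPLE_AUD = "https://api.domain2.example"
SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"


class TokenError(Exception):
    """Raised with a short reason when a token must be rejected."""


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key, alg="HS256"):
    """Issuer side (domain 1); present only to build constructed tokens."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def validate_id_token(token, key, expected_iss, expected_aud, now=None, leeway=60):
    """Receiver side (domain 2): return the claims or raise TokenError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token") from None
    # Pin the algorithm: the token must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    # Verify the signature before trusting anything in the payload.
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed payload") from None
    if not isinstance(claims, dict):
        raise TokenError("malformed payload")
    if claims.get("iss") != expected_iss:
        raise TokenError("wrong issuer")
    # "aud" may be one string or a list; this receiver must be named in it,
    # otherwise a token minted for some other app could be replayed here.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise TokenError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenError("expired")
    return claims


def explain(token, now):
    """Validate against the sample receiver config and describe the outcome."""
    try:
        validate_id_token(token, SAMPLE_KEY, SAMPLE_ISS, SAMPLE_AUD, now=now)
        return "accepted"
    except TokenError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    now = int(time.time())
    base = {"iss": SAMPLE_ISS, "sub": "user-1", "exp": now + 300}
    for label, tok in [
        ("for this RS", sign_hs256({**base, "aud": SAMPLE_AUD}, SAMPLE_KEY)),
        ("for another app", sign_hs256({**base, "aud": "https://other.example"}, SAMPLE_KEY)),
    ]:
        print(label, "->", explain(tok, now))
```

The audience check is what separates a token meant for this backend from a validly signed token the same issuer handed to a different client.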


From nobody Thu Mar 27 15:04:36 2014
Return-Path: <Adam.Lewis@motorolasolutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 851AE1A03D1 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 15:04:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.948
X-Spam-Level: 
X-Spam-Status: No, score=-2.948 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNRESOLVED_TEMPLATE=1.252] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LfZSqkT0rmoO for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 15:04:31 -0700 (PDT)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe006.messaging.microsoft.com [216.32.180.16]) by ietfa.amsl.com (Postfix) with ESMTP id 40C871A0253 for <oauth@ietf.org>; Thu, 27 Mar 2014 15:04:31 -0700 (PDT)
Received: from mail133-va3-R.bigfish.com (10.7.14.246) by VA3EHSOBE002.bigfish.com (10.7.40.22) with Microsoft SMTP Server id 14.1.225.22; Thu, 27 Mar 2014 22:04:28 +0000
Received: from mail133-va3 (localhost [127.0.0.1])	by mail133-va3-R.bigfish.com (Postfix) with ESMTP id 7887C38016A	for <oauth@ietf.org>; Thu, 27 Mar 2014 22:04:28 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:192.160.210.14; KIP:(null); UIP:(null); IPV:NLI; H:ct11msg02.am.mot-solutions.com; RD:ct11msg02.mot-solutions.com; EFVD:NLI
X-SpamScore: -20
X-BigFish: VPS-20(zz98dI9371Ic89bhe0eahc857hzz1f42h2148h208ch1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hzz1d7338h1de098h1033IL17326ah8275bh8275dh18c673h1c8fb4h1de097h186068hz2fh109h2a8h683h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1b0ah1bceh224fh1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1fe8h1ff5h20f0h2216h22d0h2336h2461h2487h24ach24d7h2516h2545h255eh25f6h2605h268bh9a9j1155h)
Received-SPF: pass (mail133-va3: domain of motorolasolutions.com designates 192.160.210.14 as permitted sender) client-ip=192.160.210.14; envelope-from=Adam.Lewis@motorolasolutions.com; helo=ct11msg02.am.mot-solutions.com ; olutions.com ; 
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.85; KIP:(null); UIP:(null); (null); H:BL2PRD0410HT005.namprd04.prod.outlook.com; R:internal; EFV:INT
Received: from mail133-va3 (localhost.localdomain [127.0.0.1]) by mail133-va3 (MessageSwitch) id 139595786583821_8724; Thu, 27 Mar 2014 22:04:25 +0000 (UTC)
Received: from VA3EHSMHS010.bigfish.com (unknown [10.7.14.242])	by mail133-va3.bigfish.com (Postfix) with ESMTP id DAC964A0057	for <oauth@ietf.org>; Thu, 27 Mar 2014 22:04:24 +0000 (UTC)
Received: from ct11msg02.am.mot-solutions.com (192.160.210.14) by VA3EHSMHS010.bigfish.com (10.7.99.20) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 27 Mar 2014 22:04:24 +0000
Received: from ct11msg02.am.mot-solutions.com (ct11vts02.am.mot.com [10.177.16.160])	by ct11msg02.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id s2RM4Nqm021074	for <oauth@ietf.org>; Thu, 27 Mar 2014 18:04:23 -0400 (EDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe002.messaging.microsoft.com [216.32.181.182])	by ct11msg02.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id s2RM4NOq021071 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL)	for <oauth@ietf.org>; Thu, 27 Mar 2014 18:04:23 -0400 (EDT)
Received: from mail71-ch1-R.bigfish.com (10.43.68.246) by CH1EHSOBE014.bigfish.com (10.43.70.64) with Microsoft SMTP Server id 14.1.225.22; Thu, 27 Mar 2014 22:04:22 +0000
Received: from mail71-ch1 (localhost [127.0.0.1])	by mail71-ch1-R.bigfish.com (Postfix) with ESMTP id 074CF4603F1	for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 27 Mar 2014 22:04:23 +0000 (UTC)
Received: from mail71-ch1 (localhost.localdomain [127.0.0.1]) by mail71-ch1 (MessageSwitch) id 1395957859666261_31822; Thu, 27 Mar 2014 22:04:19 +0000 (UTC)
Received: from CH1EHSMHS015.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.243])	by mail71-ch1.bigfish.com (Postfix) with ESMTP id 9DECA2A004F;	Thu, 27 Mar 2014 22:04:19 +0000 (UTC)
Received: from BL2PRD0410HT005.namprd04.prod.outlook.com (157.56.240.85) by CH1EHSMHS015.bigfish.com (10.43.70.15) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 27 Mar 2014 22:04:19 +0000
Received: from DM2PR04MB734.namprd04.prod.outlook.com (10.141.177.16) by BL2PRD0410HT005.namprd04.prod.outlook.com (10.255.99.40) with Microsoft SMTP Server (TLS) id 14.16.423.0; Thu, 27 Mar 2014 22:04:19 +0000
Received: from DM2PR04MB735.namprd04.prod.outlook.com (10.141.177.17) by DM2PR04MB734.namprd04.prod.outlook.com (10.141.177.16) with Microsoft SMTP Server (TLS) id 15.0.898.11; Thu, 27 Mar 2014 22:04:17 +0000
Received: from DM2PR04MB735.namprd04.prod.outlook.com ([10.141.177.17]) by DM2PR04MB735.namprd04.prod.outlook.com ([10.141.177.17]) with mapi id 15.00.0898.005; Thu, 27 Mar 2014 22:04:17 +0000
From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: Tim Bray <tbray@textuality.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
Thread-Index: Ac9JvWeAW+r7N2YsS96k1esZSJ97mAACGN8AAAeYdsAAAMyVAAAA2Z3gAAabrYAAAD7igAAALtaw
Date: Thu, 27 Mar 2014 22:04:17 +0000
Message-ID: <4087640a4a3042c485a3e8cca52720f0@DM2PR04MB735.namprd04.prod.outlook.com>
References: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com> <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com> <4fa46e94eca54ce0940162f8ef4101dd@DM2PR04MB735.namprd04.prod.outlook.com> <C300A03E-CDCB-48BF-B2A2-E519E017669E@ve7jtb.com> <2a2d0cadd4d445a9b148c8a2a6e06dc3@DM2PR04MB735.namprd04.prod.outlook.com> <C082266B-009B-481D-9224-7B1A05F2397F@ve7jtb.com> <CAHBU6itVGTZoCqJ2F4ezwcTcxzAwMdBBTOzJ5LgcjDYrLpU0nw@mail.gmail.com>
In-Reply-To: <CAHBU6itVGTZoCqJ2F4ezwcTcxzAwMdBBTOzJ5LgcjDYrLpU0nw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [50.179.150.36]
x-forefront-prvs: 01630974C0
Content-Type: multipart/alternative; boundary="_000_4087640a4a3042c485a3e8cca52720f0DM2PR04MB735namprd04pro_"
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%IETF.ORG$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%VE7JTB.COM$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%TEXTUALITY.COM$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-CFilter-Loop: Reflected
X-OriginatorOrg: motorolasolutions.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/2x9_udD05Df_T0FZzUyQ8XEAzJc
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 22:04:35 -0000

--_000_4087640a4a3042c485a3e8cca52720f0DM2PR04MB735namprd04pro_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_4087640a4a3042c485a3e8cca52720f0DM2PR04MB735namprd04pro_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_4087640a4a3042c485a3e8cca52720f0DM2PR04MB735namprd04pro_--


From nobody Thu Mar 27 17:00:13 2014
Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF89E1A0743 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 17:00:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9HogpCwaYW33 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 17:00:04 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id CE23C1A0775 for <oauth@ietf.org>; Thu, 27 Mar 2014 17:00:02 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s2RNxxlX028749 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 28 Mar 2014 00:00:00 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by ucsinet22.oracle.com (8.14.5+Sun/8.14.5) with ESMTP id s2RNxxPQ008779 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 27 Mar 2014 23:59:59 GMT
Received: from abhmp0015.oracle.com (abhmp0015.oracle.com [141.146.116.21]) by userz7022.oracle.com (8.14.5+Sun/8.14.4) with ESMTP id s2RNxxxi008763; Thu, 27 Mar 2014 23:59:59 GMT
Received: from [192.168.0.172] (/199.33.32.40) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 27 Mar 2014 16:59:59 -0700
Message-ID: <5334BB7B.2060602@oracle.com>
Date: Thu, 27 Mar 2014 16:59:55 -0700
From: Prateek Mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Bill Burke <bburke@redhat.com>
References: <53344407.1050802@redhat.com>
In-Reply-To: <53344407.1050802@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/tZpeM0l-cziQGDNnpVZMFKAAA6w
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] CORS and public vs. confidential clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 00:00:10 -0000

Bill - as you are referencing CORS in your message, I assume you are 
discussing a Javascript-only (browser) client. I believe the implicit flow
was designed for this case and this flow never involves a confidential 
client.

Confidential clients may be used with the other flows (code, 
resource,..) that are capable of making a TLS call to a Token Endpoint.

- prateek

> I'm still trying to wrap my head around the differences between public 
> and confidential clients.  In our IDP impl, we check redirect uris and 
> associate a lot of private metadata to the access code to ensure there 
> is no client_id swapping.  My understanding was that confidential 
> clients made sure that only an authenticated client could obtain an 
> access token.
>
> What if you throw CORS in the mix where your browser needs the access 
> token (and the ability to refresh it) to make cross-domain requests? 
> Doesn't this remove a large benefit of confidential clients?
>
> Anybody know a good document that describes the difference and 
> pros/cons of public vs. confidential clients beyond the actual OAUTH 
> spec itself?
>
> Thanks
>


From nobody Thu Mar 27 17:10:50 2014
Return-Path: <prabath@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 822DD1A03F8 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 17:10:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level: 
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 36UJ3XcWz0pU for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 17:10:47 -0700 (PDT)
Received: from mail-oa0-x234.google.com (mail-oa0-x234.google.com [IPv6:2607:f8b0:4003:c02::234]) by ietfa.amsl.com (Postfix) with ESMTP id 532311A03FD for <oauth@ietf.org>; Thu, 27 Mar 2014 17:10:47 -0700 (PDT)
Received: by mail-oa0-f52.google.com with SMTP id l6so5144693oag.25 for <oauth@ietf.org>; Thu, 27 Mar 2014 17:10:45 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.60.132.12 with SMTP id oq12mr4007202oeb.42.1395965445164; Thu, 27 Mar 2014 17:10:45 -0700 (PDT)
Received: by 10.60.54.99 with HTTP; Thu, 27 Mar 2014 17:10:45 -0700 (PDT)
Date: Fri, 28 Mar 2014 05:40:45 +0530
Message-ID: <CAJV9qO8NGmiXv3VuSzhamY+3qbPSXeM=8E1Wh7MV+6ptE+7fFQ@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/V4QAdHFmYx8E7jkE-7dLE8nowN4
Subject: [OAUTH-WG] Do we have any public implementations of OAuth 2.0 MAC Token Profile..?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 00:10:48 -0000

Do we have any public implementations of OAuth 2.0 MAC Token Profile..?

[1]: http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05


Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://blog.api-security.org


From nobody Fri Mar 28 07:19:26 2014
Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3143A1A065A; Fri, 28 Mar 2014 07:19:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z928WL3Kk2J8; Fri, 28 Mar 2014 07:19:20 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0239.outbound.protection.outlook.com [207.46.163.239]) by ietfa.amsl.com (Postfix) with ESMTP id B6D851A0651; Fri, 28 Mar 2014 07:19:20 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by CO1PR02MB205.namprd02.prod.outlook.com (10.242.165.139) with Microsoft SMTP Server (TLS) id 15.0.898.11; Fri, 28 Mar 2014 14:19:17 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([10.242.165.144]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.116]) with mapi id 15.00.0898.005; Fri, 28 Mar 2014 14:19:16 +0000
From: Antonio Sanso <asanso@adobe.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: JWE with A128CBC-HS256
Thread-Index: AQHPSpCycCA73yYRfEu550luWR/WWg==
Date: Fri, 28 Mar 2014 14:19:15 +0000
Message-ID: <E03A5014-EDCB-4E7C-A05B-F474D72D1D0E@adobe.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [192.147.117.11]
x-forefront-prvs: 01644DCF4A
received-spf: None (: adobe.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-ID: <7366396A11C3934392DAA7E1FB8FAC19@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/OO5OaRua-k3fT8OiqX6q2EkQbIs
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: [OAUTH-WG] JWE with A128CBC-HS256
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 14:19:23 -0000

hi *,

in the JWT specification [0] there is an example of a JWE that uses A128CBC-HS256 for content encryption.
Now I am not a cryptographer myself but IIUC the same CEK is used for encrypting with AES and authentication HMAC.

AFAIK it is better to use two different keys for those 2 different primitives (this will not obviously apply to AES_GCM).

Unless I am missing something... :)

regards

antonio

[0] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#appendix-A.1
[1] http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#appendix-A.2


From nobody Fri Mar 28 07:33:10 2014
Return-Path: <ietf-ipr@ietf.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C4541A0934; Fri, 28 Mar 2014 07:33:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P5QzrMZH5NNZ; Fri, 28 Mar 2014 07:33:05 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 63E5D1A06DD; Fri, 28 Mar 2014 07:33:05 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: IETF Secretariat <ietf-ipr@ietf.org>
To: dick.hardt@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 5.2.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140328143305.17834.59493.idtracker@ietfa.amsl.com>
Date: Fri, 28 Mar 2014 07:33:05 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/bs9KcoSrEz9GSPPKsQiliUkE_l4
Cc: derek@ihtfp.com, oauth@ietf.org, ipr-announce@ietf.org
Subject: [OAUTH-WG] IPR Disclosure: Nokia Corporation's Statement about IPR related to RFC 6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 14:33:07 -0000

Dear Dick Hardt:

 An IPR disclosure that pertains to your RFC entitled "The OAuth 2.0
Authorization Framework" (RFC6749) was submitted to the IETF Secretariat on
2014-03-28 and has been posted on the "IETF Page of Intellectual Property Rights
Disclosures" (https://datatracker.ietf.org/ipr/2336/). The title of the IPR
disclosure is "Nokia Corporation's Statement about IPR related to RFC 6749."

The IETF Secretariat


From nobody Fri Mar 28 09:10:22 2014
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06C6A1A063C for <oauth@ietfa.amsl.com>; Fri, 28 Mar 2014 09:10:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.146
X-Spam-Level: 
X-Spam-Status: No, score=-0.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mSz1-FG_fXOn for <oauth@ietfa.amsl.com>; Fri, 28 Mar 2014 09:10:19 -0700 (PDT)
Received: from mail-qa0-f42.google.com (mail-qa0-f42.google.com [209.85.216.42]) by ietfa.amsl.com (Postfix) with ESMTP id 6B8531A0146 for <oauth@ietf.org>; Fri, 28 Mar 2014 09:10:19 -0700 (PDT)
Received: by mail-qa0-f42.google.com with SMTP id k15so5507859qaq.15 for <oauth@ietf.org>; Fri, 28 Mar 2014 09:10:17 -0700 (PDT)
X-Received: by 10.224.13.142 with SMTP id c14mr3444573qaa.76.1396023016939; Fri, 28 Mar 2014 09:10:16 -0700 (PDT)
Received: from [192.168.1.216] (190-20-47-194.baf.movistar.cl. [190.20.47.194]) by mx.google.com with ESMTPSA id i95sm1551877qge.5.2014.03.28.09.10.15 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 28 Mar 2014 09:10:16 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <E03A5014-EDCB-4E7C-A05B-F474D72D1D0E@adobe.com>
Date: Fri, 28 Mar 2014 13:09:02 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <C7692FDB-FAB0-4937-8354-9B2881207D4F@ve7jtb.com>
References: <E03A5014-EDCB-4E7C-A05B-F474D72D1D0E@adobe.com>
To: Antonio Sanso <asanso@adobe.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/tgxeXFUrwHiP4QclAJdHZOBLRnA
Cc: "oauth@ietf.org" <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [OAUTH-WG] JWE with A128CBC-HS256
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 16:10:21 -0000

This reference may be useful to you. http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2

The part of the spec you need is http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-24#page-23

We originally used a KDF as you mention.  In order to simplify the alg and align with draft-mcgrew-aead-aes-cbc-hmac-sha2.

K is the concatenation of the AES key and the HMAC key.

John B.


On Mar 28, 2014, at 11:19 AM, Antonio Sanso <asanso@adobe.com> wrote:

> hi *,
>
> in the JWT specification [0] there is an example of a JWE that uses A128CBC-HS256 for content encryption.
> Now I am not a cryptographer myself but IIUC the same CEK is used for encrypting with AES and authentication HMAC.
>
> AFAIK it is better to use two different keys for those 2 different primitives (this will not obviously apply to AES_GCM).
>
> Unless I am missing something... :)
>
> regards
>
> antonio
>
> [0] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#appendix-A.1
> [1] http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#appendix-A.2
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
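
The key handling John describes, as an added example (not code from this thread or from the JOSE drafts): for A128CBC-HS256 the 32-byte key K is split into a 16-byte HMAC key followed by a 16-byte AES key, and the tag is HMAC-SHA-256 over AAD, IV, ciphertext and the AAD bit length, truncated to 16 bytes, following the AES_CBC_HMAC_SHA2 construction in the JWA draft he cites. The AES-CBC step itself is left to a crypto library; the function names and every sample value below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict, Tuple

KEY_LEN = 32       # K for A128CBC-HS256 is MAC_KEY || ENC_KEY
MAC_KEY_LEN = 16   # first half of K, used only for HMAC-SHA-256
TAG_LEN = 16       # HMAC-SHA-256 output truncated to 128 bits


def split_cek(cek: bytes) -> Tuple[bytes, bytes]:
    """Split K into (MAC_KEY, ENC_KEY); the two primitives never share key bytes."""
    if len(cek) != KEY_LEN:
        raise ValueError("A128CBC-HS256 needs a 32-byte key, got %d" % len(cek))
    return cek[:MAC_KEY_LEN], cek[MAC_KEY_LEN:]


def auth_tag(mac_key: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Tag = first 16 bytes of HMAC-SHA-256(MAC_KEY, AAD || IV || ciphertext || AL)."""
    al = struct.pack(">Q", len(aad) * 8)  # AAD length in bits, 64-bit big-endian
    mac = hmac.new(mac_key, aad + iv + ciphertext + al, hashlib.sha256).digest()
    return mac[:TAG_LEN]


def verify_then_release_enc_key(cek: bytes, aad: bytes, iv: bytes,
                                ciphertext: bytes, tag: bytes) -> bytes:
    """Check the tag in constant time; hand back ENC_KEY only if it verifies.

    The caller would then run AES-128-CBC decryption with ENC_KEY and iv.
    """
    mac_key, enc_key = split_cek(cek)
    if not hmac.compare_digest(auth_tag(mac_key, aad, iv, ciphertext), tag):
        raise ValueError("authentication tag mismatch")
    return enc_key


def demo() -> Dict[str, object]:
    # Constructed inputs, not a test vector from any specification.
    cek = bytes(range(32))
    header = b'{"alg":"dir","enc":"A128CBC-HS256"}'
    aad = base64.urlsafe_b64encode(header).rstrip(b"=")  # JWE AAD is the encoded header
    iv = bytes(16)
    ciphertext = bytes.fromhex("aa" * 32)  # stand-in for real AES-128-CBC output

    mac_key, enc_key = split_cek(cek)
    tag = auth_tag(mac_key, aad, iv, ciphertext)
    results = {"mac_key": mac_key, "enc_key": enc_key, "tag_len": len(tag)}
    results["released"] = verify_then_release_enc_key(cek, aad, iv, ciphertext, tag)

    # A single flipped ciphertext bit must be rejected before any decryption.
    tampered = bytes([ciphertext[0] ^ 1]) + ciphertext[1:]
    try:
        verify_then_release_enc_key(cek, aad, iv, tampered, tag)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True

    # Same concatenated bytes, different AAD/IV boundary: AL makes the tag differ.
    shifted = auth_tag(mac_key, aad + iv[:1], iv[1:] + ciphertext[:1], ciphertext[1:])
    results["boundary_shift_changes_tag"] = shifted != tag
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```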


From nobody Fri Mar 28 09:52:03 2014
Return-Path: <bburke@redhat.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6E1E1A00D9 for <oauth@ietfa.amsl.com>; Fri, 28 Mar 2014 09:52:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level: 
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NnIh7Qdx-CTc for <oauth@ietfa.amsl.com>; Fri, 28 Mar 2014 09:51:58 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id A9AED1A00FB for <oauth@ietf.org>; Fri, 28 Mar 2014 09:51:58 -0700 (PDT)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s2SGptdf014127 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 28 Mar 2014 12:51:55 -0400
Received: from [10.10.60.86] (vpn-60-86.rdu2.redhat.com [10.10.60.86]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s2SGpsTL008556; Fri, 28 Mar 2014 12:51:55 -0400
Message-ID: <5335A8AD.9030000@redhat.com>
Date: Fri, 28 Mar 2014 12:51:57 -0400
From: Bill Burke <bburke@redhat.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Prateek Mishra <prateek.mishra@oracle.com>
References: <53344407.1050802@redhat.com> <5334BB7B.2060602@oracle.com>
In-Reply-To: <5334BB7B.2060602@oracle.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/zZwqmTlCgZFzCrnVehhures-8Lk
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] CORS and public vs. confidential clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 16:52:01 -0000

The threat model doc was really great, but I still couldn't find 
anything concrete on what guarantees you lose if you use a public client 
vs. a confidential one.  Honestly, I'm just trying to have the right 
info to guide users on what auth flow to use and the pros/cons.

On 3/27/2014 7:59 PM, Prateek Mishra wrote:
> Bill - as you are referencing CORS in your message, I assume you are
> discussing a Javascript-only (browser) client. I believe the implicit flow
> was designed for this case and this flow never involves a confidential
> client.
>
Yes, it is a Javascript (browser) client.  Implicit flow doesn't allow 
for a refresh token.  Our browser javascript code uses CORS also when 
participating in the access code grant flow.

Our access codes are digitally signed, and unique.  They can only be 
turned into an access token once.  They are associated privately with a 
redirect URI, state, and client_id.  And they have a timeout.  We do 
validation/verification at each part of the flow to make sure the 
redirectURI, state, and/or client_id is valid.  I just want to know what 
to tell users what security implications there are if they use a public 
client in this scenario.

> Confidential clients may be used with the other flows (code,
> resource,..) that are capable of making a TLS call to a Token Endpoint.
>

BTW, Is there a better list for these types of questions?  Didn't have a 
lot of luck on the Google Group for OAuth.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
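
The code handling Bill describes, sketched as an added example (not his IDP's code): a unique, signed, single-use authorization code bound to client_id, redirect URI and state, with a timeout. The class and method names are hypothetical, HMAC stands in for the digital signature, and all identifiers and secrets are constructed; the last two cases show the one check a confidential client adds, which is client authentication at redemption.

```python
import hashlib
import hmac
import secrets


class AuthorizationServer:
    """Toy authorization server; every name here is hypothetical."""

    def __init__(self, signing_key: bytes, code_ttl: int = 60):
        self._key = signing_key
        self._ttl = code_ttl
        self._clients = {}   # client_id -> (redirect_uri, secret or None)
        self._pending = {}   # code id -> private metadata bound to the code

    def register_client(self, client_id, redirect_uri, secret=None):
        # secret=None models a public client (browser JavaScript cannot keep one)
        self._clients[client_id] = (redirect_uri, secret)

    def _sign(self, code_id: str) -> str:
        # HMAC stands in for the digital signature mentioned in the post
        return hmac.new(self._key, code_id.encode(), hashlib.sha256).hexdigest()

    def issue_code(self, client_id, redirect_uri, state, now):
        registered_uri, _ = self._clients[client_id]
        if redirect_uri != registered_uri:
            raise PermissionError("redirect_uri is not registered for this client")
        code_id = secrets.token_urlsafe(16)          # unique per authorization
        self._pending[code_id] = {
            "client_id": client_id, "redirect_uri": redirect_uri,
            "state": state, "expires": now + self._ttl,
        }
        return code_id + "." + self._sign(code_id)

    def redeem_code(self, code, client_id, redirect_uri, now, client_secret=None):
        code_id, _, sig = code.partition(".")
        if not hmac.compare_digest(sig, self._sign(code_id)):
            raise PermissionError("bad signature")
        meta = self._pending.pop(code_id, None)      # one redemption attempt only
        if meta is None:
            raise PermissionError("code unknown or already redeemed")
        if now > meta["expires"]:
            raise PermissionError("code expired")
        if (client_id, redirect_uri) != (meta["client_id"], meta["redirect_uri"]):
            raise PermissionError("code bound to a different client or redirect_uri")
        _, secret = self._clients[client_id]
        if secret is not None:
            # Confidential client: the caller must also prove it is the client.
            if client_secret is None or not hmac.compare_digest(secret, client_secret):
                raise PermissionError("client authentication failed")
        return secrets.token_urlsafe(32)             # the access token


def attempt(fn, *args, **kwargs) -> str:
    try:
        fn(*args, **kwargs)
        return "token issued"
    except PermissionError as exc:
        return str(exc)


def demo() -> dict:
    spa_uri, web_uri = "https://app.example/cb", "https://web.example/cb"
    srv = AuthorizationServer(signing_key=b"constructed-demo-key")
    srv.register_client("spa", spa_uri)                            # public
    srv.register_client("web", web_uri, secret="constructed-pw")   # confidential
    out = {}

    code = srv.issue_code("spa", spa_uri, "xyz", now=1000)
    out["public_first_use"] = attempt(srv.redeem_code, code, "spa", spa_uri, now=1010)
    out["public_replay"] = attempt(srv.redeem_code, code, "spa", spa_uri, now=1011)

    code = srv.issue_code("spa", spa_uri, "xyz", now=1000)
    out["expired"] = attempt(srv.redeem_code, code, "spa", spa_uri, now=1061)

    code = srv.issue_code("spa", spa_uri, "xyz", now=1000)
    out["client_id_swap"] = attempt(srv.redeem_code, code, "web", web_uri,
                                    now=1010, client_secret="constructed-pw")

    code = srv.issue_code("web", web_uri, "xyz", now=1000)
    out["confidential_no_secret"] = attempt(srv.redeem_code, code, "web", web_uri, now=1010)

    code = srv.issue_code("web", web_uri, "xyz", now=1000)
    out["confidential_with_secret"] = attempt(srv.redeem_code, code, "web", web_uri,
                                              now=1010, client_secret="constructed-pw")
    return out


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```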


From nobody Sun Mar 30 08:13:44 2014
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 482EA1A063E for <oauth@ietfa.amsl.com>; Sun, 30 Mar 2014 08:13:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ERDfCoobFcXB for <oauth@ietfa.amsl.com>; Sun, 30 Mar 2014 08:13:40 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id 4B01A1A034C for <oauth@ietf.org>; Sun, 30 Mar 2014 08:13:40 -0700 (PDT)
Received: from [192.168.131.137] ([80.92.119.215]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0LpKKr-1X0ZMw2v7F-00fAHN; Sun, 30 Mar 2014 17:13:35 +0200
Message-ID: <53383308.7040306@gmx.net>
Date: Sun, 30 Mar 2014 17:06:48 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Prabath Siriwardena <prabath@wso2.com>,  "oauth@ietf.org WG" <oauth@ietf.org>
References: <CAJV9qO8NGmiXv3VuSzhamY+3qbPSXeM=8E1Wh7MV+6ptE+7fFQ@mail.gmail.com>
In-Reply-To: <CAJV9qO8NGmiXv3VuSzhamY+3qbPSXeM=8E1Wh7MV+6ptE+7fFQ@mail.gmail.com>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="HecT6m7mPLNOcqTWSTnta4DdDp6HlJxui"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/GUQTawKhd22rAqOb-ltr1kN40rg
Subject: Re: [OAUTH-WG] Do we have any public implementations of OAuth 2.0 MAC Token Profile..?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Mar 2014 15:13:42 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--HecT6m7mPLNOcqTWSTnta4DdDp6HlJxui
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi Prabath,

I remember that someone mentioned that he had implemented that version
of the document. Unfortunately, I cannot point you to the code from the
top of my head.

The main reason for my response is, however, different. At the last IETF
meeting I presented a proposal for moving this "better-than-bearer
token" work forward and there will be changes to what is currently in
this document.

So, I would encourage you to wait a few weeks and you will see the updated
version of the document.

Ciao
Hannes


On 03/28/2014 01:10 AM, Prabath Siriwardena wrote:
> Do we have any public implementations of OAuth 2.0 MAC Token Profile..?
>
> [1]: http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05
>
>
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://blog.api-security.org
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


--HecT6m7mPLNOcqTWSTnta4DdDp6HlJxui--


From nobody Sun Mar 30 09:46:41 2014
Return-Path: <prabath@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEA2F1A089D for <oauth@ietfa.amsl.com>; Sun, 30 Mar 2014 09:46:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level: 
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id paC88dqh2b9F for <oauth@ietfa.amsl.com>; Sun, 30 Mar 2014 09:46:38 -0700 (PDT)
Received: from mail-oa0-x22a.google.com (mail-oa0-x22a.google.com [IPv6:2607:f8b0:4003:c02::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 55CA61A06EA for <oauth@ietf.org>; Sun, 30 Mar 2014 09:46:38 -0700 (PDT)
Received: by mail-oa0-f42.google.com with SMTP id i4so8267190oah.15 for <oauth@ietf.org>; Sun, 30 Mar 2014 09:46:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=jvTxt4YD0Mz3r04/WMEAWEMW+KSckyKBagD1ddRMGD4=; b=NIiENWGgBxKBKd9i/r1Uy2d2gE9OS5ODoj7XHO/BoAoaeYkKC04BU9G7jZLG337btx WHq6HAZZ8doyeWpR8T9ARaRSNKjshA9jk/eyFtPhhHOc7NdH0egfHO2zMnsYYSnTAx2D 0rWUpeThc0CSkWkXtYK0eBA9dlQEcSmUz/OxE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=jvTxt4YD0Mz3r04/WMEAWEMW+KSckyKBagD1ddRMGD4=; b=iUX4yQnZmzRyRe7H0j5EmmNJ0RTv3mrdEQzizyAIVc6PJbBh+3E9aIhn7OaGXuXBtx AJFoMpEqCXyxw6XyxUTw54XPHTR2kHLm7Btfw7br9ZLoIWt6cAzRdjCbNRtO0qVgLdR4 FNy0YZTp/sI+uiTk3efveu+1unpdi/k88EYEkV1OyTtKZoqad3yWS/vsguMv4SPOaPPj 44WsSas2dV/p+ySpX7T+CCgBXCmmH9aXAjMxZvfMuLaXMR/efAqUsL8owgFW5Lv+mBIk 8uhu81M34XphKQBVLp7FsuVa9KqZ7l7ChBIAILwdWqE+BF4P/Oi0nzdgNVp2gQ8aVh5E JQBQ==
X-Gm-Message-State: ALoCoQkRt5KKGkIszQePjbi6dRCBfinZJod0f5o0SJftbikn768RI/inItjWECAzLUd6D7EvKM1Q
MIME-Version: 1.0
X-Received: by 10.60.115.68 with SMTP id jm4mr1368740oeb.45.1396197995205; Sun, 30 Mar 2014 09:46:35 -0700 (PDT)
Received: by 10.60.54.99 with HTTP; Sun, 30 Mar 2014 09:46:35 -0700 (PDT)
In-Reply-To: <53383308.7040306@gmx.net>
References: <CAJV9qO8NGmiXv3VuSzhamY+3qbPSXeM=8E1Wh7MV+6ptE+7fFQ@mail.gmail.com> <53383308.7040306@gmx.net>
Date: Sun, 30 Mar 2014 22:16:35 +0530
Message-ID: <CAJV9qO8H5UjgfiWpK80AwnQHW=W2Bk_Nb3LLqNVqU39SXuHB7w@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/T_UlgONunMCDeotzRGIM6DL027M
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Do we have any public implementations of OAuth 2.0 MAC Token Profile..?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Mar 2014 16:46:40 -0000

Thanks Hannes..

I was looking for a public API secured with MAC token profile to do a
demo in one of my presentations.. I hardly ever found one...

Thanks & regards,
-Prabath

On Sun, Mar 30, 2014 at 8:36 PM, Hannes Tschofenig
<hannes.tschofenig@gmx.net> wrote:
> Hi Prabath,
>
> I remember that someone mentioned that he had implemented that version
> of the document. Unfortunately, I cannot point you to the code from the
> top of my head.
>
> The main reason for my response is, however, different. At the last IETF
> meeting I presented a proposal for moving this "better-than-bearer
> token" work forward and there will be changes to what is currently in
> this document.
>
> So, I would encourage you to wait a few weeks and you will see the updated
> version of the document.
>
> Ciao
> Hannes
>
>
> On 03/28/2014 01:10 AM, Prabath Siriwardena wrote:
>> Do we have any public implementations of OAuth 2.0 MAC Token Profile..?
>>
>> [1]: http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05
>>
>>
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +94 71 809 6732
>>
>> http://blog.facilelogin.com
>> http://blog.api-security.org
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>



-- 
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://blog.api-security.org


From nobody Sun Mar 30 23:43:42 2014
Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8D4D1A0815; Sun, 30 Mar 2014 23:43:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.555
X-Spam-Level: 
X-Spam-Status: No, score=0.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8KhCmMv8Y8eD; Sun, 30 Mar 2014 23:43:38 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (dns-bn1lp0143.outbound.protection.outlook.com [207.46.163.143]) by ietfa.amsl.com (Postfix) with ESMTP id 2FF7F1A0444; Sun, 30 Mar 2014 23:43:37 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by CO1PR02MB205.namprd02.prod.outlook.com (10.242.165.139) with Microsoft SMTP Server (TLS) id 15.0.898.11; Mon, 31 Mar 2014 06:43:32 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([10.242.165.144]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.116]) with mapi id 15.00.0898.005; Mon, 31 Mar 2014 06:43:31 +0000
From: Antonio Sanso <asanso@adobe.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] JWE with A128CBC-HS256
Thread-Index: AQHPSpCycCA73yYRfEu550luWR/WWpr2qvAAgAQY/YA=
Date: Mon, 31 Mar 2014 06:43:30 +0000
Message-ID: <9B0FC530-C3D7-4BA8-85FC-7457B7BEA194@adobe.com>
References: <E03A5014-EDCB-4E7C-A05B-F474D72D1D0E@adobe.com> <C7692FDB-FAB0-4937-8354-9B2881207D4F@ve7jtb.com>
In-Reply-To: <C7692FDB-FAB0-4937-8354-9B2881207D4F@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [192.147.117.11]
x-forefront-prvs: 0167DB5752
x-forefront-antispam-report: SFV:NSPM; SFS:(10019001)(428001)(24454002)(377454003)(199002)(189002)(98676001)(51856001)(69226001)(83072002)(93136001)(90146001)(93516002)(86362001)(4396001)(54356001)(56816005)(2656002)(80022001)(83716003)(56776001)(87936001)(53806001)(46102001)(54316002)(76482001)(81542001)(59766001)(81342001)(36756003)(77982001)(15202345003)(33656001)(94946001)(16236675002)(74502001)(19580405001)(92566001)(65816001)(47446002)(80976001)(74706001)(31966008)(19580395003)(20776003)(83322001)(82746002)(63696002)(74662001)(50986001)(47976001)(87266001)(85306002)(76786001)(92726001)(97186001)(95416001)(47736001)(66066001)(74876001)(79102001)(85852003)(97336001)(74366001)(15975445006)(49866001)(99286001)(95666003)(81816001)(94316002)(81686001); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR02MB205; H:CO1PR02MB206.namprd02.prod.outlook.com; FPR:EF4871B6.8DF0449A.36F03D4B.4DDD920.2028C; MLV:sfv; PTR:InfoNoRecords; A:1;  MX:1; LANG:en; 
received-spf: None (: adobe.com does not designate permitted sender hosts)
Content-Type: multipart/alternative; boundary="_000_9B0FC530C3D74BA885FC7457B7BEA194adobecom_"
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/VMeexJYKcF9tozvcU9IMnTQJFt8
Cc: "oauth@ietf.org" <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [OAUTH-WG] JWE with A128CBC-HS256
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Mar 2014 06:43:41 -0000

--_000_9B0FC530C3D74BA885FC7457B7BEA194adobecom_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

thanks a lot John,

On Mar 28, 2014, at 5:09 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> This reference may be useful to you. http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2
>
> The part of the spec you need is http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-24#page-23
>
> We originally used a KDF as you mention.  In order to simplify the alg and align with draft-mcgrew-aead-aes-cbc-hmac-sha2.
>
> K is the concatenation of the AES key and the HMAC Key.

question, are the examples in the spec already updated to use the new mechanism?
There are some obsolete references in the JWE spec. E.g. in [2] says:

as described where this algorithm is
   defined in Sections 4.8<http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#section-4.8> and 4.8.3<http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#section-4.8.3> of JWA,

These sections seem to point to an old version of the spec (Section 4.8.3 doesn’t even exist anymore in JWA)

regards

antonio

[2] http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#appendix-B

> John B.
>
>
> On Mar 28, 2014, at 11:19 AM, Antonio Sanso <asanso@adobe.com> wrote:
>
>> hi *,
>>
>> in the JWT specification [0] there is an example of a JWE that uses A128CBC-HS256 for content encryption.
>> Now I am not a cryptographer myself but IIUC the same CEK is used for encrypting with AES and authentication HMAC.
>>
>> AFAIK it is better to use two different keys for those 2 different primitives (this will not obviously apply to AES_GCM).
>>
>> Unless I am missing something... :)
>>
>> regards
>>
>> antonio
>>
>> [0] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#appendix-A.1
>> [1] http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#appendix-A.2
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth



--_000_9B0FC530C3D74BA885FC7457B7BEA194adobecom_--
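
The key handling discussed in this message (one CEK K carrying separate HMAC and AES keys), as an added example that is not part of the original thread or of the JOSE drafts: in the JWA construction the first half of K is MAC_KEY and the second half is ENC_KEY, and the tag is a truncated HMAC over the AAD, IV, ciphertext and AAD bit length. It goes beyond A128CBC-HS256 to the A192CBC-HS384 and A256CBC-HS512 variants; the function names and sample values are constructed, and the AES-CBC step is left out, so the ciphertext bytes are a stand-in.

```python
import base64
import hashlib
import hmac
import struct

# Parameters of the JWA composite algorithms, in octets:
# name -> (length of each key half, HMAC hash, authentication tag length)
PARAMS = {
    "A128CBC-HS256": (16, hashlib.sha256, 16),
    "A192CBC-HS384": (24, hashlib.sha384, 24),
    "A256CBC-HS512": (32, hashlib.sha512, 32),
}


def split_cek(enc, cek):
    """Split the CEK K into (MAC_KEY, ENC_KEY).

    The first half of K keys the HMAC and the second half keys AES-CBC,
    so the two primitives never see the same key material.
    """
    half, _, _ = PARAMS[enc]
    if len(cek) != 2 * half:
        raise ValueError(f"{enc} needs a {2 * half}-octet CEK, got {len(cek)}")
    return cek[:half], cek[half:]


def auth_tag(enc, cek, aad, iv, ciphertext):
    """Compute the tag T = truncate(HMAC(MAC_KEY, AAD || IV || E || AL))."""
    mac_key, _enc_key = split_cek(enc, cek)
    _, digest, tag_len = PARAMS[enc]
    al = struct.pack(">Q", len(aad) * 8)  # AAD length in bits, 64-bit big-endian
    mac = hmac.new(mac_key, aad + iv + ciphertext + al, digest).digest()
    return mac[:tag_len]


def verify_tag(enc, cek, aad, iv, ciphertext, tag):
    """Check the tag in constant time; a receiver does this before any CBC decryption."""
    return hmac.compare_digest(auth_tag(enc, cek, aad, iv, ciphertext), tag)


def demo():
    """Run the checks on constructed sample values (not taken from the drafts)."""
    enc = "A128CBC-HS256"
    cek = bytes(range(32))                     # constructed 256-bit CEK
    header = b'{"alg":"RSA1_5","enc":"A128CBC-HS256"}'
    # In JWE the AAD is the base64url-encoded protected header.
    aad = base64.urlsafe_b64encode(header).rstrip(b"=")
    iv = bytes(16)                             # constructed IV
    ciphertext = bytes.fromhex("aa" * 32)      # stand-in for AES-CBC output
    mac_key, enc_key = split_cek(enc, cek)
    tag = auth_tag(enc, cek, aad, iv, ciphertext)
    tampered = bytes([ciphertext[0] ^ 1]) + ciphertext[1:]
    return {
        "mac_key": mac_key.hex(),
        "enc_key": enc_key.hex(),
        "tag_len": len(tag),
        "valid": verify_tag(enc, cek, aad, iv, ciphertext, tag),
        "tampered_ciphertext": verify_tag(enc, cek, aad, iv, tampered, tag),
        "tampered_header": verify_tag(enc, cek, aad + b"x", iv, ciphertext, tag),
        # Keying the HMAC with the AES half instead yields a different tag.
        "swapped_halves": verify_tag(enc, enc_key + mac_key, aad, iv, ciphertext, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
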


From nobody Mon Mar 31 05:34:12 2014
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF0791A07EA for <oauth@ietfa.amsl.com>; Mon, 31 Mar 2014 05:34:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.145
X-Spam-Level: 
X-Spam-Status: No, score=-0.145 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x4wMs09V1v9C for <oauth@ietfa.amsl.com>; Mon, 31 Mar 2014 05:34:05 -0700 (PDT)
Received: from mail-ob0-f173.google.com (mail-ob0-f173.google.com [209.85.214.173]) by ietfa.amsl.com (Postfix) with ESMTP id CA2D91A082F for <oauth@ietf.org>; Mon, 31 Mar 2014 05:34:05 -0700 (PDT)
Received: by mail-ob0-f173.google.com with SMTP id gq1so9121024obb.32 for <oauth@ietf.org>; Mon, 31 Mar 2014 05:34:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=xsSXLqgo1EwFJOgcTP+M8T9XQTlNtks+XT4sC80vNfU=; b=fZD0D05IGA6KjQPA63B6ka3vfZ1vBUrJkw1IKczkuB8buZjHW/zMG1IPrlXtnbIc5A scBdKtNYaEvfWoQIgpV42JCVxpKUfpvngTZRC+9SXsbbCsA/NTxrWCiaGUV6c9OXxTUf VfEMK9cAi0x11Rf8Daj8bVSGAwW8bXvGmGj9XSJBcpyDuU5yKpF/jm8hFPd7gF0dyBiB QGOGc+ChrJn6TdRRtuVsrEq3pKVzgnP+49oQu0Gtj1zAlej8QdGIuV9plM7kwSBUnmCH 04sfXd7uSLX3QGeB1nikUXO6c6tBWoLAjI4NmfUPfy9EEppfM3QfkJOhplM8s/6+SgmB XCSA==
X-Gm-Message-State: ALoCoQkTYBMo3WFCDKcRLksCSfYLLEQkkcxDuOM+guhqp67yNzbdh5LZgTna3mjrrphsJ9j2UA/T
X-Received: by 10.60.37.199 with SMTP id a7mr2804580oek.41.1396269242514; Mon, 31 Mar 2014 05:34:02 -0700 (PDT)
Received: from [192.168.10.212] (ip-64-134-11-246.public.wayport.net. [64.134.11.246]) by mx.google.com with ESMTPSA id c7sm60972107oek.12.2014.03.31.05.34.00 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 31 Mar 2014 05:34:00 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_99EBCEE7-2AB0-4A6F-A234-1F1F723CCD5E"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <9B0FC530-C3D7-4BA8-85FC-7457B7BEA194@adobe.com>
Date: Mon, 31 Mar 2014 09:34:00 -0300
Message-Id: <8480C7F7-E43B-4094-BBE3-95E13E8AE33A@ve7jtb.com>
References: <E03A5014-EDCB-4E7C-A05B-F474D72D1D0E@adobe.com> <C7692FDB-FAB0-4937-8354-9B2881207D4F@ve7jtb.com> <9B0FC530-C3D7-4BA8-85FC-7457B7BEA194@adobe.com>
To: Antonio Sanso <asanso@adobe.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/LgfRcJ5rPCoE-MLX7IhAkrLhhdk
Cc: "oauth@ietf.org" <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [OAUTH-WG] JWE with A128CBC-HS256
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Mar 2014 12:34:08 -0000

--Apple-Mail=_99EBCEE7-2AB0-4A6F-A234-1F1F723CCD5E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Thanks,  I will have a look.

On Mar 31, 2014, at 3:43 AM, Antonio Sanso <asanso@adobe.com> wrote:

> thanks a lot John,
>
> On Mar 28, 2014, at 5:09 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> This reference may be useful to you. http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2
>>
>> The part of the spec you need is http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-24#page-23
>>
>> We originally used a KDF as you mention.  In order to simplify the alg and align with draft-mcgrew-aead-aes-cbc-hmac-sha2.
>>
>> K is the concatenation of the AES key and the HMAC Key.
>
> question, are the examples in the spec already updated to use the new mechanism?
> There are some obsolete references in the JWE spec. E.g. in [2] says:
>
> as described where this algorithm is
>    defined in Sections 4.8 and 4.8.3 of JWA,
>
> These sections seem to point to an old version of the spec (Section 4.8.3 doesn’t even exist anymore in JWA)
>
> regards
>
> antonio
>
> [2] http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#appendix-B
>
>>
>> John B.
>>
>>
>> On Mar 28, 2014, at 11:19 AM, Antonio Sanso <asanso@adobe.com> wrote:
>>
>>> hi *,
>>>
>>> in the JWT specification [0] there is an example of a JWE that uses A128CBC-HS256 for content encryption.
>>> Now I am not a cryptographer myself but IIUC the same CEK is used for encrypting with AES and authentication HMAC.
>>>
>>> AFAIK it is better to use two different keys for those 2 different primitives (this will not obviously apply to AES_GCM).
>>>
>>> Unless I am missing something... :)
>>>
>>> regards
>>>
>>> antonio
>>>
>>> [0] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#appendix-A.1
>>> [1] http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#appendix-A.2
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>


--Apple-Mail=_99EBCEE7-2AB0-4A6F-A234-1F1F723CCD5E--


From nobody Mon Mar 31 20:55:02 2014
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CB661A0947; Mon, 31 Mar 2014 20:55:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.145
X-Spam-Level: 
X-Spam-Status: No, score=-0.145 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K-2qTtOeGLXa; Mon, 31 Mar 2014 20:54:54 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0208.outbound.protection.outlook.com [207.46.163.208]) by ietfa.amsl.com (Postfix) with ESMTP id A1D0A1A0927; Mon, 31 Mar 2014 20:54:53 -0700 (PDT)
Received: from DM2PR03CA002.namprd03.prod.outlook.com (10.141.52.150) by BLUPR03MB168.namprd03.prod.outlook.com (10.255.212.152) with Microsoft SMTP Server (TLS) id 15.0.908.10; Tue, 1 Apr 2014 03:54:49 +0000
Received: from BY2FFO11FD056.protection.gbl (2a01:111:f400:7c0c::184) by DM2PR03CA002.outlook.office365.com (2a01:111:e400:2414::22) with Microsoft SMTP Server (TLS) id 15.0.908.10 via Frontend Transport; Tue, 1 Apr 2014 03:54:49 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD056.mail.protection.outlook.com (10.1.15.193) with Microsoft SMTP Server (TLS) id 15.0.908.10 via Frontend Transport; Tue, 1 Apr 2014 03:54:48 +0000
Received: from TK5EX14MLTC101.redmond.corp.microsoft.com (157.54.79.193) by TK5EX14HUBC103.redmond.corp.microsoft.com (157.54.86.9) with Microsoft SMTP Server (TLS) id 14.3.181.7; Tue, 1 Apr 2014 03:54:26 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.193]) with mapi id 14.03.0174.002; Tue, 1 Apr 2014 03:54:26 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Antonio Sanso <asanso@adobe.com>
Thread-Topic: [OAUTH-WG] JWE with A128CBC-HS256
Thread-Index: AQHPSpCycCA73yYRfEu550luWR/WWpr2qvAAgAQY/YCAAWLyQA==
Date: Tue, 1 Apr 2014 03:54:25 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A12DC8C@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <E03A5014-EDCB-4E7C-A05B-F474D72D1D0E@adobe.com> <C7692FDB-FAB0-4937-8354-9B2881207D4F@ve7jtb.com> <9B0FC530-C3D7-4BA8-85FC-7457B7BEA194@adobe.com>
In-Reply-To: <9B0FC530-C3D7-4BA8-85FC-7457B7BEA194@adobe.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.73]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A12DC8CTK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:131.107.125.37; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(100?= =?us-ascii?Q?09001)(438001)(377454003)(52604005)(189002)(199002)(24454002?= =?us-ascii?Q?)(50986001)(84326002)(92566001)(16796002)(47736001)(74662001?= =?us-ascii?Q?)(92726001)(74502001)(47446002)(77096001)(47976001)(85306002?= =?us-ascii?Q?)(79102001)(94946001)(59766001)(76786001)(2009001)(31966008)?= =?us-ascii?Q?(77982001)(71186001)(56816005)(86612001)(512954002)(81342001?= =?us-ascii?Q?)(19300405004)(63696002)(99396001)(83072002)(90146001)(85852?= =?us-ascii?Q?003)(20776003)(85806002)(49866001)(4396001)(56776001)(159754?= =?us-ascii?Q?45006)(54316002)(66066001)(65816001)(80976001)(86362001)(518?= =?us-ascii?Q?56001)(54356001)(46102001)(93516002)(74876001)(53806001)(931?= =?us-ascii?Q?36001)(2656002)(44976005)(74366001)(69226001)(97736001)(8181?= =?us-ascii?Q?6001)(95666003)(87266001)(81542001)(76482001)(55846006)(8002?= =?us-ascii?Q?2001)(95416001)(15202345003)(83322001)(19580405001)(81686001?= =?us-ascii?Q?)(94316002)(87936001)(19580395003)(33656001)(97186001)(16236?= =?us-ascii?Q?675002)(16297215004)(6806004)(98676001);DIR:OUT;SFP:1101;SCL?= =?us-ascii?Q?:1;SRVR:BLUPR03MB168;H:mail.microsoft.com;FPR:EC4A71B7.8DF05?= =?us-ascii?Q?69A.32FC3D4B.84DDD928.202F0;MLV:sfv;PTR:InfoDomainNonexisten?= =?us-ascii?Q?t;MX:1;A:1;LANG:en;?=
X-O365ENT-EOP-Header: Message processed by -  O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 016885DD9B
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qnqr2jzBAdoJz57ouvn0Nhi5evY
Cc: "oauth@ietf.org" <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [OAUTH-WG] JWE with A128CBC-HS256
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Apr 2014 03:55:00 -0000

--_000_4E1F6AAD24975D4BA5B16804296739439A12DC8CTK5EX14MBXC286r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

This typo has been corrected in the JOSE -25 specs.  Thanks for bringing it to our attention.

                                                                -- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Antonio Sanso
Sent: Sunday, March 30, 2014 11:44 PM
To: John Bradley
Cc: oauth@ietf.org; jose@ietf.org
Subject: Re: [OAUTH-WG] JWE with A128CBC-HS256

thanks a lot John,

On Mar 28, 2014, at 5:09 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:


This reference may be useful to you. http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2

The part of the spec you need is http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-24#page-23

We originally used a KDF as you mention.  In order to simplify the alg and align with draft-mcgrew-aead-aes-cbc-hmac-sha2.

K is the concatenation of the AES key and the HMAC Key.

question, are the examples in the spec already updated to use the new mechanism?
There are some obsolete references in the JWE spec. E.g. [2] says:


as described where this algorithm is

   defined in Sections 4.8 <http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#section-4.8> and 4.8.3 <http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#section-4.8.3> of JWA,

These sections seem to point to an old version of the spec (Section 4.8.3 doesn't even exist anymore in JWA)

regards

antonio

[2] http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#appendix-B



John B.


On Mar 28, 2014, at 11:19 AM, Antonio Sanso <asanso@adobe.com> wrote:


hi *,

in the JWT specification [0] there is an example of a JWE that uses A128CBC-HS256 for content encryption.
Now I am not a cryptographer myself but IIUC the same CEK is used for encrypting with AES and authentication HMAC.

AFAIK it is better to use two different keys for those 2 different primitives (this will not obviously apply to AES_GCM).

Unless I am missing something... :)

regards

antonio

[0] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#appendix-A.1
[1] http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#appendix-A.2



--_000_4E1F6AAD24975D4BA5B16804296739439A12DC8CTK5EX14MBXC286r_--
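
Added example (not part of the thread and not code from the JOSE drafts): the key handling discussed above for A128CBC-HS256, where the 32-octet CEK K is the HMAC key followed by the AES key, so the two primitives never share key material. The key, IV, header and ciphertext bytes are constructed sample values, and the AES-CBC step itself is left out so the block runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample values, not the test vectors from the JOSE drafts.
CEK = bytes(range(32))   # 256-bit content encryption key K
IV = bytes(16)           # 128-bit CBC initialization vector
# AAD is the ASCII of the base64url-encoded protected header.
AAD = base64.urlsafe_b64encode(b'{"alg":"dir","enc":"A128CBC-HS256"}').rstrip(b"=")
CIPHERTEXT = bytes.fromhex("00112233445566778899aabbccddeeff")  # stands in for AES-CBC output


def split_cek(cek: bytes):
    """Split K: first 16 octets are the HMAC key, last 16 octets are the AES key."""
    if len(cek) != 32:
        raise ValueError("A128CBC-HS256 requires a 32-octet CEK")
    return cek[:16], cek[16:]


def aad_length_block(aad: bytes) -> bytes:
    """AL: the number of bits in the AAD as a 64-bit big-endian integer."""
    return struct.pack(">Q", len(aad) * 8)


def auth_tag(cek: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA-256 over AAD || IV || ciphertext || AL, truncated to 16 octets."""
    mac_key, _enc_key = split_cek(cek)  # only the MAC half is used here
    mac_input = aad + iv + ciphertext + aad_length_block(aad)
    return hmac.new(mac_key, mac_input, hashlib.sha256).digest()[:16]


def verify_tag(cek: bytes, aad: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time tag check; a receiver decrypts only after this returns True."""
    return hmac.compare_digest(auth_tag(cek, aad, iv, ciphertext), tag)


if __name__ == "__main__":
    mac_key, enc_key = split_cek(CEK)
    tag = auth_tag(CEK, AAD, IV, CIPHERTEXT)
    print("MAC_KEY:", mac_key.hex())
    print("ENC_KEY:", enc_key.hex())
    print("tag    :", tag.hex())
    print("valid  :", verify_tag(CEK, AAD, IV, CIPHERTEXT, tag))
```
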

